<!DOCTYPE html><html lang="en"><head><meta charSet="utf-8"/><title>Attack Path Techniques<!-- --> | Tenable®</title><meta name="description" content="Attack Path Techniques"/><meta property="og:title" content="Attack Path Techniques"/><meta property="og:description" content="Attack Path Techniques"/><meta name="twitter:title" content="Attack Path Techniques"/><meta name="twitter:description" content="Attack Path Techniques"/><meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1"/><meta name="viewport" content="width=device-width, initial-scale=1"/><link rel="apple-touch-icon" sizes="180x180" href="https://www.tenable.com/themes/custom/tenable/img/favicons/apple-touch-icon.png"/><link rel="manifest" href="https://www.tenable.com/themes/custom/tenable/img/favicons/manifest.json"/><link rel="mask-icon" href="https://www.tenable.com/themes/custom/tenable/img/favicons/safari-pinned-tab.svg" color="#0071dd"/><link rel="icon" href="https://www.tenable.com/favicon.ico" sizes="any"/><link rel="icon" href="https://www.tenable.com/themes/custom/tenable/img/favicons/favicon.svg" type="image/svg+xml"/><meta name="msapplication-config" content="https://www.tenable.com/themes/custom/tenable/img/favicons/browserconfig.xml"/><meta name="theme-color" content="#ffffff"/><link rel="canonical" href="https://www.tenable.com/attack-path-techniques"/><link rel="alternate" hrefLang="x-default" href="https://www.tenable.com/attack-path-techniques"/><link rel="alternate" hrefLang="en" href="https://www.tenable.com/attack-path-techniques"/><meta name="next-head-count" content="19"/><script type="text/javascript">window.NREUM||(NREUM={});NREUM.info = {"agent":"","beacon":"bam.nr-data.net","errorBeacon":"bam.nr-data.net","licenseKey":"5febff3e0e","applicationID":"96358297","agentToken":null,"applicationTime":94.385023,"transactionName":"MVBabEEHChVXU0IIXggab11RIBYHW1VBDkMNYEpRHCgBHkJaRU52I2EXF1ISEAdVWxsRUBJdFUxWBQwIX0FDBEI=","queueTime":0,"ttGuid":"ae62c7b9a509b1e6"}; 
(window.NREUM||(NREUM={})).init={ajax:{deny_list:["bam.nr-data.net"]}};(window.NREUM||(NREUM={})).loader_config={licenseKey:"5febff3e0e",applicationID:"96358297"};;/*! For license information please see nr-loader-rum-1.274.0.min.js.LICENSE.txt */ (()=>{var e,t,r={8122:(e,t,r)=>{"use strict";r.d(t,{a:()=>i});var n=r(944);function i(e,t){try{if(!e||"object"!=typeof e)return(0,n.R)(3);if(!t||"object"!=typeof t)return(0,n.R)(4);const r=Object.create(Object.getPrototypeOf(t),Object.getOwnPropertyDescriptors(t)),o=0===Object.keys(r).length?e:r;for(let a in o)if(void 0!==e[a])try{if(null===e[a]){r[a]=null;continue}Array.isArray(e[a])&&Array.isArray(t[a])?r[a]=Array.from(new Set([...e[a],...t[a]])):"object"==typeof e[a]&&"object"==typeof t[a]?r[a]=i(e[a],t[a]):r[a]=e[a]}catch(e){(0,n.R)(1,e)}return r}catch(e){(0,n.R)(2,e)}}},2555:(e,t,r)=>{"use strict";r.d(t,{Vp:()=>c,fn:()=>s,x1:()=>u});var n=r(384),i=r(8122);const o={beacon:n.NT.beacon,errorBeacon:n.NT.errorBeacon,licenseKey:void 0,applicationID:void 0,sa:void 0,queueTime:void 0,applicationTime:void 0,ttGuid:void 0,user:void 0,account:void 0,product:void 0,extra:void 0,jsAttributes:{},userAttributes:void 0,atts:void 0,transactionName:void 0,tNamePlain:void 0},a={};function s(e){try{const t=c(e);return!!t.licenseKey&&!!t.errorBeacon&&!!t.applicationID}catch(e){return!1}}function c(e){if(!e)throw new Error("All info objects require an agent identifier!");if(!a[e])throw new Error("Info for ".concat(e," was never set"));return a[e]}function u(e,t){if(!e)throw new Error("All info objects require an agent identifier!");a[e]=(0,i.a)(t,o);const r=(0,n.nY)(e);r&&(r.info=a[e])}},9417:(e,t,r)=>{"use strict";r.d(t,{D0:()=>g,gD:()=>h,xN:()=>p});var n=r(993);const i=e=>{if(!e||"string"!=typeof e)return!1;try{document.createDocumentFragment().querySelector(e)}catch{return!1}return!0};var o=r(2614),a=r(944),s=r(384),c=r(8122);const u="[data-nr-mask]",d=()=>{const 
e={mask_selector:"*",block_selector:"[data-nr-block]",mask_input_options:{color:!1,date:!1,"datetime-local":!1,email:!1,month:!1,number:!1,range:!1,search:!1,tel:!1,text:!1,time:!1,url:!1,week:!1,textarea:!1,select:!1,password:!0}};return{ajax:{deny_list:void 0,block_internal:!0,enabled:!0,harvestTimeSeconds:10,autoStart:!0},distributed_tracing:{enabled:void 0,exclude_newrelic_header:void 0,cors_use_newrelic_header:void 0,cors_use_tracecontext_headers:void 0,allowed_origins:void 0},feature_flags:[],generic_events:{enabled:!0,harvestTimeSeconds:30,autoStart:!0},harvest:{tooManyRequestsDelay:60},jserrors:{enabled:!0,harvestTimeSeconds:10,autoStart:!0},logging:{enabled:!0,harvestTimeSeconds:10,autoStart:!0,level:n.p_.INFO},metrics:{enabled:!0,autoStart:!0},obfuscate:void 0,page_action:{enabled:!0},page_view_event:{enabled:!0,autoStart:!0},page_view_timing:{enabled:!0,harvestTimeSeconds:30,autoStart:!0},performance:{capture_marks:!1,capture_measures:!1},privacy:{cookies_enabled:!0},proxy:{assets:void 0,beacon:void 0},session:{expiresMs:o.wk,inactiveMs:o.BB},session_replay:{autoStart:!0,enabled:!1,harvestTimeSeconds:60,preload:!1,sampling_rate:10,error_sampling_rate:100,collect_fonts:!1,inline_images:!1,fix_stylesheets:!0,mask_all_inputs:!0,get mask_text_selector(){return e.mask_selector},set mask_text_selector(t){i(t)?e.mask_selector="".concat(t,",").concat(u):""===t||null===t?e.mask_selector=u:(0,a.R)(5,t)},get block_class(){return"nr-block"},get ignore_class(){return"nr-ignore"},get mask_text_class(){return"nr-mask"},get block_selector(){return e.block_selector},set block_selector(t){i(t)?e.block_selector+=",".concat(t):""!==t&&(0,a.R)(6,t)},get mask_input_options(){return e.mask_input_options},set mask_input_options(t){t&&"object"==typeof 
t?e.mask_input_options={...t,password:!0}:(0,a.R)(7,t)}},session_trace:{enabled:!0,harvestTimeSeconds:10,autoStart:!0},soft_navigations:{enabled:!0,harvestTimeSeconds:10,autoStart:!0},spa:{enabled:!0,harvestTimeSeconds:10,autoStart:!0},ssl:void 0,user_actions:{enabled:!0}}},l={},f="All configuration objects require an agent identifier!";function g(e){if(!e)throw new Error(f);if(!l[e])throw new Error("Configuration for ".concat(e," was never set"));return l[e]}function p(e,t){if(!e)throw new Error(f);l[e]=(0,c.a)(t,d());const r=(0,s.nY)(e);r&&(r.init=l[e])}function h(e,t){if(!e)throw new Error(f);var r=g(e);if(r){for(var n=t.split("."),i=0;i<n.length-1;i++)if("object"!=typeof(r=r[n[i]]))return;r=r[n[n.length-1]]}return r}},3371:(e,t,r)=>{"use strict";r.d(t,{V:()=>f,f:()=>l});var n=r(8122),i=r(384),o=r(6154),a=r(9324);let s=0;const c={buildEnv:a.F3,distMethod:a.Xs,version:a.xv,originTime:o.WN},u={customTransaction:void 0,disabled:!1,isolatedBacklog:!1,loaderType:void 0,maxBytes:3e4,onerror:void 0,ptid:void 0,releaseIds:{},appMetadata:{},session:void 0,denyList:void 0,timeKeeper:void 0,obfuscator:void 0},d={};function l(e){if(!e)throw new Error("All runtime objects require an agent identifier!");if(!d[e])throw new Error("Runtime for ".concat(e," was never set"));return d[e]}function f(e,t){if(!e)throw new Error("All runtime objects require an agent identifier!");d[e]={...(0,n.a)(t,u),...c},Object.hasOwnProperty.call(d[e],"harvestCount")||Object.defineProperty(d[e],"harvestCount",{get:()=>++s});const r=(0,i.nY)(e);r&&(r.runtime=d[e])}},9324:(e,t,r)=>{"use strict";r.d(t,{F3:()=>i,Xs:()=>o,xv:()=>n});const n="1.274.0",i="PROD",o="CDN"},6154:(e,t,r)=>{"use strict";r.d(t,{OF:()=>c,RI:()=>i,WN:()=>d,bv:()=>o,gm:()=>a,mw:()=>s,sb:()=>u});var n=r(1863);const i="undefined"!=typeof window&&!!window.document,o="undefined"!=typeof WorkerGlobalScope&&("undefined"!=typeof self&&self instanceof WorkerGlobalScope&&self.navigator instanceof WorkerNavigator||"undefined"!=typeof 
globalThis&&globalThis instanceof WorkerGlobalScope&&globalThis.navigator instanceof WorkerNavigator),a=i?window:"undefined"!=typeof WorkerGlobalScope&&("undefined"!=typeof self&&self instanceof WorkerGlobalScope&&self||"undefined"!=typeof globalThis&&globalThis instanceof WorkerGlobalScope&&globalThis),s=Boolean("hidden"===a?.document?.visibilityState),c=/iPad|iPhone|iPod/.test(a.navigator?.userAgent),u=c&&"undefined"==typeof SharedWorker,d=((()=>{const e=a.navigator?.userAgent?.match(/Firefox[/\s](\d+\.\d+)/);Array.isArray(e)&&e.length>=2&&e[1]})(),Date.now()-(0,n.t)())},1687:(e,t,r)=>{"use strict";r.d(t,{Ak:()=>c,Ze:()=>l,x3:()=>u});var n=r(7836),i=r(3606),o=r(860),a=r(2646);const s={};function c(e,t){const r={staged:!1,priority:o.P3[t]||0};d(e),s[e].get(t)||s[e].set(t,r)}function u(e,t){e&&s[e]&&(s[e].get(t)&&s[e].delete(t),g(e,t,!1),s[e].size&&f(e))}function d(e){if(!e)throw new Error("agentIdentifier required");s[e]||(s[e]=new Map)}function l(e="",t="feature",r=!1){if(d(e),!e||!s[e].get(t)||r)return g(e,t);s[e].get(t).staged=!0,f(e)}function f(e){const t=Array.from(s[e]);t.every((([e,t])=>t.staged))&&(t.sort(((e,t)=>e[1].priority-t[1].priority)),t.forEach((([t])=>{s[e].delete(t),g(e,t)})))}function g(e,t,r=!0){const o=e?n.ee.get(e):n.ee,s=i.i.handlers;if(!o.aborted&&o.backlog&&s){if(r){const e=o.backlog[t],r=s[t];if(r){for(let t=0;e&&t<e.length;++t)p(e[t],r);Object.entries(r).forEach((([e,t])=>{Object.values(t||{}).forEach((t=>{t[0]?.on&&t[0]?.context()instanceof a.y&&t[0].on(e,t[1])}))}))}}o.isolatedBacklog||delete s[t],o.backlog[t]=null,o.emit("drain-"+t,[])}}function p(e,t){var r=e[1];Object.values(t[r]||{}).forEach((t=>{var r=e[0];if(t[0]===r){var n=t[1],i=e[3],o=e[2];n.apply(i,o)}}))}},7836:(e,t,r)=>{"use strict";r.d(t,{P:()=>c,ee:()=>u});var n=r(384),i=r(8990),o=r(3371),a=r(2646),s=r(5607);const c="nr@context:".concat(s.W),u=function e(t,r){var n={},s={},d={},l=!1;try{l=16===r.length&&(0,o.f)(r).isolatedBacklog}catch(e){}var 
f={on:p,addEventListener:p,removeEventListener:function(e,t){var r=n[e];if(!r)return;for(var i=0;i<r.length;i++)r[i]===t&&r.splice(i,1)},emit:function(e,r,n,i,o){!1!==o&&(o=!0);if(u.aborted&&!i)return;t&&o&&t.emit(e,r,n);for(var a=g(n),c=h(e),d=c.length,l=0;l<d;l++)c[l].apply(a,r);var p=m()[s[e]];p&&p.push([f,e,r,a]);return a},get:v,listeners:h,context:g,buffer:function(e,t){const r=m();if(t=t||"feature",f.aborted)return;Object.entries(e||{}).forEach((([e,n])=>{s[n]=t,t in r||(r[t]=[])}))},abort:function(){f._aborted=!0,Object.keys(f.backlog).forEach((e=>{delete f.backlog[e]}))},isBuffering:function(e){return!!m()[s[e]]},debugId:r,backlog:l?{}:t&&"object"==typeof t.backlog?t.backlog:{},isolatedBacklog:l};return Object.defineProperty(f,"aborted",{get:()=>{let e=f._aborted||!1;return e||(t&&(e=t.aborted),e)}}),f;function g(e){return e&&e instanceof a.y?e:e?(0,i.I)(e,c,(()=>new a.y(c))):new a.y(c)}function p(e,t){n[e]=h(e).concat(t)}function h(e){return n[e]||[]}function v(t){return d[t]=d[t]||e(f,t)}function m(){return f.backlog}}(void 0,"globalEE"),d=(0,n.Zm)();d.ee||(d.ee=u)},2646:(e,t,r)=>{"use strict";r.d(t,{y:()=>n});class n{constructor(e){this.contextId=e}}},9908:(e,t,r)=>{"use strict";r.d(t,{d:()=>n,p:()=>i});var n=r(7836).ee.get("handle");function i(e,t,r,i,o){o?(o.buffer([e],i),o.emit(e,t,r)):(n.buffer([e],i),n.emit(e,t,r))}},3606:(e,t,r)=>{"use strict";r.d(t,{i:()=>o});var n=r(9908);o.on=a;var i=o.handlers={};function o(e,t,r,o){a(o||n.d,i,e,t,r)}function a(e,t,r,i,o){o||(o="feature"),e||(e=n.d);var a=t[o]=t[o]||{};(a[r]=a[r]||[]).push([e,i])}},3878:(e,t,r)=>{"use strict";function n(e,t){return{capture:e,passive:!1,signal:t}}function i(e,t,r=!1,i){window.addEventListener(e,t,n(r,i))}function o(e,t,r=!1,i){document.addEventListener(e,t,n(r,i))}r.d(t,{DD:()=>o,jT:()=>n,sp:()=>i})},5607:(e,t,r)=>{"use strict";r.d(t,{W:()=>n});const n=(0,r(9566).bz)()},9566:(e,t,r)=>{"use strict";r.d(t,{LA:()=>s,bz:()=>a});var n=r(6154);const 
i="xxxxxxxx-xxxx-4xxx-yxxx-xxxxxxxxxxxx";function o(e,t){return e?15&e[t]:16*Math.random()|0}function a(){const e=n.gm?.crypto||n.gm?.msCrypto;let t,r=0;return e&&e.getRandomValues&&(t=e.getRandomValues(new Uint8Array(30))),i.split("").map((e=>"x"===e?o(t,r++).toString(16):"y"===e?(3&o()|8).toString(16):e)).join("")}function s(e){const t=n.gm?.crypto||n.gm?.msCrypto;let r,i=0;t&&t.getRandomValues&&(r=t.getRandomValues(new Uint8Array(e)));const a=[];for(var s=0;s<e;s++)a.push(o(r,i++).toString(16));return a.join("")}},2614:(e,t,r)=>{"use strict";r.d(t,{BB:()=>a,H3:()=>n,g:()=>u,iL:()=>c,tS:()=>s,uh:()=>i,wk:()=>o});const n="NRBA",i="SESSION",o=144e5,a=18e5,s={STARTED:"session-started",PAUSE:"session-pause",RESET:"session-reset",RESUME:"session-resume",UPDATE:"session-update"},c={SAME_TAB:"same-tab",CROSS_TAB:"cross-tab"},u={OFF:0,FULL:1,ERROR:2}},1863:(e,t,r)=>{"use strict";function n(){return Math.floor(performance.now())}r.d(t,{t:()=>n})},944:(e,t,r)=>{"use strict";function n(e,t){"function"==typeof console.debug&&console.debug("New Relic Warning: https://github.com/newrelic/newrelic-browser-agent/blob/main/docs/warning-codes.md#".concat(e),t)}r.d(t,{R:()=>n})},5284:(e,t,r)=>{"use strict";r.d(t,{t:()=>c,B:()=>s});var n=r(7836),i=r(6154);const o="newrelic";const a=new Set,s={};function c(e,t){const r=n.ee.get(t);s[t]??={},e&&"object"==typeof e&&(a.has(t)||(r.emit("rumresp",[e]),s[t]=e,a.add(t),function(e={}){try{i.gm.dispatchEvent(new CustomEvent(o,{detail:e}))}catch(e){}}({loaded:!0})))}},8990:(e,t,r)=>{"use strict";r.d(t,{I:()=>i});var n=Object.prototype.hasOwnProperty;function i(e,t,r){if(n.call(e,t))return e[t];var i=r();if(Object.defineProperty&&Object.keys)try{return Object.defineProperty(e,t,{value:i,writable:!0,enumerable:!1}),i}catch(e){}return e[t]=i,i}},6389:(e,t,r)=>{"use strict";function n(e,t=500,r={}){const n=r?.leading||!1;let i;return(...r)=>{n&&void 
0===i&&(e.apply(this,r),i=setTimeout((()=>{i=clearTimeout(i)}),t)),n||(clearTimeout(i),i=setTimeout((()=>{e.apply(this,r)}),t))}}function i(e){let t=!1;return(...r)=>{t||(t=!0,e.apply(this,r))}}r.d(t,{J:()=>i,s:()=>n})},5289:(e,t,r)=>{"use strict";r.d(t,{GG:()=>o,sB:()=>a});var n=r(3878);function i(){return"undefined"==typeof document||"complete"===document.readyState}function o(e,t){if(i())return e();(0,n.sp)("load",e,t)}function a(e){if(i())return e();(0,n.DD)("DOMContentLoaded",e)}},384:(e,t,r)=>{"use strict";r.d(t,{NT:()=>o,US:()=>d,Zm:()=>a,bQ:()=>c,dV:()=>s,nY:()=>u,pV:()=>l});var n=r(6154),i=r(1863);const o={beacon:"bam.nr-data.net",errorBeacon:"bam.nr-data.net"};function a(){return n.gm.NREUM||(n.gm.NREUM={}),void 0===n.gm.newrelic&&(n.gm.newrelic=n.gm.NREUM),n.gm.NREUM}function s(){let e=a();return e.o||(e.o={ST:n.gm.setTimeout,SI:n.gm.setImmediate,CT:n.gm.clearTimeout,XHR:n.gm.XMLHttpRequest,REQ:n.gm.Request,EV:n.gm.Event,PR:n.gm.Promise,MO:n.gm.MutationObserver,FETCH:n.gm.fetch,WS:n.gm.WebSocket}),e}function c(e,t){let r=a();r.initializedAgents??={},t.initializedAt={ms:(0,i.t)(),date:new Date},r.initializedAgents[e]=t}function u(e){let t=a();return t.initializedAgents?.[e]}function d(e,t){a()[e]=t}function l(){return function(){let e=a();const t=e.info||{};e.info={beacon:o.beacon,errorBeacon:o.errorBeacon,...t}}(),function(){let e=a();const t=e.init||{};e.init={...t}}(),s(),function(){let e=a();const t=e.loader_config||{};e.loader_config={...t}}(),a()}},2843:(e,t,r)=>{"use strict";r.d(t,{u:()=>i});var n=r(3878);function i(e,t=!1,r,i){(0,n.DD)("visibilitychange",(function(){if(t)return void("hidden"===document.visibilityState&&e());e(document.visibilityState)}),r,i)}},3434:(e,t,r)=>{"use strict";r.d(t,{YM:()=>c});var n=r(7836),i=r(5607);const o="nr@original:".concat(i.W);var a=Object.prototype.hasOwnProperty,s=!1;function c(e,t){return e||(e=n.ee),r.inPlace=function(e,t,n,i,o){n||(n="");const a="-"===n.charAt(0);for(let s=0;s<t.length;s++){const 
c=t[s],u=e[c];d(u)||(e[c]=r(u,a?c+n:n,i,c,o))}},r.flag=o,r;function r(t,r,n,s,c){return d(t)?t:(r||(r=""),nrWrapper[o]=t,function(e,t,r){if(Object.defineProperty&&Object.keys)try{return Object.keys(e).forEach((function(r){Object.defineProperty(t,r,{get:function(){return e[r]},set:function(t){return e[r]=t,t}})})),t}catch(e){u([e],r)}for(var n in e)a.call(e,n)&&(t[n]=e[n])}(t,nrWrapper,e),nrWrapper);function nrWrapper(){var o,a,d,l;try{a=this,o=[...arguments],d="function"==typeof n?n(o,a):n||{}}catch(t){u([t,"",[o,a,s],d],e)}i(r+"start",[o,a,s],d,c);try{return l=t.apply(a,o)}catch(e){throw i(r+"err",[o,a,e],d,c),e}finally{i(r+"end",[o,a,l],d,c)}}}function i(r,n,i,o){if(!s||t){var a=s;s=!0;try{e.emit(r,n,i,t,o)}catch(t){u([t,r,n,i],e)}s=a}}}function u(e,t){t||(t=n.ee);try{t.emit("internal-error",e)}catch(e){}}function d(e){return!(e&&"function"==typeof e&&e.apply&&!e[o])}},993:(e,t,r)=>{"use strict";r.d(t,{ET:()=>o,p_:()=>i});var n=r(860);const i={ERROR:"ERROR",WARN:"WARN",INFO:"INFO",DEBUG:"DEBUG",TRACE:"TRACE"},o="log";n.K7.logging},3969:(e,t,r)=>{"use strict";r.d(t,{TZ:()=>n,XG:()=>s,rs:()=>i,xV:()=>a,z_:()=>o});const n=r(860).K7.metrics,i="sm",o="cm",a="storeSupportabilityMetrics",s="storeEventMetrics"},6630:(e,t,r)=>{"use strict";r.d(t,{T:()=>n});const n=r(860).K7.pageViewEvent},782:(e,t,r)=>{"use strict";r.d(t,{T:()=>n});const n=r(860).K7.pageViewTiming},6344:(e,t,r)=>{"use strict";r.d(t,{G4:()=>i});var n=r(2614);r(860).K7.sessionReplay;const i={RECORD:"recordReplay",PAUSE:"pauseReplay",REPLAY_RUNNING:"replayRunning",ERROR_DURING_REPLAY:"errorDuringReplay"};n.g.ERROR,n.g.FULL,n.g.OFF},4234:(e,t,r)=>{"use strict";r.d(t,{W:()=>o});var n=r(7836),i=r(1687);class o{constructor(e,t){this.agentIdentifier=e,this.ee=n.ee.get(e),this.featureName=t,this.blocked=!1}deregisterDrain(){(0,i.x3)(this.agentIdentifier,this.featureName)}}},7603:(e,t,r)=>{"use strict";r.d(t,{j:()=>P});var 
n=r(860),i=r(2555),o=r(3371),a=r(9908),s=r(7836),c=r(1687),u=r(5289),d=r(6154),l=r(944),f=r(3969),g=r(384),p=r(6344);const h=["setErrorHandler","finished","addToTrace","addRelease","addPageAction","setCurrentRouteName","setPageViewName","setCustomAttribute","interaction","noticeError","setUserId","setApplicationVersion","start",p.G4.RECORD,p.G4.PAUSE,"log","wrapLogger"],v=["setErrorHandler","finished","addToTrace","addRelease"];var m=r(1863),b=r(2614),y=r(993);var w=r(2646),A=r(3434);function R(e,t,r,n){if("object"!=typeof t||!t||"string"!=typeof r||!r||"function"!=typeof t[r])return(0,l.R)(29);const i=function(e){return(e||s.ee).get("logger")}(e),o=(0,A.YM)(i),a=new w.y(s.P);return a.level=n.level,a.customAttributes=n.customAttributes,o.inPlace(t,[r],"wrap-logger-",a),i}function E(){const e=(0,g.pV)();h.forEach((t=>{e[t]=(...r)=>function(t,...r){let n=[];return Object.values(e.initializedAgents).forEach((e=>{e&&e.api?e.exposed&&e.api[t]&&n.push(e.api[t](...r)):(0,l.R)(38,t)})),n.length>1?n:n[0]}(t,...r)}))}const x={};function _(e,t,g=!1){t||(0,c.Ak)(e,"api");const h={};var w=s.ee.get(e),A=w.get("tracer");x[e]=b.g.OFF,w.on(p.G4.REPLAY_RUNNING,(t=>{x[e]=t}));var E="api-",_=E+"ixn-";function N(t,r,n,o){const a=(0,i.Vp)(e);return null===r?delete a.jsAttributes[t]:(0,i.x1)(e,{...a,jsAttributes:{...a.jsAttributes,[t]:r}}),j(E,n,!0,o||null===r?"session":void 0)(t,r)}function T(){}h.log=function(e,{customAttributes:t={},level:r=y.p_.INFO}={}){(0,a.p)(f.xV,["API/log/called"],void 0,n.K7.metrics,w),function(e,t,r={},i=y.p_.INFO){(0,a.p)(f.xV,["API/logging/".concat(i.toLowerCase(),"/called")],void 0,n.K7.metrics,e),(0,a.p)(y.ET,[(0,m.t)(),t,r,i],void 0,n.K7.logging,e)}(w,e,t,r)},h.wrapLogger=(e,t,{customAttributes:r={},level:i=y.p_.INFO}={})=>{(0,a.p)(f.xV,["API/wrapLogger/called"],void 
0,n.K7.metrics,w),R(w,e,t,{customAttributes:r,level:i})},v.forEach((e=>{h[e]=j(E,e,!0,"api")})),h.addPageAction=j(E,"addPageAction",!0,n.K7.genericEvents),h.setPageViewName=function(t,r){if("string"==typeof t)return"/"!==t.charAt(0)&&(t="/"+t),(0,o.f)(e).customTransaction=(r||"http://custom.transaction")+t,j(E,"setPageViewName",!0)()},h.setCustomAttribute=function(e,t,r=!1){if("string"==typeof e){if(["string","number","boolean"].includes(typeof t)||null===t)return N(e,t,"setCustomAttribute",r);(0,l.R)(40,typeof t)}else(0,l.R)(39,typeof e)},h.setUserId=function(e){if("string"==typeof e||null===e)return N("enduser.id",e,"setUserId",!0);(0,l.R)(41,typeof e)},h.setApplicationVersion=function(e){if("string"==typeof e||null===e)return N("application.version",e,"setApplicationVersion",!1);(0,l.R)(42,typeof e)},h.start=()=>{try{(0,a.p)(f.xV,["API/start/called"],void 0,n.K7.metrics,w),w.emit("manual-start-all")}catch(e){(0,l.R)(23,e)}},h[p.G4.RECORD]=function(){(0,a.p)(f.xV,["API/recordReplay/called"],void 0,n.K7.metrics,w),(0,a.p)(p.G4.RECORD,[],void 0,n.K7.sessionReplay,w)},h[p.G4.PAUSE]=function(){(0,a.p)(f.xV,["API/pauseReplay/called"],void 0,n.K7.metrics,w),(0,a.p)(p.G4.PAUSE,[],void 0,n.K7.sessionReplay,w)},h.interaction=function(e){return(new T).get("object"==typeof e?e:{})};const S=T.prototype={createTracer:function(e,t){var r={},i=this,o="function"==typeof t;return(0,a.p)(f.xV,["API/createTracer/called"],void 0,n.K7.metrics,w),g||(0,a.p)(_+"tracer",[(0,m.t)(),e,r],i,n.K7.spa,w),function(){if(A.emit((o?"":"no-")+"fn-start",[(0,m.t)(),i,o],r),o)try{return t.apply(this,arguments)}catch(e){const t="string"==typeof e?new Error(e):e;throw A.emit("fn-err",[arguments,this,t],r),t}finally{A.emit("fn-end",[(0,m.t)()],r)}}}};function j(e,t,r,i){return function(){return(0,a.p)(f.xV,["API/"+t+"/called"],void 0,n.K7.metrics,w),i&&(0,a.p)(e+t,[(0,m.t)(),...arguments],r?null:this,i,w),r?void 0:this}}function 
k(){r.e(296).then(r.bind(r,8778)).then((({setAPI:t})=>{t(e),(0,c.Ze)(e,"api")})).catch((e=>{(0,l.R)(27,e),w.abort()}))}return["actionText","setName","setAttribute","save","ignore","onEnd","getContext","end","get"].forEach((e=>{S[e]=j(_,e,void 0,g?n.K7.softNav:n.K7.spa)})),h.setCurrentRouteName=g?j(_,"routeName",void 0,n.K7.softNav):j(E,"routeName",!0,n.K7.spa),h.noticeError=function(t,r){"string"==typeof t&&(t=new Error(t)),(0,a.p)(f.xV,["API/noticeError/called"],void 0,n.K7.metrics,w),(0,a.p)("err",[t,(0,m.t)(),!1,r,!!x[e]],void 0,n.K7.jserrors,w)},d.RI?(0,u.GG)((()=>k()),!0):k(),h}var N=r(9417),T=r(8122);const S={accountID:void 0,trustKey:void 0,agentID:void 0,licenseKey:void 0,applicationID:void 0,xpid:void 0},j={};var k=r(5284);const I=e=>{const t=e.startsWith("http");e+="/",r.p=t?e:"https://"+e};let O=!1;function P(e,t={},r,n){let{init:a,info:c,loader_config:u,runtime:l={},exposed:f=!0}=t;l.loaderType=r;const p=(0,g.pV)();c||(a=p.init,c=p.info,u=p.loader_config),(0,N.xN)(e.agentIdentifier,a||{}),function(e,t){if(!e)throw new Error("All loader-config objects require an agent identifier!");j[e]=(0,T.a)(t,S);const r=(0,g.nY)(e);r&&(r.loader_config=j[e])}(e.agentIdentifier,u||{}),c.jsAttributes??={},d.bv&&(c.jsAttributes.isWorker=!0),(0,i.x1)(e.agentIdentifier,c);const h=(0,N.D0)(e.agentIdentifier),v=[c.beacon,c.errorBeacon];O||(h.proxy.assets&&(I(h.proxy.assets),v.push(h.proxy.assets)),h.proxy.beacon&&v.push(h.proxy.beacon),E(),(0,g.US)("activatedFeatures",k.B),e.runSoftNavOverSpa&&=!0===h.soft_navigations.enabled&&h.feature_flags.includes("soft_nav")),l.denyList=[...h.ajax.deny_list||[],...h.ajax.block_internal?v:[]],l.ptid=e.agentIdentifier,(0,o.V)(e.agentIdentifier,l),e.ee=s.ee.get(e.agentIdentifier),void 0===e.api&&(e.api=_(e.agentIdentifier,n,e.runSoftNavOverSpa)),void 0===e.exposed&&(e.exposed=f),O=!0}},8374:(e,t,r)=>{r.nc=(()=>{try{return document?.currentScript?.nonce}catch(e){}return""})()},860:(e,t,r)=>{"use 
strict";r.d(t,{$J:()=>o,K7:()=>n,P3:()=>i});const n={ajax:"ajax",genericEvents:"generic_events",jserrors:"jserrors",logging:"logging",metrics:"metrics",pageAction:"page_action",pageViewEvent:"page_view_event",pageViewTiming:"page_view_timing",sessionReplay:"session_replay",sessionTrace:"session_trace",softNav:"soft_navigations",spa:"spa"},i={[n.pageViewEvent]:1,[n.pageViewTiming]:2,[n.metrics]:3,[n.jserrors]:4,[n.spa]:5,[n.ajax]:6,[n.sessionTrace]:7,[n.softNav]:8,[n.sessionReplay]:9,[n.logging]:10,[n.genericEvents]:11},o={[n.pageViewTiming]:"events",[n.ajax]:"events",[n.spa]:"events",[n.softNav]:"events",[n.metrics]:"jserrors",[n.jserrors]:"jserrors",[n.sessionTrace]:"browser/blobs",[n.sessionReplay]:"browser/blobs",[n.logging]:"browser/logs",[n.genericEvents]:"ins"}}},n={};function i(e){var t=n[e];if(void 0!==t)return t.exports;var o=n[e]={exports:{}};return r[e](o,o.exports,i),o.exports}i.m=r,i.d=(e,t)=>{for(var r in t)i.o(t,r)&&!i.o(e,r)&&Object.defineProperty(e,r,{enumerable:!0,get:t[r]})},i.f={},i.e=e=>Promise.all(Object.keys(i.f).reduce(((t,r)=>(i.f[r](e,t),t)),[])),i.u=e=>"nr-rum-1.274.0.min.js",i.o=(e,t)=>Object.prototype.hasOwnProperty.call(e,t),e={},t="NRBA-1.274.0.PROD:",i.l=(r,n,o,a)=>{if(e[r])e[r].push(n);else{var s,c;if(void 0!==o)for(var u=document.getElementsByTagName("script"),d=0;d<u.length;d++){var l=u[d];if(l.getAttribute("src")==r||l.getAttribute("data-webpack")==t+o){s=l;break}}if(!s){c=!0;var f={296:"sha512-gkYkZDAwQ9PwaDXs2YM+rNIdRej1Ac1mupWobRJ8eahQcXz6/sunGZCKklrzi5kWxhOGRZr2tn0rEKuLTXzfAA=="};(s=document.createElement("script")).charset="utf-8",s.timeout=120,i.nc&&s.setAttribute("nonce",i.nc),s.setAttribute("data-webpack",t+o),s.src=r,0!==s.src.indexOf(window.location.origin+"/")&&(s.crossOrigin="anonymous"),f[a]&&(s.integrity=f[a])}e[r]=[n];var g=(t,n)=>{s.onerror=s.onload=null,clearTimeout(p);var i=e[r];if(delete e[r],s.parentNode&&s.parentNode.removeChild(s),i&&i.forEach((e=>e(n))),t)return t(n)},p=setTimeout(g.bind(null,void 
0,{type:"timeout",target:s}),12e4);s.onerror=g.bind(null,s.onerror),s.onload=g.bind(null,s.onload),c&&document.head.appendChild(s)}},i.r=e=>{"undefined"!=typeof Symbol&&Symbol.toStringTag&&Object.defineProperty(e,Symbol.toStringTag,{value:"Module"}),Object.defineProperty(e,"__esModule",{value:!0})},i.p="https://js-agent.newrelic.com/",(()=>{var e={840:0,374:0};i.f.j=(t,r)=>{var n=i.o(e,t)?e[t]:void 0;if(0!==n)if(n)r.push(n[2]);else{var o=new Promise(((r,i)=>n=e[t]=[r,i]));r.push(n[2]=o);var a=i.p+i.u(t),s=new Error;i.l(a,(r=>{if(i.o(e,t)&&(0!==(n=e[t])&&(e[t]=void 0),n)){var o=r&&("load"===r.type?"missing":r.type),a=r&&r.target&&r.target.src;s.message="Loading chunk "+t+" failed.\n("+o+": "+a+")",s.name="ChunkLoadError",s.type=o,s.request=a,n[1](s)}}),"chunk-"+t,t)}};var t=(t,r)=>{var n,o,[a,s,c]=r,u=0;if(a.some((t=>0!==e[t]))){for(n in s)i.o(s,n)&&(i.m[n]=s[n]);if(c)c(i)}for(t&&t(r);u<a.length;u++)o=a[u],i.o(e,o)&&e[o]&&e[o][0](),e[o]=0},r=self["webpackChunk:NRBA-1.274.0.PROD"]=self["webpackChunk:NRBA-1.274.0.PROD"]||[];r.forEach(t.bind(null,0)),r.push=t.bind(null,r.push.bind(r))})(),(()=>{"use strict";i(8374);var e=i(944),t=i(6344),r=i(9566);class n{agentIdentifier;constructor(e=(0,r.LA)(16)){this.agentIdentifier=e}#e(t,...r){if("function"==typeof this.api?.[t])return this.api[t](...r);(0,e.R)(35,t)}addPageAction(e,t){return this.#e("addPageAction",e,t)}setPageViewName(e,t){return this.#e("setPageViewName",e,t)}setCustomAttribute(e,t,r){return this.#e("setCustomAttribute",e,t,r)}noticeError(e,t){return this.#e("noticeError",e,t)}setUserId(e){return this.#e("setUserId",e)}setApplicationVersion(e){return this.#e("setApplicationVersion",e)}setErrorHandler(e){return this.#e("setErrorHandler",e)}addRelease(e,t){return this.#e("addRelease",e,t)}log(e,t){return this.#e("log",e,t)}}class o extends n{#e(t,...r){if("function"==typeof this.api?.[t])return this.api[t](...r);(0,e.R)(35,t)}start(){return this.#e("start")}finished(e){return 
this.#e("finished",e)}recordReplay(){return this.#e(t.G4.RECORD)}pauseReplay(){return this.#e(t.G4.PAUSE)}addToTrace(e){return this.#e("addToTrace",e)}setCurrentRouteName(e){return this.#e("setCurrentRouteName",e)}interaction(){return this.#e("interaction")}wrapLogger(e,t,r){return this.#e("wrapLogger",e,t,r)}}var a=i(860),s=i(9417);const c=Object.values(a.K7);function u(e){const t={};return c.forEach((r=>{t[r]=function(e,t){return!0===(0,s.gD)(t,"".concat(e,".enabled"))}(r,e)})),t}var d=i(7603);var l=i(1687),f=i(4234),g=i(5289),p=i(6154),h=i(384);const v=e=>p.RI&&!0===(0,s.gD)(e,"privacy.cookies_enabled");function m(e){return!!(0,h.dV)().o.MO&&v(e)&&!0===(0,s.gD)(e,"session_trace.enabled")}var b=i(6389);class y extends f.W{constructor(e,t,r=!0){super(e.agentIdentifier,t),this.auto=r,this.abortHandler=void 0,this.featAggregate=void 0,this.onAggregateImported=void 0,!1===e.init[this.featureName].autoStart&&(this.auto=!1),this.auto?(0,l.Ak)(e.agentIdentifier,t):this.ee.on("manual-start-all",(0,b.J)((()=>{(0,l.Ak)(e.agentIdentifier,this.featureName),this.auto=!0,this.importAggregator(e)})))}importAggregator(t,r={}){if(this.featAggregate||!this.auto)return;let n;this.onAggregateImported=new Promise((e=>{n=e}));const o=async()=>{let o;try{if(v(this.agentIdentifier)){const{setupAgentSession:e}=await i.e(296).then(i.bind(i,3861));o=e(t)}}catch(t){(0,e.R)(20,t),this.ee.emit("internal-error",[t]),this.featureName===a.K7.sessionReplay&&this.abortHandler?.()}try{if(t.sharedAggregator)await t.sharedAggregator;else{t.sharedAggregator=i.e(296).then(i.bind(i,9337));const{EventAggregator:e}=await t.sharedAggregator;t.sharedAggregator=new e}if(!this.#t(this.featureName,o))return(0,l.Ze)(this.agentIdentifier,this.featureName),void n(!1);const{lazyFeatureLoader:e}=await i.e(296).then(i.bind(i,6103)),{Aggregate:a}=await e(this.featureName,"aggregate");this.featAggregate=new 
a(t,r),n(!0)}catch(t){(0,e.R)(34,t),this.abortHandler?.(),(0,l.Ze)(this.agentIdentifier,this.featureName,!0),n(!1),this.ee&&this.ee.abort()}};p.RI?(0,g.GG)((()=>o()),!0):o()}#t(e,t){switch(e){case a.K7.sessionReplay:return m(this.agentIdentifier)&&!!t;case a.K7.sessionTrace:return!!t;default:return!0}}}var w=i(6630);class A extends y{static featureName=w.T;constructor(e,t=!0){super(e,w.T,t),this.importAggregator(e)}}var R=i(9908),E=i(2843),x=i(3878),_=i(782),N=i(1863);class T extends y{static featureName=_.T;constructor(e,t=!0){super(e,_.T,t),p.RI&&((0,E.u)((()=>(0,R.p)("docHidden",[(0,N.t)()],void 0,_.T,this.ee)),!0),(0,x.sp)("pagehide",(()=>(0,R.p)("winPagehide",[(0,N.t)()],void 0,_.T,this.ee))),this.importAggregator(e))}}var S=i(3969);class j extends y{static featureName=S.TZ;constructor(e,t=!0){super(e,S.TZ,t),this.importAggregator(e)}}new class extends o{constructor(t,r){super(r),p.gm?(this.features={},(0,h.bQ)(this.agentIdentifier,this),this.desiredFeatures=new Set(t.features||[]),this.desiredFeatures.add(A),this.runSoftNavOverSpa=[...this.desiredFeatures].some((e=>e.featureName===a.K7.softNav)),(0,d.j)(this,t,t.loaderType||"agent"),this.run()):(0,e.R)(21)}get config(){return{info:this.info,init:this.init,loader_config:this.loader_config,runtime:this.runtime}}run(){try{const t=u(this.agentIdentifier),r=[...this.desiredFeatures];r.sort(((e,t)=>a.P3[e.featureName]-a.P3[t.featureName])),r.forEach((r=>{if(!t[r.featureName]&&r.featureName!==a.K7.pageViewEvent)return;if(this.runSoftNavOverSpa&&r.featureName===a.K7.spa)return;if(!this.runSoftNavOverSpa&&r.featureName===a.K7.softNav)return;const n=function(e){switch(e){case a.K7.ajax:return[a.K7.jserrors];case a.K7.sessionTrace:return[a.K7.ajax,a.K7.pageViewEvent];case a.K7.sessionReplay:return[a.K7.sessionTrace];case a.K7.pageViewTiming:return[a.K7.pageViewEvent];default:return[]}}(r.featureName).filter((e=>!(e in 
this.features)));n.length>0&&(0,e.R)(36,{targetFeature:r.featureName,missingDependencies:n}),this.features[r.featureName]=new r(this)}))}catch(t){(0,e.R)(22,t);for(const e in this.features)this.features[e].abortHandler?.();const r=(0,h.Zm)();delete r.initializedAgents[this.agentIdentifier]?.api,delete r.initializedAgents[this.agentIdentifier]?.features,delete this.sharedAggregator;return r.ee.get(this.agentIdentifier).abort(),!1}}}({features:[A,T,j],loaderType:"lite"})})()})();</script><link data-next-font="size-adjust" rel="preconnect" href="/" crossorigin="anonymous"/><link nonce="nonce-MWQ2NWVhNDAtMDgzNi00M2JmLWI1NWUtNjUxM2Y0MjUwMDk5" rel="preload" href="/_next/static/css/ffa80ed36c27c549.css" as="style"/><link nonce="nonce-MWQ2NWVhNDAtMDgzNi00M2JmLWI1NWUtNjUxM2Y0MjUwMDk5" rel="stylesheet" href="/_next/static/css/ffa80ed36c27c549.css" data-n-g=""/><noscript data-n-css="nonce-MWQ2NWVhNDAtMDgzNi00M2JmLWI1NWUtNjUxM2Y0MjUwMDk5"></noscript><script defer="" nonce="nonce-MWQ2NWVhNDAtMDgzNi00M2JmLWI1NWUtNjUxM2Y0MjUwMDk5" nomodule="" src="/_next/static/chunks/polyfills-78c92fac7aa8fdd8.js"></script><script src="/_next/static/chunks/webpack-a707e99c69361791.js" nonce="nonce-MWQ2NWVhNDAtMDgzNi00M2JmLWI1NWUtNjUxM2Y0MjUwMDk5" defer=""></script><script src="/_next/static/chunks/framework-b0ec748c7a4c483a.js" nonce="nonce-MWQ2NWVhNDAtMDgzNi00M2JmLWI1NWUtNjUxM2Y0MjUwMDk5" defer=""></script><script src="/_next/static/chunks/main-dbb03be72fb978ea.js" nonce="nonce-MWQ2NWVhNDAtMDgzNi00M2JmLWI1NWUtNjUxM2Y0MjUwMDk5" defer=""></script><script src="/_next/static/chunks/pages/_app-9014959bd1a0f7dd.js" nonce="nonce-MWQ2NWVhNDAtMDgzNi00M2JmLWI1NWUtNjUxM2Y0MjUwMDk5" defer=""></script><script src="/_next/static/chunks/pages/attack-path-techniques-e026ee44094efb7d.js" nonce="nonce-MWQ2NWVhNDAtMDgzNi00M2JmLWI1NWUtNjUxM2Y0MjUwMDk5" defer=""></script><script src="/_next/static/fGlHUlsrtZ1JnQfd6DHsd/_buildManifest.js" nonce="nonce-MWQ2NWVhNDAtMDgzNi00M2JmLWI1NWUtNjUxM2Y0MjUwMDk5" 
defer=""></script><script src="/_next/static/fGlHUlsrtZ1JnQfd6DHsd/_ssgManifest.js" nonce="nonce-MWQ2NWVhNDAtMDgzNi00M2JmLWI1NWUtNjUxM2Y0MjUwMDk5" defer=""></script></head><body data-base-url="https://www.tenable.com" data-ga4-tracking-id=""><div id="__next"><div class="app__wrapper"><header class="banner"><div class="nav-wrapper"><ul class="list-inline nav-brand"><li class="list-inline-item"><a href="https://www.tenable.com"><img class="logo" src="https://www.tenable.com/themes/custom/tenable/img/logo.png" alt="Tenable"/></a></li><li class="list-inline-item"><a class="app-name" href="https://www.tenable.com/attack-path-techniques">Attack Path Techniques</a></li></ul><ul class="nav-dropdown nav"><li class="d-none d-md-block dropdown nav-item"><a aria-haspopup="true" href="#" class="dropdown-toggle nav-link" aria-expanded="false">Settings</a><div tabindex="-1" role="menu" aria-hidden="true" class="dropdown-menu dropdown-menu-right"><h6 tabindex="-1" class="dropdown-header">Links</h6><a href="https://cloud.tenable.com" role="menuitem" class="dropdown-item">Tenable Cloud<!-- --> <i class="fas fa-external-link-alt external-link"></i></a><a href="https://community.tenable.com/login" role="menuitem" class="dropdown-item">Tenable Community & Support<!-- --> <i class="fas fa-external-link-alt external-link"></i></a><a href="https://university.tenable.com/lms/index.php?r=site/sso&sso_type=saml" role="menuitem" class="dropdown-item">Tenable University<!-- --> <i class="fas fa-external-link-alt external-link"></i></a><div tabindex="-1" class="dropdown-divider"></div><span tabindex="-1" class="dropdown-item-text"><div class="d-flex justify-content-between toggle-btn-group flex-row"><div class="label">Theme</div><div role="group" class="ml-3 btn-group-sm btn-group"><button type="button" class="toggle-btn btn btn-outline-primary active">Light</button><button type="button" class="toggle-btn btn btn-outline-primary">Dark</button><button type="button" class="toggle-btn btn 
Attack</span></a></li><li class="false nav-item"><a href="/indicators/ioe" class="nav-link"><span>Indicators of Exposure</span></a></li></div></ul><h6 class="side-nav-heading">Analytics</h6><ul class="side-nav bg-white sticky-top nav flex-column"><li class="nav-item"><a type="button" class="nav-link">CVEs<i class="float-right mt-1 fas fa-chevron-right"></i></a></li><div class="side-nav-collapse collapse"><li class="false nav-item"><a href="/cve" class="nav-link"><span>Overview</span></a></li><li class="false nav-item"><a href="/cve/newest" class="nav-link"><span>Newest</span></a></li><li class="false nav-item"><a href="/cve/updated" class="nav-link"><span>Updated</span></a></li><li class="false nav-item"><a href="/cve/search" class="nav-link"><span>Search</span></a></li></div><li class="nav-item"><a type="button" class="nav-link">Attack Path Techniques<i class="float-right mt-1 fas fa-chevron-down"></i></a></li><div class="side-nav-collapse collapse show"><li class="active nav-item"><a href="/attack-path-techniques" class="nav-link"><span>Overview</span></a></li><li class="false nav-item"><a href="/attack-path-techniques/search" class="nav-link"><span>Search</span></a></li></div></ul></div><div class="col-12 col-md-9 col-xl-10"><div class="row"><div class="col-md-8"><h1 class="h2">Attack Path Techniques</h1><p class="page-description">As part of a typical attack, adversaries leverage different tools and techniques to accomplish their objectives. Usually, a hacker attains an initial foothold on the network, whether through a phishing attack or by exploiting a publicly exposed vulnerability. Hackers may then seek to maintain access to the machine (Persistence), elevate their privileges, and laterally pivot between network devices (Lateral Movement). Finally, the hacker tries to complete their objective, for example, a denial of service against critical infrastructure, exfiltration of sensitive information, or disruption of existing services. This chain of events is known as an Attack Path. 
An attack path contains one or more Attack Techniques, allowing the hacker to accomplish his objective.</p></div><div class="col-md-4"><h4>RSS Feeds</h4><ul class="feed-list"><li><a target="_blank" href="/attack-path-techniques/feed">All Techniques</a></li></ul></div></div><div class="card"><div class="p-3 card-body"><div class="row"><div class="p-0 col"><div class="py-1 card card-body"><h4>Search</h4><input aria-label="Start typing to search Tenable Attack Path Techniques" placeholder="Start typing..." type="text" class="form-control form-control--search u-m-b-2 form-control" value=""/></div></div></div><div class="row"><div class="p-0 col"><div class="card card-body"><nav class="" aria-label="pagination"><ul class="justify-content-between pagination pagination"><li class="page-item disabled"><a class="page-link page-previous" href="https://www.tenable.com/attack-path-techniques?page=0">‹‹ <!-- -->Previous<span class="sr-only"> <!-- -->Previous</span></a></li><li class="page-item disabled"><a class="page-link page-text">Page 1 of 3<!-- --> <span class="d-none d-sm-inline">• <!-- -->131 Total</span></a></li><li class="page-item"><a class="page-link page-next" href="https://www.tenable.com/attack-path-techniques?page=2"><span class="sr-only">Next</span>Next<!-- --> ››</a></li></ul></nav><div class="table-responsive"><table class="results-table table"><thead><tr><th>ID</th><th>Name</th><th>Platform</th><th>Family</th><th>Framework</th></tr></thead><tbody><tr><td><a class="no-break" href="https://www.tenable.com/attack-path-techniques/T1595.001_PRE">T1595.001_PRE</a></td><td>Active Scanning: Scanning IP Blocks</td><td>PRE</td><td><span>Reconnaissance</span></td><td>MITRE ATT&CK</td></tr><tr><td><a class="no-break" href="https://www.tenable.com/attack-path-techniques/T1059.009_Azure">T1059.009_Azure</a></td><td>Command and Scripting Interpreter: Cloud API</td><td>Entra ID</td><td><span>Execution</span></td><td>MITRE ATT&CK</td></tr><tr><td><a class="no-break" 
href="https://www.tenable.com/attack-path-techniques/T1556.007">T1556.007</a></td><td>Modify Authentication Process: Hybrid Identity</td><td>Entra ID</td><td><span>Credential Access</span>, <span>Defense Evasion</span>, <span>Persistence</span></td><td>MITRE ATT&CK</td></tr><tr><td><a class="no-break" href="https://www.tenable.com/attack-path-techniques/T1098.003_Azure">T1098.003_Azure</a></td><td>Account Manipulation: Additional Cloud Roles (Azure)</td><td>Entra ID</td><td><span>Persistence</span>, <span>Privilege Escalation</span></td><td>MITRE ATT&CK</td></tr><tr><td><a class="no-break" href="https://www.tenable.com/attack-path-techniques/T1484.002_Azure">T1484.002_Azure</a></td><td>Domain Policy Modification: Trust Modification(Azure)</td><td>Entra ID</td><td><span>Defense Evasion</span>, <span>Privilege Escalation</span></td><td>MITRE ATT&CK</td></tr><tr><td><a class="no-break" href="https://www.tenable.com/attack-path-techniques/T1069.003_Azure">T1069.003_Azure</a></td><td>Permission Groups Discovery:Cloud Groups(Azure)</td><td>Entra ID</td><td><span>Discovery</span></td><td>MITRE ATT&CK</td></tr><tr><td><a class="no-break" href="https://www.tenable.com/attack-path-techniques/T1098.001_Azure">T1098.001_Azure</a></td><td>Account Manipulation: Additional Cloud Credentials</td><td>Entra ID</td><td><span>Persistence</span></td><td>MITRE ATT&CK</td></tr><tr><td><a class="no-break" href="https://www.tenable.com/attack-path-techniques/T0846_ICS">T0846_ICS</a></td><td>Remote System Discovery</td><td>OT</td><td><span>Discovery</span></td><td>MITRE ATT&CK</td></tr><tr><td><a class="no-break" href="https://www.tenable.com/attack-path-techniques/T0814_ICS">T0814_ICS</a></td><td>Denial of Service</td><td>OT</td><td><span>Inhibit Response Function</span></td><td>MITRE ATT&CK</td></tr><tr><td><a class="no-break" href="https://www.tenable.com/attack-path-techniques/T0891_ICS">T0891_ICS</a></td><td>Hardcoded Credentials</td><td>OT</td><td><span>Lateral Movement</span>, 
<span>Persistence</span></td><td>MITRE ATT&CK</td></tr><tr><td><a class="no-break" href="https://www.tenable.com/attack-path-techniques/T1615_Windows">T1615_Windows</a></td><td>Group Policy Discovery</td><td>Windows</td><td><span>Discovery</span></td><td>MITRE ATT&CK</td></tr><tr><td><a class="no-break" href="https://www.tenable.com/attack-path-techniques/T0812_ICS">T0812_ICS</a></td><td>Default Credentials</td><td>OT</td><td><span>Lateral Movement</span></td><td>MITRE ATT&CK</td></tr><tr><td><a class="no-break" href="https://www.tenable.com/attack-path-techniques/T0843_ICS">T0843_ICS</a></td><td>Program Download</td><td>OT</td><td><span>Lateral Movement</span></td><td>MITRE ATT&CK</td></tr><tr><td><a class="no-break" href="https://www.tenable.com/attack-path-techniques/T0866_ICS">T0866_ICS</a></td><td>Exploitation of Remote Services</td><td>OT</td><td><span>Initial Access</span>, <span>Lateral Movement</span></td><td>MITRE ATT&CK</td></tr><tr><td><a class="no-break" href="https://www.tenable.com/attack-path-techniques/T1499.004">T1499.004</a></td><td>Endpoint Denial of Service: Application or System Exploitation</td><td>Azure AD, Google Workspace, IaaS, Linux, Office 365, SaaS, Windows, macOS</td><td><span>Impact</span></td><td>MITRE ATT&CK</td></tr><tr><td><a class="no-break" href="https://www.tenable.com/attack-path-techniques/T1548.005_Azure">T1548.005_Azure</a></td><td>Abuse Elevation Control Mechanism: Temporary Elevated Cloud Access</td><td>Entra ID</td><td><span>Defense Evasion</span>, <span>Privilege Escalation</span></td><td>MITRE ATT&CK</td></tr><tr><td><a class="no-break" href="https://www.tenable.com/attack-path-techniques/1078.001">1078.001</a></td><td>Valid Accounts: Default Accounts</td><td>Azure AD, Containers, Google Workspace, IaaS, Linux, Office 365, SaaS, Windows, macOS</td><td><span>Defense Evasion</span>, <span>Persistence</span>, <span>Privilege Escalation</span>, <span>Initial Access</span></td><td>MITRE ATT&CK</td></tr><tr><td><a 
class="no-break" href="https://www.tenable.com/attack-path-techniques/T1078.004_Azure">T1078.004_Azure</a></td><td>Valid Accounts: Cloud Accounts</td><td>Entra ID</td><td><span>Defense Evasion</span>, <span>Persistence</span>, <span>Privilege Escalation</span>, <span>Initial Access</span></td><td>MITRE ATT&CK</td></tr><tr><td><a class="no-break" href="https://www.tenable.com/attack-path-techniques/T1087.004_Azure">T1087.004_Azure</a></td><td>Account Discovery:Cloud Account(Azure)</td><td>Entra ID</td><td><span>Discovery</span></td><td>MITRE ATT&CK</td></tr><tr><td><a class="no-break" href="https://www.tenable.com/attack-path-techniques/T1606.002_Azure">T1606.002_Azure</a></td><td>Forge Web Credentials:SAML Tokens(Azure)</td><td>Entra ID</td><td><span>Credential Access</span></td><td>MITRE ATT&CK</td></tr><tr><td><a class="no-break" href="https://www.tenable.com/attack-path-techniques/T0820_ICS">T0820_ICS</a></td><td>Exploitation for Evasion</td><td>OT</td><td><span>Evasion</span></td><td>MITRE ATT&CK</td></tr><tr><td><a class="no-break" href="https://www.tenable.com/attack-path-techniques/T1078.001_ICS">T1078.001_ICS</a></td><td>Valid Accounts: Default Accounts</td><td>Azure AD, Containers, Google Workspace, IaaS, Linux, Office 365, SaaS, Windows, macOS</td><td><span>Defense Evasion</span>, <span>Persistence</span>, <span>Privilege Escalation</span>, <span>Initial Access</span></td><td>MITRE ATT&CK</td></tr><tr><td><a class="no-break" href="https://www.tenable.com/attack-path-techniques/T1133_Azure">T1133_Azure</a></td><td>Exploit Public-Facing Application (Azure)</td><td>Entra ID</td><td><span>Initial Access</span>, <span>Persistence</span></td><td>MITRE ATT&CK</td></tr><tr><td><a class="no-break" href="https://www.tenable.com/attack-path-techniques/T1592.002_PRE">T1592.002_PRE</a></td><td>Gather Victim Host Information: Software</td><td>PRE</td><td><span>Reconnaissance</span></td><td>MITRE ATT&CK</td></tr><tr><td><a class="no-break" 
href="https://www.tenable.com/attack-path-techniques/T1059.004_Linux">T1059.004_Linux</a></td><td>Command and Scripting Interpreter: Unix Shell</td><td>Linux</td><td><span>Execution</span></td><td>MITRE ATT&CK</td></tr><tr><td><a class="no-break" href="https://www.tenable.com/attack-path-techniques/T1190_Aws">T1190_Aws</a></td><td>Exploit Public-Facing Application (Aws)</td><td>Aws</td><td><span>Initial Access</span>, <span>Persistence</span></td><td>MITRE ATT&CK</td></tr><tr><td><a class="no-break" href="https://www.tenable.com/attack-path-techniques/T1218.007_Windows">T1218.007_Windows</a></td><td>System Binary Proxy Execution: Msiexec</td><td>Windows</td><td><span>Defense Evasion</span></td><td>MITRE ATT&CK</td></tr><tr><td><a class="no-break" href="https://www.tenable.com/attack-path-techniques/T1219_Windows">T1219_Windows</a></td><td>Remote Access Software</td><td>Windows</td><td><span>Command and Control</span></td><td>MITRE ATT&CK</td></tr><tr><td><a class="no-break" href="https://www.tenable.com/attack-path-techniques/T1003.008_Windows">T1003.008_Windows</a></td><td>OS Credential Dumping: /etc/passwd and /etc/shadow</td><td>Linux</td><td><span>Credential Access</span></td><td>MITRE ATT&CK</td></tr><tr><td><a class="no-break" href="https://www.tenable.com/attack-path-techniques/T1552.002_Windows">T1552.002_Windows</a></td><td>Unsecured Credentials: Credentials in Registry </td><td>Windows</td><td><span>Credential Access</span></td><td>MITRE ATT&CK</td></tr><tr><td><a class="no-break" href="https://www.tenable.com/attack-path-techniques/T1574.010_Windows">T1574.010_Windows</a></td><td>Hijack Execution Flow: Services File Permissions Weakness</td><td>Windows</td><td><span>Persistence</span>, <span>Privilege Escalation</span>, <span>Defense Evasion</span></td><td>MITRE ATT&CK</td></tr><tr><td><a class="no-break" href="https://www.tenable.com/attack-path-techniques/T1053.005_Windows">T1053.005_Windows</a></td><td>Scheduled Task/Job: Scheduled 
Task</td><td>Windows</td><td><span>Execution</span>, <span>Persistence</span>, <span>Privilege Escalation</span></td><td>MITRE ATT&CK</td></tr><tr><td><a class="no-break" href="https://www.tenable.com/attack-path-techniques/T1059.003_Windows">T1059.003_Windows</a></td><td>Command and Scripting Interpreter: Windows Command Shell</td><td>Windows</td><td><span>Execution</span></td><td>MITRE ATT&CK</td></tr><tr><td><a class="no-break" href="https://www.tenable.com/attack-path-techniques/T1550.001_Windows">T1550.001_Windows</a></td><td>Material: Application Access Token</td><td>Windows</td><td><span>Lateral Movement</span>, <span>Defense Evasion</span></td><td>MITRE ATT&CK</td></tr><tr><td><a class="no-break" href="https://www.tenable.com/attack-path-techniques/T1580_AWS">T1580_AWS</a></td><td>Cloud Infrastructure Discovery(AWS)</td><td>AWS</td><td><span>Discovery</span></td><td>MITRE ATT&CK</td></tr><tr><td><a class="no-break" href="https://www.tenable.com/attack-path-techniques/T1552.005_AWS">T1552.005_AWS</a></td><td>Cloud Instance Metadata API</td><td>AWS</td><td><span>Credential Access</span></td><td>MITRE ATT&CK</td></tr><tr><td><a class="no-break" href="https://www.tenable.com/attack-path-techniques/T1555.004_Windows">T1555.004_Windows</a></td><td>Credentials from Password Stores: Windows Credential Manager</td><td>Windows</td><td><span>Credential Access</span></td><td>MITRE ATT&CK</td></tr><tr><td><a class="no-break" href="https://www.tenable.com/attack-path-techniques/T1059.005_Windows">T1059.005_Windows</a></td><td>Command and Scripting Interpreter: Visual Basic</td><td>Windows</td><td><span>Execution</span></td><td>MITRE ATT&CK</td></tr><tr><td><a class="no-break" href="https://www.tenable.com/attack-path-techniques/T1110.004_Windows">T1110.004_Windows</a></td><td>Brute Force: Credential Stuffing (Windows)</td><td>Windows</td><td><span>Credential Access</span></td><td>MITRE ATT&CK</td></tr><tr><td><a class="no-break" 
href="https://www.tenable.com/attack-path-techniques/T1619_AWS">T1619_AWS</a></td><td>Cloud Storage Object Discovery(AWS)</td><td>AWS</td><td><span>Discovery</span></td><td>MITRE ATT&CK</td></tr><tr><td><a class="no-break" href="https://www.tenable.com/attack-path-techniques/T1098.001_AWS">T1098.001_AWS</a></td><td>Account Manipulation: Additional Cloud Credentials</td><td>AWS</td><td><span>Persistence</span></td><td>MITRE ATT&CK</td></tr><tr><td><a class="no-break" href="https://www.tenable.com/attack-path-techniques/T1530_AWS">T1530_AWS</a></td><td>Data from Cloud Storage Object (AWS)</td><td>AWS</td><td><span>Collection</span></td><td>MITRE ATT&CK</td></tr><tr><td><a class="no-break" href="https://www.tenable.com/attack-path-techniques/T1648_AWS">T1648_AWS</a></td><td>Serverless Execution</td><td>AWS</td><td><span>Execution</span></td><td>MITRE ATT&CK</td></tr><tr><td><a class="no-break" href="https://www.tenable.com/attack-path-techniques/T1049_Windows">T1049_Windows</a></td><td>System Network Connections Discovery (Windows)</td><td>Windows</td><td><span>Discovery</span></td><td>MITRE ATT&CK</td></tr><tr><td><a class="no-break" href="https://www.tenable.com/attack-path-techniques/T1537_AWS">T1537_AWS</a></td><td>Transfer Data to Cloud Account</td><td>AWS</td><td><span>Exfiltration</span></td><td>MITRE ATT&CK</td></tr><tr><td><a class="no-break" href="https://www.tenable.com/attack-path-techniques/T1133_AWS">T1133_AWS</a></td><td>External Remote Services</td><td>Windows</td><td><span>Initial Access</span>, <span>Persistence</span></td><td>MITRE ATT&CK</td></tr><tr><td><a class="no-break" href="https://www.tenable.com/attack-path-techniques/T1136.003_AWS">T1136.003_AWS</a></td><td>Create Account: Cloud Account</td><td>AWS</td><td><span>Persistence</span></td><td>MITRE ATT&CK</td></tr><tr><td><a class="no-break" href="https://www.tenable.com/attack-path-techniques/T1204_AWS">T1204_AWS</a></td><td>User 
Execution</td><td>AWS</td><td><span>Execution</span></td><td>MITRE ATT&CK</td></tr><tr><td><a class="no-break" href="https://www.tenable.com/attack-path-techniques/T1528_AWS">T1528_AWS</a></td><td>Steal Application Access Token (AWS)</td><td>AWS</td><td><span>Collection</span></td><td>MITRE ATT&CK</td></tr><tr><td><a class="no-break" href="https://www.tenable.com/attack-path-techniques/T1069.003_AWS">T1069.003_AWS</a></td><td>Permission Groups Discovery: Cloud Groups (AWS)</td><td>AWS</td><td><span>Discovery</span></td><td>MITRE ATT&CK</td></tr></tbody></table></div><nav class="" aria-label="pagination"><ul class="justify-content-between pagination pagination"><li class="page-item disabled"><a class="page-link page-previous" href="https://www.tenable.com/attack-path-techniques?page=0">‹‹ <!-- -->Previous<span class="sr-only"> <!-- -->Previous</span></a></li><li class="page-item disabled"><a class="page-link page-text">Page 1 of 3<!-- --> <span class="d-none d-sm-inline">• <!-- -->131 Total</span></a></li><li class="page-item"><a class="page-link page-next" href="https://www.tenable.com/attack-path-techniques?page=2"><span class="sr-only">Next</span>Next<!-- --> ››</a></li></ul></nav></div></div></div></div></div></div></div></div></div><footer class="footer"><div class="container"><ul class="footer-nav"><li class="footer-nav-item"><a href="https://www.tenable.com/">Tenable.com</a></li><li class="footer-nav-item"><a href="https://community.tenable.com">Community & Support</a></li><li class="footer-nav-item"><a href="https://docs.tenable.com">Documentation</a></li><li class="footer-nav-item"><a href="https://university.tenable.com">Education</a></li></ul><ul class="footer-nav footer-nav-secondary"><li class="footer-nav-item">© <!-- -->2024<!-- --> <!-- -->Tenable®, Inc. 
All Rights Reserved</li><li class="footer-nav-item"><a href="https://www.tenable.com/privacy-policy">Privacy Policy</a></li><li class="footer-nav-item"><a href="https://www.tenable.com/legal">Legal</a></li><li class="footer-nav-item"><a href="https://www.tenable.com/section-508-voluntary-product-accessibility">508 Compliance</a></li></ul></div></footer><div class="Toastify"></div></div></div><script id="__NEXT_DATA__" type="application/json" nonce="nonce-MWQ2NWVhNDAtMDgzNi00M2JmLWI1NWUtNjUxM2Y0MjUwMDk5">{"props":{"pageProps":{"techniques":[{"_index":"1675877780426_attack_path_technique","_type":"_doc","_id":"T1595.001_PRE","_score":null,"_source":{"analysis_formula":{"conditions":"","evidence":"","mitigation":"","pseudo_logic":""},"attack_family":[{"name":"Reconnaissance","url":"https://attack.mitre.org/tactics/TA0043"}],"attack_framework":"MITRE ATT\u0026CK","attack_id":"T1595.001_PRE","attack_name":"Active Scanning: Scanning IP Blocks","attack_notes":"","attack_platform":"PRE","attack_subtechnique":{"name":"Scanning IP Blocks","url":"https://attack.mitre.org/techniques/T1595/001/"},"attack_technique":{"name":"Active Scanning","url":"https://attack.mitre.org/techniques/T1595"},"attack_testing":"","attack_version":"1.0","collection_mechanism":[{"access_rights":"None","collection_frequency":"DAILY","data_required":"Open Ports","data_source":"Internet","notes":"","product_dependencies":"","protocol":"HTTP, DNS","tenable_product":"Tenable Attack Surface Management"}],"data_collection_frequency":"DAILY","dev_status":{"horizon":"","notes":"","stage":"","team":"","tickets":""},"false_negatives":{"likelihood":"LOW","notes":"","scenarios":"None"},"false_positives":{"likelihood":"LOW","notes":"","scenarios":"None"},"future_work":"","graph":{"end_node":"External Asset","start_node":"Internet"},"internal_notes":"[{'provider_code':'ASM', 'provider_detection_id':None, 'detection_code':None, 'reason_id':None, 'reason_code_name':None}]","introduction":"Adversaries may scan victim 
IP blocks to gather information that can be used during targeting. Public IP addresses may be allocated to organizations by block, or a range of sequential addresses.","references":[],"release_notes":"","research_status":{"horizon":"2023 Q3","notes":"","stage":"DONE","team":"Research","tickets":""},"tenable_products_required":[["Tenable Attack Surface Management"]],"tenable_release_date":"2024 Q3","tvdb_export_source":{"file_name":"diff-202409021630.tar.gz","file_path":"exports/tenable_attack_path/v1","data_file_name":"T1595","created_at":"2024-09-02T16:36:42","updated_at":"2024-09-02T16:36:42"},"products_required_display":"Tenable Attack Surface Management","products_required_search_filter":"Tenable Attack Surface Management"},"sort":["2024 Q3"]},{"_index":"1675877780426_attack_path_technique","_type":"_doc","_id":"T1059.009_Azure","_score":null,"_source":{"analysis_formula":{"conditions":"","mitigation":"","pseudo_logic":"Azure SP/APP has relationship of FULL_CONTROL/RESET to AzureObject"},"attack_family":[{"name":"Execution","url":"https://attack.mitre.org/tactics/TA0002"}],"attack_framework":"MITRE ATT\u0026CK","attack_id":"T1059.009_Azure","attack_name":"Command and Scripting Interpreter: Cloud API","attack_notes":"","attack_platform":"Entra ID","attack_subtechnique":{"name":"Cloud API","url":"https://attack.mitre.org/techniques/T1059/009/"},"attack_technique":{"name":"Command and Scripting Interpreter","url":"https://attack.mitre.org/techniques/T1059"},"attack_testing":"","attack_version":"1.0","collection_mechanism":[{"access_rights":"Standard Azure AD User","collection_frequency":"DAILY","data_required":"List of oauth permission","data_source":"Entra ID","notes":"","product_dependencies":"","protocol":"API","tenable_product":"Tenable Identity 
Exposure"}],"data_collection_frequency":"DAILY","dev_status":{"horizon":"","notes":"","stage":"","team":"","tickets":""},"false_negatives":{"likelihood":"LOW","notes":"","scenarios":"None"},"false_positives":{"likelihood":"LOW","notes":"","scenarios":"None"},"future_work":"","graph":{"end_node":"Azure object","start_node":"SP/APP"},"internal_notes":"[{'provider_code':'IE', 'provider_detection_id':None, 'detection_code':None, 'reason_id':None, 'reason_code_name':None}]","introduction":"Adversaries may abuse cloud APIs to execute malicious commands. APIs available in cloud environments provide various functionalities and are a feature-rich method for programmatic access to nearly all aspects of a tenant. These APIs may be utilized through various methods such as command line interpreters (CLIs), in-browser Cloud Shells, PowerShell modules like Azure for PowerShell[1], or software developer kits (SDKs) available for languages such as Python.","references":[],"release_notes":"","research_status":{"horizon":"2023 Q2","notes":"","stage":"DONE","team":"Research","tickets":"N/A (June Release)\u0026nbsp;"},"tenable_products_required":[["Tenable Identity Exposure"]],"tenable_release_date":"2024 Q3","tvdb_export_source":{"file_name":"diff-202407090010.tar.gz","file_path":"exports/tenable_attack_path/v1","data_file_name":"T1059","created_at":"2024-07-09T00:21:42","updated_at":"2024-07-09T00:21:42"},"products_required_display":"Tenable Identity Exposure","products_required_search_filter":"Tenable Identity Exposure"},"sort":["2024 Q3"]},{"_index":"1675877780426_attack_path_technique","_type":"_doc","_id":"T1556.007","_score":null,"_source":{"analysis_formula":{"conditions":"","evidence":"The tenant manages the user","mitigation":"","pseudo_logic":"User has a replica in the cloud"},"attack_family":[{"name":"Credential Access","url":"https://attack.mitre.org/tactics/TA0006"},{"name":"Defense 
Evasion","url":"https://attack.mitre.org/tactics/TA0005"},{"name":"Persistence","url":"https://attack.mitre.org/tactics/TA0003"}],"attack_framework":"MITRE ATT\u0026CK","attack_id":"T1556.007","attack_name":"Modify Authentication Process: Hybrid Identity","attack_notes":"","attack_platform":"Entra ID","attack_subtechnique":{"name":"Hybrid Identity","url":"https://attack.mitre.org/techniques/T1556/007/"},"attack_technique":{"name":"Modify Authentication Process","url":"https://attack.mitre.org/techniques/T1556"},"attack_testing":"","attack_version":"1.0","collection_mechanism":[{"access_rights":"Read-only","collection_frequency":"DAILY","data_required":"Azure Users","data_source":"Entra ID","notes":"","product_dependencies":"","protocol":"HTTPS","tenable_product":"Tenable Identity Exposure"},{"access_rights":"Standard AD User","collection_frequency":"DAILY","data_required":"List of Domain Computers and Users","data_source":"Active Directory","notes":"","product_dependencies":"","protocol":"LDAP","tenable_product":"Tenable Identity Exposure"},{"access_rights":"Authenticated AD User","collection_frequency":"DAILY","data_required":"List of Domain Users ","data_source":"Active Directory","notes":"Plugin ID: 167250","product_dependencies":"AD Start or Identity Scan","protocol":"LDAP","tenable_product":"Tenable Vulnerability Management"}],"data_collection_frequency":"DAILY","dev_status":{"horizon":"","notes":"","stage":"","team":"","tickets":""},"false_negatives":{"likelihood":"","notes":"","scenarios":""},"false_positives":{"likelihood":"","notes":"","scenarios":""},"future_work":"Completed","graph":{"end_node":"User cloud","start_node":"User domain"},"internal_notes":"[{'provider_code':'IE', 'provider_detection_id':None, 'detection_code':None, 'reason_id':None, 'reason_code_name':None},{'provider_code':'NESSUS', 'provider_detection_id':167250, 'detection_code':'LDAP Active Directory - Person Enumeration', 'reason_id':None, 'reason_code_name':None}, 
{'provider_code':'AD', 'provider_detection_id':None, 'detection_code':None, 'reason_id':None, 'reason_code_name':None}]","introduction":"Adversaries may patch, modify, or otherwise backdoor cloud authentication processes that are tied to on-premises user identities in order to bypass typical authentication mechanisms, access credentials, and enable persistent access to accounts.","references":[],"release_notes":"","research_status":{"horizon":"2022 Q4","notes":"","stage":"DONE","team":"Research","tickets":""},"tenable_products_required":[["Tenable Identity Exposure"]],"tenable_release_date":"2024 Q3","tvdb_export_source":{"file_name":"diff-202409100030.tar.gz","file_path":"exports/tenable_attack_path/v1","data_file_name":"T1556","created_at":"2024-09-10T00:36:42","updated_at":"2024-09-10T00:36:42"},"products_required_display":"Tenable Identity Exposure","products_required_search_filter":"Tenable Identity Exposure"},"sort":["2024 Q3"]},{"_index":"1675877780426_attack_path_technique","_type":"_doc","_id":"T1098.003_Azure","_score":null,"_source":{"analysis_formula":{"conditions":"","mitigation":"","pseudo_logic":""},"attack_family":[{"name":"Persistence","url":"https://attack.mitre.org/tactics/TA0003/"},{"name":"Privilege Escalation","url":"https://attack.mitre.org/tactics/TA0004/"}],"attack_framework":"MITRE ATT\u0026CK","attack_id":"T1098.003_Azure","attack_name":"Account Manipulation: Additional Cloud Roles (Azure)","attack_notes":"","attack_platform":"Entra ID","attack_subtechnique":{"name":"Additional Cloud Roles","url":"https://attack.mitre.org/techniques/T1098/003/"},"attack_technique":{"name":"Account Manipulation","url":"https://attack.mitre.org/techniques/T1098/"},"attack_testing":"","attack_version":"1.0","collection_mechanism":[{"access_rights":"Read-only","collection_frequency":"DAILY","data_required":"Application permissions","data_source":"Entra ID","notes":"","product_dependencies":"","protocol":"HTTPS","tenable_product":"Tenable Identity 
Exposure"}],"data_collection_frequency":"DAILY","dev_status":{"horizon":"","notes":"","stage":"","team":"","tickets":""},"false_negatives":{"likelihood":"LOW","notes":"","scenarios":"None"},"false_positives":{"likelihood":"LOW","notes":"","scenarios":"None"},"future_work":"","graph":{"end_node":"Role","start_node":"App"},"internal_notes":"[{'provider_code':'IE', 'provider_detection_id':None, 'detection_code':None, 'reason_id':None, 'reason_code_name':None}]","introduction":"An adversary may add additional roles or permissions to an adversary-controlled cloud account to maintain persistent access to a tenant. For example, they may update IAM policies in cloud-based environments or add a new global administrator in Office 365 environments. With sufficient permissions, a compromised account can gain almost unlimited access to data and settings (including the ability to reset the passwords of other admins).","references":[],"release_notes":"","research_status":{"horizon":"2023 Q2","notes":"","stage":"DONE","team":"Research","tickets":""},"tenable_products_required":[["Tenable Identity Exposure"]],"tenable_release_date":"2024 Q2","tvdb_export_source":{"file_name":"diff-202407090010.tar.gz","file_path":"exports/tenable_attack_path/v1","data_file_name":"T1098","created_at":"2024-07-09T00:21:42","updated_at":"2024-07-09T00:21:42"},"products_required_display":"Tenable Identity Exposure","products_required_search_filter":"Tenable Identity Exposure"},"sort":["2024 Q2"]},{"_index":"1675877780426_attack_path_technique","_type":"_doc","_id":"T1484.002_Azure","_score":null,"_source":{"analysis_formula":{"conditions":"","evidence":"Computer contains the service 'adfs'","mitigation":"","pseudo_logic":"Computer has relationship to service name 'adfs'"},"attack_family":[{"name":"Defense Evasion","url":"https://attack.mitre.org/tactics/TA0005"},{"name":"Privilege Escalation","url":"https://attack.mitre.org/tactics/TA0004"}],"attack_framework":"MITRE 
ATT\u0026CK","attack_id":"T1484.002_Azure","attack_name":"Domain Policy Modification: Trust Modification(Azure)","attack_notes":"","attack_platform":"Entra ID","attack_subtechnique":{"name":"Trust Modification","url":"https://attack.mitre.org/techniques/T1484/002"},"attack_technique":{"name":"Domain Policy Modification","url":"https://attack.mitre.org/techniques/T1484"},"attack_testing":"","attack_version":"1.0","collection_mechanism":[{"access_rights":"Read-only","collection_frequency":"DAILY","data_required":"Tenant properties","data_source":"Entra ID","notes":"","product_dependencies":"","protocol":"HTTPS","tenable_product":"Tenable Identity Exposure"},{"access_rights":"Authenticated Scan","collection_frequency":"SCHEDULED","data_required":"Windows Services","data_source":"Windows machines","notes":"Plugin ID: 44401","product_dependencies":"Advanced Network Scan","protocol":"SMB","tenable_product":"Tenable Vulnerability Management"}],"data_collection_frequency":"DAILY","dev_status":{"horizon":"","notes":"","stage":"","team":"","tickets":""},"false_negatives":{"likelihood":"","notes":"","scenarios":""},"false_positives":{"likelihood":"","notes":"","scenarios":""},"future_work":"Completed","graph":{"end_node":"SAML Token","start_node":"Computer"},"internal_notes":"[{'provider_code':'IE', 'provider_detection_id':None, 'detection_code':None, 'reason_id':None, 'reason_code_name':None}, {'provider_code':'NESSUS', 'provider_detection_id':44401, 'detection_code':'Microsoft Windows SMB Service Config Enumeration', 'reason_id':None, 'reason_code_name':None}]","introduction":"Adversaries may add new domain trusts or modify the properties of existing domain trusts to evade defenses and/or elevate privileges. 
Domain trust details, such as whether or not a domain is federated, allow authentication and authorization properties to apply between domains for the purpose of accessing shared resources.(Citation: Microsoft - Azure AD Federation) These trust objects may include accounts, credentials, and other authentication material applied to servers, tokens, and domains.","references":[{"name":"Microsoft Windows SMB Service Config Enumeration","type":"hyperlink","url":"https://www.tenable.com/plugins/nessus/44401"}],"release_notes":"","research_status":{"horizon":"2022 Q4","notes":"","stage":"DONE","team":"Research","tickets":""},"tenable_products_required":[["Tenable Identity Exposure","Tenable Vulnerability Management"]],"tenable_release_date":"2024 Q2","tvdb_export_source":{"file_name":"diff-202407090010.tar.gz","file_path":"exports/tenable_attack_path/v1","data_file_name":"T1484","created_at":"2024-07-09T00:21:42","updated_at":"2024-07-09T00:21:42"},"products_required_display":"Tenable Identity Exposure and Tenable Vulnerability Management","products_required_search_filter":"Tenable Identity Exposure OR Tenable Vulnerability Management"},"sort":["2024 Q2"]},{"_index":"1675877780426_attack_path_technique","_type":"_doc","_id":"T1069.003_Azure","_score":null,"_source":{"analysis_formula":{"conditions":"","mitigation":"","pseudo_logic":""},"attack_family":[{"name":"Discovery","url":"https://attack.mitre.org/tactics/TA0007"}],"attack_framework":"MITRE ATT\u0026CK","attack_id":"T1069.003_Azure","attack_name":"Permission Groups Discovery:Cloud Groups(Azure)","attack_notes":"","attack_platform":"Entra ID","attack_subtechnique":{"name":"Cloud Groups","url":"https://attack.mitre.org/techniques/T1069/003"},"attack_technique":{"name":"Permission Groups Discovery","url":"https://attack.mitre.org/techniques/T1069"},"attack_testing":"","attack_version":"1.0","collection_mechanism":[{"access_rights":"Read-only","collection_frequency":"DAILY","data_required":"Azure Groups 
permissions","data_source":"Entra ID","notes":"","product_dependencies":"","protocol":"HTTPS","tenable_product":"Tenable Identity Exposure"}],"data_collection_frequency":"DAILY","dev_status":{"horizon":"","notes":"","stage":"","team":"","tickets":""},"false_negatives":{"likelihood":"","notes":"","scenarios":""},"false_positives":{"likelihood":"","notes":"","scenarios":""},"future_work":"Completed","graph":{"end_node":"Group","start_node":"RabcGraphObject"},"internal_notes":"[{'provider_code':'IE', 'provider_detection_id':None, 'detection_code':None, 'reason_id':None, 'reason_code_name':None}]","introduction":"Adversaries may attempt to find cloud groups and permission settings. The knowledge of cloud permission groups can help adversaries determine the particular roles of users and groups within an environment, as well as which users are associated with a particular group.","references":[],"release_notes":"","research_status":{"horizon":"2024 Q4","notes":"","stage":"DONE","team":"Research","tickets":""},"tenable_products_required":[["Tenable Identity Exposure"]],"tenable_release_date":"2024 Q2","tvdb_export_source":{"file_name":"diff-202407090010.tar.gz","file_path":"exports/tenable_attack_path/v1","data_file_name":"T1069","created_at":"2024-07-09T00:21:42","updated_at":"2024-07-09T00:21:42"},"products_required_display":"Tenable Identity Exposure","products_required_search_filter":"Tenable Identity Exposure"},"sort":["2024 Q2"]},{"_index":"1675877780426_attack_path_technique","_type":"_doc","_id":"T1098.001_Azure","_score":null,"_source":{"analysis_formula":{"conditions":"","mitigation":"","pseudo_logic":"User has relationship of OWNER/Full_CONTROL to app/spn"},"attack_family":[{"name":"Persistence","url":"https://attack.mitre.org/tactics/TA0003"}],"attack_framework":"MITRE ATT\u0026CK","attack_id":"T1098.001_Azure","attack_name":"Account Manipulation: Additional Cloud Credentials","attack_notes":"","attack_platform":"Entra 
ID","attack_subtechnique":{"name":"Additional Cloud Credentials","url":"https://attack.mitre.org/techniques/T1098/001/"},"attack_technique":{"name":"Account Manipulation","url":"https://attack.mitre.org/techniques/T1098"},"attack_testing":"","attack_version":"1.0","collection_mechanism":[{"access_rights":"Read-only","collection_frequency":"DAILY","data_required":"SPN/APP","data_source":"Entra ID","notes":"","product_dependencies":"","protocol":"HTTPS","tenable_product":"Tenable Identity Exposure"},{"access_rights":"Read-only","collection_frequency":"DAILY","data_required":"ROLES","data_source":"Entra ID","notes":"","product_dependencies":"","protocol":"HTTPS","tenable_product":"Tenable Identity Exposure"}],"data_collection_frequency":"DAILY","dev_status":{"horizon":"","notes":"","stage":"","team":"","tickets":""},"false_negatives":{"likelihood":"LOW","notes":"","scenarios":"None"},"false_positives":{"likelihood":"LOW","notes":"","scenarios":"None"},"future_work":"","graph":{"end_node":"SPN","start_node":"User"},"internal_notes":"[{'provider_code':'IE', 'provider_detection_id':None, 'detection_code':None, 'reason_id':None, 'reason_code_name':None}]","introduction":"Adversaries may add adversary-controlled credentials to a cloud account to maintain persistent access to victim accounts and instances within the environment. For example, adversaries may add credentials for Service Principals and Applications in addition to existing legitimate credentials in Azure AD. [1][2][3] These credentials include both x509 keys and passwords. 
[1] With sufficient permissions, there are a variety of ways to add credentials including the Azure Portal, Azure command line interface, and Azure or Az PowerShell modules.","references":[],"release_notes":"","research_status":{"horizon":"2023 Q2","notes":"","stage":"DONE","team":"Research","tickets":"N/A (June Release)\u0026nbsp;"},"tenable_products_required":[["Tenable Identity Exposure"]],"tenable_release_date":"2024 Q2","tvdb_export_source":{"file_name":"diff-202407090010.tar.gz","file_path":"exports/tenable_attack_path/v1","data_file_name":"T1098","created_at":"2024-07-09T00:21:42","updated_at":"2024-07-09T00:21:42"},"products_required_display":"Tenable Identity Exposure","products_required_search_filter":"Tenable Identity Exposure"},"sort":["2024 Q2"]},{"_index":"1675877780426_attack_path_technique","_type":"_doc","_id":"T0846_ICS","_score":null,"_source":{"analysis_formula":{"conditions":"","mitigation":"","pseudo_logic":"Assets that sit on the same backplane can talk and see each other."},"attack_family":[{"name":"Discovery","url":"https://attack.mitre.org/tactics/TA0007"}],"attack_framework":"MITRE ATT\u0026CK","attack_id":"T0846_ICS","attack_name":"Remote System Discovery","attack_notes":"","attack_platform":"OT","attack_subtechnique":{"name":"Remote System Discovery","url":"https://attack.mitre.org/techniques/T0846/"},"attack_technique":{"name":"Remote System Discovery","url":"https://attack.mitre.org/techniques/T0846/"},"attack_testing":"","attack_version":"1.1","collection_mechanism":[{"access_rights":"","collection_frequency":"DAILY","data_required":"Tenable OT Backplane Mapping","data_source":"OT backplane data","notes":"","product_dependencies":"","protocol":"Depends on the vendor","tenable_product":"Tenable OT 
Security"}],"data_collection_frequency":"DAILY","dev_status":{"horizon":"","notes":"","stage":"","team":"","tickets":""},"false_negatives":{"likelihood":"LOW","notes":"","scenarios":""},"false_positives":{"likelihood":"LOW","notes":"","scenarios":"None"},"future_work":"","graph":{"end_node":"Ot","start_node":"Ot"},"internal_notes":"[{'provider_code':'OT', 'provider_detection_id':None, 'detection_code':None, 'reason_id':None, 'reason_code_name':None}]","introduction":"Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for subsequent Lateral Movement or Discovery techniques. Functionality could exist within adversary tools to enable this, but utilities available on the operating system or vendor software could also be used.","references":[],"release_notes":"","research_status":{"horizon":"2024 Q2","notes":"","stage":"DONE","team":"Research","tickets":""},"tenable_products_required":[["Tenable OT Security"]],"tenable_release_date":"2024 Q2","tvdb_export_source":{"file_name":"diff-202407180210.tar.gz","file_path":"exports/tenable_attack_path/v1","data_file_name":"T0846_ICS","created_at":"2024-07-18T02:21:42","updated_at":"2024-07-18T02:21:42"},"products_required_display":"Tenable OT Security","products_required_search_filter":"Tenable OT Security"},"sort":["2024 Q2"]},{"_index":"1675877780426_attack_path_technique","_type":"_doc","_id":"T0814_ICS","_score":null,"_source":{"analysis_formula":{"conditions":"","mitigation":"","pseudo_logic":"Find vulnerable ot devices, where the relevant plugin can be classified into this vulnerability type"},"attack_family":[{"name":"Inhibit Response Function","url":"https://attack.mitre.org/tactics/TA0107/"}],"attack_framework":"MITRE ATT\u0026CK","attack_id":"T0814_ICS","attack_name":"Denial of Service","attack_notes":"","attack_platform":"OT","attack_subtechnique":{"name":"Denial of 
Service","url":"https://attack.mitre.org/techniques/T0814/"},"attack_technique":{"name":"Denial of Service","url":"https://attack.mitre.org/techniques/T0814/"},"attack_testing":"","attack_version":"1.1","collection_mechanism":[{"access_rights":"","collection_frequency":"DAILY","data_required":"Active vulnerabilities detected by Tenable Vulnerability Management plugins","data_source":"Computer","notes":"","product_dependencies":"","protocol":"","tenable_product":"Tenable Vulnerability Management"},{"access_rights":"","collection_frequency":"DAILY","data_required":"Active vulnerabilities detected by Tenable OT Security plugins","data_source":"OT Device","notes":"","product_dependencies":"","protocol":"","tenable_product":"Tenable OT Security"}],"data_collection_frequency":"DAILY","dev_status":{"horizon":"","notes":"","stage":"","team":"","tickets":""},"false_negatives":{"likelihood":"MEDIUM","notes":"","scenarios":"Plugins that are not being categorized in APA"},"false_positives":{"likelihood":"LOW","notes":"","scenarios":"Invalid plugin hit"},"future_work":"","graph":{"end_node":"","start_node":"Ot"},"internal_notes":"[{'provider_code':'NESSUS', 'provider_detection_id':'CVE', 'detection_code':None, 'reason_id':None, 'reason_code_name':None}, {'provider_code':'OT', 'provider_detection_id':'CVE', 'detection_code':None, 'reason_id':None, 'reason_code_name':None}]","introduction":"Adversaries may perform Denial-of-Service (DoS) attacks to disrupt expected device functionality. Examples of DoS attacks include overwhelming the target device with a high volume of requests in a short time period and sending the target device a request it does not know how to handle. Disrupting device state may temporarily render it unresponsive, possibly lasting until a reboot can occur. 
When placed in this state, devices may be unable to send and receive requests, and may not perform expected response functions in reaction to other events in the environment.","references":[],"release_notes":"","research_status":{"horizon":"2024 Q2","notes":"","stage":"DONE","team":"Research","tickets":"https://tenable.atlassian.net/browse/RESC-389"},"tenable_products_required":[["Tenable Vulnerability Management","Tenable OT Security"]],"tenable_release_date":"2024 Q2","tvdb_export_source":{"file_name":"diff-202407220010.tar.gz","file_path":"exports/tenable_attack_path/v1","data_file_name":"T0814_ICS","created_at":"2024-07-22T00:21:43","updated_at":"2024-07-22T00:21:43"},"products_required_display":"Tenable Vulnerability Management and Tenable OT Security","products_required_search_filter":"Tenable Vulnerability Management OR Tenable OT Security"},"sort":["2024 Q2"]},{"_index":"1675877780426_attack_path_technique","_type":"_doc","_id":"T0891_ICS","_score":null,"_source":{"analysis_formula":{"conditions":"","mitigation":"","pseudo_logic":"Find vulnerable ot devices, where the relevant plugin can be classified into this vulnerability type"},"attack_family":[{"name":"Lateral Movement","url":"https://attack.mitre.org/tactics/TA0109/"},{"name":"Persistence","url":"https://attack.mitre.org/tactics/TA0110/"}],"attack_framework":"MITRE ATT\u0026CK","attack_id":"T0891_ICS","attack_name":"Hardcoded Credentials","attack_notes":"","attack_platform":"OT","attack_subtechnique":{"name":"Hardcoded Credentials","url":"https://attack.mitre.org/techniques/T0891/"},"attack_technique":{"name":"Hardcoded Credentials","url":"https://attack.mitre.org/techniques/T0891/"},"attack_testing":"","attack_version":"1.0","collection_mechanism":[{"access_rights":"","collection_frequency":"DAILY","data_required":"Active vulnerabilities detected by Tenable Vulnerability Management plugins","data_source":"Computer","notes":"","product_dependencies":"","protocol":"","tenable_product":"Tenable 
Vulnerability Management"},{"access_rights":"","collection_frequency":"DAILY","data_required":"Active vulnerabilities detected by Tenable OT Security plugins","data_source":"OT Device","notes":"","product_dependencies":"","protocol":"","tenable_product":"Tenable OT Security"}],"data_collection_frequency":"DAILY","dev_status":{"horizon":"","notes":"","stage":"","team":"","tickets":""},"false_negatives":{"likelihood":"MEDIUM","notes":"","scenarios":"Plugins that are not being categorized in APA"},"false_positives":{"likelihood":"LOW","notes":"","scenarios":"Invalid plugin hit"},"future_work":"","graph":{"end_node":"","start_node":"Ot"},"internal_notes":"[{'provider_code':'NESSUS', 'provider_detection_id':'CVE', 'detection_code':None, 'reason_id':None, 'reason_code_name':None}, {'provider_code':'OT', 'provider_detection_id':'CVE', 'detection_code':None, 'reason_id':None, 'reason_code_name':None}]","introduction":"Adversaries may leverage credentials that are hardcoded in software or firmware to gain an unauthorized interactive user session to an asset. Examples of credentials that may be hardcoded in an asset include: Username/Passwords, Cryptographic keys/Certificates, API tokens. Unlike Default Credentials, these credentials are built into the system in a way that they either cannot be changed by the asset owner, or may be infeasible to change because of the impact it would cause to the control system operation. 
These credentials may be reused across whole product lines or device models and are often not published or known to the owner and operators of the asset.","references":[],"release_notes":"","research_status":{"horizon":"2024 Q2","notes":"","stage":"DONE","team":"Research","tickets":"https://tenable.atlassian.net/browse/RESC-391"},"tenable_products_required":[["Tenable Vulnerability Management","Tenable OT Security"]],"tenable_release_date":"2024 Q2","tvdb_export_source":{"file_name":"diff-202407220010.tar.gz","file_path":"exports/tenable_attack_path/v1","data_file_name":"T0891_ICS","created_at":"2024-07-22T00:21:43","updated_at":"2024-07-22T00:21:43"},"products_required_display":"Tenable Vulnerability Management and Tenable OT Security","products_required_search_filter":"Tenable Vulnerability Management OR Tenable OT Security"},"sort":["2024 Q2"]},{"_index":"1675877780426_attack_path_technique","_type":"_doc","_id":"T1615_Windows","_score":null,"_source":{"analysis_formula":{"conditions":"\u003cli\u003e\u003cp\u003e\u003ccode\u003eDomain User\u003c/code\u003e\u0026#160;or Computer is linked to \u003cspan\u003eGroup Policy.\u003c/span\u003e\u003c/p\u003e\u003c/li\u003e\u003cli\u003e\u003cp\u003eAn account can modify\u0026#160;\u003cspan\u003eGroup Policy.\u003c/span\u003e\u003c/p\u003e\u003c/li\u003e","mitigation":"\u003cli\u003eRemove Group Policy Object (GPO) modify permissions.\u003c/li\u003e\u003cli\u003eLimit the account that is linked to the GPO.\u003c/li\u003e","pseudo_logic":"\u003cli\u003e\u003cp\u003eFor each \u003cspan\u003eGroup Policy\u003c/span\u003e\u0026#160;in GraphDB:\u003c/p\u003e\u003c/li\u003e\u003cli\u003e\u003cp\u003e\u003cbr\u003e\u003c/p\u003e\u003col\u003e\u003cli\u003eIf\u0026#160;\u003cspan\u003e\u003ccode\u003eGroup Policy\u003c/code\u003e has \u003cem\u003eWRITE\u003c/em\u003e or \u003cem\u003eFULL ACCESS\u003c/em\u003e permission by non-builtin 
\u003ccode\u003eDomainObject:\u003c/code\u003e\u003c/span\u003e\u003col\u003e\u003cli\u003eRecursively identify all inherited\u0026#160;\u003cspan\u003e\u003cspan\u003e\u003ccode\u003eOrganizational Units.\u003c/code\u003e\u003c/span\u003e\u003c/span\u003e\u003c/li\u003e\u003cli\u003e\u003cspan\u003e\u003cspan\u003e\u003ccode\u003eFor each \u003cspan\u003eOrganizational Unit:\u003c/span\u003e\u003c/code\u003e\u003c/span\u003e\u003c/span\u003e\u003col\u003e\u003cli\u003eFor\u0026#160;\u003ccode\u003eDomainUsers\u003c/code\u003e and \u003ccode\u003eDomainComputers\u003c/code\u003e under the\u0026#160;\u003ccode\u003eOrganizational Unit:\u003c/code\u003e\u003c/li\u003e\u003cli\u003e\u003ccode\u003eDomainUsers\u003c/code\u003e and \u003ccode\u003eDomainComputers is vulnerable to Group Policy Modification by\u0026#160;\u003c/code\u003eDomainObject.\u003c/li\u003e\u003c/ol\u003e\u003c/li\u003e\u003c/ol\u003e\u003c/li\u003e\u003c/ol\u003e\u003c/li\u003e"},"attack_family":[{"name":"Discovery","url":"https://attack.mitre.org/tactics/TA0007"}],"attack_framework":"MITRE ATT\u0026CK","attack_id":"T1615_Windows","attack_name":"Group Policy Discovery","attack_notes":"","attack_platform":"Windows","attack_subtechnique":{"name":"Group Policy Discovery","url":"https://attack.mitre.org/techniques/T1615/"},"attack_technique":{"name":"Group Policy Discovery","url":"https://attack.mitre.org/techniques/T1615/"},"attack_testing":"Manual Test:\u0026#10;\u003cli\u003eFrom a working Domain (Active Directory) environment:\u003col\u003e\u003cli\u003e\u003cp\u003eCreate a new Group Policy and two Domain Users.\u003c/p\u003e\u003c/li\u003e\u003cli\u003eLink the Group Policy to an Organizational Unit.\u003c/li\u003e\u003cli\u003eAdd one User to the\u0026#160;Organizational Unit.\u003c/li\u003e\u003cli\u003eAdd WRITE or FULL CONTROL to the Group Policy to the second User.\u003c/li\u003e\u003c/ol\u003e\u003c/li\u003e\u0026#10;Automatic Test:\u0026#10;Copy and paste the following code in 
PowerShell:\u003cdiv class=\"codeContent panelContent pdl\"\u003e\u003cdiv\u003e\u003cdiv class=\"syntaxhighlighter sh-confluence nogutter powershell\"\u003e\u003cdiv class=\"toolbar\"\u003e\u003cspan\u003e\u003ca href=\"#\" class=\"toolbar_item command_help help\"\u003e?\u003c/a\u003e\u003c/span\u003e\u003c/div\u003e\u003ctable border=\"0\" cellpadding=\"0\" cellspacing=\"0\"\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd class=\"code\"\u003e\u003cdiv class=\"container\" title=\"Hint: double-click to select code\"\u003e\u003cdiv class=\"line number1 index0 alt2\"\u003e\u003ccode class=\"powershell comments\"\u003e#This command creates a GPO named TestGPO, links it to the Marketing OU in the contoso.com domain, and grants the \u0026#34;Domain Users\u0026#34; security group permissions to edit the GPO.\u003c/code\u003e\u003c/div\u003e\u003cdiv class=\"line number2 index1 alt1\"\u003e\u003ccode class=\"powershell spaces\"\u003e\u0026#160;\u003c/code\u003e\u0026#160;\u003c/div\u003e\u003cdiv class=\"line number3 index2 alt2\"\u003e\u003ccode class=\"powershell plain\"\u003enew\u003c/code\u003e\u003ccode class=\"powershell keyword\"\u003e-gpo\u003c/code\u003e \u003ccode class=\"powershell keyword\"\u003e-name\u003c/code\u003e \u003ccode class=\"powershell plain\"\u003eTestGPO | new\u003c/code\u003e\u003ccode class=\"powershell keyword\"\u003e-gplink\u003c/code\u003e \u003ccode class=\"powershell keyword\"\u003e-target\u003c/code\u003e \u003ccode class=\"powershell string\"\u003e\u0026#34;ou=marketing,dc=contoso,dc=com\u0026#34;\u003c/code\u003e \u003ccode class=\"powershell plain\"\u003e| \u003c/code\u003e\u003ccode class=\"powershell keyword\"\u003eset\u003c/code\u003e\u003ccode class=\"powershell keyword\"\u003e-gppermissions\u003c/code\u003e \u003ccode class=\"powershell keyword\"\u003e-permissionlevel\u003c/code\u003e \u003ccode class=\"powershell plain\"\u003egpoedit \u003c/code\u003e\u003ccode class=\"powershell keyword\"\u003e-targetname\u003c/code\u003e 
\u003ccode class=\"powershell string\"\u003e\u0026#34;Domain Users\u0026#34;\u003c/code\u003e \u003ccode class=\"powershell keyword\"\u003e-targettype\u003c/code\u003e \u003ccode class=\"powershell keyword\"\u003egroup\u003c/code\u003e\u003c/div\u003e\u003c/div\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003c/div\u003e\u003c/div\u003e\u003c/div\u003e","attack_version":"1.0","collection_mechanism":[{"access_rights":"Authenticated AD user","collection_frequency":"DAILY","data_required":"Group Policy objects","data_source":"Active Directory","notes":"","product_dependencies":"","protocol":"LDAP/S(389/636)","tenable_product":"Tenable Identity Exposure"},{"access_rights":"Authenticated AD user","collection_frequency":"DAILY","data_required":"Organizational Unit objects","data_source":"Active Directory","notes":"Plugin ID: 28-C-GPO-SD-CONSISTENCY:R-GPO-SD-CONSISTENCY-ACL","product_dependencies":"","protocol":"LDAP/S(389/636)","tenable_product":"Tenable Identity Exposure"},{"access_rights":"Standard AD User","collection_frequency":"DAILY","data_required":"List of Computers, Domain Users, Groups and Memberships","data_source":"Active Directory","notes":"","product_dependencies":"","protocol":"LDAP","tenable_product":"Tenable Identity Exposure"}],"data_collection_frequency":"DAILY","dev_status":{"horizon":"2024 Q2","notes":"","stage":"DONE","team":"APA Engineering","tickets":"N/A (June Release)\u0026nbsp;"},"false_negatives":{"likelihood":"MEDIUM","notes":"","scenarios":"We may miss some complex inheritance or WMI filtering scenarios"},"false_positives":{"likelihood":"MEDIUM","notes":"","scenarios":"We may alert on some complex non-inheritance or WMI filtering scenarios"},"future_work":"Consider using T.ad analysis to calculate effective GPO","graph":{"end_node":"DomainComputer OR DomainUser","start_node":"Group Policy"},"internal_notes":"[{'provider_code': 'AD', 'provider_detection_id': 28, 'detection_code': 'C-GPO-SD-CONSISTENCY', 'reason_id': 
72, 'reason_code_name':'R-GPO-SD-CONSISTENCY-ACL'},{'provider_code': 'AD', 'provider_detection_id':None, 'detection_code': None, 'reason_id': None, 'reason_code_name': None}]","introduction":"Adversaries may gather information on Group Policy settings to identify paths for privilege escalation, security measures applied within a domain, and to discover patterns in domain objects that can be manipulated or used to blend in the environment. Group Policy allows for centralized management of user and computer settings in Active Directory (AD). Group policy objects (GPOs) are containers for group policy settings made up of files stored within a predictable network path \\\\SYSVOL\\\\Policies\\.[","references":[],"release_notes":"","research_status":{"horizon":"2024 Q2","notes":"","stage":"DONE","team":"Research","tickets":"N/A (June Release)\u0026nbsp;"},"tenable_products_required":[["Tenable Identity Exposure"]],"tenable_release_date":"2024 Q2","tvdb_export_source":{"file_name":"diff-202406140010.tar.gz","file_path":"exports/tenable_attack_path/v1","data_file_name":"T1615_Windows","created_at":"2024-06-14T00:21:18","updated_at":"2024-06-14T00:21:18"},"products_required_display":"Tenable Identity Exposure","products_required_search_filter":"Tenable Identity Exposure"},"sort":["2024 Q2"]},{"_index":"1675877780426_attack_path_technique","_type":"_doc","_id":"T0812_ICS","_score":null,"_source":{"analysis_formula":{"conditions":"","mitigation":"","pseudo_logic":"Find vulnerable ot devices, where the relevant plugin can be classified into this vulnerability type"},"attack_family":[{"name":"Lateral Movement","url":"https://attack.mitre.org/tactics/TA0109/"}],"attack_framework":"MITRE ATT\u0026CK","attack_id":"T0812_ICS","attack_name":"Default Credentials","attack_notes":"","attack_platform":"OT","attack_subtechnique":{"name":"Default Credentials","url":"https://attack.mitre.org/techniques/T0812/"},"attack_technique":{"name":"Default 
Credentials","url":"https://attack.mitre.org/techniques/T0812/"},"attack_testing":"","attack_version":"1.0","collection_mechanism":[{"access_rights":"","collection_frequency":"DAILY","data_required":"Active vulnerabilities detected by Tenable Vulnerability Management plugins","data_source":"Computer","notes":"","product_dependencies":"","protocol":"","tenable_product":"Tenable Vulnerability Management"},{"access_rights":"","collection_frequency":"DAILY","data_required":"Active vulnerabilities detected by detected by Tenable OT Security plugins","data_source":"OT Device","notes":"","product_dependencies":"","protocol":"","tenable_product":"Tenable OT Security"}],"data_collection_frequency":"DAILY","dev_status":{"horizon":"","notes":"","stage":"","team":"","tickets":""},"false_negatives":{"likelihood":"MEDIUM","notes":"","scenarios":"Plugins that are not being categorized in APA"},"false_positives":{"likelihood":"LOW","notes":"","scenarios":"Invalid plugin hit"},"future_work":"","graph":{"end_node":"","start_node":"Ot"},"internal_notes":"[{'provider_code':'NESSUS', 'provider_detection_id':'CVE', 'detection_code':None, 'reason_id':None, 'reason_code_name':None}, {'provider_code':'OT', 'provider_detection_id':'CVE', 'detection_code':None, 'reason_id':None, 'reason_code_name':None}]","introduction":"Adversaries may leverage manufacturer or supplier set default credentials on control system devices. These default credentials may have administrative permissions and may be necessary for initial configuration of the device. 
It is general best practice to change the passwords for these accounts as soon as possible, but some manufacturers may have devices that have passwords or usernames that cannot be changed.","references":[],"release_notes":"","research_status":{"horizon":"2024 Q2","notes":"","stage":"DONE","team":"Research","tickets":"https://tenable.atlassian.net/browse/RESC-387"},"tenable_products_required":[["Tenable Vulnerability Management","Tenable OT Security"]],"tenable_release_date":"2024 Q2","tvdb_export_source":{"file_name":"diff-202407220010.tar.gz","file_path":"exports/tenable_attack_path/v1","data_file_name":"T0812_ICS","created_at":"2024-07-22T00:21:43","updated_at":"2024-07-22T00:21:43"},"products_required_display":"Tenable Vulnerability Management and Tenable OT Security","products_required_search_filter":"Tenable Vulnerability Management OR Tenable OT Security"},"sort":["2024 Q2"]},{"_index":"1675877780426_attack_path_technique","_type":"_doc","_id":"T0843_ICS","_score":null,"_source":{"analysis_formula":{"conditions":"","mitigation":"","pseudo_logic":"Active connection to a controller, where the port is in the controller's management ports attribute"},"attack_family":[{"name":"Lateral Movement","url":"https://attack.mitre.org/tactics/TA0109/"}],"attack_framework":"MITRE ATT\u0026CK","attack_id":"T0843_ICS","attack_name":"Program Download","attack_notes":"","attack_platform":"OT","attack_subtechnique":{"name":"Program Download","url":"https://attack.mitre.org/techniques/T0843/"},"attack_technique":{"name":"Program Download","url":"https://attack.mitre.org/techniques/T0843/"},"attack_testing":"","attack_version":"1.1","collection_mechanism":[{"access_rights":"","collection_frequency":"DAILY","data_required":"Active Connections to controller on management port","data_source":"Network scans and traffic","notes":"Plugin ID: 64582","product_dependencies":"Advanced Network Scan","protocol":"Depends on the vendor","tenable_product":"Tenable Vulnerability 
Management"},{"access_rights":"","collection_frequency":"DAILY","data_required":"Active Connections to controller on management port","data_source":"Network scans and traffic","notes":"","product_dependencies":"","protocol":"Depends on the vendor","tenable_product":"Tenable OT Security"}],"data_collection_frequency":"DAILY","dev_status":{"horizon":"","notes":"","stage":"","team":"","tickets":""},"false_negatives":{"likelihood":"LOW","notes":"","scenarios":"Available management port on controller with no active connection"},"false_positives":{"likelihood":"LOW","notes":"Authentication methods that are not bypassed by design","scenarios":"None"},"future_work":"","graph":{"end_node":"Controller","start_node":"Computer | Ot"},"internal_notes":"[{'provider_code':'NESSUS', 'provider_detection_id':64582, 'detection_code':'Netstat Connection Information', 'reason_id':None, 'reason_code_name':None}, {'provider_code':'OT', 'provider_detection_id':None, 'detection_code':None, 'reason_id':None, 'reason_code_name':None}]","introduction":"Adversaries may perform a program download to transfer a user program to a controller.","references":[],"release_notes":"","research_status":{"horizon":"2024 Q2","notes":"","stage":"DONE","team":"Research","tickets":""},"tenable_products_required":[["Tenable Vulnerability Management","Tenable OT Security"]],"tenable_release_date":"2024 Q2","tvdb_export_source":{"file_name":"diff-202407220010.tar.gz","file_path":"exports/tenable_attack_path/v1","data_file_name":"T0843_ICS","created_at":"2024-07-22T00:21:43","updated_at":"2024-07-22T00:21:43"},"products_required_display":"Tenable Vulnerability Management and Tenable OT Security","products_required_search_filter":"Tenable Vulnerability Management OR Tenable OT Security"},"sort":["2024 Q2"]},{"_index":"1675877780426_attack_path_technique","_type":"_doc","_id":"T0866_ICS","_score":null,"_source":{"analysis_formula":{"conditions":"","mitigation":"","pseudo_logic":"Find vulnerable ot devices, where 
the relevant plugin can be classified into this vulnerability type"},"attack_family":[{"name":"Initial Access","url":"https://attack.mitre.org/tactics/TA0001"},{"name":"Lateral Movement","url":"https://attack.mitre.org/tactics/TA0008"}],"attack_framework":"MITRE ATT\u0026CK","attack_id":"T0866_ICS","attack_name":"Exploitation of Remote Services","attack_notes":"","attack_platform":"OT","attack_subtechnique":{"name":"Exploitation of Remote Services","url":"https://attack.mitre.org/techniques/T0866/"},"attack_technique":{"name":"Exploitation of Remote Services","url":"https://attack.mitre.org/techniques/T0866/"},"attack_testing":"","attack_version":"1.0","collection_mechanism":[{"access_rights":"","collection_frequency":"DAILY","data_required":"Active vulnerabilities detected by Tenable Vulnerability Management plugins","data_source":"Computer","notes":"","product_dependencies":"","protocol":"","tenable_product":"Tenable Vulnerability Management"},{"access_rights":"","collection_frequency":"DAILY","data_required":"Active vulnerabilities detected by detected by Tenable OT Security plugins","data_source":"OT Device","notes":"","product_dependencies":"","protocol":"","tenable_product":"Tenable OT Security"}],"data_collection_frequency":"DAILY","dev_status":{"horizon":"","notes":"","stage":"","team":"","tickets":""},"false_negatives":{"likelihood":"MEDIUM","notes":"","scenarios":"Plugins that are not being categorized in APA"},"false_positives":{"likelihood":"LOW","notes":"","scenarios":"Invalid plugin hit"},"future_work":"","graph":{"end_node":"","start_node":"Ot"},"internal_notes":"[{'provider_code':'NESSUS', 'provider_detection_id':'CVE', 'detection_code':None, 'reason_id':None, 'reason_code_name':None}, {'provider_code':'OT', 'provider_detection_id':'CVE', 'detection_code':None, 'reason_id':None, 'reason_code_name':None}]","introduction":"Adversaries may exploit a software vulnerability to take advantage of a programming error in a program, service, or within the 
operating system software or kernel itself to enable remote service abuse. A common goal for post-compromise exploitation of remote services is for initial access into and lateral movement throughout the ICS environment to enable access to targeted systems.","references":[],"release_notes":"","research_status":{"horizon":"2024 Q2","notes":"","stage":"DONE","team":"Research","tickets":""},"tenable_products_required":[["Tenable Vulnerability Management","Tenable OT Security"]],"tenable_release_date":"2024 Q2","tvdb_export_source":{"file_name":"diff-202407220010.tar.gz","file_path":"exports/tenable_attack_path/v1","data_file_name":"T0866_ICS","created_at":"2024-07-22T00:21:43","updated_at":"2024-07-22T00:21:43"},"products_required_display":"Tenable Vulnerability Management and Tenable OT Security","products_required_search_filter":"Tenable Vulnerability Management OR Tenable OT Security"},"sort":["2024 Q2"]},{"_index":"1675877780426_attack_path_technique","_type":"_doc","_id":"T1499.004","_score":null,"_source":{"analysis_formula":{"conditions":"","mitigation":"","pseudo_logic":"Find vulnerable ot devices, where the relevant plugin can be classified into this vulnerability type"},"attack_family":[{"name":"Impact","url":"https://attack.mitre.org/tactics/TA0040"}],"attack_framework":"MITRE ATT\u0026CK","attack_id":"T1499.004","attack_name":"Endpoint Denial of Service: Application or System Exploitation","attack_notes":"","attack_platform":"Azure AD, Google Workspace, IaaS, Linux, Office 365, SaaS, Windows, macOS","attack_subtechnique":{"name":"Application or System Exploitation","url":"https://attack.mitre.org/techniques/T1499/004/"},"attack_technique":{"name":"Endpoint Denial of Service","url":"https://attack.mitre.org/techniques/T1499"},"attack_testing":"","attack_version":"1.2","collection_mechanism":[{"access_rights":"","collection_frequency":"DAILY","data_required":"Active vulnerabilities detected by tenable 
plugins","data_source":"Computer","notes":"","product_dependencies":"","protocol":"","tenable_product":"Tenable Vulnerability Management"}],"data_collection_frequency":"DAILY","dev_status":{"horizon":"","notes":"","stage":"","team":"","tickets":""},"false_negatives":{"likelihood":"MEDIUM","notes":"","scenarios":"Plugins that are not being categorized in APA"},"false_positives":{"likelihood":"LOW","notes":"","scenarios":"Invalid plugin hit"},"future_work":"","graph":{"end_node":"","start_node":"Computer"},"internal_notes":"[{'provider_code':'NESSUS', 'provider_detection_id':'CVE', 'detection_code':None, 'reason_id':None, 'reason_code_name':None}]","introduction":"Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users. Some systems may automatically restart critical applications and services when crashes occur, but they can likely be re-exploited to cause a persistent denial of service (DoS) condition.","references":[],"release_notes":"","research_status":{"horizon":"2024 Q2","notes":"","stage":"DONE","team":"Research","tickets":"https://tenable.atlassian.net/browse/RESC-393"},"tenable_products_required":[["Tenable Vulnerability Management"]],"tenable_release_date":"2024 Q2","tvdb_export_source":{"file_name":"diff-202405310010.tar.gz","file_path":"exports/tenable_attack_path/v1","data_file_name":"T1499","created_at":"2024-05-31T00:21:16","updated_at":"2024-05-31T00:21:16"},"products_required_display":"Tenable Vulnerability Management","products_required_search_filter":"Tenable Vulnerability Management"},"sort":["2024 Q2"]},{"_index":"1675877780426_attack_path_technique","_type":"_doc","_id":"T1548.005_Azure","_score":null,"_source":{"analysis_formula":{"conditions":"","mitigation":"","pseudo_logic":"Azure GraphObject has relationship of FULL_CONTROL/RESET to GraphObject"},"attack_family":[{"name":"Defense Evasion","url":"https://attack.mitre.org/tactics/TA0005"},{"name":"Privilege 
Escalation","url":"https://attack.mitre.org/tactics/TA0004"}],"attack_framework":"MITRE ATT\u0026CK","attack_id":"T1548.005_Azure","attack_name":"Abuse Elevation Control Mechanism: Temporary Elevated Cloud Access","attack_notes":"","attack_platform":"Entra ID","attack_subtechnique":{"name":"Temporary Elevated Cloud Access","url":"https://attack.mitre.org/techniques/T1548/005/"},"attack_technique":{"name":"Abuse Elevation Control Mechanism","url":"https://attack.mitre.org/techniques/T1548/"},"attack_testing":"","attack_version":"1.0","collection_mechanism":[{"access_rights":"Standard Azure AD User","collection_frequency":"DAILY","data_required":"Application permissions","data_source":"Entra ID","notes":"","product_dependencies":"","protocol":"API","tenable_product":"Tenable Identity Exposure"}],"data_collection_frequency":"DAILY","dev_status":{"horizon":"","notes":"","stage":"","team":"","tickets":""},"false_negatives":{"likelihood":"LOW","notes":"","scenarios":"None"},"false_positives":{"likelihood":"LOW","notes":"","scenarios":"None"},"future_work":"","graph":{"end_node":"GraphObject","start_node":"GraphObject"},"internal_notes":"[{'provider_code':'IE', 'provider_detection_id':None, 'detection_code':None, 'reason_id':None, 'reason_code_name':None}]","introduction":"Adversaries may abuse permission configurations that allow them to gain temporarily elevated access to cloud resources. 
Many cloud environments allow administrators to grant user or service accounts permission to request just-in-time access to roles, impersonate other accounts, pass roles onto resources and services, or otherwise gain short-term access to a set of privileges that may be distinct from their own.","references":[],"release_notes":"","research_status":{"horizon":"2022 Q2","notes":"","stage":"DONE","team":"Research","tickets":"N/A (June Release)\u0026nbsp;"},"tenable_products_required":[["Tenable Identity Exposure"]],"tenable_release_date":"2024 Q2","tvdb_export_source":{"file_name":"diff-202407090010.tar.gz","file_path":"exports/tenable_attack_path/v1","data_file_name":"T1548","created_at":"2024-07-09T00:21:42","updated_at":"2024-07-09T00:21:42"},"products_required_display":"Tenable Identity Exposure","products_required_search_filter":"Tenable Identity Exposure"},"sort":["2024 Q2"]},{"_index":"1675877780426_attack_path_technique","_type":"_doc","_id":"1078.001","_score":null,"_source":{"analysis_formula":{"conditions":"","mitigation":"","pseudo_logic":"Find vulnerable ot devices, where the relevant plugin can be classified into this vulnerability type"},"attack_family":[{"name":"Defense Evasion","url":"https://attack.mitre.org/tactics/TA0005"},{"name":"Persistence","url":"https://attack.mitre.org/tactics/TA0003"},{"name":"Privilege Escalation","url":"https://attack.mitre.org/tactics/TA0004"},{"name":"Initial Access","url":"https://attack.mitre.org/tactics/TA0001"}],"attack_framework":"MITRE ATT\u0026CK","attack_id":"1078.001","attack_name":"Valid Accounts: Default Accounts","attack_notes":"","attack_platform":"Azure AD, Containers, Google Workspace, IaaS, Linux, Office 365, SaaS, Windows, macOS","attack_subtechnique":{"name":"Default Accounts","url":"https://attack.mitre.org/techniques/T1078/001/"},"attack_technique":{"name":"Valid 
Accounts","url":"https://attack.mitre.org/techniques/T1078/"},"attack_testing":"","attack_version":"1.2","collection_mechanism":[{"access_rights":"","collection_frequency":"DAILY","data_required":"Active vulnerabilities detected by Tenable Vulnerability Management plugins","data_source":"Computer","notes":"","product_dependencies":"","protocol":"","tenable_product":"Tenable Vulnerability Management"}],"data_collection_frequency":"DAILY","dev_status":{"horizon":"","notes":"","stage":"","team":"","tickets":""},"false_negatives":{"likelihood":"MEDIUM","notes":"","scenarios":"Plugins that are not being categorized in APA"},"false_positives":{"likelihood":"LOW","notes":"","scenarios":"Invalid plugin hit"},"future_work":"","graph":{"end_node":"","start_node":"Computer"},"internal_notes":"[{'provider_code':'NESSUS', 'provider_detection_id':'CVE', 'detection_code':None, 'reason_id':None, 'reason_code_name':None}]","introduction":"Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Default accounts are those that are built-into an OS, such as the Guest or Administrator accounts on Windows systems. 
Default accounts also include default factory/provider set accounts on other types of systems, software, or devices, including the root user account in AWS and the default service account in Kubernetes.","references":[],"release_notes":"","research_status":{"horizon":"2024 Q2","notes":"","stage":"DONE","team":"Research","tickets":"https://tenable.atlassian.net/browse/RESC-388"},"tenable_products_required":[["Tenable Vulnerability Management"]],"tenable_release_date":"2024 Q2","tvdb_export_source":{"file_name":"diff-202408010030.tar.gz","file_path":"exports/tenable_attack_path/v1","data_file_name":"1078","created_at":"2024-08-01T00:36:43","updated_at":"2024-08-01T00:36:43"},"products_required_display":"Tenable Vulnerability Management","products_required_search_filter":"Tenable Vulnerability Management"},"sort":["2024 Q2"]},{"_index":"1675877780426_attack_path_technique","_type":"_doc","_id":"T1078.004_Azure","_score":null,"_source":{"analysis_formula":{"conditions":"","mitigation":"","pseudo_logic":"Azure GraphObject has relationship of FULL_CONTROL/RESET to GraphObject"},"attack_family":[{"name":"Defense Evasion","url":"https://attack.mitre.org/tactics/TA0005"},{"name":"Persistence","url":"https://attack.mitre.org/tactics/TA0003"},{"name":"Privilege Escalation","url":"https://attack.mitre.org/tactics/TA0004"},{"name":"Initial Access","url":"https://attack.mitre.org/tactics/TA0001"}],"attack_framework":"MITRE ATT\u0026CK","attack_id":"T1078.004_Azure","attack_name":"Valid Accounts: Cloud Accounts","attack_notes":"","attack_platform":"Entra ID","attack_subtechnique":{"name":"Cloud Accounts","url":"https://attack.mitre.org/techniques/T1078/004/"},"attack_technique":{"name":"Valid Accounts","url":"https://attack.mitre.org/techniques/T1078"},"attack_testing":"","attack_version":"1.0","collection_mechanism":[{"access_rights":"Standard Azure AD User","collection_frequency":"DAILY","data_required":"List of cloud Users, Groups, roles and etc.. 
+ there permission","data_source":"Entra ID","notes":"","product_dependencies":"","protocol":"API","tenable_product":"Tenable Identity Exposure"}],"data_collection_frequency":"DAILY","dev_status":{"horizon":"","notes":"","stage":"","team":"","tickets":""},"false_negatives":{"likelihood":"LOW","notes":"","scenarios":"None"},"false_positives":{"likelihood":"LOW","notes":"","scenarios":"None"},"future_work":"","graph":{"end_node":"GraphObject","start_node":"GraphObject"},"internal_notes":"[{'provider_code':'IE', 'provider_detection_id':None, 'detection_code':None, 'reason_id':None, 'reason_code_name':None}]","introduction":"Adversaries may obtain and abuse credentials of a cloud account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of resources within a cloud service provider or SaaS application. In some cases, cloud accounts may be federated with traditional identity management system, such as Window Active Directory.","references":[],"release_notes":"","research_status":{"horizon":"2022 Q2","notes":"","stage":"DONE","team":"Research","tickets":"N/A (June Release)\u0026nbsp;"},"tenable_products_required":[["Tenable Identity Exposure"]],"tenable_release_date":"2024 Q2","tvdb_export_source":{"file_name":"diff-202407090010.tar.gz","file_path":"exports/tenable_attack_path/v1","data_file_name":"T1078","created_at":"2024-07-09T00:21:42","updated_at":"2024-07-09T00:21:42"},"products_required_display":"Tenable Identity Exposure","products_required_search_filter":"Tenable Identity Exposure"},"sort":["2024 Q2"]},{"_index":"1675877780426_attack_path_technique","_type":"_doc","_id":"T1087.004_Azure","_score":null,"_source":{"analysis_formula":{"conditions":"","evidence":"The tenant manage the user","mitigation":"","pseudo_logic":"User has relationship of MANAGE to 
Tenant"},"attack_family":[{"name":"Discovery","url":"https://attack.mitre.org/tactics/TA0007"}],"attack_framework":"MITRE ATT\u0026CK","attack_id":"T1087.004_Azure","attack_name":"Account Discovery:Cloud Account(Azure)","attack_notes":"","attack_platform":"Entra ID","attack_subtechnique":{"name":"Cloud Account","url":"https://attack.mitre.org/techniques/T1087/004"},"attack_technique":{"name":"Account Discovery","url":"https://attack.mitre.org/techniques/T1087"},"attack_testing":"","attack_version":"1.0","collection_mechanism":[{"access_rights":"Read-only","collection_frequency":"DAILY","data_required":"Azure Users","data_source":"Entra ID","notes":"","product_dependencies":"","protocol":"HTTPS","tenable_product":"Tenable Identity Exposure"}],"data_collection_frequency":"DAILY","dev_status":{"horizon":"","notes":"","stage":"","team":"","tickets":""},"false_negatives":{"likelihood":"","notes":"","scenarios":""},"false_positives":{"likelihood":"","notes":"","scenarios":""},"future_work":"Completed","graph":{"end_node":"User","start_node":"Tenant"},"internal_notes":"[{'provider_code':'IE', 'provider_detection_id':None, 'detection_code':None, 'reason_id':None, 'reason_code_name':None}]","introduction":"Adversaries may attempt to get a listing of cloud accounts. 
Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of resources within a cloud service provider or SaaS application.","references":[],"release_notes":"","research_status":{"horizon":"2022 Q4","notes":"","stage":"DONE","team":"Research","tickets":""},"tenable_products_required":[["Tenable Identity Exposure"]],"tenable_release_date":"2024 Q2","tvdb_export_source":{"file_name":"diff-202407090010.tar.gz","file_path":"exports/tenable_attack_path/v1","data_file_name":"T1087","created_at":"2024-07-09T00:21:42","updated_at":"2024-07-09T00:21:42"},"products_required_display":"Tenable Identity Exposure","products_required_search_filter":"Tenable Identity Exposure"},"sort":["2024 Q2"]},{"_index":"1675877780426_attack_path_technique","_type":"_doc","_id":"T1606.002_Azure","_score":null,"_source":{"analysis_formula":{"conditions":"","evidence":"ADFS is enable on the Tenant","mitigation":"","pseudo_logic":""},"attack_family":[{"name":"Credential Access","url":"https://attack.mitre.org/tactics/TA0006/"}],"attack_framework":"MITRE ATT\u0026CK","attack_id":"T1606.002_Azure","attack_name":"Forge Web Credentials:SAML Tokens(Azure)","attack_notes":"","attack_platform":"Entra ID","attack_subtechnique":{"name":"SAML Tokens","url":"https://attack.mitre.org/techniques/T1606/002"},"attack_technique":{"name":"Forge Web Credentials","url":"https://attack.mitre.org/techniques/T1606"},"attack_testing":"","attack_version":"1.0","collection_mechanism":[{"access_rights":"Authenticated Scan","collection_frequency":"SCHEDULED","data_required":"Windows Services","data_source":"Windows machines","notes":"Plugin ID: 44401","product_dependencies":"Advanced Network Scan","protocol":"SMB","tenable_product":"Tenable Vulnerability 
Management"}],"data_collection_frequency":"DAILY","dev_status":{"horizon":"","notes":"","stage":"","team":"","tickets":""},"false_negatives":{"likelihood":"","notes":"","scenarios":""},"false_positives":{"likelihood":"","notes":"","scenarios":""},"future_work":"Completed","graph":{"end_node":"Tenant","start_node":"SAML Token"},"internal_notes":"[{'provider_code':'NESSUS', 'provider_detection_id':44401, 'detection_code':'Microsoft Windows SMB Service Config Enumeration', 'reason_id':None, 'reason_code_name':None}]","introduction":"An adversary may forge SAML tokens with any permissions claims and lifetimes if they possess a valid SAML token-signing certificate.(Citation: Microsoft SolarWinds Steps) The default lifetime of a SAML token is one hour, but the validity period can be specified in the \u003ccode\u003eNotOnOrAfter\u003c/code\u003e value of the \u003ccode\u003econditions ...\u003c/code\u003e element in a token. This value can be changed using the \u003ccode\u003eAccessTokenLifetime\u003c/code\u003e in a \u003ccode\u003eLifetimeTokenPolicy\u003c/code\u003e.(Citation: Microsoft SAML Token Lifetimes) Forged SAML tokens enable adversaries to authenticate across services that use SAML 2.0 as an SSO (single sign-on) mechanism.(Citation: Cyberark Golden SAML)","references":[{"name":"Microsoft Windows SMB Service Config Enumeration","type":"hyperlink","url":"https://www.tenable.com/plugins/nessus/44401"}],"release_notes":"","research_status":{"horizon":"2022 Q4","notes":"","stage":"DONE","team":"Research","tickets":""},"tenable_products_required":[["Tenable Vulnerability Management"]],"tenable_release_date":"2024 Q2","tvdb_export_source":{"file_name":"diff-202407150010.tar.gz","file_path":"exports/tenable_attack_path/v1","data_file_name":"T1606","created_at":"2024-07-15T00:21:42","updated_at":"2024-07-15T00:21:42"},"products_required_display":"Tenable Vulnerability Management","products_required_search_filter":"Tenable Vulnerability Management"},"sort":["2024 
Q2"]},{"_index":"1675877780426_attack_path_technique","_type":"_doc","_id":"T0820_ICS","_score":null,"_source":{"analysis_formula":{"conditions":"","mitigation":"","pseudo_logic":"Find vulnerable ot devices, where the relevant plugin can be classified into this vulnerability type"},"attack_family":[{"name":"Evasion","url":"https://attack.mitre.org/tactics/TA0103/"}],"attack_framework":"MITRE ATT\u0026CK","attack_id":"T0820_ICS","attack_name":"Exploitation for Evasion","attack_notes":"","attack_platform":"OT","attack_subtechnique":{"name":"Exploitation for Evasion","url":"https://attack.mitre.org/techniques/T0820/"},"attack_technique":{"name":"Exploitation for Evasion","url":"https://attack.mitre.org/techniques/T0820/"},"attack_testing":"","attack_version":"1.1","collection_mechanism":[{"access_rights":"","collection_frequency":"DAILY","data_required":"Active vulnerabilities detected by Tenable Vulnerability Management plugins","data_source":"Computer","notes":"","product_dependencies":"","protocol":"","tenable_product":"Tenable Vulnerability Management"},{"access_rights":"","collection_frequency":"DAILY","data_required":"Active vulnerabilities detected by detected by Tenable OT Security plugins","data_source":"OT Device","notes":"","product_dependencies":"","protocol":"","tenable_product":"Tenable OT Security"}],"data_collection_frequency":"DAILY","dev_status":{"horizon":"","notes":"","stage":"","team":"","tickets":""},"false_negatives":{"likelihood":"MEDIUM","notes":"","scenarios":"Plugins that are not being categorized in APA"},"false_positives":{"likelihood":"LOW","notes":"","scenarios":"Invalid plugin hit"},"future_work":"","graph":{"end_node":"","start_node":"Ot"},"internal_notes":"[{'provider_code':'NESSUS', 'provider_detection_id':'CVE', 'detection_code':None, 'reason_id':None, 'reason_code_name':None}, {'provider_code':'OT', 'provider_detection_id':'CVE', 'detection_code':None, 'reason_id':None, 'reason_code_name':None}]","introduction":"Adversaries may 
exploit a software vulnerability to take advantage of a programming error in a program, service, or within the operating system software or kernel itself to evade detection. Vulnerabilities may exist in software that can be used to disable or circumvent security features.","references":[],"release_notes":"","research_status":{"horizon":"2024 Q2","notes":"","stage":"DONE","team":"Research","tickets":"https://tenable.atlassian.net/browse/RESC-383"},"tenable_products_required":[["Tenable Vulnerability Management","Tenable OT Security"]],"tenable_release_date":"2024 Q2","tvdb_export_source":{"file_name":"diff-202407220010.tar.gz","file_path":"exports/tenable_attack_path/v1","data_file_name":"T0820_ICS","created_at":"2024-07-22T00:21:43","updated_at":"2024-07-22T00:21:43"},"products_required_display":"Tenable Vulnerability Management and Tenable OT Security","products_required_search_filter":"Tenable Vulnerability Management OR Tenable OT Security"},"sort":["2024 Q2"]},{"_index":"1675877780426_attack_path_technique","_type":"_doc","_id":"T1078.001_ICS","_score":null,"_source":{"analysis_formula":{"conditions":"","mitigation":"","pseudo_logic":"Find vulnerable ot devices, where the relevant plugin can be classified into this vulnerability type"},"attack_family":[{"name":"Defense Evasion","url":"https://attack.mitre.org/tactics/TA0005"},{"name":"Persistence","url":"https://attack.mitre.org/tactics/TA0003"},{"name":"Privilege Escalation","url":"https://attack.mitre.org/tactics/TA0004"},{"name":"Initial Access","url":"https://attack.mitre.org/tactics/TA0001"}],"attack_framework":"MITRE ATT\u0026CK","attack_id":"T1078.001_ICS","attack_name":"Valid Accounts: Default Accounts","attack_notes":"","attack_platform":"Azure AD, Containers, Google Workspace, IaaS, Linux, Office 365, SaaS, Windows, macOS","attack_subtechnique":{"name":"Default Accounts","url":"https://attack.mitre.org/techniques/T1078/001/"},"attack_technique":{"name":"Valid 
Accounts","url":"https://attack.mitre.org/techniques/T1078/"},"attack_testing":"","attack_version":"1.2","collection_mechanism":[{"access_rights":"","collection_frequency":"DAILY","data_required":"Active vulnerabilities detected by Tenable Vulnerability Management plugins","data_source":"Computer","notes":"","product_dependencies":"","protocol":"","tenable_product":"Tenable Vulnerability Management"}],"data_collection_frequency":"DAILY","dev_status":{"horizon":"","notes":"","stage":"","team":"","tickets":""},"false_negatives":{"likelihood":"MEDIUM","notes":"","scenarios":"Plugins that are not being categorized in APA"},"false_positives":{"likelihood":"LOW","notes":"","scenarios":"Invalid plugin hit"},"future_work":"","graph":{"end_node":"","start_node":"Computer"},"internal_notes":"[{'provider_code':'NESSUS', 'provider_detection_id':'CVE', 'detection_code':None, 'reason_id':None, 'reason_code_name':None}]","introduction":"Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Default accounts are those that are built-into an OS, such as the Guest or Administrator accounts on Windows systems. 
Default accounts also include default factory/provider set accounts on other types of systems, software, or devices, including the root user account in AWS and the default service account in Kubernetes.","references":[],"release_notes":"","research_status":{"horizon":"2024 Q2","notes":"","stage":"DONE","team":"Research","tickets":"https://tenable.atlassian.net/browse/RESC-388"},"tenable_products_required":[["Tenable Vulnerability Management"]],"tenable_release_date":"2024 Q2","tvdb_export_source":{"file_name":"diff-202408270030.tar.gz","file_path":"exports/tenable_attack_path/v1","data_file_name":"T1078","created_at":"2024-08-27T00:36:42","updated_at":"2024-08-27T00:36:42"},"products_required_display":"Tenable Vulnerability Management","products_required_search_filter":"Tenable Vulnerability Management"},"sort":["2024 Q2"]},{"_index":"1675877780426_attack_path_technique","_type":"_doc","_id":"T1133_Azure","_score":null,"_source":{"analysis_formula":{"conditions":"\u003cli\u003e\u003cp\u003eInstance is vulnerable to \u003ccode\u003eRCE\u003c/code\u003e\u0026#160;vulnerability.\u003c/p\u003e\u003c/li\u003e","mitigation":"\u003cli\u003ePatch\u003c/li\u003e\u003cli\u003eDo not expose the instance to the internet.\u003c/li\u003e","pseudo_logic":"\u003cli\u003eFor each instance in the AWS account:\u003col\u003e\u003cli\u003e\u003cp\u003eIf an instance is exposed to the internet:\u0026#160;\u003c/p\u003e\u003col\u003e\u003cli\u003e\u003cp\u003eIf the computer is vulnerable to RCE:\u003c/p\u003e\u003col\u003e\u003cli\u003eComputer is vulnerable to Exploit Public-Facing Application.\u003c/li\u003e\u003c/ol\u003e\u003c/li\u003e\u003c/ol\u003e\u003c/li\u003e\u003c/ol\u003e\u003c/li\u003e"},"attack_family":[{"name":"Initial Access","url":"https://attack.mitre.org/tactics/TA0001"},{"name":"Persistence","url":"https://attack.mitre.org/tactics/TA0003"}],"attack_framework":"MITRE ATT\u0026CK","attack_id":"T1133_Azure","attack_name":"Exploit Public-Facing Application 
(Azure)","attack_notes":"","attack_platform":"Entra ID","attack_subtechnique":{"name":"","url":""},"attack_technique":{"name":"Exploit Public-Facing Application","url":"https://attack.mitre.org/techniques/T1133/"},"attack_testing":"Manual Test:\u0026#10;\u003cli\u003eSet up an unpatched machine that is exposed to the internet.\u003c/li\u003e\u0026#10;Automatic Test:\u0026#10;fix me","attack_version":"1.0","collection_mechanism":[{"access_rights":"Read-only","collection_frequency":"DAILY","data_required":"Vulnerabilities","data_source":"Cloud instance","notes":"","product_dependencies":"","protocol":"Any","tenable_product":"Tenable Vulnerability Management"},{"access_rights":"Read-only","collection_frequency":"DAILY","data_required":"Internet Expose","data_source":"Cloud instance","notes":"","product_dependencies":"","protocol":"Any","tenable_product":"Tenable Cloud Security"}],"data_collection_frequency":"DAILY","dev_status":{"horizon":"2024 Q1","notes":"","stage":"DONE","team":"APA Engineering","tickets":"\u003ca href=\"https://cymptomltd.atlassian.net/browse/CYMN-4494?atlOrigin=eyJpIjoiYjYxYTRmMTc3ODZiNDhkMGJjMThhYzc4YmFjMDAwZjciLCJwIjoiamlyYS1zbGFjay1pbnQifQ\" class=\"external-link\" rel=\"nofollow\"\u003ehttps://cymptomltd.atlassian.net/browse/CYMN-4494?atlOrigin=eyJpIjoiYjYxYTRmMTc3ODZiNDhkMGJjMThhYzc4YmFjMDAwZjciLCJwIjoiamlyYS1zbGFjay1pbnQifQ\u003c/a\u003e"},"false_negatives":{"likelihood":"LOW","notes":"","scenarios":"fix me"},"false_positives":{"likelihood":"LOW","notes":"","scenarios":"fix me"},"future_work":"fix me","graph":{"end_node":"Computer","start_node":"Internet"},"internal_notes":"[{'provider_code':'CS', 'provider_detection_id':None, 'detection_code':None, 'reason_id':None, 'reason_code_name':None}, {'provider_code':'NESSUS', 'provider_detection_id':'CVE', 'detection_code':None, 'reason_id':None, 'reason_code_name':None}]","introduction":"Adversaries may leverage external-facing remote services to initially access and/or persist within a network. 
Remote services such as VPNs, Citrix, and other access mechanisms allow users to connect to internal enterprise network resources from external locations. There are often remote service gateways that manage connections and credential authentication for these services. Services such as Windows Remote Management and VNC can also be used externally.","references":[],"release_notes":"","research_status":{"horizon":"2023 Q3","notes":"","stage":"DONE","team":"Research","tickets":"\u003ca href=\"https://cymptomltd.atlassian.net/browse/CYMN-4494?atlOrigin=eyJpIjoiYjYxYTRmMTc3ODZiNDhkMGJjMThhYzc4YmFjMDAwZjciLCJwIjoiamlyYS1zbGFjay1pbnQifQ\" class=\"external-link\" rel=\"nofollow\"\u003ehttps://cymptomltd.atlassian.net/browse/CYMN-4494?atlOrigin=eyJpIjoiYjYxYTRmMTc3ODZiNDhkMGJjMThhYzc4YmFjMDAwZjciLCJwIjoiamlyYS1zbGFjay1pbnQifQ\u003c/a\u003e"},"tenable_products_required":[["Tenable Vulnerability Management","Tenable Cloud Security"]],"tenable_release_date":"2024 Q1","tvdb_export_source":{"file_name":"diff-202407090010.tar.gz","file_path":"exports/tenable_attack_path/v1","data_file_name":"T1133_Azure","created_at":"2024-07-09T00:21:42","updated_at":"2024-07-09T00:21:42"},"products_required_display":"Tenable Vulnerability Management and Tenable Cloud Security","products_required_search_filter":"Tenable Vulnerability Management OR Tenable Cloud Security"},"sort":["2024 Q1"]},{"_index":"1675877780426_attack_path_technique","_type":"_doc","_id":"T1592.002_PRE","_score":null,"_source":{"analysis_formula":{"conditions":"","evidence":"The computer is listening on this port, as observed from the internet.","mitigation":"\u003cspan\u003eNone\u003c/span\u003e","pseudo_logic":"Add a relationship from the Internet node to the computer, named after the open port that was found."},"attack_family":[{"name":"Reconnaissance","url":"https://attack.mitre.org/tactics/TA0043"}],"attack_framework":"MITRE ATT\u0026CK","attack_id":"T1592.002_PRE","attack_name":"Gather Victim Host Information: 
Software","attack_notes":"","attack_platform":"PRE","attack_subtechnique":{"name":"Software","url":"https://attack.mitre.org/techniques/T1592/002/"},"attack_technique":{"name":"Gather Victim Host Information","url":"https://attack.mitre.org/techniques/T1592"},"attack_testing":"","attack_version":"1.0","collection_mechanism":[{"access_rights":"None","collection_frequency":"DAILY","data_required":"Software and Services","data_source":"Internet","notes":"","product_dependencies":"","protocol":"HTTP, DNS","tenable_product":"Tenable Attack Surface Management"}],"data_collection_frequency":"DAILY","dev_status":{"horizon":"","notes":"","stage":"","team":"","tickets":""},"false_negatives":{"likelihood":"LOW","notes":"","scenarios":"None"},"false_positives":{"likelihood":"LOW","notes":"","scenarios":"None"},"future_work":"","graph":{"end_node":"Computer","start_node":"Software"},"internal_notes":"[{'provider_code':'ASM', 'provider_detection_id':None, 'detection_code':None, 'reason_id':None, 'reason_code_name':None}]","introduction":"Adversaries may gather information about the victim's host software that can be used during targeting. 
Information about installed software may include a variety of details such as types and versions on specific hosts, as well as the presence of additional components that might be indicative of added defensive protections (ex: antivirus, SIEMs, etc.).","references":[],"release_notes":"","research_status":{"horizon":"2024 Q1","notes":"","stage":"DONE","team":"Research","tickets":""},"tenable_products_required":[["Tenable Attack Surface Management"]],"tenable_release_date":"2024 Q1","tvdb_export_source":{"file_name":"diff-202405270010.tar.gz","file_path":"exports/tenable_attack_path/v1","data_file_name":"T1592","created_at":"2024-05-27T00:21:17","updated_at":"2024-05-27T00:21:17"},"products_required_display":"Tenable Attack Surface Management","products_required_search_filter":"Tenable Attack Surface Management"},"sort":["2024 Q1"]},{"_index":"1675877780426_attack_path_technique","_type":"_doc","_id":"T1059.004_Linux","_score":null,"_source":{"analysis_formula":{"conditions":"","mitigation":"","pseudo_logic":"If any enumerated user account on the scanned computer has /bin/bash as its login shell, add a Unix Shell glyph to that computer."},"attack_family":[{"name":"Execution","url":"https://attack.mitre.org/tactics/TA0002"}],"attack_framework":"MITRE ATT\u0026CK","attack_id":"T1059.004_Linux","attack_name":"Command and Scripting Interpreter: Unix Shell","attack_notes":"","attack_platform":"Linux","attack_subtechnique":{"name":"Unix Shell","url":"https://attack.mitre.org/techniques/T1059/004/"},"attack_technique":{"name":"Command and Scripting Interpreter","url":"https://attack.mitre.org/techniques/T1059"},"attack_testing":"","attack_version":"1.0","collection_mechanism":[{"access_rights":"SSH Scan","collection_frequency":"HOURLY","data_required":"User List Enumeration","data_source":"Linux machines","notes":"Plugin ID: 95928","product_dependencies":"Advanced Network Scan","protocol":"SSH","tenable_product":"Tenable Vulnerability 
Management"}],"data_collection_frequency":"HOURLY","dev_status":{"horizon":"2023 Q2","notes":"","stage":"DONE","team":"APA Engineering","tickets":"N/A (June Release)\u0026nbsp;"},"false_negatives":{"likelihood":"MEDIUM","notes":"","scenarios":"Accounts whose login shell is a Unix shell other than /bin/bash (for example sh or zsh) are not detected, because only /bin/bash is checked."},"false_positives":{"likelihood":"MEDIUM","notes":"","scenarios":"None"},"future_work":"None","graph":{"end_node":"Computer","start_node":"Computer"},"internal_notes":"[{'provider_code':'NESSUS', 'provider_detection_id':95928, 'detection_code':'Linux User List Enumeration', 'reason_id':None, 'reason_code_name':None}]","introduction":"Adversaries may abuse Unix shell commands and scripts for execution. Unix shells are the primary command prompt on Linux and macOS systems, though many variations of the Unix shell exist (e.g. sh, bash, zsh, etc.) depending on the specific OS or distribution.[1][2] Unix shells can control every aspect of a system, with certain commands requiring elevated privileges.","references":[{"name":"Linux User List Enumeration","type":"hyperlink","url":"https://www.tenable.com/plugins/nessus/95928"}],"release_notes":"","research_status":{"horizon":"2023 Q3","notes":"","stage":"DONE","team":"Research","tickets":"N/A (June Release)\u0026nbsp;"},"tenable_products_required":[["Tenable Vulnerability Management"]],"tenable_release_date":"2024 Q1","tvdb_export_source":{"file_name":"diff-202404241020.tar.gz","file_path":"exports/tenable_attack_path/v1","data_file_name":"T1059","created_at":"2024-04-24T10:21:18","updated_at":"2024-04-24T10:21:18"},"products_required_display":"Tenable Vulnerability Management","products_required_search_filter":"Tenable Vulnerability Management"},"sort":["2024 Q1"]},{"_index":"1675877780426_attack_path_technique","_type":"_doc","_id":"T1190_Aws","_score":null,"_source":{"analysis_formula":{"conditions":"\u003cli\u003e\u003cp\u003eInstance is vulnerable to 
\u003ccode\u003eRCE\u003c/code\u003e\u0026#160;vulnerability.\u003c/p\u003e\u003c/li\u003e","mitigation":"\u003cli\u003ePatch\u003c/li\u003e\u003cli\u003eDo not expose the instance to the internet.\u003c/li\u003e","pseudo_logic":"\u003cli\u003eFor each instance in the AWS account:\u003col\u003e\u003cli\u003e\u003cp\u003eIf an instance is exposed to the internet:\u0026#160;\u003c/p\u003e\u003col\u003e\u003cli\u003e\u003cp\u003eIf the computer is vulnerable to RCE:\u003c/p\u003e\u003col\u003e\u003cli\u003eComputer is vulnerable to Exploit Public-Facing Application.\u003c/li\u003e\u003c/ol\u003e\u003c/li\u003e\u003c/ol\u003e\u003c/li\u003e\u003c/ol\u003e\u003c/li\u003e"},"attack_family":[{"name":"Initial Access","url":"https://attack.mitre.org/tactics/TA0001"},{"name":"Persistence","url":"https://attack.mitre.org/tactics/TA0003"}],"attack_framework":"MITRE ATT\u0026CK","attack_id":"T1190_Aws","attack_name":"Exploit Public-Facing Application (Aws)","attack_notes":"","attack_platform":"Aws","attack_subtechnique":{"name":"","url":""},"attack_technique":{"name":"Exploit Public-Facing Application","url":"https://attack.mitre.org/techniques/T1190/"},"attack_testing":"Manual Test:\u0026#10;\u003cli\u003eSet up an unpatched machine that is exposed to the internet.\u003c/li\u003e\u0026#10;Automatic Test:\u0026#10;fix me","attack_version":"1.0","collection_mechanism":[{"access_rights":"Read-only","collection_frequency":"DAILY","data_required":"Vulnerabilities","data_source":"Cloud instance","notes":"","product_dependencies":"","protocol":"Any","tenable_product":"Tenable Vulnerability Management"},{"access_rights":"Read-only","collection_frequency":"DAILY","data_required":"Internet Exposure","data_source":"Cloud instance","notes":"","product_dependencies":"","protocol":"Any","tenable_product":"Tenable Cloud Security"}],"data_collection_frequency":"DAILY","dev_status":{"horizon":"2024 Q1","notes":"","stage":"DONE","team":"APA Engineering","tickets":"\u003ca 
href=\"https://cymptomltd.atlassian.net/browse/CYMN-4494?atlOrigin=eyJpIjoiYjYxYTRmMTc3ODZiNDhkMGJjMThhYzc4YmFjMDAwZjciLCJwIjoiamlyYS1zbGFjay1pbnQifQ\" class=\"external-link\" rel=\"nofollow\"\u003ehttps://cymptomltd.atlassian.net/browse/CYMN-4494?atlOrigin=eyJpIjoiYjYxYTRmMTc3ODZiNDhkMGJjMThhYzc4YmFjMDAwZjciLCJwIjoiamlyYS1zbGFjay1pbnQifQ\u003c/a\u003e"},"false_negatives":{"likelihood":"LOW","notes":"","scenarios":"fix me"},"false_positives":{"likelihood":"LOW","notes":"","scenarios":"fix me"},"future_work":"fix me","graph":{"end_node":"Computer","start_node":"Internet"},"internal_notes":"[{'provider_code':'CS', 'provider_detection_id':None, 'detection_code':None, 'reason_id':None, 'reason_code_name':None}, {'provider_code':'NESSUS', 'provider_detection_id':'CVE', 'detection_code':None, 'reason_id':None, 'reason_code_name':None}, {'provider_code':'WAS', 'provider_detection_id':'CWE', 'detection_code':None, 'reason_id':None, 'reason_code_name':None}]","introduction":"Adversaries may leverage external-facing remote services to initially access and/or persist within a network. Remote services such as VPNs, Citrix, and other access mechanisms allow users to connect to internal enterprise network resources from external locations. There are often remote service gateways that manage connections and credential authentication for these services. 
Services such as Windows Remote Management and VNC can also be used externally.","references":[],"release_notes":"","research_status":{"horizon":"2023 Q3","notes":"","stage":"DONE","team":"Research","tickets":"\u003ca href=\"https://cymptomltd.atlassian.net/browse/CYMN-4494?atlOrigin=eyJpIjoiYjYxYTRmMTc3ODZiNDhkMGJjMThhYzc4YmFjMDAwZjciLCJwIjoiamlyYS1zbGFjay1pbnQifQ\" class=\"external-link\" rel=\"nofollow\"\u003ehttps://cymptomltd.atlassian.net/browse/CYMN-4494?atlOrigin=eyJpIjoiYjYxYTRmMTc3ODZiNDhkMGJjMThhYzc4YmFjMDAwZjciLCJwIjoiamlyYS1zbGFjay1pbnQifQ\u003c/a\u003e"},"tenable_products_required":[["Tenable Vulnerability Management","Tenable Cloud Security"]],"tenable_release_date":"2024 Q1","tvdb_export_source":{"file_name":"diff-202408270030.tar.gz","file_path":"exports/tenable_attack_path/v1","data_file_name":"T1190_Aws","created_at":"2024-08-27T00:36:42","updated_at":"2024-08-27T00:36:42"},"products_required_display":"Tenable Vulnerability Management and Tenable Cloud Security","products_required_search_filter":"Tenable Vulnerability Management OR Tenable Cloud Security"},"sort":["2024 Q1"]},{"_index":"1675877780426_attack_path_technique","_type":"_doc","_id":"T1218.007_Windows","_score":null,"_source":{"analysis_formula":{"conditions":"","mitigation":"Disable the AlwaysInstallElevated policy in both the HKLM and HKCU Windows Installer policy keys.","pseudo_logic":"If the AlwaysInstallElevated policy status reported by the plugin is enabled, the technique applies to the computer."},"attack_family":[{"name":"Defense Evasion","url":"https://attack.mitre.org/tactics/TA0005"}],"attack_framework":"MITRE ATT\u0026CK","attack_id":"T1218.007_Windows","attack_name":"System Binary Proxy Execution: Msiexec","attack_notes":"","attack_platform":"Windows","attack_subtechnique":{"name":"Msiexec","url":"https://attack.mitre.org/techniques/T1218/007/"},"attack_technique":{"name":"System Binary Proxy Execution","url":"https://attack.mitre.org/techniques/T1218"},"attack_testing":"","attack_version":"1.0","collection_mechanism":[{"access_rights":"Authenticated 
Scan","collection_frequency":"DAILY","data_required":"AlwaysInstallElevated policy Status","data_source":"Windows machines","notes":"Plugin ID: 162174","product_dependencies":"Advanced Network Scan","protocol":"SMB","tenable_product":"Tenable Vulnerability Management"}],"data_collection_frequency":"DAILY","dev_status":{"horizon":"2024 Q1","notes":"","stage":"DONE","team":"APA Engineering","tickets":"N/A (June Release)\u0026nbsp;"},"false_negatives":{"likelihood":"LOW","notes":"","scenarios":"None"},"false_positives":{"likelihood":"LOW","notes":"","scenarios":"None"},"future_work":"Completed","graph":{"end_node":"Computer","start_node":"Computer"},"internal_notes":"[{'provider_code':'NESSUS', 'provider_detection_id':162174, 'detection_code':'Windows Always Installed Elevated Status', 'reason_id':None, 'reason_code_name':None}]","introduction":"Adversaries may abuse msiexec.exe to proxy execution of malicious payloads. Msiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi).[1] The Msiexec.exe binary may also be digitally signed by Microsoft.\n\nAdversaries may abuse msiexec.exe to launch local or network accessible MSI files. Msiexec.exe can also execute DLLs.[2][3] Since it may be signed and native on Windows systems, msiexec.exe can be used to bypass application control solutions that do not account for its potential abuse. 
Msiexec.exe execution may also be elevated to SYSTEM privileges if the AlwaysInstallElevated policy is enabled.","references":[{"name":"Windows Always Installed Elevated Status","type":"hyperlink","url":"https://www.tenable.com/plugins/nessus/162174"}],"release_notes":"","research_status":{"horizon":"2024 Q1","notes":"","stage":"DONE","team":"Research","tickets":"N/A (June Release)\u0026nbsp;"},"tenable_products_required":[["Tenable Vulnerability Management"]],"tenable_release_date":"2024 Q1","tvdb_export_source":{"file_name":"diff-202404241020.tar.gz","file_path":"exports/tenable_attack_path/v1","data_file_name":"T1218","created_at":"2024-04-24T10:21:18","updated_at":"2024-04-24T10:21:18"},"products_required_display":"Tenable Vulnerability Management","products_required_search_filter":"Tenable Vulnerability Management"},"sort":["2024 Q1"]},{"_index":"1675877780426_attack_path_technique","_type":"_doc","_id":"T1219_Windows","_score":null,"_source":{"analysis_formula":{"conditions":"\u003cli\u003eUser is a member of Domain Group\u003c/li\u003e","mitigation":"\u003cspan\u003eNone\u003c/span\u003e","pseudo_logic":"\u003cli\u003eFor each \u003ccode\u003eActive Directory\u003c/code\u003e in \u003ccode\u003eForest\u003c/code\u003e\u003col\u003e\u003cli\u003eFor each \u003ccode\u003eGroup\u003c/code\u003e in \u003ccode\u003eActive Directory\u003c/code\u003e\u003col\u003e\u003cli\u003eCreate membership relationship of domain Object to \u003ccode\u003eGroup\u003c/code\u003e based on \u003ccode\u003emember\u003c/code\u003e attribute\u003c/li\u003e\u003c/ol\u003e\u003c/li\u003e\u003cli\u003e\u003cp\u003eFor each User in\u0026nbsp;Active Directory\u003c/p\u003e\u003col\u003e\u003cli\u003e\u003cp\u003eRecursively identify (nested) Group memberships:\\\u003c/p\u003e\u003col\u003e\u003cli\u003e\u003cp\u003e\u003ccode style=\"letter-spacing: 0.0px;\"\u003eIf Group\u003c/code\u003e\u003cspan\u003e\u003cspan style=\"letter-spacing: 0.0px;\"\u003e\u0026nbsp;is a member of local 
Computer group OR has a\u0026nbsp;\u003c/span\u003e\u003c/span\u003epermission\u003cspan\u003e\u003cspan style=\"letter-spacing: 0.0px;\"\u003e\u0026nbsp;on \u003c/span\u003e\u003c/span\u003e\u003ccode style=\"letter-spacing: 0.0px;\"\u003eDomainObject:\u003c/code\u003e\u003c/p\u003e\u003col\u003e\u003cli\u003e\u003ccode\u003eDomain\u0026nbsp;\u003c/code\u003e\u003cspan\u003eUser is vulnerable to\u0026nbsp;Domain Groups technique to \u003ccode\u003eDomain Group\u003c/code\u003e\u003c/span\u003e\u003c/li\u003e\u003c/ol\u003e\u003c/li\u003e\u003c/ol\u003e\u003c/li\u003e\u003c/ol\u003e\u003c/li\u003e\u003c/ol\u003e\u003c/li\u003e"},"attack_family":[{"name":"Command and Control","url":"https://attack.mitre.org/tactics/TA0011"}],"attack_framework":"MITRE ATT\u0026CK","attack_id":"T1219_Windows","attack_name":"Remote Access Software","attack_notes":"","attack_platform":"Windows","attack_subtechnique":{"name":"Remote Access Software","url":"https://attack.mitre.org/techniques/T1219/"},"attack_technique":{"name":"Remote Access Software","url":"https://attack.mitre.org/techniques/T1219/"},"attack_testing":"Manual Test:\n\u003cli\u003eCreate a new group in the Domain\u003c/li\u003e\u003cli\u003eCreate a new User in the Domain\u003c/li\u003e\u003cli\u003eAdd the user to the group\u003c/li\u003e\nAutomatic Test:\nCopy and paste the following code in PowerShell:\u003cdiv class=\"codeContent panelContent pdl\"\u003e\u003cpre class=\"syntaxhighlighter-pre\" data-syntaxhighlighter-params=\"brush: powershell; gutter: false; theme: Confluence\" data-theme=\"Confluence\"\u003eNew-ADGroup -Name \"RODC Admins\" -SamAccountName RODCAdmins -GroupCategory Security -GroupScope Global -DisplayName \"RODC Administrators\" -Path \"CN=Users,DC=Fabrikam,DC=Com\" -Description \"Members of this group are RODC Administrators\"\u003c/pre\u003e\u003c/div\u003e","attack_version":"1.0","collection_mechanism":[{"access_rights":"Authenticated Scan","collection_frequency":"DAILY","data_required":"List of 
Software","data_source":"Windows machines","notes":"Plugin ID: 20811","product_dependencies":"Advanced Network Scan","protocol":"SMB","tenable_product":"Tenable Vulnerability Management"}],"data_collection_frequency":"DAILY","dev_status":{"horizon":"2024 Q1","notes":"","stage":"DONE","team":"APA Engineering","tickets":"N/A (June Release)\u0026nbsp;"},"false_negatives":{"likelihood":"LOW","notes":"","scenarios":"None"},"false_positives":{"likelihood":"LOW","notes":"","scenarios":"None"},"future_work":"Completed","graph":{"end_node":"Computer","start_node":"Software"},"internal_notes":"[{'provider_code':'NESSUS', 'provider_detection_id':20811, 'detection_code':'Microsoft Windows Installed Software Enumeration', 'reason_id':None, 'reason_code_name':None}]","introduction":"An adversary may use legitimate desktop support and remote access software to establish an interactive command and control channel to target systems within networks. These services, such as VNC, Team Viewer, AnyDesk, ScreenConnect, LogMein, AmmyyAdmin, and other remote monitoring and management (RMM) tools, are commonly used as legitimate technical support software and may be allowed by application control within a target environment","references":[{"name":"Microsoft Windows Installed Software Enumeration","type":"hyperlink","url":"https://www.tenable.com/plugins/nessus/20811"}],"release_notes":"","research_status":{"horizon":"2024 Q1","notes":"","stage":"DONE","team":"Research","tickets":"N/A (June Release)\u0026nbsp;"},"tenable_products_required":[["Tenable Vulnerability Management"]],"tenable_release_date":"2024 Q1","tvdb_export_source":{"file_name":"diff-202404241020.tar.gz","file_path":"exports/tenable_attack_path/v1","data_file_name":"T1219_Windows","created_at":"2024-04-24T10:21:18","updated_at":"2024-04-24T10:21:18"},"products_required_display":"Tenable Vulnerability Management","products_required_search_filter":"Tenable Vulnerability Management"},"sort":["2024 
Q1"]},{"_index":"1675877780426_attack_path_technique","_type":"_doc","_id":"T1003.008_Windows","_score":null,"_source":{"analysis_formula":{"conditions":"\u003cli\u003eDomain User or Group has the \u0026#34;\u003ccode\u003eReplicating Directory Changes\u003c/code\u003e\u0026#34; and \u0026#34;\u003cspan\u003e\u003ccode\u003eReplicating Directory Changes All\u003c/code\u003e\u0026#34;\u0026#160;\u003c/span\u003epermissions.\u003cspan\u003e\u0026#160;\u003c/span\u003e\u003c/li\u003e","mitigation":"\u003cli\u003eRemove\u0026nbsp;\u003cspan\u003e\"\u003c/span\u003e\u003ccode\u003eReplicating Directory Changes\u003c/code\u003e\u003cspan\u003e\" and\u0026nbsp;\"\u003c/span\u003e\u003cspan\u003e\u003ccode\u003eReplicating Directory Changes All\u003c/code\u003e\" for Active Directory domain object.\u003c/span\u003e\u003c/li\u003e","pseudo_logic":"\u003cli\u003e\u003col\u003e\u003cli\u003e\u003cp\u003eFor Active Directory in Forest:\u003c/p\u003e\u003col\u003e\u003cli\u003e\u003cp\u003eFor each \u003ccode\u003eDomain User\u003c/code\u003e\u0026#160;or Domain Group that has set the\u0026#160;\u003cspan\u003e\u0026#34;\u003c/span\u003e\u003ccode\u003eReplicating Directory Changes\u003c/code\u003e\u003cspan\u003e\u0026#34; and\u003cb\u003e\u003ci\u003e\u0026#160;\u003c/i\u003e\u003c/b\u003e\u0026#34;\u003c/span\u003e\u003cspan\u003e\u003ccode\u003eReplicating Directory Changes All\u003c/code\u003e\u0026#34;:\u003c/span\u003e\u003c/p\u003e\u003col\u003e\u003cli\u003e\u003cp\u003e\u003cspan\u003eActive\u0026#160;\u003c/span\u003e\u003cfont face=\"SFMono-Medium, SF Mono, Segoe UI Mono, Roboto Mono, Ubuntu Mono, Menlo, Courier, monospace\"\u003eDirectory is\u003c/font\u003e\u0026#160;vulnerable to \u003ccode\u003eDCSYNC\u003c/code\u003e originating from\u003ccode\u003e Domain User or Group.\u003c/code\u003e\u003c/p\u003e\u003c/li\u003e\u003c/ol\u003e\u003c/li\u003e\u003c/ol\u003e\u003c/li\u003e\u003c/ol\u003e\u003c/li\u003e"},"attack_family":[{"name":"Credential 
Access","url":"https://attack.mitre.org/tactics/TA0006"}],"attack_framework":"MITRE ATT\u0026CK","attack_id":"T1003.008_Windows","attack_name":"OS Credential Dumping: /etc/passwd and /etc/shadow","attack_notes":"","attack_platform":"Linux","attack_subtechnique":{"name":"/etc/passwd and /etc/shadow","url":"https://attack.mitre.org/techniques/T1003/008/"},"attack_technique":{"name":"OS Credential Dumping","url":"https://attack.mitre.org/techniques/T1003/"},"attack_testing":"Manual Test:\u0026#10;\u003cli\u003eCreate a new user in Active Directory.\u003c/li\u003e\u003cli\u003eAdd the permission 'Replicating Directory Changes' and 'Replicating Directory Changes All' to the user.\u003c/li\u003e\u0026#10;Automatic Test:\u0026#10;Copy and paste the following code in PowerShell:\u003cdiv class=\"codeContent panelContent pdl\"\u003e\u003cpre class=\"syntaxhighlighter-pre\"\u003e#Get all permissions in the domain, filtered to the two critical replication permissions represented by their GUIDs Import-Module ActiveDirectory cd 'AD:DC=TEST,DC=TEST' $AllReplACLs = (Get-AcL).Access | Where-Object {$_.ObjectType -eq '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' -or $_.ObjectType -eq '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'} #Filter this list to RIDs above 1000 which will exclude well-known Administrator groups foreach ($ACL in $AllReplACLs) { $user = New-Object System.Security.Principal.NTAccount($ACL.IdentityReference) $SID = $user.Translate([System.Security.Principal.SecurityIdentifier]) $RID = $SID.ToString().Split(\u0026#34;-\u0026#34;)[7] if([int]$RID -gt 1000) { Write-Host \u0026#34;Permission to Sync AD granted to:\u0026#34; $ACL.IdentityReference } }Run Mimikatz and execute this command Lsadump::dcsync /domain:[YOUR DOMAIN] /user:[ANY USER WHOS PASSWORD DETAILS YOU WANT]\u003c/pre\u003e\u003c/div\u003e","attack_version":"1.0","collection_mechanism":[{"access_rights":"Authenticated Scan","collection_frequency":"SCHEDULED","data_required":"Linux Users","data_source":"Linux 
machines","notes":"Plugin ID: 95928","product_dependencies":"Advanced Network Scan","protocol":"SSH","tenable_product":"Tenable Vulnerability Management"}],"data_collection_frequency":"DAILY","dev_status":{"horizon":"2022 Q2","notes":"","stage":"DONE","team":"APA Engineering","tickets":"N/A (June Release)\u0026nbsp;"},"false_negatives":{"likelihood":"LOW","notes":"","scenarios":"None"},"false_positives":{"likelihood":"LOW","notes":"","scenarios":"fix me"},"future_work":"Complete","graph":{"end_node":"User","start_node":"Computer"},"internal_notes":"[{'provider_code':'NESSUS', 'provider_detection_id':95928, 'detection_code':'Linux User List Enumeration', 'reason_id':None, 'reason_code_name':None}]","introduction":"Adversaries may attempt to dump the contents of /etc/passwd and /etc/shadow to enable offline password cracking. Most modern Linux operating systems use a combination of /etc/passwd and /etc/shadow to store user account information including password hashes in /etc/shadow. 
By default, /etc/shadow is only readable by the root user.","references":[{"name":"Linux User List Enumeration","type":"hyperlink","url":"https://www.tenable.com/plugins/nessus/95928"}],"release_notes":"","research_status":{"horizon":"2022 Q2","notes":"","stage":"DONE","team":"Research","tickets":"N/A (June Release)\u0026nbsp;"},"tenable_products_required":[["Tenable Vulnerability Management"]],"tenable_release_date":"2023 Q4","tvdb_export_source":{"file_name":"diff-202404241020.tar.gz","file_path":"exports/tenable_attack_path/v1","data_file_name":"T1003","created_at":"2024-04-24T10:21:18","updated_at":"2024-04-24T10:21:18"},"products_required_display":"Tenable Vulnerability Management","products_required_search_filter":"Tenable Vulnerability Management"},"sort":["2023 Q4"]},{"_index":"1675877780426_attack_path_technique","_type":"_doc","_id":"T1552.002_Windows","_score":null,"_source":{"analysis_formula":{"conditions":"\u003cli\u003eDomain User or Group has the \u0026#34;\u003ccode\u003eReplicating Directory Changes\u003c/code\u003e\u0026#34; and \u0026#34;\u003cspan\u003e\u003ccode\u003eReplicating Directory Changes All\u003c/code\u003e\u0026#34;\u0026#160;\u003c/span\u003epermissions.\u003cspan\u003e\u0026#160;\u003c/span\u003e\u003c/li\u003e","mitigation":"\u003cli\u003eRemove\u0026nbsp;\u003cspan\u003e\"\u003c/span\u003e\u003ccode\u003eReplicating Directory Changes\u003c/code\u003e\u003cspan\u003e\" and\u0026nbsp;\"\u003c/span\u003e\u003cspan\u003e\u003ccode\u003eReplicating Directory Changes All\u003c/code\u003e\" for Active Directory domain object.\u003c/span\u003e\u003c/li\u003e","pseudo_logic":"\u003cli\u003e\u003col\u003e\u003cli\u003e\u003cp\u003eFor Active Directory in Forest:\u003c/p\u003e\u003col\u003e\u003cli\u003e\u003cp\u003eFor each \u003ccode\u003eDomain User\u003c/code\u003e\u0026#160;or Domain Group that has set the\u0026#160;\u003cspan\u003e\u0026#34;\u003c/span\u003e\u003ccode\u003eReplicating Directory 
Changes\u003c/code\u003e\u003cspan\u003e\u0026#34; and\u003cb\u003e\u003ci\u003e\u0026#160;\u003c/i\u003e\u003c/b\u003e\u0026#34;\u003c/span\u003e\u003cspan\u003e\u003ccode\u003eReplicating Directory Changes All\u003c/code\u003e\u0026#34;:\u003c/span\u003e\u003c/p\u003e\u003col\u003e\u003cli\u003e\u003cp\u003e\u003cspan\u003eActive\u0026#160;\u003c/span\u003e\u003cfont face=\"SFMono-Medium, SF Mono, Segoe UI Mono, Roboto Mono, Ubuntu Mono, Menlo, Courier, monospace\"\u003eDirectory is\u003c/font\u003e\u0026#160;vulnerable to \u003ccode\u003eDCSYNC\u003c/code\u003e originating from\u003ccode\u003e Domain User or Group.\u003c/code\u003e\u003c/p\u003e\u003c/li\u003e\u003c/ol\u003e\u003c/li\u003e\u003c/ol\u003e\u003c/li\u003e\u003c/ol\u003e\u003c/li\u003e"},"attack_family":[{"name":"Credential Access","url":"https://attack.mitre.org/tactics/TA0006"}],"attack_framework":"MITRE ATT\u0026CK","attack_id":"T1552.002_Windows","attack_name":"Unsecured Credentials: Credentials in Registry\n","attack_notes":"","attack_platform":"Windows","attack_subtechnique":{"name":"Credentials in Registry","url":"https://attack.mitre.org/techniques/T1552/002/"},"attack_technique":{"name":"Unsecured Credentials","url":"https://attack.mitre.org/techniques/T1552"},"attack_testing":"Manual Test:\u0026#10;\u003cli\u003eCreate a new user in Active Directory.\u003c/li\u003e\u003cli\u003eAdd the permission 'Replicating Directory Changes' and 'Replicating Directory Changes All' to the user.\u003c/li\u003e\u0026#10;Automatic Test:\u0026#10;Copy and paste the following code in PowerShell:\u003cdiv class=\"codeContent panelContent pdl\"\u003e\u003cpre class=\"syntaxhighlighter-pre\"\u003e#Get all permissions in the domain, filtered to the two critical replication permissions represented by their GUIDs Import-Module ActiveDirectory cd 'AD:DC=TEST,DC=TEST' $AllReplACLs = (Get-AcL).Access | Where-Object {$_.ObjectType -eq '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' -or $_.ObjectType -eq 
'1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'} #Filter this list to RIDs above 1000 which will exclude well-known Administrator groups foreach ($ACL in $AllReplACLs) { $user = New-Object System.Security.Principal.NTAccount($ACL.IdentityReference) $SID = $user.Translate([System.Security.Principal.SecurityIdentifier]) $RID = $SID.ToString().Split(\u0026#34;-\u0026#34;)[7] if([int]$RID -gt 1000) { Write-Host \u0026#34;Permission to Sync AD granted to:\u0026#34; $ACL.IdentityReference } }Run Mimikatz and execute this command Lsadump::dcsync /domain:[YOUR DOMAIN] /user:[ANY USER WHOS PASSWORD DETAILS YOU WANT]\u003c/pre\u003e\u003c/div\u003e","attack_version":"1.0","collection_mechanism":[{"access_rights":"Authenticated Scan","collection_frequency":"SCHEDULED","data_required":"Windows registry","data_source":"Windows machines","notes":"Plugin ID: 10412","product_dependencies":"Advanced Network Scan","protocol":"SMB","tenable_product":"Tenable Vulnerability Management"}],"data_collection_frequency":"DAILY","dev_status":{"horizon":"2022 Q2","notes":"","stage":"DONE","team":"APA Engineering","tickets":"N/A (June Release)\u0026nbsp;"},"false_negatives":{"likelihood":"LOW","notes":"","scenarios":"NoneFalse PositiveNone"},"false_positives":{"likelihood":"LOW","notes":"","scenarios":"fix me"},"future_work":"Complete","graph":{"end_node":"User","start_node":"Reg value"},"internal_notes":"[{'provider_code':'NESSUS', 'provider_detection_id':10412, 'detection_code':'Microsoft Windows SMB Registry : Autologon Enabled', 'reason_id':None, 'reason_code_name':None}]","introduction":"Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. 
Sometimes these credentials are used for automatic logons.","references":[{"name":"Microsoft Windows SMB Registry : Autologon Enabled","type":"hyperlink","url":"https://www.tenable.com/plugins/nessus/10412"}],"release_notes":"","research_status":{"horizon":"2022 Q2","notes":"","stage":"DONE","team":"Research","tickets":"N/A (June Release)\u0026nbsp;"},"tenable_products_required":[["Tenable Vulnerability Management"]],"tenable_release_date":"2023 Q4","tvdb_export_source":{"file_name":"diff-202404241020.tar.gz","file_path":"exports/tenable_attack_path/v1","data_file_name":"T1552","created_at":"2024-04-24T10:21:18","updated_at":"2024-04-24T10:21:18"},"products_required_display":"Tenable Vulnerability Management","products_required_search_filter":"Tenable Vulnerability Management"},"sort":["2023 Q4"]},{"_index":"1675877780426_attack_path_technique","_type":"_doc","_id":"T1574.010_Windows","_score":null,"_source":{"analysis_formula":{"conditions":"","mitigation":"\u003cli\u003eRemove unnecessary permission from users.\u003c/li\u003e","pseudo_logic":"\u003cli\u003eFor each service under the Computer:\u003col\u003e\u003cli\u003e\u003cspan\u003eIf user has write\u0026#160;permission on service:\u003c/span\u003e\u003col\u003e\u003cli\u003e\u003cspan\u003eService is vulnerable to\u0026#160;Services Registry Permissions Weakness.\u003c/span\u003e\u003c/li\u003e\u003c/ol\u003e\u003c/li\u003e\u003c/ol\u003e\u003c/li\u003e"},"attack_family":[{"name":"Persistence","url":"https://attack.mitre.org/tactics/TA0003"},{"name":"Privilege Escalation","url":"https://attack.mitre.org/tactics/TA0004"},{"name":"Defense Evasion","url":"https://attack.mitre.org/tactics/TA0005"}],"attack_framework":"MITRE ATT\u0026CK","attack_id":"T1574.010_Windows","attack_name":"Hijack Execution Flow: Services File Permissions Weakness","attack_notes":"","attack_platform":"Windows","attack_subtechnique":{"name":"Services File Permissions 
Weakness","url":"https://attack.mitre.org/techniques/T1574/010/"},"attack_technique":{"name":"Hijack Execution Flow","url":"https://attack.mitre.org/techniques/T1574/"},"attack_testing":"Manual Test:\u0026#10;\u003cli\u003eCreate a service.\u003c/li\u003e\u003cli\u003eAdd write permission for the user.\u003c/li\u003e\u0026#10;Automatic Test:\u0026#10;Copy and paste the following code in PowerShell:\u003cdiv class=\"codeContent panelContent pdl\"\u003e\u003cpre class=\"syntaxhighlighter-pre\"\u003e# Create new serviceNew-Service -Name \u0026#34;TestService\u0026#34; -BinaryPathName '\u0026#34;C:\\WINDOWS\\System32\\svchost.exe -k netsvcs\u0026#34;'# Create userNew-ADUser -Name \u0026#34;Test1\u0026#34; -GivenName \u0026#34;t1\u0026#34; -Surname \u0026#34;1\u0026#34; -SamAccountName \u0026#34;Test1\u0026#34; -UserPrincipalName \u0026#34;Test2@enterprise.com\u0026#34; -Path \u0026#34;OU\u0026#34; -AccountPassword(Read-Host -AsSecureString \u0026#34;Input Password\u0026#34;) -Enabled $true# Download SUBINACL tool from http://www.microsoft.com/downloads/details.aspx?FamilyID=E8BA3E56-D8FE-4A91-93CF-ED6985E3927B\u0026amp;displaylang=enSUBINACL /verbose=1 /service TestService /grant=enterprise.com\\Test1=LQSTOP # Get the service propertiesGet-Service -Name \u0026#34;TestService\u0026#34;\u003c/pre\u003e\u003c/div\u003e","attack_version":"1.0","collection_mechanism":[{"access_rights":"Authenticated Scan","collection_frequency":"DAILY","data_required":"Service bin path ACL (folder ACL)","data_source":"Windows machines","notes":"Plugin ID: 65057","product_dependencies":"Advanced Network Scan","protocol":"SMB","tenable_product":"Tenable Vulnerability Management"}],"data_collection_frequency":"DAILY","dev_status":{"horizon":"2023 Q3","notes":"","stage":"DONE","team":"APA Engineering","tickets":"\u003ca href=\"https://jira.eng.tenable.com/browse/RES-106338\" class=\"jira-issue-key\"\u003e RES-106338\u003c/a\u003e - Getting issue details... 
STATUS"},"false_negatives":{"likelihood":"LOW","notes":"","scenarios":""},"false_positives":{"likelihood":"LOW","notes":"","scenarios":"We may alert on Services Registry Permissions Weakness even when a third-party security control denies access to the service (such as host IDS, micro-segmentation, etc.)"},"future_work":"","graph":{"end_node":"User","start_node":"Service"},"internal_notes":"[{'provider_code':'NESSUS', 'provider_detection_id':65057, 'detection_code':'Microsoft Windows SMB Service Config Enumeration', 'reason_id':None, 'reason_code_name':None}]","introduction":"Adversaries may execute their own malicious payloads by hijacking the binaries used by services. Adversaries may use flaws in the permissions of Windows services to replace the binary that is executed upon service start. These service processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM.","references":[{"name":"Microsoft Windows SMB Service Config Enumeration","type":"hyperlink","url":"https://www.tenable.com/plugins/nessus/65057"}],"release_notes":"","research_status":{"horizon":"2022 Q3","notes":"","stage":"DONE","team":"Research","tickets":"\u003ca href=\"https://jira.eng.tenable.com/browse/RES-106338\" class=\"jira-issue-key\"\u003e RES-106338\u003c/a\u003e - Getting issue details... 
STATUS"},"tenable_products_required":[["Tenable Vulnerability Management"],["Tenable Vulnerability Management","Tenable Identity Exposure"]],"tenable_release_date":"2023 Q4","tvdb_export_source":{"file_name":"diff-202406180010.tar.gz","file_path":"exports/tenable_attack_path/v1","data_file_name":"T1574","created_at":"2024-06-18T00:21:16","updated_at":"2024-06-18T00:21:16"},"products_required_display":"Tenable Vulnerability Management or (Tenable Vulnerability Management and Tenable Identity Exposure)","products_required_search_filter":"Tenable Vulnerability Management OR Tenable Identity Exposure"},"sort":["2023 Q4"]},{"_index":"1675877780426_attack_path_technique","_type":"_doc","_id":"T1053.005_Windows","_score":null,"_source":{"analysis_formula":{"conditions":"","mitigation":"","pseudo_logic":"For every Scheduled Task, create a relationship between the computer and the scheduled task"},"attack_family":[{"name":"Execution","url":"https://attack.mitre.org/tactics/TA0002"},{"name":"Persistence","url":"https://attack.mitre.org/tactics/TA0003"},{"name":"Privilege Escalation","url":"https://attack.mitre.org/tactics/TA0004"}],"attack_framework":"MITRE ATT\u0026CK","attack_id":"T1053.005_Windows","attack_name":"Scheduled Task/Job: Scheduled Task","attack_notes":"","attack_platform":"Windows","attack_subtechnique":{"name":"Scheduled Task","url":"https://attack.mitre.org/techniques/T1053/005/"},"attack_technique":{"name":"Scheduled Task/Job","url":"https://attack.mitre.org/techniques/T1053"},"attack_testing":"","attack_version":"1.0","collection_mechanism":[{"access_rights":"Authenticated Scan","collection_frequency":"HOURLY","data_required":"Scheduled Task","data_source":"Windows machines","notes":"Plugin ID: 70625","product_dependencies":"Advanced Network Scan","protocol":"SMB","tenable_product":"Tenable Vulnerability Management"}],"data_collection_frequency":"HOURLY","dev_status":{"horizon":"2023 Q2","notes":"","stage":"DONE","team":"APA Engineering","tickets":"N/A (June 
Release)\u0026nbsp;"},"false_negatives":{"likelihood":"MEDIUM","notes":"","scenarios":"None"},"false_positives":{"likelihood":"MEDIUM","notes":"","scenarios":"None"},"future_work":"None","graph":{"end_node":"Scheduled Task","start_node":"Computer"},"internal_notes":"[{'provider_code':'NESSUS', 'provider_detection_id':70625, 'detection_code':'Microsoft Windows AutoRuns Scheduled Tasks', 'reason_id':None, 'reason_code_name':None}]","introduction":"Adversaries may abuse the Windows Task Scheduler to perform task scheduling for initial or recurring execution of malicious code. There are multiple ways to access the Task Scheduler in Windows. The schtasks utility can be run directly on the command line, or the Task Scheduler can be opened through the GUI within the Administrator Tools section of the Control Panel. In some cases, adversaries have used a .NET wrapper for the Windows Task Scheduler, and alternatively, adversaries have used the Windows netapi32 library to create a scheduled task.","references":[{"name":"Microsoft Windows AutoRuns Scheduled Tasks","type":"hyperlink","url":"https://www.tenable.com/plugins/nessus/70625"}],"release_notes":"","research_status":{"horizon":"2023 Q2","notes":"","stage":"DONE","team":"Research","tickets":"N/A (June Release)\u0026nbsp;"},"tenable_products_required":[["Tenable Vulnerability Management"]],"tenable_release_date":"2023 Q3","tvdb_export_source":{"file_name":"diff-202404241020.tar.gz","file_path":"exports/tenable_attack_path/v1","data_file_name":"T1053","created_at":"2024-04-24T10:21:18","updated_at":"2024-04-24T10:21:18"},"products_required_display":"Tenable Vulnerability Management","products_required_search_filter":"Tenable Vulnerability Management"},"sort":["2023 Q3"]},{"_index":"1675877780426_attack_path_technique","_type":"_doc","_id":"T1059.003_Windows","_score":null,"_source":{"analysis_formula":{"conditions":"","mitigation":"","pseudo_logic":"Make a glif if computer has Windows Command Shell 
policy"},"attack_family":[{"name":"Execution","url":"https://attack.mitre.org/tactics/TA0002"}],"attack_framework":"MITRE ATT\u0026CK","attack_id":"T1059.003_Windows","attack_name":"Command and Scripting Interpreter: Windows Command Shell","attack_notes":"","attack_platform":"Windows","attack_subtechnique":{"name":"Windows Command Shell","url":"https://attack.mitre.org/techniques/T1059/003/"},"attack_technique":{"name":"Command and Scripting Interpreter","url":"https://attack.mitre.org/techniques/T1059"},"attack_testing":"","attack_version":"1.0","collection_mechanism":[{"access_rights":"Authenticated Scan","collection_frequency":"HOURLY","data_required":"Windows Command Shell policy","data_source":"Windows machines","notes":"Plugin ID: 164690","product_dependencies":"Advanced Network Scan","protocol":"SMB","tenable_product":"Tenable Vulnerability Management"}],"data_collection_frequency":"HOURLY","dev_status":{"horizon":"2023 Q2","notes":"","stage":"DONE","team":"APA Engineering","tickets":"N/A (June Release)\u0026nbsp;"},"false_negatives":{"likelihood":"MEDIUM","notes":"","scenarios":"None"},"false_positives":{"likelihood":"MEDIUM","notes":"","scenarios":"None"},"future_work":"None","graph":{"end_node":"Computer","start_node":"Computer"},"internal_notes":"[{'provider_code':'NESSUS', 'provider_detection_id':164690, 'detection_code':'Windows Disabled Command Prompt Enumeration', 'reason_id':None, 'reason_code_name':None}]","introduction":"Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.[1] Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. 
Examples include the Start-Process cmdlet which can be used to run an executable and the Invoke-Command cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).","references":[{"name":"Windows Disabled Command Prompt Enumeration","type":"hyperlink","url":"https://www.tenable.com/plugins/nessus/164690"}],"release_notes":"","research_status":{"horizon":"2023 Q2","notes":"","stage":"DONE","team":"Research","tickets":"N/A (June Release)\u0026nbsp;"},"tenable_products_required":[["Tenable Vulnerability Management"]],"tenable_release_date":"2023 Q3","tvdb_export_source":{"file_name":"diff-202404241020.tar.gz","file_path":"exports/tenable_attack_path/v1","data_file_name":"T1059","created_at":"2024-04-24T10:21:18","updated_at":"2024-04-24T10:21:18"},"products_required_display":"Tenable Vulnerability Management","products_required_search_filter":"Tenable Vulnerability Management"},"sort":["2023 Q3"]},{"_index":"1675877780426_attack_path_technique","_type":"_doc","_id":"T1550.001_Windows","_score":null,"_source":{"analysis_formula":{"conditions":"","mitigation":"","pseudo_logic":"If we found the service name 'ADSync' and is active then the technique is valid"},"attack_family":[{"name":"Lateral Movement","url":"https://attack.mitre.org/tactics/TA0008"},{"name":"Defense Evasion","url":"https://attack.mitre.org/tactics/TA0005"}],"attack_framework":"MITRE ATT\u0026CK","attack_id":"T1550.001_Windows","attack_name":"Material: Application Access Token","attack_notes":"","attack_platform":"Windows","attack_subtechnique":{"name":"Material: Application Access Token","url":"https://attack.mitre.org/techniques/T1550/001/"},"attack_technique":{"name":"Use Alternate Authentication Material","url":"https://attack.mitre.org/techniques/T1550/"},"attack_testing":"","attack_version":"1.0","collection_mechanism":[{"access_rights":"Authenticated 
Scan","collection_frequency":"HOURLY","data_required":"Services","data_source":"Windows machines","notes":"Plugin ID: 44401","product_dependencies":"Advanced Network Scan","protocol":"SMB","tenable_product":"Tenable Vulnerability Management"}],"data_collection_frequency":"HOURLY","dev_status":{"horizon":"2023 Q2","notes":"","stage":"DONE","team":"APA Engineering","tickets":"N/A (June Release)\u0026nbsp;"},"false_negatives":{"likelihood":"MEDIUM","notes":"","scenarios":"None"},"false_positives":{"likelihood":"MEDIUM","notes":"","scenarios":"None"},"future_work":"None","graph":{"end_node":"Service","start_node":"Computer"},"internal_notes":"[{'provider_code':'NESSUS', 'provider_detection_id':44401, 'detection_code':'Microsoft Windows SMB Service Config Enumeration', 'reason_id':None, 'reason_code_name':None}]","introduction":"Adversaries may use stolen application access tokens to bypass the typical authentication process and access restricted accounts, information, or services on remote systems. 
These tokens are typically stolen from users or services and used in lieu of login credentials.","references":[{"name":"Microsoft Windows SMB Service Config Enumeration","type":"hyperlink","url":"https://www.tenable.com/plugins/nessus/44401"}],"release_notes":"","research_status":{"horizon":"2023 Q2","notes":"","stage":"DONE","team":"Research","tickets":"N/A (June Release)\u0026nbsp;"},"tenable_products_required":[["Tenable Vulnerability Management"]],"tenable_release_date":"2023 Q3","tvdb_export_source":{"file_name":"diff-202404241020.tar.gz","file_path":"exports/tenable_attack_path/v1","data_file_name":"T1550","created_at":"2024-04-24T10:21:18","updated_at":"2024-04-24T10:21:18"},"products_required_display":"Tenable Vulnerability Management","products_required_search_filter":"Tenable Vulnerability Management"},"sort":["2023 Q3"]},{"_index":"1675877780426_attack_path_technique","_type":"_doc","_id":"T1580_AWS","_score":null,"_source":{"analysis_formula":{"conditions":"Every resource is managed by AWS Account","mitigation":"N/A","pseudo_logic":"Every resource is managed by AWS Account"},"attack_family":[{"name":"Discovery","url":"https://attack.mitre.org/tactics/TA0007"}],"attack_framework":"MITRE ATT\u0026CK","attack_id":"T1580_AWS","attack_name":"Cloud Infrastructure Discovery(AWS)","attack_notes":"","attack_platform":"AWS","attack_subtechnique":{"name":"","url":""},"attack_technique":{"name":"Cloud Infrastructure Discovery","url":"https://attack.mitre.org/techniques/T1580/"},"attack_testing":"","attack_version":"1.0","collection_mechanism":[{"access_rights":"Read-only","collection_frequency":"DAILY","data_required":"AWS Resources","data_source":"AWS IaaS","notes":"","product_dependencies":"","protocol":"HTTPS","tenable_product":"Tenable Cloud 
Security"}],"data_collection_frequency":"DAILY","dev_status":{"horizon":"","notes":"","stage":"","team":"","tickets":""},"false_negatives":{"likelihood":"","notes":"","scenarios":""},"false_positives":{"likelihood":"","notes":"","scenarios":""},"future_work":"","graph":{"end_node":"AwsResource","start_node":"AwsAccount"},"internal_notes":"[{'provider_code':'CS', 'provider_detection_id':None, 'detection_code':None, 'reason_id':None, 'reason_code_name':None}]","introduction":"An adversary may attempt to discover infrastructure and resources that are available within an infrastructure-as-a-service (IaaS) environment. This includes compute service resources such as instances, virtual machines, and snapshots as well as resources of other services including the storage and database services.","references":[],"release_notes":"","research_status":{"horizon":"","notes":"","stage":"DONE","team":"Research","tickets":""},"tenable_products_required":[["Tenable Cloud Security"]],"tenable_release_date":"2023 Q3","tvdb_export_source":{"file_name":"diff-202405270010.tar.gz","file_path":"exports/tenable_attack_path/v1","data_file_name":"T1580_AWS","created_at":"2024-05-27T00:21:17","updated_at":"2024-05-27T00:21:17"},"products_required_display":"Tenable Cloud Security","products_required_search_filter":"Tenable Cloud Security"},"sort":["2023 Q3"]},{"_index":"1675877780426_attack_path_technique","_type":"_doc","_id":"T1552.005_AWS","_score":null,"_source":{"analysis_formula":{"conditions":"","mitigation":"","pseudo_logic":"If the plugin valid then we can get a JWT to the role"},"attack_family":[{"name":"Credential Access","url":"https://attack.mitre.org/tactics/TA0006"}],"attack_framework":"MITRE ATT\u0026CK","attack_id":"T1552.005_AWS","attack_name":"Cloud Instance Metadata API","attack_notes":"","attack_platform":"AWS","attack_subtechnique":{"name":"Cloud Instance Metadata API","url":"https://attack.mitre.org/techniques/T1552/005/"},"attack_technique":{"name":"Unsecured 
Credentials","url":"https://attack.mitre.org/techniques/T1552"},"attack_testing":"Manual Test:\n\u003cli\u003eCreate a service\u003c/li\u003e\nAutomatic Test:\nCopy and paste the following code in PowerShell:\u003cdiv class=\"codeContent panelContent pdl\"\u003e\u003cdiv\u003e\u003cdiv id=\"highlighter_990196\" class=\"syntaxhighlighter sh-confluence nogutter powershell\"\u003e\u003cdiv class=\"toolbar\"\u003e\u003cspan\u003e\u003ca href=\"#\" class=\"toolbar_item command_help help\"\u003e?\u003c/a\u003e\u003c/span\u003e\u003c/div\u003e\u003ctable border=\"0\" cellpadding=\"0\" cellspacing=\"0\"\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd class=\"code\"\u003e\u003cdiv class=\"container\" title=\"Hint: double-click to select code\"\u003e\u003cdiv class=\"line number1 index0 alt2\" data-bidi-marker=\"true\"\u003e\u003ccode class=\"powershell comments\"\u003e# Create new service\u003c/code\u003e\u003c/div\u003e\u003cdiv class=\"line number2 index1 alt1\" data-bidi-marker=\"true\"\u003e\u003ccode class=\"powershell keyword\"\u003eNew-Service\u003c/code\u003e \u003ccode class=\"powershell keyword\"\u003e-Name\u003c/code\u003e \u003ccode class=\"powershell string\"\u003e\"TestService\"\u003c/code\u003e \u003ccode class=\"powershell keyword\"\u003e-BinaryPathName\u003c/code\u003e \u003ccode class=\"powershell string\"\u003e'\"C:\\WINDOWS\\System32\\svchost.exe -k netsvcs\"'\u003c/code\u003e\u003c/div\u003e\u003cdiv class=\"line number3 index2 alt2\" data-bidi-marker=\"true\"\u003e\u003ccode class=\"powershell spaces\"\u003e\u0026nbsp;\u003c/code\u003e\u0026nbsp;\u003c/div\u003e\u003cdiv class=\"line number4 index3 alt1\" data-bidi-marker=\"true\"\u003e\u003ccode class=\"powershell comments\"\u003e# Get the service properties\u003c/code\u003e\u003c/div\u003e\u003cdiv class=\"line number5 index4 alt2\" data-bidi-marker=\"true\"\u003e\u003ccode class=\"powershell keyword\"\u003eGet-Service\u003c/code\u003e \u003ccode class=\"powershell keyword\"\u003e-Name\u003c/code\u003e 
\u003ccode class=\"powershell string\"\u003e\"TestService\"\u003c/code\u003e\u003c/div\u003e\u003c/div\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003c/div\u003e\u003c/div\u003e\u003c/div\u003e","attack_version":"1.0","collection_mechanism":[{"access_rights":"Authenticated Scan","collection_frequency":"SCHEDULED","data_required":"Metadata info","data_source":"EC2","notes":"Plugin ID: 90427","product_dependencies":"Advanced Network Scan","protocol":"API","tenable_product":"Tenable Vulnerability Management"}],"data_collection_frequency":"DAILY","dev_status":{"horizon":"2023 Q3","notes":"","stage":"DONE","team":"APA Engineering","tickets":"N/A (June Release)\u0026nbsp;"},"false_negatives":{"likelihood":"LOW","notes":"","scenarios":"False Positive"},"false_positives":{"likelihood":"LOW","notes":"","scenarios":""},"future_work":"","graph":{"end_node":"AWS Role","start_node":"EC2"},"internal_notes":"[{'provider_code':'CS', 'provider_detection_id':None, 'detection_code':None, 'reason_id':None, 'reason_code_name':None}]","introduction":"Adversaries may attempt to access the Cloud Instance Metadata API to collect credentials and other sensitive data.","references":[{"name":"Amazon Web Services EC2 Instance Metadata Enumeration (Windows)","type":"hyperlink","url":"https://www.tenable.com/plugins/nessus/90427"}],"release_notes":"","research_status":{"horizon":"2023 Q3","notes":"","stage":"DONE","team":"Research","tickets":"N/A (June Release)\u0026nbsp;"},"tenable_products_required":[["Tenable Vulnerability Management"]],"tenable_release_date":"2023 Q3","tvdb_export_source":{"file_name":"diff-202405270010.tar.gz","file_path":"exports/tenable_attack_path/v1","data_file_name":"T1552","created_at":"2024-05-27T00:21:17","updated_at":"2024-05-27T00:21:17"},"products_required_display":"Tenable Vulnerability Management","products_required_search_filter":"Tenable Vulnerability Management"},"sort":["2023 
Q3"]},{"_index":"1675877780426_attack_path_technique","_type":"_doc","_id":"T1555.004_Windows","_score":null,"_source":{"analysis_formula":{"conditions":"","mitigation":"","pseudo_logic":"For every Scheduled Task that has a password login, create a relationship between the Scheduled Task and the user"},"attack_family":[{"name":"Credential Access","url":"https://attack.mitre.org/tactics/TA0006"}],"attack_framework":"MITRE ATT\u0026CK","attack_id":"T1555.004_Windows","attack_name":"Credentials from Password Stores: Windows Credential Manager","attack_notes":"","attack_platform":"Windows","attack_subtechnique":{"name":"Windows Credential Manager","url":"https://attack.mitre.org/techniques/T1555/004/"},"attack_technique":{"name":"Credentials from Password Stores","url":"https://attack.mitre.org/techniques/T1555"},"attack_testing":"","attack_version":"1.0","collection_mechanism":[{"access_rights":"Authenticated Scan","collection_frequency":"HOURLY","data_required":"Scheduled Task","data_source":"Windows machines","notes":"Plugin ID: 70625","product_dependencies":"Advanced Network Scan","protocol":"SMB","tenable_product":"Tenable Vulnerability Management"}],"data_collection_frequency":"HOURLY","dev_status":{"horizon":"2023 Q2","notes":"","stage":"DONE","team":"APA Engineering","tickets":"N/A (June Release)\u0026nbsp;"},"false_negatives":{"likelihood":"MEDIUM","notes":"","scenarios":"None"},"false_positives":{"likelihood":"MEDIUM","notes":"","scenarios":"None"},"future_work":"None","graph":{"end_node":"User","start_node":"Scheduled Task"},"internal_notes":"[{'provider_code':'NESSUS', 'provider_detection_id':70625, 'detection_code':'Microsoft Windows AutoRuns Scheduled Tasks', 'reason_id':None, 'reason_code_name':None}]","introduction":"Adversaries may acquire credentials from the Windows Credential Manager. 
The Credential Manager stores credentials for signing into websites, applications, and/or devices that request authentication through NTLM or Kerberos in Credential Lockers (previously known as Windows Vaults).","references":[{"name":"Microsoft Windows AutoRuns Scheduled Tasks","type":"hyperlink","url":"https://www.tenable.com/plugins/nessus/70625"}],"release_notes":"","research_status":{"horizon":"2023 Q2","notes":"","stage":"DONE","team":"Research","tickets":"N/A (June Release)\u0026nbsp;"},"tenable_products_required":[["Tenable Vulnerability Management"]],"tenable_release_date":"2023 Q3","tvdb_export_source":{"file_name":"diff-202404241020.tar.gz","file_path":"exports/tenable_attack_path/v1","data_file_name":"T1555","created_at":"2024-04-24T10:21:18","updated_at":"2024-04-24T10:21:18"},"products_required_display":"Tenable Vulnerability Management","products_required_search_filter":"Tenable Vulnerability Management"},"sort":["2023 Q3"]},{"_index":"1675877780426_attack_path_technique","_type":"_doc","_id":"T1059.005_Windows","_score":null,"_source":{"analysis_formula":{"conditions":"","mitigation":"","pseudo_logic":"Make a glif if computer has VBA policy enable"},"attack_family":[{"name":"Execution","url":"https://attack.mitre.org/tactics/TA0002"}],"attack_framework":"MITRE ATT\u0026CK","attack_id":"T1059.005_Windows","attack_name":"Command and Scripting Interpreter: Visual Basic","attack_notes":"","attack_platform":"Windows","attack_subtechnique":{"name":"Windows Command Shell","url":"https://attack.mitre.org/techniques/T1059/005/"},"attack_technique":{"name":"Command and Scripting Interpreter","url":"https://attack.mitre.org/techniques/T1059"},"attack_testing":"","attack_version":"1.0","collection_mechanism":[{"access_rights":"Authenticated Scan","collection_frequency":"HOURLY","data_required":"VBA policy","data_source":"Windows machines","notes":"Plugin ID: 123461","product_dependencies":"Advanced Network Scan","protocol":"SMB","tenable_product":"Tenable 
Vulnerability Management"}],"data_collection_frequency":"HOURLY","dev_status":{"horizon":"2023 Q2","notes":"","stage":"DONE","team":"APA Engineering","tickets":"N/A (June Release)\u0026nbsp;"},"false_negatives":{"likelihood":"MEDIUM","notes":"","scenarios":"None"},"false_positives":{"likelihood":"MEDIUM","notes":"","scenarios":"None"},"future_work":"None","graph":{"end_node":"Computer","start_node":"Computer"},"internal_notes":"[{'provider_code':'NESSUS', 'provider_detection_id':123461, 'detection_code':'Microsoft Office Trust Access to VBA Project Model Object Enabled', 'reason_id':None, 'reason_code_name':None}]","introduction":"Adversaries may abuse Visual Basic (VB) for execution. VB is a programming language created by Microsoft with interoperability with many Windows technologies such as Component Object Model and the Native API through the Windows API. Although tagged as legacy with no planned future evolutions, VB is integrated and supported in the .NET Framework and cross-platform .NET Core.","references":[{"name":"Microsoft Office Trust Access to VBA Project Model Object Enabled","type":"hyperlink","url":"https://www.tenable.com/plugins/nessus/123461"}],"release_notes":"","research_status":{"horizon":"2023 Q2","notes":"","stage":"DONE","team":"Research","tickets":"N/A (June Release)\u0026nbsp;"},"tenable_products_required":[["Tenable Vulnerability Management"]],"tenable_release_date":"2023 Q3","tvdb_export_source":{"file_name":"diff-202404241020.tar.gz","file_path":"exports/tenable_attack_path/v1","data_file_name":"T1059","created_at":"2024-04-24T10:21:18","updated_at":"2024-04-24T10:21:18"},"products_required_display":"Tenable Vulnerability Management","products_required_search_filter":"Tenable Vulnerability Management"},"sort":["2023 Q3"]},{"_index":"1675877780426_attack_path_technique","_type":"_doc","_id":"T1110.004_Windows","_score":null,"_source":{"analysis_formula":{"conditions":"The password has been found in HAVE I BEEN PWNED","evidence":"The 
password has been found in HAVE I BEEN PWNED","mitigation":"Change the password of the user","pseudo_logic":"For each password that crack via HAVE I BEEN PWNED change the password to crack"},"attack_family":[{"name":"Credential Access","url":"https://attack.mitre.org/tactics/TA0006"}],"attack_framework":"MITRE ATT\u0026CK","attack_id":"T1110.004_Windows","attack_name":"Brute Force: Credential Stuffing (Windows)","attack_notes":"","attack_platform":"Windows","attack_subtechnique":{"name":"Credential Stuffing","url":"https://attack.mitre.org/techniques/T1110/004/"},"attack_technique":{"name":"Brute Force","url":"https://attack.mitre.org/techniques/T1110/"},"attack_testing":"Manual Test:\u0026#10;\u003cli\u003eFrom a working Domain (Active Directory) environment:\u003col\u003e\u003cli\u003e\u003cp\u003eCreate a new Domain User with a weak password (e.g. Aa123456).\u003c/p\u003e\u003c/li\u003e\u003c/ol\u003e\u003c/li\u003e\u0026#10;Automatic Test:\u0026#10;Copy and paste the following code in PowerShell:\u003cdiv class=\"codeContent panelContent pdl\"\u003e\u003cpre class=\"syntaxhighlighter-pre\"\u003e# Create User with SPN and password of Aa123456[CmdletBinding()]param ([parameter(Mandatory = $false)][string]$ou = \u0026#34;Kerberoastable\u0026#34;,[parameter(Mandatory = $false)][string]$dummyPass = \u0026#34;Aa123456\u0026#34;,[parameter(Mandatory = $false)][string]$domain = $((Get-ADDomain).DNSRoot),[parameter(Mandatory = $false)][string]$spn = \u0026#34;HTTP\u0026#34;)Import-Module ActiveDirectory New-ADOrganizationalUnit -Name $ou $svc = \u0026#34;Keberoastable\u0026#34;$upn = [string]::Concat($svc.ToLower(), \u0026#34;@\u0026#34;, $((Get-ADDomain).DNSRoot))New-ADUser -Name $svc -DisplayName $svc -UserPrincipalName $upn -SamAccountName $svc `-ServicePrincipalNames \u0026#34;$spn/$svc.$domain\u0026#34; `-description \u0026#34;Kerberoastable svc account\u0026#34; `-Path \u0026#34;OU=$ou,$((Get-ADDomain).DistinguishedName)\u0026#34; `-Enabled $true 
-ChangePasswordAtLogon $false `-AccountPassword (ConvertTo-SecureString $dummyPass -AsPlainText -Force) -PassThru \u003c/pre\u003e\u003c/div\u003e","attack_version":"1.0","collection_mechanism":[{"access_rights":"Authenticated AD user","collection_frequency":"DAILY","data_required":"Domain User","data_source":"Active Directory","notes":"","product_dependencies":"","protocol":"LDAP/S(389/636)","tenable_product":"Tenable Identity Exposure"},{"access_rights":"Privileged AD user","collection_frequency":"CONFIGUREABLE","data_required":"User Password","data_source":"Active Directory","notes":"Plugin ID: 50-C-PASSWORD-HASHES-ANALYSIS:R-BREACHED-PASSWORD","product_dependencies":"Password Sync","protocol":"RPC (135 + high ports)","tenable_product":"Tenable Identity Exposure"}],"data_collection_frequency":"DAILY","dev_status":{"horizon":"2022 Q3","notes":"","stage":"DONE","team":"APA Engineering","tickets":"\u003ca href=\"https://jira.eng.tenable.com/browse/AD-8537\" class=\"jira-issue-key\"\u003e AD-8537\u003c/a\u003e - Getting issue details... 
STATUS \u003ca href=\"https://cymptomltd.atlassian.net/browse/CYMN-4481\" class=\"external-link\" rel=\"nofollow\"\u003ehttps://cymptomltd.atlassian.net/browse/CYMN-4481\u003c/a\u003e\u003ca href=\"https://cymptomltd.atlassian.net/browse/CYMN-4454\" class=\"external-link\" rel=\"nofollow\"\u003ehttps://cymptomltd.atlassian.net/browse/CYMN-4454\u003c/a\u003e"},"false_negatives":{"likelihood":"LOW","notes":"","scenarios":"The password may be listed in another dictionary that we are not testing."},"false_positives":{"likelihood":"LOW","notes":"","scenarios":"fix me"},"future_work":"Consider AES encryption as a potential mitigation. Improve analysis and guidance with fine-grained password policies.","graph":{"end_node":"DomainUser","start_node":"CrackPassword"},"internal_notes":"[{'provider_code':'AD', 'provider_detection_id':50, 'detection_code':'C-PASSWORD-HASHES-ANALYSIS', 'reason_id':50004, 'reason_code_name':'R-BREACHED-PASSWORD'}]","introduction":"Adversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts. Without knowledge of the password for an account, an adversary may opt to systematically guess the password using a repetitive or iterative mechanism. An adversary may guess login credentials without prior knowledge of system or environment passwords during an operation by using a list of common passwords. 
Password guessing may or may not take into account the target's policies on password complexity or use policies that may lock accounts out after a number of failed attempts.","references":[{"name":"Tenable Identity Exposure DCSync feature","type":"hyperlink","url":"https://docs.tenable.com/tenablead/3_x/Content/Admin/06a-Configuration/privileged-analysis.htm"}],"release_notes":"","research_status":{"horizon":"2022 Q3","notes":"","stage":"DONE","team":"Research","tickets":"\u003ca href=\"https://jira.eng.tenable.com/browse/AD-8537\" class=\"jira-issue-key\"\u003e AD-8537\u003c/a\u003e - Getting issue details... STATUS \u003ca href=\"https://cymptomltd.atlassian.net/browse/CYMN-4481\" class=\"external-link\" rel=\"nofollow\"\u003ehttps://cymptomltd.atlassian.net/browse/CYMN-4481\u003c/a\u003e\u003ca href=\"https://cymptomltd.atlassian.net/browse/CYMN-4454\" class=\"external-link\" rel=\"nofollow\"\u003ehttps://cymptomltd.atlassian.net/browse/CYMN-4454\u003c/a\u003e"},"tenable_products_required":[["Tenable Identity Exposure"]],"tenable_release_date":"2023 Q3","tvdb_export_source":{"file_name":"diff-202405080820.tar.gz","file_path":"exports/tenable_attack_path/v1","data_file_name":"T1110","created_at":"2024-05-08T08:21:16","updated_at":"2024-05-08T08:21:16"},"products_required_display":"Tenable Identity Exposure","products_required_search_filter":"Tenable Identity Exposure"},"sort":["2023 Q3"]},{"_index":"1675877780426_attack_path_technique","_type":"_doc","_id":"T1619_AWS","_score":null,"_source":{"analysis_formula":{"conditions":"The policy allows the action of discovering S3 resources in AWS, and no other policy denies it","mitigation":"","pseudo_logic":"AWS Policy has one or more relationships of PutBucketAcl, PutBucketPolicy, PutObjectAcl, ObjectOwnerOverrideToBucketOwner, ListBucket, GetObject to S3"},"attack_family":[{"name":"Discovery","url":"https://attack.mitre.org/tactics/TA0007"}],"attack_framework":"MITRE 
ATT\u0026CK","attack_id":"T1619_AWS","attack_name":"Cloud Storage Object Discovery(AWS)","attack_notes":"","attack_platform":"AWS","attack_subtechnique":{"name":"Cloud Storage Object Discovery","url":"https://attack.mitre.org/techniques/T1619"},"attack_technique":{"name":"Cloud Storage Object Discovery","url":"https://attack.mitre.org/techniques/T1619"},"attack_testing":"","attack_version":"1.0","collection_mechanism":[{"access_rights":"Read-only","collection_frequency":"DAILY","data_required":"AWS policies","data_source":"AWS IaaS","notes":"","product_dependencies":"","protocol":"HTTPS","tenable_product":"Tenable Cloud Security"}],"data_collection_frequency":"DAILY","dev_status":{"horizon":"","notes":"","stage":"","team":"","tickets":""},"false_negatives":{"likelihood":"","notes":"","scenarios":""},"false_positives":{"likelihood":"","notes":"","scenarios":""},"future_work":"","graph":{"end_node":"Cloud Storage","start_node":"Policy"},"internal_notes":"[{'provider_code':'CS', 'provider_detection_id':None, 'detection_code':None, 'reason_id':None, 'reason_code_name':None}]","introduction":"Adversaries may enumerate objects in cloud storage infrastructure. Adversaries may use this information during automated discovery to shape follow-on behaviors, including requesting all or specific objects from cloud storage. Similar to [File and Directory Discovery](https://attack.mitre.org/techniques/T1083) on a local host, after identifying available storage services (i.e. 
[Cloud Infrastructure Discovery](https://attack.mitre.org/techniques/T1580)) adversaries may access the contents/objects stored in cloud infrastructure.","references":[],"release_notes":"","research_status":{"horizon":"","notes":"","stage":"DONE","team":"Research","tickets":""},"tenable_products_required":[["Tenable Cloud Security"]],"tenable_release_date":"2023 Q2","tvdb_export_source":{"file_name":"diff-202405270010.tar.gz","file_path":"exports/tenable_attack_path/v1","data_file_name":"T1619_AWS","created_at":"2024-05-27T00:21:17","updated_at":"2024-05-27T00:21:17"},"products_required_display":"Tenable Cloud Security","products_required_search_filter":"Tenable Cloud Security"},"sort":["2023 Q2"]},{"_index":"1675877780426_attack_path_technique","_type":"_doc","_id":"T1098.001_AWS","_score":null,"_source":{"analysis_formula":{"conditions":"","mitigation":"","pseudo_logic":"Aws Policy has relationship of CreateAccessKey, UpdateAccessKey, ImportKeyPair to User"},"attack_family":[{"name":"Persistence","url":"https://attack.mitre.org/tactics/TA0003"}],"attack_framework":"MITRE ATT\u0026CK","attack_id":"T1098.001_AWS","attack_name":"Account Manipulation: Additional Cloud Credentials","attack_notes":"","attack_platform":"AWS","attack_subtechnique":{"name":"Additional Cloud Credentials","url":"https://attack.mitre.org/techniques/T1098/001/"},"attack_technique":{"name":"Account Manipulation","url":"https://attack.mitre.org/techniques/T1098"},"attack_testing":"","attack_version":"1.0","collection_mechanism":[{"access_rights":"Read-only","collection_frequency":"DAILY","data_required":"AWS policies","data_source":"AWS IaaS","notes":"","product_dependencies":"","protocol":"HTTPS","tenable_product":"Tenable Legacy Cloud 
Security"}],"data_collection_frequency":"DAILY","dev_status":{"horizon":"","notes":"","stage":"","team":"","tickets":""},"false_negatives":{"likelihood":"LOW","notes":"","scenarios":"None"},"false_positives":{"likelihood":"LOW","notes":"","scenarios":"None"},"future_work":"","graph":{"end_node":"User","start_node":"Policy"},"internal_notes":"","introduction":"Adversaries may add adversary-controlled credentials to a cloud account to maintain persistent access to victim accounts and instances within the environment. For example, in infrastructure-as-a-service (IaaS) environments, after gaining access through Cloud Accounts, adversaries may generate or import their own SSH keys using either the CreateKeyPair or ImportKeyPair API in AWS or the gcloud compute os-login ssh-keys add command in GCP. This allows persistent access to instances within the cloud environment without further usage of the compromised cloud accounts.","references":[],"release_notes":"","research_status":{"horizon":"2023 Q2","notes":"","stage":"DONE","team":"Research","tickets":"N/A (June Release)\u0026nbsp;"},"tenable_products_required":[["Tenable Cloud Security"]],"tenable_release_date":"2023 Q2","tvdb_export_source":{"file_name":"diff-202408060030.tar.gz","file_path":"exports/tenable_attack_path/v1","data_file_name":"T1098","created_at":"2024-08-06T00:36:44","updated_at":"2024-08-06T00:36:44"},"products_required_display":"Tenable Cloud Security","products_required_search_filter":"Tenable Cloud Security"},"sort":["2023 Q2"]},{"_index":"1675877780426_attack_path_technique","_type":"_doc","_id":"T1530_AWS","_score":null,"_source":{"analysis_formula":{"conditions":"","evidence":"The S3 bucket contains the files","mitigation":"","pseudo_logic":"The S3 bucket has a relationship of CONTAIN to files"},"attack_family":[{"name":"Collection","url":"https://attack.mitre.org/tactics/TA0009"}],"attack_framework":"MITRE ATT\u0026CK","attack_id":"T1530_AWS","attack_name":"Data from Cloud Storage Object 
(AWS)","attack_notes":"","attack_platform":"AWS","attack_subtechnique":{"name":"Data from Cloud Storage Object","url":"https://attack.mitre.org/techniques/T1530/"},"attack_technique":{"name":"Data from Cloud Storage Object","url":"https://attack.mitre.org/techniques/T1530/"},"attack_testing":"","attack_version":"1.0","collection_mechanism":[{"access_rights":"Read-only","collection_frequency":"DAILY","data_required":"List of AWS buckets and their files","data_source":"Cloud","notes":"","product_dependencies":"","protocol":"HTTPS","tenable_product":"Tenable Cloud Security"}],"data_collection_frequency":"DAILY","dev_status":{"horizon":"","notes":"","stage":"","team":"","tickets":""},"false_negatives":{"likelihood":"LOW","notes":"","scenarios":"None"},"false_positives":{"likelihood":"LOW","notes":"","scenarios":"None"},"future_work":"","graph":{"end_node":"File","start_node":"S3 bucket"},"internal_notes":"[{'provider_code':'CS', 'provider_detection_id':None, 'detection_code':None, 'reason_id':None, 'reason_code_name':None}]","introduction":"Many cloud service providers offer solutions for online data storage such as Amazon S3, Azure Storage, and Google Cloud Storage. These solutions differ from other storage solutions (such as SQL or Elasticsearch) in that there is no overarching application. Data from these solutions can be retrieved directly using the cloud provider's APIs. 
Solution providers typically offer security guides to help end users configure systems.","references":[],"release_notes":"","research_status":{"horizon":"","notes":"","stage":"DONE","team":"Research","tickets":""},"tenable_products_required":[["Tenable Cloud Security"]],"tenable_release_date":"2023 Q2","tvdb_export_source":{"file_name":"diff-202405270010.tar.gz","file_path":"exports/tenable_attack_path/v1","data_file_name":"T1530_AWS","created_at":"2024-05-27T00:21:17","updated_at":"2024-05-27T00:21:17"},"products_required_display":"Tenable Cloud Security","products_required_search_filter":"Tenable Cloud Security"},"sort":["2023 Q2"]},{"_index":"1675877780426_attack_path_technique","_type":"_doc","_id":"T1648_AWS","_score":null,"_source":{"analysis_formula":{"conditions":"The policy allows one or more of the actions 'lambda:CreateFunction, lambda:UpdateFunctionCode, lambda:AddPermission, lambda:InvokeFunction' and no other policy denies them","mitigation":"","pseudo_logic":"AWS Policy has one relationship of lambda:CreateFunction, lambda:UpdateFunctionCode, lambda:AddPermission, lambda:InvokeFunction to lambda"},"attack_family":[{"name":"Execution","url":"https://attack.mitre.org/tactics/TA0002"}],"attack_framework":"MITRE ATT\u0026CK","attack_id":"T1648_AWS","attack_name":"Serverless Execution","attack_notes":"","attack_platform":"AWS","attack_subtechnique":{"name":"Serverless Execution","url":"https://attack.mitre.org/tactics/TA0002"},"attack_technique":{"name":"Serverless Execution","url":"https://attack.mitre.org/tactics/TA0002"},"attack_testing":"","attack_version":"1.0","collection_mechanism":[{"access_rights":"Read-only","collection_frequency":"DAILY","data_required":"AWS policies","data_source":"AWS IaaS","notes":"","product_dependencies":"","protocol":"HTTPS","tenable_product":"Tenable Cloud 
Security"}],"data_collection_frequency":"DAILY","dev_status":{"horizon":"","notes":"","stage":"","team":"","tickets":""},"false_negatives":{"likelihood":"LOW","notes":"","scenarios":"None"},"false_positives":{"likelihood":"LOW","notes":"","scenarios":"None"},"future_work":"","graph":{"end_node":"Lambda","start_node":"Policy"},"internal_notes":"[{'provider_code':'CS', 'provider_detection_id':None, 'detection_code':None, 'reason_id':None, 'reason_code_name':None}]","introduction":"Adversaries may abuse serverless computing, integration, and automation services to execute arbitrary code in cloud environments. Many cloud providers offer a variety of serverless resources, including compute engines, application integration services, and web servers.","references":[],"release_notes":"","research_status":{"horizon":"2023 Q2","notes":"","stage":"DONE","team":"Research","tickets":"N/A (June Release)\u0026nbsp;"},"tenable_products_required":[["Tenable Cloud Security"]],"tenable_release_date":"2023 Q2","tvdb_export_source":{"file_name":"diff-202405270010.tar.gz","file_path":"exports/tenable_attack_path/v1","data_file_name":"T1648_AWS","created_at":"2024-05-27T00:21:17","updated_at":"2024-05-27T00:21:17"},"products_required_display":"Tenable Cloud Security","products_required_search_filter":"Tenable Cloud Security"},"sort":["2023 Q2"]},{"_index":"1675877780426_attack_path_technique","_type":"_doc","_id":"T1049_Windows","_score":null,"_source":{"analysis_formula":{"conditions":"\u003cli\u003eResource cloud exposed to the internet.\u0026#160;\u003c/li\u003e","mitigation":"\u003cli\u003eDisable internet connection.\u003c/li\u003e","pseudo_logic":"\u003cli\u003eFor each \u003cspan\u003eAWS resource group environment\u003c/span\u003e\u003ccode\u003e:\u003c/code\u003e\u003col\u003e\u003cli\u003eIf the resource group is exposed to the internet:\u0026#160;\u003col\u003e\u003cli\u003e\u003cspan\u003eresource group is vulnerable to System Network Connection 
Discovery.\u003c/span\u003e\u003c/li\u003e\u003c/ol\u003e\u003c/li\u003e\u003c/ol\u003e\u003c/li\u003e"},"attack_family":[{"name":"Discovery","url":"https://attack.mitre.org/tactics/TA0007"}],"attack_framework":"MITRE ATT\u0026CK","attack_id":"T1049_Windows","attack_name":"System Network Connections Discovery (Windows)","attack_notes":"","attack_platform":"Windows","attack_subtechnique":{"name":"System Network Connections Discovery","url":"https://attack.mitre.org/techniques/T1049/"},"attack_technique":{"name":"System Network Connections Discovery","url":"https://attack.mitre.org/techniques/T1049/"},"attack_testing":"Manual Test:\u0026#10;\u003cli\u003eCreate a new database.\u003c/li\u003e\u003cli\u003eSet an internet connection to the database.\u003c/li\u003e\u0026#10;Automatic Test:\u0026#10;fix me","attack_version":"1.0","collection_mechanism":[{"access_rights":"Authenticated Scan","collection_frequency":"SCHEDULED","data_required":"Computer Connectivity","data_source":"Windows machines","notes":"Plugin ID: 64582","product_dependencies":"Advanced Network Scan","protocol":"OS Command","tenable_product":"Tenable.io"}],"data_collection_frequency":"DAILY","dev_status":{"horizon":"2023 Q1","notes":"","stage":"DONE","team":"APA Engineering","tickets":"\u003cbr\u003e"},"false_negatives":{"likelihood":"LOW","notes":"","scenarios":"None"},"false_positives":{"likelihood":"LOW","notes":"","scenarios":"None"},"future_work":"","graph":{"end_node":"CloudResource","start_node":"Internet"},"internal_notes":"","introduction":"Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.","references":[],"release_notes":"","research_status":{"horizon":"2023 Q1","notes":"","stage":"DONE","team":"Research","tickets":"\u003cbr\u003e"},"tenable_products_required":[["Tenable.io"]],"tenable_release_date":"2022 
Q4","tvdb_export_source":{"file_name":"diff-202404181802.tar.gz","file_path":"exports/tenable_attack_path/v1","data_file_name":"T1049_Windows","created_at":"2024-04-18T18:06:17","updated_at":"2024-04-18T18:06:17"},"products_required_display":"Tenable.io","products_required_search_filter":"\"Tenable.io\""},"sort":["2022 Q4"]},{"_index":"1675877780426_attack_path_technique","_type":"_doc","_id":"T1537_AWS","_score":null,"_source":{"analysis_formula":{"conditions":"\u003cli\u003eAWS buckets has public read\u0026#160;access.\u0026#160;\u003c/li\u003e","mitigation":"\u003cli\u003eSet rules to deny outbound traffic.\u003c/li\u003e","pseudo_logic":"\u003cli\u003eFor each \u003cspan\u003eAWS buckets in the environment\u003c/span\u003e\u003ccode\u003e:\u003c/code\u003e\u003col\u003e\u003cli\u003eIf the storage account has public read access:\u0026#160;\u003col\u003e\u003cli\u003e\u003cspan\u003eAWS buckets is vulnerable to Transfer Data to Cloud Account.\u003c/span\u003e\u003c/li\u003e\u003c/ol\u003e\u003c/li\u003e\u003c/ol\u003e\u003c/li\u003e"},"attack_family":[{"name":"Exfiltration","url":"https://attack.mitre.org/tactics/TA0010"}],"attack_framework":"MITRE ATT\u0026CK","attack_id":"T1537_AWS","attack_name":"Transfer Data to Cloud Account","attack_notes":"","attack_platform":"AWS","attack_subtechnique":{"name":"","url":""},"attack_technique":{"name":"Transfer Data to Cloud Account","url":"https://attack.mitre.org/techniques/T1537/"},"attack_testing":"Manual Test:\u0026#10;\u003cli\u003eCreate a new\u0026#160;AWS buckets in AWS.\u003c/li\u003e\u003cli\u003eChange the AWS buckets to read public.\u003c/li\u003e\u0026#10;Automatic Test:\u0026#10;fix me","attack_version":"1.0","collection_mechanism":[{"access_rights":"Read-only","collection_frequency":"DAILY","data_required":"List of Security Group","data_source":"Cloud","notes":"","product_dependencies":"","protocol":"HTTPS","tenable_product":"Tenable Cloud 
Security"}],"data_collection_frequency":"DAILY","dev_status":{"horizon":"2022 Q4","notes":"","stage":"DONE","team":"APA Engineering","tickets":"\u003cbr\u003e"},"false_negatives":{"likelihood":"LOW","notes":"","scenarios":"None"},"false_positives":{"likelihood":"LOW","notes":"","scenarios":"None"},"future_work":"","graph":{"end_node":"Interenet","start_node":"StorageAccount"},"internal_notes":"[{'provider_code':'CS', 'provider_detection_id':None, 'detection_code':None, 'reason_id':None, 'reason_code_name':None}]","introduction":"Adversaries may exfiltrate data by transferring the data, including backups of cloud environments, to another cloud account they control on the same service to avoid typical file transfers/downloads and network-based exfiltration detection.","references":[],"release_notes":"","research_status":{"horizon":"2022 Q4","notes":"","stage":"DONE","team":"Research","tickets":"\u003cbr\u003e"},"tenable_products_required":[["Tenable Cloud Security"]],"tenable_release_date":"2022 Q4","tvdb_export_source":{"file_name":"diff-202405270010.tar.gz","file_path":"exports/tenable_attack_path/v1","data_file_name":"T1537_AWS","created_at":"2024-05-27T00:21:17","updated_at":"2024-05-27T00:21:17"},"products_required_display":"Tenable Cloud Security","products_required_search_filter":"Tenable Cloud Security"},"sort":["2022 Q4"]},{"_index":"1675877780426_attack_path_technique","_type":"_doc","_id":"T1133_AWS","_score":null,"_source":{"analysis_formula":{"conditions":"\u003cli\u003eRule that allows connection from the internet to the security group in the administrator port.\u003c/li\u003e","mitigation":"\u003cli\u003eDeny connection from the internet.\u003c/li\u003e","pseudo_logic":"\u003cli\u003e\u003cp\u003eIf the rule allows connection from the internet in port 445|3389|5958 to the security group:\u0026#160;\u003c/p\u003e\u003col\u003e\u003cli\u003eSecurity group is \u003cspan\u003evulnerable to \u0026#34;External Remote 
Services\u0026#34;.\u003c/span\u003e\u003c/li\u003e\u003c/ol\u003e\u003c/li\u003e"},"attack_family":[{"name":"Initial Access","url":"https://attack.mitre.org/tactics/TA0001"},{"name":"Persistence","url":"https://attack.mitre.org/tactics/TA0003"}],"attack_framework":"MITRE ATT\u0026CK","attack_id":"T1133_AWS","attack_name":"External Remote Services","attack_notes":"fix me","attack_platform":"Windows","attack_subtechnique":{"name":"","url":""},"attack_technique":{"name":"External Remote Services","url":"https://attack.mitre.org/techniques/T1133/"},"attack_testing":"Manual Test:\u0026#10;\u003cli\u003eCreate a rule that allows connection from the internet to the computer in ports 445|3389|5958.\u0026#160;\u003c/li\u003e\u003cspan\u003eAutomatic Test\u003c/span\u003eCopy and paste the following code in PowerShell:\u003cdiv class=\"codeContent panelContent pdl\"\u003e\u003cdiv\u003e\u003cdiv class=\"syntaxhighlighter sh-confluence nogutter powershell\"\u003e\u003cdiv class=\"toolbar\"\u003e\u003cspan\u003e\u003ca href=\"#\" class=\"toolbar_item command_help help\"\u003e?\u003c/a\u003e\u003c/span\u003e\u003c/div\u003e\u003ctable border=\"0\" cellpadding=\"0\" cellspacing=\"0\"\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd class=\"code\"\u003e\u003cdiv class=\"container\" title=\"Hint: double-click to select code\"\u003e\u003cdiv class=\"line number1 index0 alt2\"\u003e\u003ccode class=\"powershell comments\"\u003e# Create connection from internet\u003c/code\u003e\u003c/div\u003e\u003c/div\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003c/div\u003e\u003c/div\u003e\u003c/div\u003e\u0026#10;Automatic Test:\u0026#10;fix me","attack_version":"1.0","collection_mechanism":[{"access_rights":"Read-only","collection_frequency":"HOURLY","data_required":"Security group Connectivity","data_source":"Security group","notes":"","product_dependencies":"","protocol":"API","tenable_product":"Tenable Legacy Cloud 
Security"}],"data_collection_frequency":"HOURLY","dev_status":{"horizon":"2022 Q4","notes":"","stage":"DONE","team":"APA Engineering","tickets":"\u003ca href=\"https://cymptomltd.atlassian.net/browse/CYMN-4494\" class=\"external-link\" rel=\"nofollow\"\u003ehttps://cymptomltd.atlassian.net/browse/CYMN-4494\u003c/a\u003e"},"false_negatives":{"likelihood":"MEDIUM","notes":"","scenarios":"fix me"},"false_positives":{"likelihood":"MEDIUM","notes":"","scenarios":"We may alert even when a third-party security control blocks the traffic or access (such as host IDS, micro-segmentation, etc.)"},"future_work":"fix me","graph":{"end_node":"Security group","start_node":"Internet"},"internal_notes":"","introduction":"Adversaries may leverage external-facing remote services to initially access and/or persist within a network. Remote services such as VPNs, Citrix, and other access mechanisms allow users to connect to internal enterprise network resources from external locations. There are often remote service gateways that manage connections and credential authentication for these services. 
Services such as\u0026nbsp;\u003ca rel=\"nofollow\" class=\"external-link\" style=\"text-decoration: none;text-align: left;\" href=\"https://attack.mitre.org/techniques/T1021/006\"\u003eWindows Remote Management\u003c/a\u003e\u0026nbsp;and\u0026nbsp;\u003ca rel=\"nofollow\" class=\"external-link\" href=\"https://attack.mitre.org/techniques/T1021/005\" style=\"text-decoration: none;text-align: left;\"\u003eVNC\u003c/a\u003e\u0026nbsp;can also be used externally.","references":[],"release_notes":"","research_status":{"horizon":"2022 Q4","notes":"","stage":"DONE","team":"Research","tickets":"\u003ca href=\"https://cymptomltd.atlassian.net/browse/CYMN-4494\" class=\"external-link\" rel=\"nofollow\"\u003ehttps://cymptomltd.atlassian.net/browse/CYMN-4494\u003c/a\u003e"},"tenable_products_required":[["Tenable Cloud Security"]],"tenable_release_date":"2022 Q4","tvdb_export_source":{"file_name":"diff-202408060030.tar.gz","file_path":"exports/tenable_attack_path/v1","data_file_name":"T1133_AWS","created_at":"2024-08-06T00:36:44","updated_at":"2024-08-06T00:36:44"},"products_required_display":"Tenable Cloud Security","products_required_search_filter":"Tenable Cloud Security"},"sort":["2022 Q4"]},{"_index":"1675877780426_attack_path_technique","_type":"_doc","_id":"T1136.003_AWS","_score":null,"_source":{"analysis_formula":{"conditions":"\u003cli\u003eOne of the policies must be with full permission and attached to some IAM entity.\u003c/li\u003e","mitigation":"\u003cli\u003eLimit the permission of policy with full\u0026nbsp;permission.\u003c/li\u003e","pseudo_logic":"\u003cli\u003eFor each \u003cspan\u003eAWS IAM Policy\u003c/span\u003e\u003ccode\u003e:\u003c/code\u003e\u003col\u003e\u003cli\u003eif\u0026#160;the policy is with full\u0026#160; permission and is attached to an IAM entity:\u003col\u003e\u003cli\u003eThe entity is vulnerable to\u0026#160;Additional Cloud 
Roles.\u0026#160;\u003c/li\u003e\u003c/ol\u003e\u003c/li\u003e\u003c/ol\u003e\u003c/li\u003e"},"attack_family":[{"name":"Persistence","url":"https://attack.mitre.org/tactics/TA0003"}],"attack_framework":"MITRE ATT\u0026CK","attack_id":"T1136.003_AWS","attack_name":"Create Account: Cloud Account","attack_notes":"","attack_platform":"AWS","attack_subtechnique":{"name":"Cloud Account","url":"https://attack.mitre.org/techniques/T1136/003/"},"attack_technique":{"name":"Create Account","url":"https://attack.mitre.org/techniques/T1136/"},"attack_testing":"Manual Test:\u0026#10;\u003cli\u003eCreate a new\u0026#160;AWS user.\u003c/li\u003e\u003cli\u003eCreate a new Policy with full\u0026#160;permission\u0026#160;\u003cspan\u003e\u0026#34;{\\\u0026#34;Statement\\\u0026#34;:[{\\\u0026#34;Action\\\u0026#34;:\\\u0026#34;*\\\u0026#34;,\\\u0026#34;Effect\\\u0026#34;:\\\u0026#34;Allow\\\u0026#34;,\\\u0026#34;Resource\\\u0026#34;:\\\u0026#34;*\\\u0026#34;}],\\\u0026#34;Version\\\u0026#34;:\\\u0026#34;2012-10-17\\\u0026#34;}\u0026#34;.\u003c/span\u003e\u003c/li\u003e\u003cli\u003eAttach the policy to the user.\u003c/li\u003e\u0026#10;Automatic Test:\u0026#10;fix me","attack_version":"1.0","collection_mechanism":[{"access_rights":"Read-only","collection_frequency":"DAILY","data_required":"List of IAM Policy","data_source":"Cloud","notes":"","product_dependencies":"","protocol":"HTTPS","tenable_product":"Tenable.cs"}],"data_collection_frequency":"DAILY","dev_status":{"horizon":"2022 Q4","notes":"","stage":"DONE","team":"APA Engineering","tickets":""},"false_negatives":{"likelihood":"LOW","notes":"","scenarios":"None"},"false_positives":{"likelihood":"LOW","notes":"","scenarios":"None"},"future_work":"","graph":{"end_node":"AWS Entity","start_node":"IAM Entity"},"internal_notes":"","introduction":"Adversaries may create a cloud account to maintain access to victim systems. 
With a sufficient level of access, such accounts may be used to establish secondary credentialed access that does not require persistent remote access tools to be deployed on the system","references":[],"release_notes":"","research_status":{"horizon":"2022 Q4","notes":"","stage":"DONE","team":"Research","tickets":""},"tenable_products_required":[["Tenable.cs"]],"tenable_release_date":"2022 Q4","tvdb_export_source":{"file_name":"diff-202404181802.tar.gz","file_path":"exports/tenable_attack_path/v1","data_file_name":"T1136","created_at":"2024-04-18T18:06:17","updated_at":"2024-04-18T18:06:17"},"products_required_display":"Tenable.cs","products_required_search_filter":"\"Tenable.cs\""},"sort":["2022 Q4"]},{"_index":"1675877780426_attack_path_technique","_type":"_doc","_id":"T1204_AWS","_score":null,"_source":{"analysis_formula":{"conditions":"\u003cli\u003e\u003cspan\u003eHard coded scripts used in Base64 encode.\u003c/span\u003e\u003c/li\u003e","mitigation":"\u003cli\u003eDelete the hardcoded script.\u003c/li\u003e","pseudo_logic":"\u003cli\u003eFor each \u003cspan\u003eLaunch Configuration\u003c/span\u003e\u003cspan\u003e\u0026#160;environment\u003c/span\u003e\u003ccode\u003e:\u003c/code\u003e\u003col\u003e\u003cli\u003eIf there are\u0026#160;\u003cspan\u003ehard-coded scripts in \u003c/span\u003e\u003cspan\u003eLaunch\u0026#160;\u003c/span\u003e\u003cfont color=\"#000000\"\u003eConfiguration:\u003c/font\u003e\u0026#160;\u003col\u003e\u003cli\u003e\u003cspan\u003e\u003cspan\u003eLaunch Configuration\u003c/span\u003e is vulnerable to User Execution.\u003cbr\u003e\u0026#160;\u003c/span\u003e\u003c/li\u003e\u003c/ol\u003e\u003c/li\u003e\u003c/ol\u003e\u003c/li\u003e"},"attack_family":[{"name":"Execution","url":"https://attack.mitre.org/tactics/TA0002"}],"attack_framework":"MITRE ATT\u0026CK","attack_id":"T1204_AWS","attack_name":"User Execution","attack_notes":"","attack_platform":"AWS","attack_subtechnique":{"name":"","url":""},"attack_technique":{"name":"User 
Execution","url":"https://attack.mitre.org/techniques/T1204/"},"attack_testing":"Manual Test:\n\u003cli\u003eCreate a new \u003cspan style=\"color: rgb(0,0,0);\"\u003elaunch_configuration\u003c/span\u003e\u003c/li\u003e\u003cli\u003ecreate hardcoded script in the \u003cspan style=\"color: rgb(0,0,0);\"\u003elaunch_configuration\u003c/span\u003e\u003c/li\u003e\nAutomatic Test:\nfix me","attack_version":"1.0","collection_mechanism":[{"access_rights":"Read-only","collection_frequency":"DAILY","data_required":"List of Launch Configuration","data_source":"Cloud","notes":"","product_dependencies":"","protocol":"HTTPS","tenable_product":"Tenable.cs"}],"data_collection_frequency":"DAILY","dev_status":{"horizon":"2022 Q4","notes":"","stage":"DONE","team":"APA Engineering","tickets":"\u003cbr\u003e"},"false_negatives":{"likelihood":"LOW","notes":"","scenarios":"None"},"false_positives":{"likelihood":"LOW","notes":"","scenarios":"None"},"future_work":"","graph":{"end_node":"Launch Configuration","start_node":"Launch Configuration"},"internal_notes":"","introduction":"An adversary may rely upon specific actions by a user in order to gain execution. Users may be subjected to social engineering to get them to execute malicious code by, for example, opening a malicious document file or link. 
These user actions will typically be observed as follow-on behavior from forms of\u0026nbsp;Phishing.","references":[],"release_notes":"","research_status":{"horizon":"2022 Q4","notes":"","stage":"DONE","team":"Research","tickets":"\u003cbr\u003e"},"tenable_products_required":[["Tenable.cs"]],"tenable_release_date":"2022 Q4","tvdb_export_source":{"file_name":"diff-202404181802.tar.gz","file_path":"exports/tenable_attack_path/v1","data_file_name":"T1204_AWS","created_at":"2024-04-18T18:06:17","updated_at":"2024-04-18T18:06:17"},"products_required_display":"Tenable.cs","products_required_search_filter":"\"Tenable.cs\""},"sort":["2022 Q4"]},{"_index":"1675877780426_attack_path_technique","_type":"_doc","_id":"T1528_AWS","_score":null,"_source":{"analysis_formula":{"conditions":"\u003cli\u003eEnvironment variables in the AWS\u0026#160;lambda must contain a Token or Access Key.\u003c/li\u003e","mitigation":"\u003cli\u003eDelete the environment\u0026nbsp;variable that contains the token or the key.\u003c/li\u003e","pseudo_logic":"\u003cli\u003eFor each \u003cspan\u003eAWS\u0026#160;lambda in the environment\u003c/span\u003e\u003ccode\u003e:\u003c/code\u003e\u003col\u003e\u003cli\u003eIf the lambda has an environment variable:\u003col\u003e\u003cli\u003eIf the environment variable contains a key or token:\u0026#160;\u003col\u003e\u003cli\u003e\u003cspan\u003eAWS\u0026#160;lambda is vulnerable to\u0026#160;Steal Application Access Token.\u003c/span\u003e\u003c/li\u003e\u003c/ol\u003e\u003c/li\u003e\u003c/ol\u003e\u003c/li\u003e\u003c/ol\u003e\u003c/li\u003e"},"attack_family":[{"name":"Collection","url":"https://attack.mitre.org/tactics/TA0009"}],"attack_framework":"MITRE ATT\u0026CK","attack_id":"T1528_AWS","attack_name":"Steal Application Access Token (AWS)","attack_notes":"","attack_platform":"AWS","attack_subtechnique":{"name":"Steal Application Access Token","url":"https://attack.mitre.org/techniques/T1528/"},"attack_technique":{"name":"Steal Application Access 
Token","url":"https://attack.mitre.org/techniques/T1528/"},"attack_testing":"Manual Test:\u0026#10;\u003cli\u003eCreate a new\u0026#160;AWS\u0026#160;\u003cspan\u003elambda\u003c/span\u003e in AWS.\u003c/li\u003e\u003cli\u003eSet environment variables that contain tokens in the AWS\u0026#160;\u003cspan\u003elambda function.\u0026#160;\u003c/span\u003e\u003c/li\u003e\u0026#10;Automatic Test:\u0026#10;fix me","attack_version":"1.0","collection_mechanism":[{"access_rights":"Read-only","collection_frequency":"DAILY","data_required":"List of AWS lambda","data_source":"Cloud","notes":"","product_dependencies":"","protocol":"HTTPS","tenable_product":"Tenable Cloud Security"}],"data_collection_frequency":"DAILY","dev_status":{"horizon":"2022 Q4","notes":"","stage":"DONE","team":"APA Engineering","tickets":""},"false_negatives":{"likelihood":"LOW","notes":"","scenarios":"None"},"false_positives":{"likelihood":"LOW","notes":"","scenarios":"None"},"future_work":"","graph":{"end_node":"AwsEnvironmentVariable","start_node":"CloudResource"},"internal_notes":"[{'provider_code':'CS', 'provider_detection_id':None, 'detection_code':None, 'reason_id':None, 'reason_code_name':None}]","introduction":"Adversaries can steal application access tokens as a means of acquiring credentials to access remote systems and resources.Application access tokens are used to make authorized API requests on behalf of a user or service and are commonly used as a way to access resources in cloud and container-based applications and software-as-a-service (SaaS).OAuth is one commonly implemented framework that issues tokens to users for access to systems. 
Adversaries who steal account API tokens in cloud and containerized environments may be able to access data and perform actions with the permissions of these accounts, which can lead to privilege escalation and further compromise of the environment.","references":[],"release_notes":"","research_status":{"horizon":"2022 Q4","notes":"","stage":"DONE","team":"Research","tickets":""},"tenable_products_required":[["Tenable Cloud Security"]],"tenable_release_date":"2022 Q4","tvdb_export_source":{"file_name":"diff-202405270010.tar.gz","file_path":"exports/tenable_attack_path/v1","data_file_name":"T1528_AWS","created_at":"2024-05-27T00:21:17","updated_at":"2024-05-27T00:21:17"},"products_required_display":"Tenable Cloud Security","products_required_search_filter":"Tenable Cloud Security"},"sort":["2022 Q4"]},{"_index":"1675877780426_attack_path_technique","_type":"_doc","_id":"T1069.003_AWS","_score":null,"_source":{"analysis_formula":{"conditions":"\u003cli\u003eUser is a member of a Cloud Group.\u003c/li\u003e","mitigation":"\u003cspan\u003eThis type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.\n\n\u003c/span\u003e","pseudo_logic":"\u003cli\u003eFor each \u003cfont face=\"SFMono-Medium, SF Mono, Segoe UI Mono, Roboto Mono, Ubuntu Mono, Menlo, Courier, monospace\"\u003eIAM Group (AWS)\u003c/font\u003ein \u003ccode\u003eGraphDb:\u003c/code\u003e\u003col\u003e\u003cli\u003eFor each IAM user in the IAM Group (recursively):\u0026#160;\u003col\u003e\u003cli\u003e\u003ccode\u003eIAM\u0026#160;\u003c/code\u003e\u003cspan\u003eGroup is vulnerable to\u0026#160;Cloud Groups technique by\u0026#160;\u003ccode\u003eCloud Group.\u003c/code\u003e\u003c/span\u003e\u003c/li\u003e\u003c/ol\u003e\u003c/li\u003e\u003c/ol\u003e\u003c/li\u003e"},"attack_family":[{"name":"Discovery","url":"https://attack.mitre.org/tactics/TA0007"}],"attack_framework":"MITRE 
ATT\u0026CK","attack_id":"T1069.003_AWS","attack_name":"Permission Groups Discovery: Cloud Groups (AWS)","attack_notes":"","attack_platform":"AWS","attack_subtechnique":{"name":"Cloud Groups","url":"https://attack.mitre.org/techniques/T1069/003/"},"attack_technique":{"name":"Permission Groups Discovery","url":"https://attack.mitre.org/techniques/T1069/"},"attack_testing":"Manual Test:\u0026#10;\u003cli\u003eCreate a new group in AWS.\u003c/li\u003e\u003cli\u003eCreate a new user in the AWS.\u003c/li\u003e\u003cli\u003eAdd the user to the group.\u003c/li\u003e\u0026#10;Automatic Test:\u0026#10;fix me","attack_version":"1.0","collection_mechanism":[{"access_rights":"Read-only","collection_frequency":"DAILY","data_required":"List of Cloud Users, Groups and Memberships","data_source":"AWS","notes":"","product_dependencies":"","protocol":"HTTPS","tenable_product":"Tenable Legacy Cloud Security"}],"data_collection_frequency":"DAILY","dev_status":{"horizon":"2022 Q4","notes":"","stage":"DONE","team":"APA Engineering","tickets":"\u003ca href=\"https://cymptomltd.atlassian.net/browse/CYMN-4130?atlOrigin=eyJpIjoiODJkZDU5MTdkNTkzNDA2NGIyZWViYjA4YzllODhhNDQiLCJwIjoiamlyYS1zbGFjay1pbnQifQ\" class=\"external-link\" rel=\"nofollow\"\u003ehttps://cymptomltd.atlassian.net/browse/CYMN-4130?atlOrigin=eyJpIjoiODJkZDU5MTdkNTkzNDA2NGIyZWViYjA4YzllODhhNDQiLCJwIjoiamlyYS1zbGFjay1pbnQifQ\u003c/a\u003e"},"false_negatives":{"likelihood":"LOW","notes":"","scenarios":"None"},"false_positives":{"likelihood":"LOW","notes":"","scenarios":"None"},"future_work":"","graph":{"end_node":"CloudGroup","start_node":"CloudUser"},"internal_notes":"","introduction":"Adversaries may attempt to find cloud groups and permission settings. 
The knowledge of cloud permission groups can help adversaries determine the particular roles of users and groups within an environment, as well as which users are associated with a particular group.With authenticated access there are several tools that can be used to find permissions groups. The\u0026nbsp;Get-MsolRole\u0026nbsp;PowerShell cmdlet can be used to obtain roles and permissions groups for Exchange and Office 365 accounts.Azure CLI (AZ CLI) and the Google Cloud Identity Provider API also provide interfaces to obtain permissions groups. The command\u0026nbsp;az ad user get-member-groups\u0026nbsp;will list groups associated to a user account for Azure while the API endpoint\u0026nbsp;GET \u003ca rel=\"nofollow\" class=\"external-link\" href=\"https://cloudidentity.googleapis.com/v1/groups\"\u003ehttps://cloudidentity.googleapis.com/v1/groups\u003c/a\u003e\u0026nbsp;lists group resources available to a user for Google.Adversaries may attempt to list ACLs for objects to determine the owner and other accounts with access to the object, for example, via the AWS\u0026nbsp;GetBucketAcl\u0026nbsp;API. 
Using this information an adversary can target accounts with permissions to a given object or leverage accounts they have already compromised to access the object.","references":[],"release_notes":"","research_status":{"horizon":"2022 Q4","notes":"","stage":"DONE","team":"Research","tickets":"\u003ca href=\"https://cymptomltd.atlassian.net/browse/CYMN-4130?atlOrigin=eyJpIjoiODJkZDU5MTdkNTkzNDA2NGIyZWViYjA4YzllODhhNDQiLCJwIjoiamlyYS1zbGFjay1pbnQifQ\" class=\"external-link\" rel=\"nofollow\"\u003ehttps://cymptomltd.atlassian.net/browse/CYMN-4130?atlOrigin=eyJpIjoiODJkZDU5MTdkNTkzNDA2NGIyZWViYjA4YzllODhhNDQiLCJwIjoiamlyYS1zbGFjay1pbnQifQ\u003c/a\u003e"},"tenable_products_required":[["Tenable Cloud Security"]],"tenable_release_date":"2022 Q4","tvdb_export_source":{"file_name":"diff-202408060030.tar.gz","file_path":"exports/tenable_attack_path/v1","data_file_name":"T1069","created_at":"2024-08-06T00:36:44","updated_at":"2024-08-06T00:36:44"},"products_required_display":"Tenable Cloud Security","products_required_search_filter":"Tenable Cloud Security"},"sort":["2022 Q4"]}],"total":131,"page":1},"cookies":{},"user":null,"flash":null,"env":{"baseUrl":"https://www.tenable.com","host":"www.tenable.com","ga4TrackingId":""},"isUnsupportedBrowser":true,"__N_SSP":true},"page":"/attack-path-techniques","query":{},"buildId":"fGlHUlsrtZ1JnQfd6DHsd","isFallback":false,"isExperimentalCompile":false,"gssp":true,"appGip":true,"locale":"en","locales":["en","de","es","fr","ja","ko","zh-CN","zh-TW"],"defaultLocale":"en","domainLocales":[{"domain":"www.tenable.com","defaultLocale":"en"},{"domain":"de.tenable.com","defaultLocale":"de"},{"domain":"es-la.tenable.com","defaultLocale":"es"},{"domain":"fr.tenable.com","defaultLocale":"fr"},{"domain":"jp.tenable.com","defaultLocale":"ja"},{"domain":"kr.tenable.com","defaultLocale":"ko"},{"domain":"www.tenablecloud.cn","defaultLocale":"zh-CN"},{"domain":"zh-tw.tenable.com","defaultLocale":"zh-TW"}],"scriptLoader":[]}</script></body></html>