# Attack Index

Quick reference to attack techniques organized by MITRE ATT&CK tactics and common vulnerability types.

## By MITRE ATT&CK Tactic

### Initial Access (TA0001)

| Technique                 | Description                          | Related Section                                     |
| ------------------------- | ------------------------------------ | --------------------------------------------------- |
| Phishing                  | Spearphishing, credential harvesting | [Social Engineering](/others/social-engineering.md) |
| Drive-by Compromise       | Exploit via malicious website        | [XSS](/enumeration/web/xss.md)                      |
| Exploit Public-Facing App | Web app vulnerabilities              | [Web Attacks](/enumeration/web.md)                  |
| External Remote Services  | VPN, RDP exploitation                | [Ports](/enumeration/ports.md)                      |
| Valid Accounts            | Credential reuse, default creds      | [Bruteforcing](/enumeration/web/bruteforcing.md)    |
| Supply Chain Compromise   | Package/dependency attacks           | [Supply Chain](/enumeration/web/supply-chain.md)    |

### Execution (TA0002)

| Technique                         | Description                  | Related Section                                            |
| --------------------------------- | ---------------------------- | ---------------------------------------------------------- |
| Command Injection                 | OS command execution         | [Command Injection](/enumeration/web/command-injection.md) |
| Scripting                         | PowerShell, Python, Bash     | [Reverse Shells](/exploitation/reverse-shells.md)          |
| Exploitation for Client Execution | Browser/doc exploits         | [Buffer Overflow](/exploitation/buffer-overflow.md)        |
| User Execution                    | Social engineering execution | [Social Engineering](/others/social-engineering.md)        |

### Persistence (TA0003)

| Technique            | Description                | Related Section                                            |
| -------------------- | -------------------------- | ---------------------------------------------------------- |
| Account Manipulation | Modify accounts/groups     | [AD Attacks](/post-exploitation/windows/ad.md)             |
| Boot/Logon Autostart | Registry run keys, startup | [Windows Post-Exploitation](/post-exploitation/windows.md) |
| Scheduled Task/Job   | Cron, Task Scheduler       | [Windows Post-Exploitation](/post-exploitation/windows.md) |
| Web Shell            | Persistent web backdoor    | [Webshells](/enumeration/web/web-shells.md)                |
| Create Account       | Add backdoor accounts      | [Linux Post-Exploitation](/post-exploitation/linux.md)     |

### Privilege Escalation (TA0004)

| Technique                             | Description                 | Related Section                                               |
| ------------------------------------- | --------------------------- | ------------------------------------------------------------- |
| Exploitation for Privilege Escalation | Kernel/service exploits     | [Privilege Escalation](/exploitation/privilege-escalation.md) |
| Access Token Manipulation             | Token impersonation         | [Windows Post-Exploitation](/post-exploitation/windows.md)    |
| Sudo/SUID Abuse                       | Linux permission abuse      | [Linux Post-Exploitation](/post-exploitation/linux.md)        |
| DLL Hijacking                         | Malicious DLL loading       | [Windows Post-Exploitation](/post-exploitation/windows.md)    |
| Bypass UAC                            | User Account Control bypass | [Windows Post-Exploitation](/post-exploitation/windows.md)    |

### Defense Evasion (TA0005)

| Technique                    | Description          | Related Section                       |
| ---------------------------- | -------------------- | ------------------------------------- |
| Obfuscated Files/Information | Encoding, encryption | [RT/EDR Evasion](/others/rt-edr.md)   |
| Process Injection            | Code injection       | [RT/EDR Evasion](/others/rt-edr.md)   |
| Indicator Removal            | Log clearing         | [Purple Team](/others/purple-team.md) |
| AMSI Bypass                  | Antimalware bypass   | [RT/EDR Evasion](/others/rt-edr.md)   |
| Timestomping                 | Modify file times    | [Purple Team](/others/purple-team.md) |

### Credential Access (TA0006)

| Technique                        | Description                | Related Section                                                       |
| -------------------------------- | -------------------------- | --------------------------------------------------------------------- |
| OS Credential Dumping            | Mimikatz, LSASS            | [Windows Post-Exploitation](/post-exploitation/windows.md)            |
| Credentials from Password Stores | Browser, Keychain          | [Linux Post-Exploitation](/post-exploitation/linux.md)                |
| Kerberoasting                    | SPN ticket cracking        | [Kerberos Attacks](/post-exploitation/windows/ad/kerberos-attacks.md) |
| AS-REP Roasting                  | Pre-auth disabled accounts | [Kerberos Attacks](/post-exploitation/windows/ad/kerberos-attacks.md) |
| Brute Force                      | Password guessing          | [Bruteforcing](/enumeration/web/bruteforcing.md)                      |

### Discovery (TA0007)

| Technique                    | Description            | Related Section                                |
| ---------------------------- | ---------------------- | ---------------------------------------------- |
| Network Service Scanning     | Port/service discovery | [Network Scanning](/recon/network-scanning.md) |
| Remote System Discovery      | AD enumeration         | [AD Attacks](/post-exploitation/windows/ad.md) |
| File and Directory Discovery | Sensitive file search  | [Files](/enumeration/files.md)                 |
| Cloud Service Discovery      | AWS/Azure/GCP enum     | [Cloud](/enumeration/cloud.md)                 |

### Lateral Movement (TA0008)

| Technique              | Description           | Related Section                                                       |
| ---------------------- | --------------------- | --------------------------------------------------------------------- |
| Remote Services        | SSH, RDP, WinRM       | [Pivoting](/post-exploitation/pivoting.md)                            |
| Pass the Hash          | NTLM hash reuse       | [AD Attacks](/post-exploitation/windows/ad.md)                        |
| Pass the Ticket        | Kerberos ticket reuse | [Kerberos Attacks](/post-exploitation/windows/ad/kerberos-attacks.md) |
| Internal Spearphishing | Lateral phishing      | [Social Engineering](/others/social-engineering.md)                   |

### Collection (TA0009)

| Technique                          | Description            | Related Section                                  |
| ---------------------------------- | ---------------------- | ------------------------------------------------ |
| Data from Information Repositories | SharePoint, Confluence | [Enumeration](/enumeration/web.md)               |
| Archive Collected Data             | Compression, staging   | [File Transfer](/exploitation/file-transfer.md)  |
| Screen Capture                     | Screenshot collection  | [Post-Exploitation](/post-exploitation/linux.md) |

### Exfiltration (TA0010)

| Technique                              | Description   | Related Section                                 |
| -------------------------------------- | ------------- | ----------------------------------------------- |
| Exfiltration Over Web Service          | Cloud storage | [File Transfer](/exploitation/file-transfer.md) |
| Exfiltration Over DNS                  | DNS tunneling | [Wireless Testing](/others/wireless.md)         |
| Exfiltration Over Alternative Protocol | ICMP, custom  | [Pivoting](/post-exploitation/pivoting.md)      |

***

## By Vulnerability Type

### Injection Attacks

| Attack            | Description                 | Section                                                    |
| ----------------- | --------------------------- | ---------------------------------------------------------- |
| SQL Injection     | Database query manipulation | [SQLi](/enumeration/web/sqli.md)                           |
| Command Injection | OS command execution        | [Command Injection](/enumeration/web/command-injection.md) |
| LDAP Injection    | LDAP query manipulation     | [AD Attacks](/post-exploitation/windows/ad.md)             |
| XPath Injection   | XML query manipulation      | [XXE](/enumeration/web/xxe.md)                             |
| SSTI              | Template engine injection   | [SSTI](/enumeration/web/ssti.md)                           |
| NoSQL Injection   | MongoDB/CouchDB injection   | [NoSQL](/enumeration/webservices/nosql-and-and-mongodb.md) |
| Header Injection  | HTTP header manipulation    | [Header Injections](/enumeration/web/header-injections.md) |
| CRLF Injection    | Response splitting          | [CRLF](/enumeration/web/crlf.md)                           |

### Cross-Site Attacks

| Attack                | Description                   | Section                                          |
| --------------------- | ----------------------------- | ------------------------------------------------ |
| XSS (Reflected)       | Script injection via URL      | [XSS](/enumeration/web/xss.md)                   |
| XSS (Stored)          | Persistent script injection   | [XSS](/enumeration/web/xss.md)                   |
| XSS (DOM)             | Client-side DOM manipulation  | [XSS](/enumeration/web/xss.md)                   |
| CSRF                  | Cross-site request forgery    | [CSRF](/enumeration/web/csrf.md)                 |
| CORS Misconfiguration | Cross-origin resource sharing | [CORS](/enumeration/web/cors.md)                 |
| Clickjacking          | UI redressing                 | [Clickjacking](/enumeration/web/clickjacking.md) |

### Authentication/Authorization

| Attack              | Description                      | Section                                                  |
| ------------------- | -------------------------------- | -------------------------------------------------------- |
| Brute Force         | Password guessing                | [Bruteforcing](/enumeration/web/bruteforcing.md)         |
| Credential Stuffing | Reused credential attacks        | [Bruteforcing](/enumeration/web/bruteforcing.md)         |
| Session Fixation    | Session ID manipulation          | [Session Fixation](/enumeration/web/session-fixation.md) |
| IDOR                | Insecure direct object reference | [IDOR](/enumeration/web/idor.md)                         |
| JWT Attacks         | Token manipulation               | [JWT](/enumeration/webservices/jwt.md)                   |
| OAuth Flaws         | OAuth flow manipulation          | [OAuth](/enumeration/webservices/oauth.md)               |
| MFA Bypass          | Multi-factor bypass              | [MFA](/enumeration/webservices/mfa.md)                   |

### Server-Side Attacks

| Attack            | Description                 | Section                                                    |
| ----------------- | --------------------------- | ---------------------------------------------------------- |
| SSRF              | Server-side request forgery | [SSRF](/enumeration/web/ssrf.md)                           |
| XXE               | XML external entity         | [XXE](/enumeration/web/xxe.md)                             |
| LFI/RFI           | Local/Remote file inclusion | [LFI/RFI](/enumeration/web/lfi-rfi.md)                     |
| File Upload       | Malicious file upload       | [File Upload](/enumeration/web/upload-bypasses.md)         |
| Deserialization   | Insecure deserialization    | [Deserialization](/enumeration/web/deserialization.md)     |
| Request Smuggling | HTTP desync attacks         | [Request Smuggling](/enumeration/web/request-smuggling.md) |

### Cache/Proxy Attacks

| Attack              | Description          | Section                                                    |
| ------------------- | -------------------- | ---------------------------------------------------------- |
| Web Cache Poisoning | Cache manipulation   | [Cache Poisoning](/enumeration/web/web-cache-poisoning.md) |
| Web Cache Deception | Cache rule abuse     | [Cache Deception](/enumeration/web/web-cache-deception.md) |
| DNS Rebinding       | DNS TTL manipulation | [DNS Rebinding](/enumeration/web/dns-rebinding.md)         |

### API Attacks

| Attack            | Description                       | Section                                          |
| ----------------- | --------------------------------- | ------------------------------------------------ |
| BOLA              | Broken object-level authorization | [API Security](/enumeration/web/api-security.md) |
| Mass Assignment   | Unexpected parameter binding      | [API Security](/enumeration/web/api-security.md) |
| GraphQL Attacks   | Introspection, batching abuse     | [API Security](/enumeration/web/api-security.md) |
| Rate Limit Bypass | Throttling circumvention          | [API Security](/enumeration/web/api-security.md) |

### Active Directory Attacks

| Attack          | Description                  | Section                                                       |
| --------------- | ---------------------------- | ------------------------------------------------------------- |
| Kerberoasting   | SPN ticket cracking          | [Kerberos](/post-exploitation/windows/ad/kerberos-attacks.md) |
| AS-REP Roasting | Pre-auth disabled abuse      | [Kerberos](/post-exploitation/windows/ad/kerberos-attacks.md) |
| Golden Ticket   | Forged TGT                   | [Kerberos](/post-exploitation/windows/ad/kerberos-attacks.md) |
| Silver Ticket   | Forged service ticket        | [Kerberos](/post-exploitation/windows/ad/kerberos-attacks.md) |
| DCSync          | Replicate DC credentials     | [AD](/post-exploitation/windows/ad.md)                        |
| Pass the Hash   | NTLM hash reuse              | [AD](/post-exploitation/windows/ad.md)                        |
| Pass the Ticket | Kerberos ticket reuse        | [Kerberos](/post-exploitation/windows/ad/kerberos-attacks.md) |
| AD CS Abuse     | Certificate services attacks | [AD](/post-exploitation/windows/ad.md)                        |

### Cloud Attacks

| Attack                     | Description              | Section                                                       |
| -------------------------- | ------------------------ | ------------------------------------------------------------- |
| Metadata Service Abuse     | IMDS exploitation        | [AWS](/enumeration/cloud/aws.md)                              |
| S3 Bucket Misconfiguration | Public bucket access     | [AWS](/enumeration/cloud/aws.md)                              |
| IAM Privilege Escalation   | Permission escalation    | [GCP](/enumeration/cloud/gcp.md)                              |
| Managed Identity Abuse     | Token theft              | [Azure](/enumeration/cloud/azure.md)                          |
| Container Escape           | Breakout from containers | [Docker/K8s](/enumeration/cloud/docker-and-and-kubernetes.md) |
| Serverless Exploitation    | Lambda/Functions abuse   | [Serverless](/enumeration/cloud/serverless.md)                |

### Wireless Attacks

| Attack            | Description             | Section                         |
| ----------------- | ----------------------- | ------------------------------- |
| WPA2 Cracking     | Handshake/PMKID attacks | [Wireless](/others/wireless.md) |
| Evil Twin         | Rogue access point      | [Wireless](/others/wireless.md) |
| Bluetooth Attacks | BLE exploitation        | [Wireless](/others/wireless.md) |
| RFID Cloning      | Badge duplication       | [Hardware](/others/hardware.md) |

### Physical/Social Engineering

| Attack        | Description           | Section                                             |
| ------------- | --------------------- | --------------------------------------------------- |
| Phishing      | Credential harvesting | [Social Engineering](/others/social-engineering.md) |
| Vishing       | Voice phishing        | [Social Engineering](/others/social-engineering.md) |
| USB Drops     | Malicious USB devices | [Hardware](/others/hardware.md)                     |
| Tailgating    | Physical access       | [Social Engineering](/others/social-engineering.md) |
| Badge Cloning | RFID/NFC cloning      | [Hardware](/others/hardware.md)                     |

***

## By CWE (Common Weakness Enumeration)

| CWE ID  | Name                       | Section                                                    |
| ------- | -------------------------- | ---------------------------------------------------------- |
| CWE-78  | OS Command Injection       | [Command Injection](/enumeration/web/command-injection.md) |
| CWE-79  | Cross-site Scripting (XSS) | [XSS](/enumeration/web/xss.md)                             |
| CWE-89  | SQL Injection              | [SQLi](/enumeration/web/sqli.md)                           |
| CWE-94  | Code Injection             | [SSTI](/enumeration/web/ssti.md)                           |
| CWE-98  | PHP File Inclusion         | [LFI/RFI](/enumeration/web/lfi-rfi.md)                     |
| CWE-120 | Buffer Overflow            | [Buffer Overflow](/exploitation/buffer-overflow.md)        |
| CWE-200 | Information Exposure       | [Recon](/recon/public-info-gathering.md)                   |
| CWE-287 | Authentication Issues      | [Bruteforcing](/enumeration/web/bruteforcing.md)           |
| CWE-352 | Cross-Site Request Forgery | [CSRF](/enumeration/web/csrf.md)                           |
| CWE-434 | Unrestricted Upload        | [File Upload](/enumeration/web/upload-bypasses.md)         |
| CWE-502 | Deserialization            | [Deserialization](/enumeration/web/deserialization.md)     |
| CWE-611 | XXE                        | [XXE](/enumeration/web/xxe.md)                             |
| CWE-639 | IDOR                       | [IDOR](/enumeration/web/idor.md)                           |
| CWE-918 | SSRF                       | [SSRF](/enumeration/web/ssrf.md)                           |

***

## Quick Reference: Attack → Defense Mapping

| Attack              | Detection                         | Prevention                              |
| ------------------- | --------------------------------- | --------------------------------------- |
| SQLi                | WAF rules, query logging          | Parameterized queries, input validation |
| XSS                 | CSP violations, WAF               | Output encoding, CSP, sanitization      |
| Command Injection   | Process monitoring, syscall audit | Input validation, avoid shell           |
| SSRF                | Outbound request monitoring       | Allowlisting, network segmentation      |
| LFI/RFI             | File access logging               | Input validation, chroot                |
| Credential Stuffing | Failed login monitoring           | MFA, rate limiting, CAPTCHA             |
| Kerberoasting       | Event ID 4769 monitoring          | Strong service account passwords        |
| Pass the Hash       | NTLM relay detection              | Credential Guard, SMB signing           |
| Container Escape    | Syscall monitoring (seccomp)      | Rootless containers, gVisor             |

***

## Resources

* [MITRE ATT&CK](https://attack.mitre.org/)
* [OWASP Top 10](https://owasp.org/www-project-top-ten/)
* [CWE Top 25](https://cwe.mitre.org/top25/)
* [HackTricks](https://book.hacktricks.xyz/)
* [PayloadsAllTheThings](https://github.com/swisskyrepo/PayloadsAllTheThings)

