DCSync Attack via Compromised Service Account
A service account with replication rights is being abused to dump all domain hashes via DCSync. The attack branches: one path leads to Golden Ticket forgery, another to immediate l
Scenario library
302 hands-on incident-response scenarios across 11 systems, from Active Directory and Entra to AWS, Azure, GCP, Okta, and Snowflake. Drafted from live threat intelligence, published after expert review. The free set rotates monthly.
A Global Admin is hit with an MFA push bombing attack. Two branches emerge: the attacker either establishes OAuth app persistence OR pivots to PIM bypass — your containment decisio
A Domain Admin account is used to disable Defender via GPO and stage ransomware in SYSVOL. The timeline splits based on how quickly the SOC detects the GPO change — early detection
Low-and-slow password spray attack targeting Entra ID accounts, followed by Conditional Access policy bypass using a legacy authentication protocol. 12 accounts successfully compro
Attacker with low-privilege domain user credentials exploited a misconfigured certificate template (ESC1) in Active Directory Certificate Services to enroll a certificate for any d
An attacker with standard domain user credentials is performing a large-scale Kerberoasting attack, requesting TGS tickets for every SPN in the domain. Several weak service account
An attacker on the internal network used Responder and NTLMRelayx to coerce NTLM authentication from a Domain Controller machine account, then relayed it to LDAP to escalate privil
A threat actor compromised a partner organization's Entra ID user and exploited overly permissive B2B cross-tenant access settings to access your tenant's SharePoint Online and Tea
An attacker who compromised a Global Admin used a PIM eligibility loophole to permanently assign Global Admin to a newly created account, bypassing the just-in-time activation requ
Attackers sent targeted phishing emails containing a Microsoft device code authentication flow to employees. Three victims completed the device code flow, granting the attacker lon
A threat actor with a compromised Global Admin account removed corporate devices from Intune MDM management, stripping compliance policies, endpoint protection, and device configur
A threat actor used Microsoft Teams External Access (federation) to send malicious messages and files to internal employees from a lookalike external tenant. After one employee acc
A targeted phishing attack compromised the CFO's Exchange Online mailbox. The attacker created hidden inbox rules to silently forward all emails containing financial keywords to an
A ransomware group launches a Stryker-style dual extortion attack against a healthcare environment. Initial access via compromised VPN credentials is followed by Active Directory p
Friday 7:10 AM. Users across multiple regions report failed logins, device instability, and inability to access M365, VPN, and line-of-business applications. Privileged account sig
09:00 AM. Authentication has been down for 90 minutes. Executives are demanding service restoration. The infrastructure team reports a potentially clean standby AD environment. App
10:15 AM. Core identity services are restored for a subset of users. But several critical applications still fail. LDAP binds are broken. Kerberos is inconsistent. Certificate-depe
Attacker on Kali (192.168.56.100) enumerates SPNs in sevenkingdoms.local and captures 38 RC4 TGS hashes in 12 seconds. Suricata fires an ET KERBEROS anomaly. Path A: immediate pass
A domain admin credential (jon.snow@north.sevenkingdoms.local) cracked via Kerberoasting is used to run DCSync against DC01 (192.168.56.10). Suricata captures 45 seconds of DRSUAPI
robb.stark@sevenkingdoms.local (cracked DA) modifies Default Domain Policy at 3AM to disable Windows Defender and stages ransomware in SYSVOL. Suricata detects the SYSVOL file writ
Kali (192.168.56.100) runs Responder to poison LLMNR/NBT-NS on the subnet, then NTLMRelayx relays DC01 machine account NTLM auth to DC01 LDAP. The relay configures RBCD on DC01$, t
Several domain accounts have DONT_REQ_PREAUTH set — an intentional misconfiguration. An attacker performs AS-REP Roasting from Kali without any credentials, capturing 14 encrypted
An attacker with a foothold on SRV02 (192.168.56.22) runs Mimikatz sekurlsa::logonpasswords to dump NTLM hashes from LSASS. The dump exposes DA NTLM hash (robb.stark) cached from a
An attacker with hodor@north.sevenkingdoms.local runs SharpHound against the domain. BloodHound reveals: hodor has GenericWrite on Night Watch group, Night Watch has WriteDACL on D
After a full domain compromise (DCSync + Golden Ticket + AdminSDHolder persistence), the domain needs structured recovery. DC01 has confirmed KRBTGT hash exposure. DC02 has a suspe
A public-facing EC2 web application vulnerable to SSRF was abused to query the Instance Metadata Service (IMDSv1) and steal the EC2 instance role's temporary credentials. The attac
A user with Contributor on a resource group used 'az vm run-command' to execute on a VM whose system-assigned Managed Identity held User Access Administrator at the subscription sc
A service-account key leaked in a public Git repository let an attacker authenticate as a low-privilege service account. That SA held iam.serviceAccounts.getAccessToken on a more-p
A vendor-integration role in the production AWS account trusts a third-party account but has no ExternalId condition. An attacker who controls a different account and knows the rol
A compromised credential with S3 write access is used to ransom a data-lake bucket: the attacker reads objects, re-uploads them client-side-encrypted, deletes the originals, and dr
A storage account key leaks in an application config and is used from outside the tenant to bulk-download blobs from a container holding customer data. Account keys grant full acce
A consent-phishing link gets a privileged user to grant a malicious multi-tenant app broad permissions. The app's service principal then has a client secret added for app-only pers
An attacker who lands code execution in a GKE pod (via an app SSRF/RCE) queries the node metadata server and retrieves the node's service-account access token. The node runs the br
A compromised service account with broad BigQuery access runs large query and extract jobs against a customer dataset, then exports tables to an external GCS bucket and copies a da
A nation-state actor (APT29 / Midnight Blizzard) password-sprayed a legacy, non-production test account that lacked MFA, then created a malicious OAuth application and granted it t
Long-lived AWS access keys (AKIA...) for an over-privileged IAM user were committed to a code repository and discovered by automated secret-scanning bots. The attacker authenticate
A service-account JSON key with the broad Editor role leaked from a misconfigured public bucket. The attacker authenticated, then spun up dozens of high-CPU/GPU Compute Engine VMs
While troubleshooting, your Okta admin uploaded a browser HAR file to Okta support. That HAR contained a live admin session token. Okta's support case-management system was breache
A threat actor used valid Snowflake login credentials — harvested by infostealer malware from a contractor's machine months earlier and never rotated — to log into a Snowflake cust
An authenticated attacker exploits CVE-2023-21529, a deserialization flaw in on-prem Microsoft Exchange, to gain remote code execution on EXCH01. They drop a web shell in an Exchan
An unauthenticated attacker exploits CVE-2026-1340, a code-injection flaw in the internet-facing Ivanti EPMM (mobile device management) server, to gain remote code execution. From
An attacker calls the help desk impersonating an administrator, gets an MFA factor reset, and enrolls their own device. With Super Administrator rights they assign themselves to se
A user is socially engineered into authorizing a malicious connected app in the company's CRM, granting it broad API access via an OAuth refresh token. The attacker uses the token
An attacker who reaches administrative access in the AWS Organization management account uses IAM Identity Center to grant itself durable, cross-account admin. It creates or edits
An attacker with Lambda management permissions reads function configuration to harvest secrets that teams commonly store in environment variables: database credentials, API keys, a
An attacker with an IAM principal that can call ssm:SendCommand uses AWS Systems Manager Run Command to execute commands as root or SYSTEM on every EC2 instance running the SSM age
An attacker who lands code execution in an Amazon EKS pod reaches the EC2 Instance Metadata Service on the worker node and steals the node IAM role credentials, abusing a weak IMDS
An attacker reaches the AWS Organizations management account and goes after the org-wide guardrails. They detach or weaken a Service Control Policy, then stand up a new member acco
An attacker with rights over an Azure Automation Account imports a runbook that authenticates as the account's system-assigned managed identity. That identity holds Owner on the su
An attacker holding rights over a Key Vault's authorization model rewrites it to grant themselves Get and List on secrets, keys, and certificates, then bulk-reads the vault. A Key
The Entra Connect (formerly Azure AD Connect) server bridges on-prem Active Directory and Entra ID, and it runs with the most dangerous account pair in a hybrid estate: an on-prem
An attacker initiates a device code authentication flow against Entra ID and phishes a target into entering the attacker-generated code at the legitimate Microsoft device-login pag
An attacker who holds a privileged Entra role, or who has phished a Global or Application Administrator, adds a new client secret to an existing, highly privileged application regi
A workload identity pool provider is configured with an overly broad attribute condition that trusts any external token from a given issuer instead of a specific repository or acco
An identity with deploy rights uses run.services.create to deploy a malicious Cloud Run service and attaches a privileged runtime service account. The workload then runs continuous
An attacker holding a principal with resourcemanager.projects.setIamPolicy modifies the project IAM policy to grant a controlled principal roles/owner, then creates a downloadable
An attacker with access to a GCP project creates an HMAC key for a service account, the S3-interoperable access mechanism for Cloud Storage. That gives stealthy, long-lived, key-ba
After reaching admin access, an attacker mints an Okta SSWS API token (or registers an OAuth 2.0 service app with admin scopes) rather than relying on the interactive session. The
An attacker controls an Entra application whose service principal holds broad Microsoft Graph application permissions such as Sites.Read.All and Files.Read.All, obtained through ad
An attacker holding a leaked personal access token (PAT) or an over-scoped authorized OAuth/GitHub App token reaches the private repositories of a GitHub organization. They clone s
An attacker abuses domain-wide delegation (DWD) in Google Workspace. A GCP service account is authorized in the Workspace Admin console with broad OAuth scopes, which lets it imper
A leaked Databricks personal access token gives an attacker programmatic access to the workspace REST API. From an unfamiliar IP and outside business hours, they enumerate Unity Ca
An attacker registers a malicious application in Entra ID and sends a user a legitimate Microsoft consent link requesting delegated Graph scopes such as Chat.Read, Files.Read, and
A public repository runs a CI workflow triggered on pull_request_target, which executes in the context of the base repository with access to its secrets. The workflow also checks o
Infostealer malware runs on an employee laptop and copies the browser's saved cookies, including the active session and refresh tokens for the company's SaaS applications. The atta
A leaked AWS access key is used from an unfamiliar IP to abuse Amazon Bedrock. The attacker first probes which foundation models are enabled, disables Bedrock invocation logging to
A Terraform state file in an S3 backend holds plaintext secrets, because Terraform records every resource attribute, including a generated RDS master password and an IAM access key
A compromised AWS credential with SES permissions is used to send phishing from the victim's own verified domain. Because the mail is DKIM-signed by the legitimate domain, it lands
A developer runs npm install and pulls a version of a popular package whose maintainer account was taken over. The package's postinstall script executes on the workstation, reads c
A web application uses an Amazon Cognito identity pool to hand browser clients temporary AWS credentials through GetCredentialsForIdentity. The authenticated role attached to the p
An application role on EC2 is compromised when its temporary credentials are stolen from the instance metadata service. The role was granted secretsmanager:GetSecretValue and ssm:G
An attacker with a foothold on an over-privileged role moves to blind the account before acting further. They call StopLogging on the CloudTrail trail, then DeleteDetector or updat
A decommissioned service left a dangling CNAME in a Route 53 hosted zone pointing at a cloud resource that was deleted but never removed from DNS. An attacker registers a resource
A compromised IAM principal with EC2 permissions creates a snapshot of an EBS volume that backs a production database and then modifies the snapshot's permissions to share it with
A compromised CI principal with ECR push permissions overwrites the production image tag (for example, app:latest) in an ECR repository whose tags are mutable. The poisoned image c
An attacker who compromises a low-privilege role in a peripheral account walks through a chain of permissive trust relationships to reach a sensitive production account. Each hop i
An internal API behind API Gateway is protected by a Lambda authorizer that returns an IAM policy deciding whether a request is allowed. The authorizer is misconfigured in two ways
A service principal holds the User Access Administrator role on a production subscription, which grants the ability to create role assignments but not to use resources directly. An
An Azure DevOps pipeline reads its build steps from a YAML file in the repository and runs them on a self-hosted agent that holds an ARM service connection to a production Azure su
A virtual machine runs a web application with a system-assigned managed identity that has Get and List permissions on a production Key Vault. An attacker who has gained code execut
An attacker with rights to write to a Function App deploys a new HTTP-triggered function into an existing app that holds a managed identity with read access to a production storage
A team's Cloud Build trigger runs on every push to a build repository and executes steps defined in the repo's cloudbuild.yaml. The default Cloud Build service account in the proje
A production GKE deployment pulls its container image from an Artifact Registry repository by the mutable tag :latest. A service account with writer access to that repository is ov
An application service account holds the broad Cloud SQL Admin role rather than the narrow connect permission it actually needs. Its leaked key gives an attacker that role, which i
A user on an Entra-joined Windows endpoint is compromised by malware running with local privileges. The Primary Refresh Token (PRT) is a long-lived credential bound to the device t
An attacker who has reached a privileged Entra role abuses cross-tenant synchronization, a B2B feature that automatically provisions and updates users from one tenant into another.
An attacker who has reached Okta administrative access abuses inbound federation, the feature that lets an external identity provider assert who a user is. They add an attacker-con
An organization believes MFA is enforced everywhere, but its Conditional Access posture has a gap: a policy excludes a set of accounts, does not cover a legacy authentication proto
An attacker with a compromised admin session that holds the Exchange Administrator role creates a single org-wide transport (mail-flow) rule that blind-copies all inbound and outbo
An attacker who has phished a user creates a Power Automate cloud flow under that user's identity that triggers on new mail or on file changes and uses an HTTP or external connecto
An attacker with a compromised Intune Administrator session creates a malicious platform script (or wraps a payload as a Win32 app) and assigns it to the All Devices group. Intune
An attacker is invited as a guest into a Microsoft Teams team, either through a compromised insider or a social-engineering pretext, and that team is connected to a SharePoint site
An attacker phishes a sales-operations user into authorizing a malicious OAuth connected app that requests the api and refresh_token scopes. The user clicks Allow, and the app rece
A persistent self-hosted GitHub Actions runner sits inside the corporate network and processes jobs from a public repository. Because the runner is non-ephemeral, attacker-controll
A Slack bot token (xoxb) and an incoming webhook URL are committed to a public repository in a deleted-but-still-in-history commit. An attacker scrapes the leaked credentials and u
A developer's Atlassian API token is leaked in a build log shared in a support ticket. An attacker pairs it with the developer's email for Basic authentication against the Atlassia
An integration service account in ServiceNow holds a broad admin-adjacent role used by a middleware connector, and its credentials were exposed outside the platform. An attacker au
A storage account access key for a production Azure Blob container is exposed, giving the holder full data-plane control over every blob without touching Azure RBAC or Entra. An at
An attacker delivers a convincing consent prompt for a third-party OAuth application (or a shared Apps Script project) that requests broad Gmail and Drive scopes. A user grants con
An attacker gains a foothold on a help-desk or junior administrator account in Okta that holds a delegated admin role. Using that role, they escalate by assigning a more powerful a
An attacker who reached the on-prem AD FS server exports its token-signing certificate and private key. With that key they forge SAML responses (a Golden SAML) that assert any user
A developer IAM principal has a broad iam:PassRole permission and the ability to create or update a compute resource (a Lambda function). On its own the developer role is limited,
A data science team pulls a pre-trained model from a public model hub and loads it inside a Vertex AI training/serving job. The model is distributed as a Python pickle, which execu
An employee is phished with a link to a reverse-proxy site that sits between them and the real Okta login. They type their password and complete the genuine MFA challenge, but the
AD CS web enrollment (certsrv) accepts NTLM authentication and, by default, does not enforce signing or Extended Protection for Authentication, so an attacker can relay another mac
The certificate authority has the EDITF_ATTRIBUTESUBJECTALTNAME2 flag set in its policy configuration. With that flag, the CA honors a subject alternative name supplied by the requ
A non-administrative principal holds the ManageCA right on the certificate authority (an over-broad delegation). That right lets them change CA configuration and grant themselves t
A certificate template object has an over-permissive access-control list: a low-privileged principal holds write rights (WriteDacl/WriteProperty/WriteOwner) over it. The template i
A certificate template carries the Certificate Request Agent EKU and is enrollable by ordinary users. An enrollment agent certificate lets its holder request certificates on behalf
Certificate-based authentication maps a certificate to an account. Strong mapping uses the SID security extension embedded by the CA; weak mapping falls back to the certificate's U
A certificate template has an issuance policy whose OID is linked to an Active Directory group through msDS-OIDToGroupLink. When a user authenticates with a certificate issued from
Version 1 certificate templates can let a requester specify application policies in the certificate request that are not constrained by the template's defined extended key usages.
An attacker who compromised the certificate authority server exports the CA's own private key and certificate. With the CA private key they can forge certificates for any principal
A non-DC server is configured for Kerberos unconstrained delegation (the TRUSTED_FOR_DELEGATION flag). Any account that authenticates to that server has its full Kerberos TGT cache
Windows Hello for Business key-trust authentication lets an account hold key credentials in its msDS-KeyCredentialLink attribute; a certificate-like key in that attribute can be us
Every workstation in the environment shares the same built-in local administrator password because LAPS was never deployed. An attacker who compromises one endpoint dumps the local
After compromising a child domain, an attacker abuses the intra-forest trust to reach the parent domain. They inject the SID of a parent-domain privileged group (for example Enterp
Legacy authentication protocols (for example IMAP, POP, SMTP AUTH, and older Exchange ActiveSync or basic-auth clients) cannot perform modern multi-factor challenges, and Condition
A service account is configured for constrained delegation with protocol transition (msDS-AllowedToDelegateTo is set and TRUSTED_TO_AUTH_FOR_DELEGATION is enabled, the 'use any aut
noPac chains two 2021 flaws: CVE-2021-42278 (Active Directory did not enforce sAMAccountName naming, so a machine account could be renamed to match a domain controller's name) and
Older Group Policy Preferences (GPP) that set local account passwords store the password as cpassword in an XML file in SYSVOL, encrypted with a static AES key Microsoft published.
Entra ID Seamless Single Sign-On uses a computer account in on-prem AD named AZUREADSSOACC whose Kerberos key signs the tickets that let domain-joined users sign in to the cloud si
Pass-Through Authentication (PTA) lets Entra ID validate cloud sign-in passwords against on-prem AD by handing them to a PTA agent running on a server in the environment. The agent
The tenant has many permanent (standing) Global Administrators and does not use Privileged Identity Management (PIM) to make privileged roles just-in-time. Every standing Global Ad
The domain carries privileged-account hygiene debt that any authenticated user can enumerate from readable AD attributes: a Domain Admin flagged PASSWD_NOTREQD (allowed to have a b
An end-of-life domain controller (an unsupported Windows Server version) is still running, no longer receiving security updates and carrying weak legacy defaults (RC4, no SMB signi
The tenant accumulated enterprise applications and service principals that nobody owns anymore: long-lived client secrets set years ago, broad application (app-only) Graph permissi
A dynamic group in Entra ID auto-populates its membership from a rule over user attributes (for example department equals IT, or a custom attribute), and that group grants meaningf
Self-service password reset is configured weakly: it requires only one verification method, accepts methods an attacker can satisfy or spoof (such as a mobile number or secondary e
ADCS security depends not only on templates and the CA service but on AD objects in the Configuration partition: the CA host's computer account, the Enrollment Services and CA obje
ESC11 is the RPC counterpart to ESC8: instead of relaying NTLM to the CA's HTTP web enrollment, the attacker relays it to the CA's RPC certificate-enrollment interface (MS-ICPR). W
ESC16 is the CA-wide version of ESC9. The certificate authority is configured to omit the SID security extension (szOID_NTDS_CA_SECURITY_EXT) from every certificate it issues, for
Zerologon (CVE-2020-1472) is a flaw in the Netlogon secure-channel cryptography: the AES-CFB8 mode was used with a fixed all-zeros initialization vector, so an unauthenticated atta
An attacker who has gained AWS access with Lambda and IAM permissions turns a serverless function into durable persistence. They modify the function code (or add a layer), point a
An attacker with AWS access that includes SSM permissions does not need SSH, a key pair, or open inbound ports to take over a fleet. Using ssm:SendCommand with the standard shell d
An Azure Function App that has a managed identity exposes a local identity endpoint that returns a token for that identity. If an attacker can run code in the Function, by exploiti
A GCP Cloud Run service or Cloud Function runs as a service account, and code inside it can ask the metadata server for that account's access token. An attacker who can deploy or u
Databricks personal access tokens and service-principal tokens authenticate to the workspace REST API. A long-lived token leaked in code or CI, phished, or taken from a compromised
Slack holds an enormous amount of sensitive content: conversations, files, and the credentials and secrets people paste into channels and DMs. A stolen Slack token, leaked in code
Containers in ECS and EKS get AWS credentials from a local endpoint: ECS tasks read the task role from the container credential endpoint, and EKS pods get a role through pod identi
An Amazon Cognito identity pool hands temporary AWS credentials to authenticated and, if enabled, unauthenticated guest users by assuming IAM roles tied to the pool. The pool id is
An attacker with AWS access does not need to query a database row by row to steal it. With RDS permissions they create a snapshot of a production database, then modify the snapshot
Entra ID applications and service principals authenticate with their own credentials, separate from any user. An attacker who can manage application credentials, through Applicatio
An Azure storage account has two account keys that grant full access to everything in it: all blobs, files, queues, and tables. The keys do not expire, and shared-key authenticatio
GCP organization policies are the guardrails that enforce security across the whole org: blocking service-account key creation, preventing public IPs and public buckets, restrictin
Inside a GKE cluster, Kubernetes RBAC decides who can do what. An attacker who lands a foothold, a compromised pod, a stolen service-account token, or a namespace-scoped identity w
ServiceNow is the system of record for IT and often the business: incidents, the CMDB, user and employee records, and the sensitive details and occasional credentials people put in
Notion holds a company's documents, wikis, runbooks, plans, and the secrets and personal data that end up in pages and databases. An internal integration token, leaked in code or p
A cloud content-management tenant (Box) holds the company's documents. An attacker gets an over-scoped third-party app authorized (consent phishing, or a stolen app config with ent
A support platform (Zendesk) holds customer tickets, contact records, and the secrets customers sometimes paste into tickets. An attacker obtains an API token (leaked in code, phis
An observability platform (Datadog) ingests the organization's logs, metrics, and infrastructure inventory. An attacker who finds a leaked API key plus application key (committed t
An attacker with AWS access plants durable persistence using serverless orchestration instead of a host. They create an EventBridge rule on a schedule (or on an IAM/console event)
An Azure Logic App runs a workflow as a managed identity that often holds standing rights in the subscription. An attacker who can edit a Logic App (or trigger one with an HTTP req
GCP Pub/Sub carries the organization's event stream - app events, audit data, sometimes records with PII. An attacker with Pub/Sub permissions creates a new subscription on a busy
CVE-2024-21410 is an Exchange Server elevation-of-privilege via NTLM relay: an attacker coerces a victim's NTLM credentials and relays them to an on-prem Exchange Server that does
An e-signature platform (DocuSign) holds executed contracts, signer PII, and a trusted channel that recipients open. An attacker with a stolen API token or an over-scoped connected
AWS IAM Roles Anywhere lets on-prem and non-AWS workloads obtain temporary role credentials by presenting an X.509 client certificate that chains to a registered trust anchor. An a
A compromised analytics role with broad Glue and Athena permissions is used to run ETL jobs and SQL queries against the S3 data lake, then write results to an attacker-controlled S
An attacker with sns:Subscribe permission attaches an external HTTPS or email endpoint to a sensitive SNS topic (security alerts, transaction notifications, password-reset events),
An attacker with kms:PutKeyPolicy on a customer-managed CMK rewrites the key policy to grant their own AWS account kms:Decrypt (and Encrypt). With the key now trusting an external
An attacker who can edit a buildspec or modify a CodePipeline stage injects commands that exfiltrate the CodeBuild service-role credentials and pipeline environment secrets, then s
An over-privileged analytics role uses redshift:GetClusterCredentials to obtain temporary database credentials, connects to the warehouse, and runs UNLOAD to dump whole tables of c
Ahead of a destructive/ransomware action, an attacker with AWS Backup permissions deletes recovery points and weakens or removes vault protections (vault access policy, retention,
An attacker who controls the AWS account's registered root email (and recovery phone) uses the password-reset flow to take over the root user, then defeats or re-rolls MFA to lock
An identity holding the Azure VM Contributor role pushes a CustomScriptExtension to a production virtual machine. The extension runs the attacker's payload as SYSTEM on Windows (or
An attacker who has reached Security Admin / Owner scope methodically blinds the SOC before acting: Microsoft Defender for Cloud plans are downgraded to Free, Sentinel analytics ru
An attacker with Resource Policy Contributor or Owner scope edits or deletes the Azure Policy assignments that enforce guardrails, for example a deny-public-storage policy and an a
Before detonating ransomware, an attacker with Backup Contributor or Owner scope disables soft delete on the Recovery Services vault and deletes the backup items protecting product
A web application's managed identity was granted db_datareader (and in practice broader) on an Azure SQL database that holds customer records. After compromising the app, the attac
A managing tenant (an MSP, or an attacker who registered a rogue managed-services offer) holds an Azure Lighthouse delegation over the customer's subscription that is far broader t
An attacker with Contributor on the front-door and WAF resources weakens the edge protections: managed rule sets are switched from Prevention to Detection (or disabled), and routin
A shared access signature (SAS) key with the Listen claim for an Event Hub (or Service Bus topic) leaks from a config file. The attacker uses the key to register a new consumer gro
An attacker abuses Azure Arc to gain durable control over hybrid servers: they either onboard attacker-staged machines or hijack the Arc Connected Machine agent on existing on-prem
A VPC Service Controls perimeter protects a GCS bucket and a BigQuery dataset holding customer exports, but an over-trusted service account is in the perimeter's access policy via
An attacker who has impersonated a service account with logging admin rights moves to blind detection before the main objective. They delete the aggregated log sink that exported a
An attacker who has gained IAM rights to modify Compute resources adds an SSH public key to project-wide instance metadata and grants their principal an OS Login admin role, giving
An internal application is published behind Identity-Aware Proxy so only specific users should reach it without a VPN. An over-broad IAM binding grants roles/iap.httpsResourceAcces
Binary Authorization is supposed to admit only signed, attested container images to GKE and Cloud Run. An attacker with deploy rights abuses the breakglass annotation (or a policy
An attacker who has gained access to a developer's Cloud Shell session harvests the gcloud Application Default Credentials and cached OAuth tokens that grant the developer's GCP ac
An attacker who has obtained rights over Cloud KMS schedules destruction of the CryptoKey versions used to encrypt production backups and data (CMEK). Destroying the key makes ever
Workday Integration System Users (ISUs) are non-human service accounts that authenticate integrations to the tenant. An attacker obtains the credentials for an over-privileged ISU
A malicious or over-scoped OAuth app installed in the Zoom account holds a recording:read scope and a long-lived app token. An attacker drives that token through the Zoom recording
An Asana Personal Access Token (PAT) is leaked, for example committed to a public repo or pasted into a CI log. The attacker uses it to enumerate the workspaces, teams, and project
A HubSpot private-app access token is leaked, for example exposed in a frontend bundle or a shared script. The attacker drives the CRM API with that token to bulk-export contacts,
A PagerDuty REST API key is stolen. Rather than steal data, the attacker uses it to blind the responders: they create broad maintenance windows and suppress/auto-resolve alerts so
An attacker with push or merge-request access to a GitLab project edits .gitlab-ci.yml (or adds a job) to echo and exfiltrate the project's masked CI/CD variables, which hold cloud
An attacker with job-configure or pipeline-edit access in Jenkins runs a pipeline that pulls the controller's stored credentials, either by binding many credentials with withCreden
An attacker obtains an Auth0 Management API token (a machine-to-machine credential with tenant-admin scopes) and uses it to plant persistence in the identity provider itself: a rog
A leaked Twilio API key (SID + secret) is used by an attacker to send SMS phishing from the organization's own trusted sender numbers and to reconfigure messaging-service routing s
A stolen SendGrid API key is used to send phishing through the organization's own verified sending domain, so the messages pass DKIM and SPF and arrive in inboxes looking fully leg
A leaked Stripe restricted API key with refund and customer-read permissions is used to issue a wave of fraudulent refunds to attacker-controlled destinations and to read customer
An attacker hijacks an admin session (and abuses SCIM) on the organization's SaaS password manager and exports shared vault items, then begins using the cloud and SaaS credentials
An attacker with a stolen CI session/token runs a job that dumps CircleCI context and project environment variables, then uses the cloud OIDC credentials and provider keys those va
A phished or credential-stuffed PyPI maintainer account is taken over and used to publish a backdoored release of a popular package, which downstream consumers then pull during nor
A stolen Terraform Cloud / HCP API token is used to read state outputs (which often contain plaintext secrets) and to queue applies that change real infrastructure. The acting prin
A stolen Cloudflare API token is used to edit DNS records (pointing a subdomain and proxied traffic to attacker infrastructure) and to disable WAF and firewall rules so the protect
An attacker who replicated the KRBTGT account hash from a domain controller (via DCSync) now forges Kerberos ticket-granting tickets offline for any user and SID with an arbitrary
An attacker with sufficient rights writes a malicious access control entry — for example GenericAll for a low-privileged principal they control — onto the AdminSDHolder object in t
A certificate template on the enterprise CA grants enrollment to a broad, low-privileged group and carries the Any Purpose EKU (or no EKU at all), with no manager approval and no e
An attacker with high privilege (effectively domain-level rights) temporarily registers a rogue domain controller by creating the server and nTDSDSA objects in the configuration pa
An attacker who gained local administrator and an interactive shell on the ADCS certificate authority host CA01 reaches the CA's signing-key context. Whether the key lives on a Yub
An attacker with write access to a privileged account's altSecurityIdentities attribute adds an explicit certificate mapping that points to a certificate they control. Because the
An attacker holding GenericWrite or GenericAll over a computer object — or who simply creates a new computer using the default ms-DS-MachineAccountQuota of 10 — writes msDS-Allowed
An attacker who already holds Domain Admin injects the Skeleton Key patch into the LSASS process on domain controllers. This adds a single master password that authenticates as any
An attacker abuses Microsoft Configuration Manager (SCCM) two ways: they recover the Network Access Account (NAA) credentials, which are distributed in policy and recoverable from
An attacker pivots across Microsoft SQL Server linked servers, hopping from a low-value instance to a privileged one through trusted linked-server logins. On a reachable instance t
An operator holding the Authentication Administrator role issues a Temporary Access Pass (TAP) for a target user, signs in with that TAP, and uses the bootstrap session to register
A regional helpdesk operator is given an AU-scoped role (for example User Administrator) over an Administrative Unit that, through a dynamic membership rule and a few manual adds,
An attacker with rights to manage an app registration adds a federated identity credential (FIC) to it — an external OIDC issuer plus a subject claim — and then mints tokens for th
An attacker who can delegate or edit an Entitlement Management catalog tampers with an access-package assignment policy: they switch an approval-required policy to auto-assign (or
After a phishing alert, the team disables a user and resets the password, believing access is cut. But the attacker had already stolen an access token, and against resources that d
An attacker who obtained Okta admin access builds an Okta Workflows flow — Okta's low-code automation engine — that quietly provisions accounts, exfiltrates API tokens, and resets
An attacker with Okta admin access weaponizes Okta's SCIM outbound provisioning. By creating a user, assigning it to apps, and pushing entitlement changes, Okta provisions backdoor
An attacker compromises the on-prem Windows host running the Okta AD agent — the connector that bridges Okta to Active Directory for delegated authentication and provisioning. In d
An attacker with Okta admin access registers or modifies a token (or registration) inline hook so that Okta calls an attacker-controlled endpoint during token issuance and injects
An admin-level attacker quietly rewrites Okta's defenses rather than attacking a user. They add their own IP to a trusted network zone (or widen a blocklist's exceptions) so IP-bas
An Okta OAuth 2.0 service app authenticates with the client-credentials grant using a private key — no user, no interactive sign-in, no MFA. An attacker who steals that private key
An attacker with Intune policy-edit rights loosens a device compliance policy (or its baseline) so that an attacker-controlled, non-compliant device is reported compliant. Because
An attacker who holds Intune administrative rights issues bulk remote wipe and retire actions against enrolled devices, weaponizing a legitimate management capability as endpoint s
An attacker imports rogue Windows Autopilot device identities (hardware hashes) or abuses weak enrollment restrictions to provision attacker-controlled devices into the tenant as t
An attacker abuses the Intune SCEP or PKCS certificate connector and its issuance profiles to mint device or user certificates that are valid for authentication, effectively bypass
A scope-tag or role-assignment misconfiguration lets a limited Intune operator — meant to manage only a small device group — escalate to managing all devices and policies. By assig
An attacker with Intune configuration rights pushes a malicious configuration profile — a rogue proxy/VPN, a Wi-Fi profile, and an attacker-controlled trusted-root certificate — to
A Microsoft Teams incoming-webhook URL leaks (from a repo, a script, or a screenshot) and an attacker uses it to post messages straight into a channel that look like trusted intern
A service principal in Microsoft 365 holds broad mailbox-impersonation rights — either a legacy ApplicationImpersonation RBAC role or the application-wide full_access_as_app / Mail
An actor holding an eDiscovery Manager or compliance-search role uses Microsoft Purview to run a content search spanning every mailbox plus SharePoint and OneDrive, then exports th
After compromising an admin session, the attacker runs Add-MailboxPermission to grant a FullAccess delegate right on executive mailboxes to an account they control. FullAccess dele
An over-permissioned role stops the AWS Config configuration recorder and disables Amazon Inspector to blind compliance drift detection and vulnerability scanning, complementing th
An over-permissioned application role with broad dynamodb actions either runs full table Scans or invokes a point-in-time ExportTableToPointInTime to an S3 bucket to steal table co
An attacker with permission to edit SQS queue attributes rewrites a queue's resource policy to add a cross-account principal as an authorized consumer, quietly tapping an internal
A Cognito user pool app client is misconfigured — open self-signup, no client secret, overly broad OAuth scopes, and exposed admin user APIs — letting an attacker register or obtai
An attacker who reaches the management account or a delegated StackSets administrator uses service-managed StackSets to deploy a malicious stack to every account in the AWS Organiz
A Cosmos DB account primary key (embedded in a connection string) leaks from an app-config repo. The key is a data-plane master credential: it grants full NoSQL read/write directly
A compromised identity holds broad Reader across the tenant. The attacker uses Azure Resource Graph — the KQL query service that indexes every resource across all subscriptions — t
An attacker with VM contributor-style RBAC uses Azure Bastion for browser-based access and the VM Run Command extension to execute scripts on VMs through the control plane — agentl
A developer's Azure DevOps personal access token (PAT) leaks. The PAT is a long-lived bearer credential scoped to the developer's permissions: the attacker clones private repos, re
An attacker with Data Factory contributor-style access reads or reuses the linked-service credentials that connect a data factory to its data stores — or simply rides the factory's
An identity holds an over-broad datastore.user or datastore.owner role — or a leaked service-account key carries it — and an attacker uses it to bulk-read or export every document
An attacker with the compute.securityAdmin role edits a Cloud Armor security policy attached to a backend service — removing WAF and deny rules or inserting a permissive allow — to
An attacker creates a BigQuery scheduled query that runs as a service account and continuously appends or exports new rows from a sensitive table into an attacker-owned dataset or
An attacker with broad compute permissions creates a snapshot or image of a sensitive persistent disk and then shares or copies it to an attacker-controlled project, where they att
A NetSuite token-based-authentication (TBA) integration role — meant for a nightly finance sync — has its consumer key and token secret leaked. An attacker replays the token from a
A personal access token (PAT) issued for a BI embed integration — Tableau or Power BI serving dashboards into a customer portal — is leaked from an embedding application's config.
A MongoDB Atlas database user's credentials are leaked from an application config while the cluster's IP access list was widened to 0/0 during a migration and never tightened. An a
Stolen Docker Hub credentials for a published base-image repository let an attacker push a poisoned image to a widely-used tag. Every downstream pipeline that pulls that base image
A cloud IAM role's OIDC trust policy for GitHub Actions is too broad: it trusts the GitHub OIDC issuer but its subject condition uses a wildcard (or omits the repo/branch claim), s
A Vault token attached to an over-broad policy is leaked from an application environment. Because the policy grants read on a wide path glob, the token reads many secret paths in a
An attacker with ArgoCD admin access (or leaked Git repo credentials) commits malicious manifests to the GitOps source of truth, and the ArgoCD controller faithfully syncs them int
An attacker with author/deploy permissions plants an Apex trigger (or a record-triggered Flow) that quietly exfiltrates records to an external endpoint every time a row is written.
An attacker with admin or script-author rights plants a malicious server-side business rule (backed by a script include) that runs on record operations to persist access and silent
On a Windows Server 2025 domain, an attacker with only create/write permission over an OU creates a delegated Managed Service Account (dMSA) and sets its migration attributes — msD
Having stolen the KRBTGT key, an attacker requests a real TGT for a low-privileged user through the normal AS-REQ flow, then decrypts that legitimate ticket with the KRBTGT key, ed
A Domain Admin session extracts the domain DPAPI backup key from a domain controller. That single RSA key is the recovery key DPAPI uses to protect every domain user's master keys,
A member of the DnsAdmins group sets the ServerLevelPluginDll registry value on the Microsoft DNS service, pointing it at an attacker-supplied DLL on a network share. When the DNS
A member of the Backup Operators group leverages SeBackupPrivilege on a domain controller to read the locked NTDS.dit database and the SYSTEM registry hive via a raw or shadow-copy
An attacker who controls the WSUS server (or can man-in-the-middle its HTTP communications) approves and pushes a malicious update consisting of a signed binary plus a command line
A service principal in the tenant holds a dangerous Microsoft Graph application permission — RoleManagement.ReadWrite.Directory — that lets it write directory role assignments with
An attacker holding Global Administrator modifies a custom domain's federation settings — adding a rogue token-signing trust — so the tenant will accept SAML/OIDC tokens that the a
A user is phished and an attacker captures a refresh token — either from a consented OAuth app or from a token stolen off the device. The help desk resets the user's password and c
An attacker with sufficient rights abuses Entra Application Proxy and its on-prem connector to publish an internal application to the internet — or hijacks an existing published ap
An attacker steals a service principal's client secret or certificate (from a leaked pipeline variable or a config file) and uses it to authenticate to the tenant. Because Conditio
An attacker enrolls a rogue endpoint into Okta — or abuses an enrollment gap — so FastPass and device assurance treat the device as managed and trusted. That satisfies a device-bas
An attacker with lambda:PublishLayerVersion publishes a new version of a shared Lambda layer that dozens of functions import, embedding backdoor code that runs inside every functio
An attacker with ram:CreateResourceShare quietly shares VPC subnets and Route 53 resolver rules from the production account to an attacker-controlled account, creating a stealthy c
An attacker with the right IAM permissions calls ec2-instance-connect:SendSSHPublicKey to push an ephemeral 60-second SSH public key to a running instance and then connects, gettin
An attacker plants malicious instructions inside a document the Bedrock Agent ingests through its knowledge base, so when the agent retrieves that document it follows the embedded
A misconfigured AppSync GraphQL API with an over-broad API key and no field-level authorization lets an attacker query resolvers that read backend DynamoDB and RDS data they should
An attacker with App Service Contributor on a production web app opens the Kudu/SCM advanced-tools debug console and runs commands inside the app's worker. From there they pull the
An attacker who obtained an APIM subscription key edits the gateway policy on a production API: they remove the validate-jwt inbound check that enforced caller authentication and a
An attacker with access to an Azure Machine Learning workspace runs a notebook on a compute instance and uses it to call the instance metadata endpoint, stealing the compute/worksp
An attacker with write access to Event Grid adds a new event subscription on a production system topic and points its delivery webhook at an attacker-controlled endpoint, silently
An attacker who holds the RBAC to manage Azure Update Manager edits a maintenance configuration and attaches a malicious pre/post script (or a tainted package source) so that the n
An attacker with write access to a Cloud Composer environment's DAGs bucket uploads a malicious Python DAG. Airflow's scheduler parses the new file and the workers execute its task
An attacker who has obtained project-level access creates a Cloud Scheduler job that fires attacker-controlled code on a recurring cron — an HTTP target, a Pub/Sub publish, or a Cl
An attacker with deploy rights in Apigee modifies an API proxy revision: they relax a VerifyAPIKey/OAuth policy, expose a backend target that was meant to stay internal, and add a
An attacker with Pub/Sub or Eventarc edit rights changes a push subscription's endpoint (or an Eventarc trigger's destination) to an attacker-controlled URL. The event stream — whi
A role binding meant to be restricted by an IAM Condition is bypassed because the CEL expression relies on a request-time attribute the principal can control (or is written loosely
An attacker obtains Jamf Pro administrator and API credentials and uses the MDM server itself as a deployment weapon. They create a new policy and a malicious configuration profile
A leaked Shopify Admin API access token, belonging to an over-scoped custom app, is used to page through customers and orders and pull customer PII, order history, and limited paym
A stolen JFrog Artifactory access token is used to publish a poisoned artifact into a shared repository that every downstream build resolves from. The principal is the token, and t
An attacker with access to a Zapier workspace builds a new Zap that pipes records out of a connected app (CRM, email, or cloud storage) to an attacker-controlled webhook sink. The
A stolen Vercel deploy token is used to push a malicious production deployment that ships a client-side skimmer (or defacement) directly to live site visitors. The principal is the
A stolen Sentry auth token lets an attacker download the project's uploaded source maps to reverse-engineer the application and discover internal logic and endpoints, and read erro
An attacker abuses Plaid access tokens and the application's client_id/client_secret to call the Plaid API and harvest end-users' linked bank-account balances and transaction histo
An attacker publishes or takes over a popular VS Code / OpenVSX extension that, on install or auto-update, steals developer secrets — environment variables, tokens, and SSH keys —
A stolen Grafana service-account token gives an attacker read access to dashboards and data sources, but the distinct danger is what they do next: they mute and delete alert rules
Fivetran connectors hold standing credentials to read source systems and write to the warehouse, which makes the data-movement layer itself a path to the data. An attacker who cont
A stolen Duo Admin API key lets an attacker reach into the MFA system itself: it can generate a bypass code for a target user, enroll an attacker-controlled device, or weaken an au
A stolen Ping (PingOne or PingFederate) OAuth client secret or admin token sits at the identity provider, so it can mint access tokens and reach every app federated behind Ping. Th
A stolen LaunchDarkly API token can flip feature flags to expose hidden or admin functionality, or turn off a security control that the application gates behind a flag. The distinc
A Postman workspace, collection, or environment that was left public exposes the secrets developers embedded in it: API keys, bearer tokens, and connection strings the attacker the
Retool internal-tool apps connect to resources (databases and APIs) using stored, privileged credentials, so the app itself holds standing access to production. An attacker who rea
A stolen Confluent Cloud API key lets an attacker join the streaming platform and add a consumer that taps sensitive topics, intercepting the live event flow including PII as it mo
A developer opens a Codespace for a repo whose devcontainer was tampered with by a malicious pull request. The postCreateCommand runs attacker code inside the cloud dev environment
A dbt Cloud service token leaks from a misconfigured CI variable. The attacker uses it to trigger a job that runs attacker-authored models and macros, which execute arbitrary SQL i
OneLogin admin API credentials leak from an automation host. Because OneLogin is the single sign-on IdP, those credentials are effectively Tier-0: the attacker uses the admin API t
An Amplitude API key and secret key leak from a public client bundle and a config repo. The attacker uses the export API to bulk-export behavioral and event data: device identifier
A Segment source write key and an access key leak. Segment is the Customer Data Platform that unifies identity across systems, so the attacker can do two distinct things: read/exfi
A Webflow CMS/site API token leaks from a build pipeline. Because the token controls the live public website, the attacker does two things visitors can feel: defaces published cont
A read-only Wiz API token leaks from a SOAR integration. Wiz is the cloud security posture tool, so its findings are a curated, prioritized map of the organization's most exploitab
The Gentlemen (tracked as Phantom Mantis, run by LARVA-368) is a Russian-speaking ransomware-as-a-service crew that claims 478 victims. The affiliate enters through an internet-fac
A finance analyst at Northwind Robotics receives an urgent Teams video call from someone who looks and sounds exactly like the CFO. The audio and video are AI-generated. The 'CFO'