Chain Linking
How actions in one phase enable the next, forming a deterministic chain from initial access to impact. Each capability below shows the state transition it produces and the techniques it most commonly enables.
Interactive linkage mapTrace all 156 technique-to-technique links across the chain.
IngressING
How malware enters systems. 7 techniques.
01Removable Media & File Transfer
INGRESS → Media Delivery → Trust Establishment → ACTIVATION.
02Malvertising & Drive-By Downloads
INGRESS → Web Exposure → Silent Payload Delivery → ACTIVATION.
03Supply Chain Compromise
INGRESS → Trusted Update or Dependency → ACTIVATION.
04Credential Abuse
INGRESS → Authenticated Access → ACTIVATION.
05Malicious or Compromised USB Devices
INGRESS → Peripheral Trust → Automatic Device Execution → ACTIVATION
06Watering Hole Attacks
INGRESS → Targeted Web Exposure → ACTIVATION.
07External Remote Services
INGRESS → Authenticated Remote Access → ACTIVATION.ActivationACT
Running malicious code. 7 techniques.
01User-Executed Files
ACTIVATION → Code Executing → reinforced within ACTIVATION.
02Script-Based Execution
ACTIVATION → Code Executing → reinforced within ACTIVATION.
03Service-Based Execution
ACTIVATION → Code Executing → ANCHORING.
04DLL Side-Loading or Hijacking
ACTIVATION → Code Executing → CONCEALMENT.
05WMI-Based Execution
ACTIVATION → Code Executing → EXPANSION.
06Browser Extension Execution
ACTIVATION → Code Executing → EXTRACTION.
07Boot / Firmware Execution
ACTIVATION → Code Executing → ANCHORING.AnchoringANC
Maintaining presence. 8 techniques.
01Startup & Logon Execution
ANCHORING → Presence Assured → reinforced within ANCHORING.
02Scheduled & Triggered Execution
ANCHORING → Presence Assured → reinforced within ANCHORING.
03Service & Daemon Persistence
ANCHORING → Presence Assured → CONCEALMENT.
04Registry-Based Persistence
ANCHORING → Presence Assured → CONCEALMENT.
05Browser-Based Persistence
ANCHORING → Presence Assured → CONCEALMENT.
06WMI & Event Subscription Persistence
ANCHORING → Presence Assured → CONCEALMENT.
07Fileless & In-Memory Persistence
ANCHORING → Presence Assured → CONCEALMENT.
08Boot & Pre-OS Persistence
ANCHORING → Presence Assured → CONCEALMENT.ConcealmentCON
Avoiding detection. 10 techniques.
01Obfuscation & Packing
CONCEALMENT → Visibility Degraded → reinforced within CONCEALMENT.
02Fileless Malware Execution
CONCEALMENT → Visibility Degraded → reinforced within CONCEALMENT.
03Security Tool Tampering
CONCEALMENT → Visibility Degraded → reinforced within CONCEALMENT.
04Masquerading & Impersonation
CONCEALMENT → Visibility Degraded → reinforced within CONCEALMENT.
05Environment & Sandbox Evasion
CONCEALMENT → Visibility Degraded → reinforced within CONCEALMENT.
06Process Injection
CONCEALMENT → Visibility Degraded → reinforced within CONCEALMENT.
07Polymorphism & Metamorphism
CONCEALMENT → Visibility Degraded → reinforced within CONCEALMENT.
08Log & Artifact Manipulation
CONCEALMENT → Visibility Degraded → reinforced within CONCEALMENT.
09Living-off-the-Land for Evasion
CONCEALMENT → Visibility Degraded → reinforced within CONCEALMENT.
10Anti-Forensics & Cleanup
CONCEALMENT → Visibility Degraded → EXPANSION.ExpansionEXP
Spreading within networks. 10 techniques.
01Living-off-the-Land Lateral Movement
EXPANSION → Foothold Widened → reinforced within EXPANSION.
02Credential Reuse & Relay
EXPANSION → Foothold Widened → reinforced within EXPANSION.
03Pass-the-Hash / Pass-the-Ticket
EXPANSION → Foothold Widened → reinforced within EXPANSION.
04Remote Service & Protocol Abuse
EXPANSION → Foothold Widened → reinforced within EXPANSION.
05Network Share Propagation
EXPANSION → Foothold Widened → reinforced within EXPANSION.
06Worm-like Self-Propagation
EXPANSION → Foothold Widened → reinforced within EXPANSION.
07Privilege Escalation Across Hosts
EXPANSION → Foothold Widened → reinforced within EXPANSION.
08Identity & Trust Relationship Abuse
EXPANSION → Foothold Widened → reinforced within EXPANSION.
09Directory Services Targeting
EXPANSION → Foothold Widened → EXTRACTION.
10Cloud & Hybrid Lateral Movement
EXPANSION → Foothold Widened → EXTRACTION.ExtractionEXT
Stealing data. 10 techniques.
01HTTP / HTTPS Data Exfiltration
EXTRACTION → Impact Realized → reinforced within EXTRACTION.
02DNS Tunneling
EXTRACTION → Impact Realized → reinforced within EXTRACTION.
03Cloud Storage Abuse
EXTRACTION → Impact Realized → reinforced within EXTRACTION.
04Messaging and Social Platform Channels
EXTRACTION → Impact Realized → reinforced within EXTRACTION.
05FTP / SFTP / FTPS Transfer
EXTRACTION → Impact Realized → reinforced within EXTRACTION.
06Tor / Proxy / VPN Anonymization Channels
EXTRACTION → Impact Realized → reinforced within EXTRACTION.
07Encrypted Command-and-Control Channels
EXTRACTION → Impact Realized → reinforced within EXTRACTION.
08Removable Media Data Extraction
EXTRACTION → Impact Realized → reinforced within EXTRACTION.
09Steganographic Data Transfer
EXTRACTION → Impact Realized → reinforced within EXTRACTION.
10Multi-Channel Redundant Exfiltration
EXTRACTION → Impact Realized → reinforced within EXTRACTION.