Attack Chains

Tools change constantly. Loaders, C2 frameworks, ransomware brands, stealer families, all of it rotates. The prerequisite conditions at each stage don't. These mapped chains show how every actor converges on the same chokepoints regardless of toolset. Detect the chokepoint, catch any actor.

Why Map Attack Chains?

Map enough threat actors against the same kill chain and a pattern falls out fast. Independent groups with different tools, different infrastructure, and different affiliations all converge on the same techniques at each stage.

That convergence isn't coincidence. It's architecture. Lateral movement requires authenticating to the next host and creating a process on it. Encryption only pays if recovery is denied, so backup services get stopped and shadow copies deleted first. The OS and the network dictate those prerequisites, not the attacker. The tools rotate. The requirements don't.

That's where the ROI is. Techniques that show up under every actor in the matrix are universal chokepoints. A detection on that technique fires for every group, whichever toolset is in front of it.
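The chokepoint argument, as an added example rather than code from this page or from Kaspersky's report: a small rule set for the recovery-denial actions that precede encryption (shadow copy deletion, backup and database service stops, boot-recovery tampering) run over constructed Sysmon-style process-creation events. The actor labels on the sample events are illustrative only; the point is that one rule covers all five groups tracked in the ransomware chain.

```python
"""Ransomware impact-stage chokepoint detection.

Added example for this page; it is not code from the page or from
Kaspersky's report. It scores process-creation events (Sysmon Event ID 1 /
Windows 4688 style, constructed below) against the recovery-denial actions
that precede encryption regardless of family: shadow copy deletion, backup
and database service stops, and boot-recovery tampering. The actor labels
on the sample events are illustrative, to show one rule set catching all
five groups.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    pattern: re.Pattern


RULES = [
    Rule("shadow_copy_deletion", re.compile(
        r"vssadmin(?:\.exe)?\s+delete\s+shadows"
        r"|vssadmin(?:\.exe)?\s+resize\s+shadowstorage.*/maxsize="  # also a legit admin action; tune on size
        r"|wmic(?:\.exe)?\s+shadowcopy\s+delete"
        r"|win32_shadowcopy.*remove-wmiobject", re.I)),
    Rule("backup_service_stop", re.compile(
        r"(?:\b(?:net1?|sc)(?:\.exe)?\s+stop|stop-service)\s+.*"
        r"(?:vss|sqlwriter|veeam|backupexec|acronis|mssql|msexchange)", re.I)),
    Rule("boot_recovery_tamper", re.compile(
        r"bcdedit(?:\.exe)?.*(?:recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)"
        r"|wbadmin(?:\.exe)?\s+delete\s+(?:catalog|systemstatebackup)", re.I)),
]

# The five groups mapped on this page's ransomware chain.
ACTORS = {"BlackBasta", "LockBit 3.0", "Akira", "Alphv/BlackCat", "Play"}

# Constructed Sysmon-style records. Actor labels are illustrative only.
EVENTS = [
    {"actor": "LockBit 3.0", "cmdline": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"actor": "BlackBasta", "cmdline": 'cmd.exe /c "vssadmin.exe delete shadows /all /quiet & wmic shadowcopy delete"'},
    {"actor": "Akira", "cmdline": 'powershell.exe -Command "Get-WmiObject Win32_Shadowcopy | Remove-WmiObject"'},
    {"actor": "Play", "cmdline": "wmic shadowcopy delete /nointeractive"},
    {"actor": "Play", "cmdline": "bcdedit /set {default} recoveryenabled No"},
    {"actor": "Alphv/BlackCat", "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"actor": "Alphv/BlackCat", "cmdline": 'net stop "Veeam Backup Service" /y'},
    # benign administration that must not fire
    {"actor": "admin", "cmdline": "net stop Spooler"},
    {"actor": "admin", "cmdline": "vssadmin list shadows"},
]


def detect(events, rules=RULES):
    """Return (rule_name, actor, cmdline) for every rule each event trips."""
    return [(r.name, ev["actor"], ev["cmdline"])
            for ev in events for r in rules if r.pattern.search(ev["cmdline"])]


def coverage(events, rules=RULES):
    """Map each rule to the set of actors it caught: the convergence view."""
    cov = {r.name: set() for r in rules}
    for name, actor, _ in detect(events, rules):
        cov[name].add(actor)
    return cov


def universal_chokepoints(events, actors=ACTORS, rules=RULES):
    """Rules that fire for every tracked actor: the detections with highest ROI."""
    return sorted(name for name, caught in coverage(events, rules).items()
                  if actors <= caught)


if __name__ == "__main__":
    for name, caught in coverage(EVENTS).items():
        print(f"{name:24s} {len(caught & ACTORS)}/{len(ACTORS)} actors")
    print("universal chokepoints:", universal_chokepoints(EVENTS))
```

On real telemetry the same shape works against Sysmon Event ID 1 or Security 4688 with command-line auditing enabled; the rules key on the action, not on the family, which is why the coverage view is the useful output. Expect to tune the backup-service list to your environment and to whitelist scheduled shadow-storage resizes.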

Methodology adapted from Kaspersky's Common TTPs of Modern Ransomware Groups (2022).

Cross-Chain Ecosystem

No chain runs in isolation. Infostealers harvest the credentials that fund ransomware. AiTM kits steal the sessions that enable account takeover and BEC.

Infostealer Chain → credentials sold to IABs → Ransomware Chain
AiTM / Phish Chain → session tokens → account takeover → BEC / Double Extortion

Real-world examples: Snowflake breach (2024): infostealer credentials led to 165+ organisations compromised. · RansomHub: ClickFix → stealer → IAB → ransomware. · Scattered Spider: AiTM → Okta session → lateral movement → ransomware.
How to read an attack chain

Stages: kill chain phases from initial access to impact.
Actors: threat groups or families tracked in this chain.
TTP Overlap: color-coded cells show which actors use each technique.
Convergence: techniques used by ALL actors = highest detection ROI.
Chokepoint: links to the Detection Chokepoints page for that stage.
Ecosystem: arrows show how chains feed into each other.
Ransomware Attack Chain

Initial Access → Credential Access → Lateral Movement → Defense Evasion → Impact. BlackBasta, LockBit 3.0, Akira, Alphv/BlackCat, and Play mapped against the same five chokepoints to show where every group converges.

5 actors tracked · 5 chokepoints · Avg TTR <24 hrs
Infostealer Attack Chain

Distribution → Execution → Collection → Exfiltration → Monetization. RedLine, LummaC2, Vidar, StealC, and Raccoon mapped through the full chain, including how harvested credentials feed the RaaS ecosystem downstream.

5 families tracked · 5 chokepoints · 15M+ infections/yr
AiTM / Phishing Kit Attack Chain

Lure Delivery → Proxy Interception → Token Harvest → Account Takeover → Persistence & Objectives. Tycoon 2FA, Evilginx, EvilProxy, Sneaky 2FA, and device code flow phishing. None of them breaks MFA; each ends the flow holding a token issued after the victim completed MFA (a session cookie for the proxy kits, an OAuth access/refresh token for device code phishing), so the password alone is never the prize.

5 kits tracked · 5 chokepoints · MFA bypass focus
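What "stealing the session, not the password" looks like at the identity provider, as an added example that is not code from this page or from any of the kits named: the proxy completes the interactive MFA sign-in from attacker infrastructure, then the captured cookie is replayed from a second attacker host, so one session is used from two unrelated origins. The scoring below runs over constructed sign-in records; the field names mimic IdP sign-in logs but are not a real Entra ID or Okta schema, and the hosting-ASN set is a placeholder for an ASN classification feed.

```python
"""AiTM session-token replay detection over sign-in telemetry.

Added example for this page, not code from the page or from any kit or
vendor. It encodes the card's point: the kit's proxy completes MFA from
the attacker's infrastructure, then the captured session cookie is
replayed from a second attacker host, so the IdP sees one session used
from two unrelated origins. The sign-in records and the hosting-ASN list
below are constructed; field names mimic IdP sign-in logs but are not a
real Entra ID or Okta schema.
"""
from collections import defaultdict

# Constructed: ASNs treated as hosting/VPS space. In practice this comes
# from an ASN classification feed, not a hard-coded set.
HOSTING_ASNS = {"AS64500", "AS64501"}

# Constructed sign-in records: one AiTM victim (S1), one normal desktop
# session (S2), and one phone that roams between carrier and home Wi-Fi (S3).
SIGNINS = [
    {"ts": "2025-03-04T09:00:12Z", "user": "j.doe", "session_id": "S1",
     "ip": "203.0.113.45", "asn": "AS64500", "os": "Windows", "interactive": True},
    {"ts": "2025-03-04T09:01:30Z", "user": "j.doe", "session_id": "S1",
     "ip": "198.51.100.7", "asn": "AS64501", "os": "Linux", "interactive": False},
    {"ts": "2025-03-04T08:55:00Z", "user": "a.smith", "session_id": "S2",
     "ip": "192.0.2.10", "asn": "AS64496", "os": "Windows", "interactive": True},
    {"ts": "2025-03-04T10:20:00Z", "user": "a.smith", "session_id": "S2",
     "ip": "192.0.2.10", "asn": "AS64496", "os": "Windows", "interactive": False},
    {"ts": "2025-03-04T07:30:00Z", "user": "m.lee", "session_id": "S3",
     "ip": "198.51.100.200", "asn": "AS64497", "os": "iOS", "interactive": True},
    {"ts": "2025-03-04T12:05:00Z", "user": "m.lee", "session_id": "S3",
     "ip": "192.0.2.77", "asn": "AS64498", "os": "iOS", "interactive": False},
]


def score_sessions(signins, hosting_asns=HOSTING_ASNS, threshold=3):
    """Score every non-interactive use of a session against the interactive
    sign-in that created it. A hosting-ASN origin or an ASN change alone is
    weak evidence (VPNs, mobile roaming); combined with an OS change it is a
    replayed cookie. Returns one alert per token use at or above threshold."""
    by_session = defaultdict(list)
    for ev in sorted(signins, key=lambda e: e["ts"]):  # ISO-8601 sorts lexically
        by_session[ev["session_id"]].append(ev)

    alerts = []
    for sid, evs in by_session.items():
        origin = next((e for e in evs if e["interactive"]), None)
        if origin is None:
            continue  # no interactive sign-in seen for this session; out of scope here
        for ev in evs:
            if ev is origin or ev["interactive"]:
                continue
            score, reasons = 0, []
            if origin["asn"] in hosting_asns:
                score += 2
                reasons.append(f"session established from hosting ASN {origin['asn']}")
            if ev["asn"] != origin["asn"]:
                score += 1
                reasons.append(f"ASN changed {origin['asn']} -> {ev['asn']}")
            if ev["os"] != origin["os"]:
                score += 2
                reasons.append(f"OS changed {origin['os']} -> {ev['os']}")
            if score >= threshold:
                alerts.append({"user": ev["user"], "session_id": sid, "ts": ev["ts"],
                               "score": score, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in score_sessions(SIGNINS):
        print(a["ts"], a["user"], a["session_id"], a["score"], "; ".join(a["reasons"]))
```

The interactive sign-in in S1 will show MFA as satisfied, because the victim really did complete it through the proxy; that is the bypass the card describes. Detection therefore has to key on where the session was created and where it is later used, not on whether MFA succeeded. Mobile roaming (S3) is the main false-positive source, which is why an ASN change on its own stays below the threshold.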
Hypervisor Compromise Attack Chain

Initial Access → Mgmt Plane Takeover → Credential Theft → Persistence → Lateral Movement → Impact. BRICKSTORM/UNC5221, UNC3886, Scattered Spider, Play, and ALPHV. All operating beneath the guest OS, where guest-level EDR has no visibility.

5 actors tracked · 6 stages · VMware vSphere focus
AD & Identity Domination Attack Chain

Initial Access → Credential Access → Privilege Escalation → Lateral Movement → Persistence → Impact. APT29, Storm-0501, Storm-2372, Scattered Spider, and ransomware operators. All exploiting the same protocol-level invariants from Kerberos through to Entra ID.

5 actors tracked · 6 stages · AD + Entra ID