20 Annotated Attack Path Examples

A definitive curated set of real-world attack scenarios mapped to the TLCTC framework. Each example demonstrates correct cluster assignment, attack path notation, data risk event classification, and the causal reasoning behind every mapping decision.

Standard Alignment

All examples follow the normative rules of the TLCTC v2.0 white paper. Cluster assignments are anchored in generic vulnerabilities (cause-side), not in outcomes or technique labels.

Notation Reference

Symbol                        Meaning
#N                            TLCTC Cluster number
→                             Sequential causal link
+                             Parallel / simultaneous clusters
→[Δt=Xm]                      Temporal gap (velocity) between steps (edge annotation)
‖[context][@Src→@Tgt]‖        Domain / trust boundary crossing
+ [DRE: C]                    Data Risk Event — Loss of Confidentiality (appended to step)
+ [DRE: I]                    Data Risk Event — Loss of Integrity (appended to step)
+ [DRE: A]                    Data Risk Event — Loss of Availability/Accessibility (appended to step)
Note on "Loss of Availability/Accessibility"

TLCTC v2.0 uses [DRE: A] for both. Pedagogically, we distinguish:
  • LoAc: System UP, data inaccessible (e.g., ransomware).
  • LoAv: System DOWN (e.g., DDoS).
This distinction clarifies defense: LoAc needs backups; LoAv needs capacity scaling.

Example 1: Classic Ransomware

Scenario

An employee received a phishing email pretending to be from the IT department. He clicked the link, entered his credentials on a fake login page, and shortly after the attacker used the stolen credentials to log into the corporate VPN. Within 45 minutes the attacker deployed ransomware across multiple servers.

Attack Path
#9 →[Δt=5m] #4 →[Δt=35m] #1 →[Δt=5m] #7 + [DRE: C, A]
Analysis
  • #9 Social Engineering: Phishing email with fake login page manipulates the human into disclosing credentials. Generic vulnerability: human psychological susceptibilities.
  • #4 Identity Theft: Stolen credentials applied to the corporate VPN. This is the use of credentials (acquisition was a LoC consequence of #9).
  • #1 Abuse of Functions: After VPN access, the attacker uses legitimate VPN and network navigation functions (SMB, RDP) to locate servers. No code flaw.
  • #7 Malware: Ransomware binary deployed and executed on servers (FEC).

Why NOT LoAv: Servers still run; OS operational. Data is inaccessible (LoAc). If system files encrypted → software failure → LoAv.

Velocity note: Fast attack (< 1hr). 35m gap suggests recon. 5m deploy suggests pre-staged tooling.
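To make the notation concrete, here is an added Python example (not code from the TLCTC project) that tokenises a path string exactly as written in this page's examples into steps, parallel groups, Δt edges, boundary crossings and the DRE tail, and sums the numeric Δt edges so a velocity claim such as "< 1hr" for Example 1 can be checked programmatically. The grammar is a simplified assumption inferred from the reference table above, not the TLCTC ABNF; the sample paths are copied from Examples 1 and 2.

```python
import re

# Constructed samples copied from this page: Example 1 (ransomware) and Example 2 (signed update).
EXAMPLE_1 = "#9 →[Δt=5m] #4 →[Δt=35m] #1 →[Δt=5m] #7 + [DRE: C, A]"
EXAMPLE_2 = "#10 ‖[dev/update][@Vendor→@Org]‖ →[Δt=2m] #7 →[Δt=15m] (#1 + #4) + [DRE: C]"

_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400}

# One alternative per element of the notation table (assumed simplified grammar, not the
# official TLCTC ABNF). The parallel group must be tried before a bare cluster step.
_TOKEN = re.compile(r"""
    \(\s*(?P<par>\#[\d.]+(?:\s*\+\s*\#[\d.]+)+)\s*\)               # (#1 + #4) parallel clusters
  | (?P<step>\#[\d.]+)(?:\s*\[(?P<attr>[^\]]*)\])?                 # #9 or #4 [context=supplier]
  | ‖\[(?P<ctx>[^\]]*)\]\[@(?P<src>[^→\]]+)→@(?P<tgt>[^\]]+)\]‖    # domain / trust boundary crossing
  | →\[Δt=(?P<dt>\d+(?:\.\d+)?)(?P<unit>[smhd])\]                   # numeric edge annotation
  | →\[Δt=(?P<dt_word>[a-z]+)\]                                     # qualitative gap: hours, weeks, ...
  | \+\s*\[DRE:\s*(?P<dre>[^\]]*)\]                                 # data risk event tail
""", re.VERBOSE)


def parse_path(path):
    """Tokenise a TLCTC attack path into steps, edges (seconds), boundaries and DRE letters."""
    steps, edges, boundaries, dre = [], [], [], []
    pos = 0
    for m in _TOKEN.finditer(path):
        if path[pos:m.start()].strip():          # never silently skip unrecognised notation
            raise ValueError(f"unparsed text at {pos}: {path[pos:m.start()]!r}")
        pos = m.end()
        if m.group("par"):
            steps.append(re.findall(r"\#[\d.]+", m.group("par")))
        elif m.group("step"):
            steps.append([m.group("step")])      # an [attr] such as [role=browser] is ignored
        elif m.group("ctx"):
            boundaries.append((m.group("ctx"), m.group("src"), m.group("tgt")))
        elif m.group("dt"):
            edges.append(float(m.group("dt")) * _SECONDS[m.group("unit")])
        elif m.group("dt_word"):
            edges.append(None)                   # velocity only given qualitatively
        else:
            dre = [x.strip() for x in m.group("dre").split(",")]
    if path[pos:].strip():
        raise ValueError(f"unparsed text at {pos}: {path[pos:]!r}")
    return {"steps": steps, "edges": edges, "boundaries": boundaries, "dre": dre}


def dwell_seconds(path):
    """Total of the numeric Δt edges; None if any edge is qualitative (e.g. 'weeks')."""
    edges = parse_path(path)["edges"]
    return None if any(e is None for e in edges) else sum(edges)
```

Running `dwell_seconds(EXAMPLE_1)` yields 2700 seconds, the 45 minutes stated in the scenario, which is how the "< 1hr" velocity note can be verified from the path alone.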

Example 2: Supply Chain Attack (Signed Update)

Scenario

The organization uses a popular EDR solution from Vendor X. A malicious update was signed with the vendor's compromised certificate and pushed to all customers. After installation, the update executed a backdoor that beaconed out and began lateral movement.

Attack Path
#10 ‖[dev/update][@Vendor→@Org]‖ →[Δt=2m] #7 →[Δt=15m] (#1 + #4) + [DRE: C]
Analysis
  • #10 Supply Chain Attack: The Trust Acceptance Event. Systems install update because it is signed by a trusted vendor. (Litmus test: Removing trust link prevents attack).
  • ‖Boundary‖: Crossing from vendor dev/signing env to org production via update channel.
  • #7 Malware: Backdoor is foreign executable code (FEC).
  • (#1 + #4): Parallel lateral movement (discovery + credential use).

Why #10 and not #2: Vendor build system was exploited (#2), but for the org, the relevant cluster is #10 (trust dependency).

Example 3: Business Email Compromise (BEC)

Scenario

Attackers compromised a supplier's email account via password spraying. They then sent a fake invoice to the finance department requesting a wire transfer to a new account. The employee approved the payment.

Attack Path
#4 [context=supplier] →[Δt=3d] #4 ‖[email][@Supplier→@Org]‖ →[Δt=2h] #1 + [DRE: I]
Analysis
  • #4 Identity Theft (supplier): Password spraying = credential use at AuthN point. No code flaw.
  • #4 Identity Theft (cross-domain): Impersonation via compromised supplier email.
  • #1 Abuse of Functions: Finance employee uses legitimate payment workflow. Workflow abused because input (invoice) is fraudulent.
  • DRE: I: Financial integrity compromised (fraudulent transaction).

Why NOT #2 for spraying: AuthN works as designed (accepts valid creds). Spraying maps to #4.

Why NOT #9: No direct psych manipulation of employee; deception comes from identity (#4).

Example 4: Cloud API Abuse

Scenario

An attacker discovered an overly permissive AWS IAM role attached to a public S3 bucket. Using the exposed role ARN, they enumerated and exfiltrated sensitive data from multiple buckets over 4 hours.

Attack Path
#1 + [DRE: C]
Analysis
  • #1 Abuse of Functions: IAM/S3 APIs work as designed. Attacker uses legitimate calls (`ListBuckets`, `AssumeRole`). No code flaw, no foreign code, no stolen creds. Exfiltration lasted ~4 hours.
  • Not #4: No credential theft. Public role ARN used directly.
  • DRE: C: Sensitive data exfiltrated.

Defense: Pure configuration/permission issue (Prevent lane: least-privilege).

Example 5: USB Drop

Scenario

An unknown person dropped a USB stick labeled "Executive Bonus 2025" in the company parking lot. An employee plugged it into his workstation. The USB contained a malicious LNK file that executed a PowerShell payload leading to domain admin compromise.

Attack Path
(#8 + #9) ‖[physical][@External→@Org]‖ →[Δt=10s] #7 →[Δt=25m] #4 + [DRE: C, I]
Analysis
  • (#8 + #9) Parallel: #8 Physical delivery (accessibility) + #9 Social Engineering (psychological lure). Both necessary.
  • #7 Malware: LNK triggers PowerShell to execute foreign payload (FEC).
  • #4 Identity Theft: Domain admin creds harvested/used.

Why BOTH #8 & #9: Atomic actions exploit different vulnerabilities. Missing #8 misses delivery; missing #9 misses motivation.

Example 6: MitM + Credential Theft (Evil Twin)

Scenario

Attackers set up a rogue access point mimicking the company guest WiFi. An employee connected, and their traffic was routed through the attacker. The attacker intercepted the NTLM hash during authentication to SharePoint, then used it to download data.

Attack Path
(#8 + #9) →[Δt=0s] #1 →[Δt=0s] #5 ‖[network][@Local→@User]‖ →[Δt=30s] #4 →[Δt=hours] #1 + [DRE: C]
Analysis
  • (#8 + #9) Setup: Physical deployment + SSID lure (Position Acquisition).
  • #1 Routing: Abusing DHCP/Gateway functions to route traffic.
  • #5 MitM: Interception/Observation from established position.
  • #4 Identity Theft: Use of captured hash (Pass-the-Hash).
  • #1 Access: Using authenticated SharePoint functions to download data.

Dual-nature: Credential acquisition maps to enabling cluster (#5). Use maps to #4.

Example 7: Modern Ransomware with Lateral Movement

Scenario

Initial access via spear-phishing. Lateral movement via RDP to DC, Cobalt Strike deployment, then ransomware on 200+ systems 14 hours later.

Attack Path
#9 →[Δt=15m] #4 →[Δt=2h] (#1 + #4) →[Δt=1h] #7 →[Δt=10h] #7 + [DRE: C, A]
Analysis
  • #9 Social Engineering: Targeted spear-phishing.
  • (#1 + #4): RDP (legitimate function #1) + Credential use (#4) in parallel.
  • #7 Cobalt Strike: C2/Persistence FEC.
  • #7 Ransomware: Encryption FEC. (Distinct from Cobalt Strike).

Example 8: Cloud IDP Compromise

Scenario

Vishing attack on IDP help desk. Employee tricked into resetting MFA for privileged customer account. Attacker logs in, accesses OAuth tokens, exfiltrates data from Salesforce/Git.

Attack Path
#9 ‖[support][@Attacker→@IDP]‖ →[Δt=10m] #1 →[Δt=5m] #4 ‖[auth][@IDP→@Customer]‖ →[Δt=30m] (#1 + #4) + [DRE: C]
Analysis
  • #9 Social Engineering: Vishing help desk.
  • #1 Abuse of Functions: MFA reset is legitimate help desk function used as designed.
  • #4 Identity Theft: Logging in as customer (Cross-domain).
  • (#1 + #4): OAuth token use (#4) + API abuse (#1) for exfiltration.

Why NOT #10: IDP attacked via social engineering, not supply chain compromise (code/hardware).

Example 9: IoT Botnet → DDoS (Mirai-Style)

Scenario

Scanned internet for IoT devices with default credentials. Logged into 50,000+ devices, installed bot malware. Later launched volumetric DDoS against DNS provider.

Attack Path
Phase 1:
#4 →[Δt=0s] #7 [× 50,000]
Phase 2 (Δt ≈ weeks):
#6 ‖[network][@Botnet→@DNSProvider]‖ + [DRE: A]

Note: [× 50,000] is informal shorthand — TLCTC ABNF does not define a multiplier operator. The same cluster MAY appear multiple times in a path.

Analysis
  • #4 Identity Theft: Default creds are still creds. Vulnerability is weak identity management.
  • #7 Malware: Bot installed (FEC).
  • #6 Flooding: Volumetric traffic exhausting resources (LoAv).

Why #4 for defaults: Mechanism is authentication with valid creds. Not #2 (no code flaw).

Example 10: Zero-Day Watering Hole

Scenario

Compromised news site injected JS exploit targeting Chrome V8 zero-day. Visitors executed shellcode installing persistent backdoor for months-long exfiltration.

Attack Path
#2 [role=server] →[Δt=days] #3 [role=browser] →[Δt=0s] #7 →[Δt=months] #1 + [DRE: C, I]
Analysis
  • #2 Exploiting Server: Website compromise (CMS/Server flaw).
  • #3 Exploiting Client: Browser processes malicious JS (Client flaw).
  • #7 Malware: Backdoor installation (FEC).
  • #1 Abuse of Functions: Exfiltration via OS functions (HTTPS, file ops).

Example 11: Insider Threat

Scenario

Disgruntled DBA used legitimate access to export 3.2M records to personal USB drive over weeks, then sold data.

Attack Path
#1 →[Δt=weeks] #8 + [DRE: C]
Analysis
  • #1 Abuse of Functions: Legitimate query/export used as designed. No exploit, no stolen creds.
  • #8 Physical Attack: Moving data to personal USB (physical exfiltration).

Why NOT #4: Insider uses own credentials. #4 requires impersonation.

Example 12: Firmware Implant (Hardware Supply Chain)

Scenario

Subcontractor inserted firmware implant into network switches during manufacturing. Implant activated after deployment, establishing covert channels.

Attack Path
#10.2 ‖[hw/mfg][@Subcontractor→@GovAgency]‖ →[Δt=months] #7 →[Δt=0s] #1 + [DRE: C, I]
Analysis
  • #10.2 Hardware Supply Chain: Manufacturing compromise. Trust enables delivery.
  • #7 Malware: Firmware implant is FEC.
  • #1 Abuse of Functions: Implant uses legitimate switch routing/mirroring for exfiltration.

Example 13: Credential Stuffing

Scenario

Attackers used breached credentials to attempt logins against streaming platform. 15,000 accounts accessed; emails changed for resale.

Attack Path
#4 →[Δt=0s] #1 + [DRE: C, I]
Analysis
  • #4 Identity Theft: Credential stuffing = use of creds at AuthN point. Vulnerability: password reuse.
  • #1 Abuse of Functions: Email change is legitimate function used as designed.

Why NOT #6: Mechanism is authentication, not resource exhaustion.

Example 14: OT/ICS Attack

Scenario

Spear-phishing entry, pivot to OT network via firewall abuse. Used legitimate HMI commands to open circuit breakers, causing regional outage.

Attack Path
#9 →[Δt=6h] #4 →[Δt=2d] #1 ‖[network][@IT→@OT]‖ →[Δt=4h] #1 + [DRE: I]
Analysis
  • #1 Abuse of Functions (pivot): Firewall allows traffic by design (misconfiguration).
  • #1 Abuse of Functions (HMI): Legitimate commands used as designed. System works correctly.
  • DRE: I: Unauthorized command changed grid state. Power outage is business consequence (Lane 3).

Example 15: API Key Leak

Scenario

Developer committed AWS key to public GitHub. Scanner detected in 4 mins. Attacker used key for crypto-mining and data access.

Attack Path
#4 →[Δt=0s] #1 + [DRE: C]
Analysis
  • #4 Identity Theft: Using leaked key is credential use.
  • #1 Abuse of Functions: Crypto mining (compute) and data access (RDS) via legitimate APIs.

Example 16: Ransomware-as-a-Service (BYOVD)

Scenario

Affiliate buys RDP creds, disables security via Vulnerable Driver (BYOVD), exfiltrates data, then deploys ransomware.

Attack Path
#4 →[Δt=30m] (#1 + #3) →[Δt=2h] #1 →[Δt=4h] #7 + [DRE: C, A]
Analysis
  • #4 Identity Theft: RDP access via purchased creds.
  • (#1 + #3) BYOVD: Load driver (#1 legitimate function) + Exploit local driver flaw (#3 Client Exploit).
  • #1 Abuse of Functions: Exfiltration via standard tools.

Example 17: SIM Swapping → Crypto Theft

Scenario

Vishing carrier support to swap SIM. Intercept SMS 2FA, reset exchange password, transfer Bitcoin.

Attack Path
#9 ‖[support][@Attacker→@Carrier]‖ →[Δt=5m] #1 →[Δt=0s] #4 →[Δt=10m] #4 →[Δt=5m] #1 + [DRE: C, I]
Analysis
  • #9 Social Engineering: Vishing carrier agent.
  • #1 Abuse of Functions: Carrier agent executes SIM swap (legitimate function).
  • #4 Identity Theft: Intercept 2FA (SIM-based identity).
  • #4 Identity Theft: Login to exchange (Password reset).
  • #1 Abuse of Functions: Bitcoin transfer (legitimate function).

Example 18: K8s Cluster Compromise

Scenario

Unauthenticated exposed dashboard. Attacker deploys miner container, escalates via RBAC, accesses DB secrets.

Attack Path
#1 →[Δt=5m] #7 →[Δt=20m] #1 →[Δt=5m] #4 + [DRE: C, I]
Analysis
  • #1 Abuse of Functions: Accessing exposed dashboard (no auth = no creds = #1).
  • #7 Malware: Miner container is FEC.
  • #1 Abuse of Functions: RBAC escalation (configuration abuse).
  • #4 Identity Theft: Access/use of DB secrets.

Example 19: Encrypted Messaging Zero-Click

Scenario

Zero-click exploit in message parser (memory corruption) delivers spyware. Spyware abuses OS APIs for surveillance.

Attack Path
#3 →[Δt=0s] #7 →[Δt=0s] #1 + [DRE: C]
Analysis
  • #3 Exploiting Client: Message parser flaw triggered by data (message).
  • #7 Malware: Spyware installed (FEC).
  • #1 Abuse of Functions: Exfiltration via legitimate OS APIs (GPS, Mic).

Why NOT #9: Zero-click = no user interaction/manipulation.

Example 20: L7 DDoS (Search Query)

Scenario

Crafted complex search queries triggered database joins to exhaust thread pools via a botnet (10k nodes). Site down for 6 hours.

Attack Path
#6 + [DRE: A]
Analysis
  • #6 Flooding: Resource exhaustion via volume. Individual requests valid.
  • DRE: A (LoAv): Service unavailability.

Why NOT #1: Mechanism is volume/exhaustion, not function abuse. Single request wouldn't cause harm.

Quick Reference: Decision Tree

  • Foreign code? → #7 (intended capability) or #2/#3 (code flaw).
  • Auth/Impersonation? → #4.
  • Volume/Exhaustion? → #6.
  • Trust Link Breach? → #10.
  • Psych Manipulation? → #9.
  • Physical Interaction? → #8.

Common Confusion Resolution

Confusion                                  Resolution
Ransomware = LoAv?                         NO. LoAc (data inaccessible). LoAv only if system files encrypted.
Password spraying = #2?                    NO. #4 (credential use).
Default credentials = not #4?              NO. Still credentials → #4.
Insider using own access = #4?             NO. #1 (legitimate access, no impersonation).
ReDoS / algorithmic complexity = #6?       NO. #2/#3 (implementation defect, not volume).