CIS_v8 18: CIS Control 18

Adam Lundqvist
Founder at SQUR · last verified 2026-06-20

Regulation text

Test the effectiveness and resiliency of enterprise assets through identifying and exploiting weaknesses in controls (people, processes, and technology), and simulating the objectives and actions of an attacker.

ATT&CK techniques this article tests · 15

| Technique | Why it maps | Confidence |
|---|---|---|
| T1190 | Penetration testers frequently exploit public-facing applications to gain initial access, directly simulating this technique. CIS Control 18 mandates identifying and exploiting weaknesses. | 90% |
| T1566 | Social engineering, including phishing, is a common initial access vector simulated in penetration tests to assess human and technical controls. CIS Control 18 includes testing people and processes. | 80% |
| T1059 | Command and scripting interpreters are routinely used by penetration testers to execute commands on compromised systems, directly mimicking attacker actions as per CIS Control 18. | 90% |
| T1068 | Exploiting vulnerabilities for privilege escalation is a primary objective of penetration testing, aiming to gain higher access levels within a system. CIS Control 18 focuses on exploiting weaknesses. | 90% |
| T1547 | Penetration testers often establish persistence mechanisms, such as modifying boot or logon autostart execution, to maintain access during simulated attacks. CIS Control 18 simulates attacker objectives. | 80% |
| T1027 | Obfuscation techniques are employed by penetration testers to evade detection by security controls, testing the effectiveness of defensive measures. CIS Control 18 assesses control resiliency. | 70% |
| T1003 | OS credential dumping is a critical step in many penetration tests to acquire credentials for lateral movement and further access. CIS Control 18 simulates attacker actions. | 90% |
| T1046 | Network service scanning is a fundamental discovery technique used by penetration testers to map out network infrastructure and identify potential targets. CIS Control 18 identifies weaknesses. | 80% |
| T1087 | Account discovery is performed by penetration testers to identify valid user accounts, which can then be targeted for credential compromise or impersonation. CIS Control 18 simulates attacker objectives. | 80% |
| T1021 | Penetration testers utilize remote services to move laterally within a network, accessing other systems from a compromised host. CIS Control 18 simulates attacker actions. | 90% |
| T1005 | Collecting data from local systems is a common objective for penetration testers, simulating data exfiltration or reconnaissance. CIS Control 18 assesses the impact of exploitation. | 80% |
| T1071 | Penetration testers establish command and control channels using various application layer protocols to maintain communication with compromised systems. CIS Control 18 simulates attacker actions. | 70% |
| T1041 | Exfiltration over C2 channels is simulated by penetration testers to demonstrate the potential for data theft from compromised environments. CIS Control 18 assesses the resiliency of assets. | 80% |
| T1486 | Simulating data encryption for impact, such as ransomware, is part of comprehensive penetration testing to assess an organization's response and recovery capabilities. CIS Control 18 tests resiliency. | 70% |
| T1078 | Penetration testers frequently use valid accounts, obtained through various means, to bypass security controls and move within the network. CIS Control 18 simulates attacker actions and objectives. | 90% |

Defending mitigations · 6

| Mitigation | What it does | Confidence |
|---|---|---|
| M1031 | Penetration testing assesses the effectiveness of network segmentation in containing breaches and limiting lateral movement, validating its defensive logic. | 80% |
| M1035 | Penetration tests attempt to bypass access controls to network resources, thereby validating the strength and proper configuration of access limitations. | 80% |
| M1040 | Penetration testing evaluates endpoint security solutions' ability to detect and prevent malicious behavior, directly testing behavior prevention mechanisms. | 70% |
| M1047 | Penetration testing helps verify that security logging and auditing mechanisms capture attacker activities, ensuring proper audit trail generation for incident response. | 80% |
| M1051 | Penetration testing frequently exploits vulnerabilities in unpatched software, highlighting the critical need for timely software updates as a defensive measure. | 90% |
| M1056 | Penetration testing identifies and attempts to exploit unnecessary or misconfigured services, validating the effectiveness of preventing access to such services. | 80% |

Underlying weaknesses · 7

| CWE | Why it persists | Confidence |
|---|---|---|
| CWE-78 | Penetration testing actively seeks and exploits OS command injection vulnerabilities to gain system access, directly addressing this common weakness. | 90% |
| CWE-79 | Penetration tests frequently target Cross-site Scripting (XSS) vulnerabilities to demonstrate client-side attacks and data theft, validating controls against this weakness. | 80% |
| CWE-89 | Penetration testing commonly identifies and exploits SQL injection flaws to access or manipulate database content, directly assessing this critical weakness. | 90% |
| CWE-200 | Penetration tests aim to discover and exfiltrate sensitive data that is improperly exposed, directly addressing the weakness of sensitive information exposure. | 80% |
| CWE-287 | Penetration testing attempts to bypass or compromise authentication mechanisms to gain unauthorized access, directly targeting improper authentication weaknesses. | 80% |
| CWE-269 | Penetration tests focus on exploiting flaws in privilege management to achieve higher access levels, directly addressing improper privilege management. | 80% |
| CWE-502 | Penetration testing often includes attempts to exploit deserialization vulnerabilities for remote code execution, directly assessing this complex weakness. | 70% |

What SQUR Covers

Web application + API pentesting for OWASP Top 10, business logic flaws, authentication bypass, injection attacks, and other application-layer vulnerabilities. €1,995 per scan, 24-hour turnaround, EU-only data.

What SQUR Does Not Cover

Internal network pentesting, endpoint security testing, physical security assessments, social engineering, or ICT third-party concentration risk reviews. Engage a complementary provider for those scope items.

Provenance

Mapped Q2.2026 using gemini-2.5-flash · €0.0180 compute · voice-rubric self-validated