MITRE ATT&CK
A comprehensive, publicly accessible knowledge base that documents real-world attacker tactics, techniques, and procedures (TTPs). ATT&CK (Adversarial Tactics, Techniques & Common Knowledge) is used by security teams worldwide as a common language for threat analysis, detection engineering, and purple teaming.
MITRE ATT&CK is the lingua franca of modern threat analysis. What began as an internal knowledge repository at the MITRE Corporation is now the most comprehensive public database of attacker behavior, featuring 14 tactics, over 200 techniques, and thousands of documented examples from real APT groups.
Structure: Tactics → Techniques → Sub-Techniques
The hierarchy is: Tactic (Why?) → Technique (How?) → Sub-Technique (How exactly?)
Example:
- TA0006: Credential Access (Tactic)
  - T1003: OS Credential Dumping (Technique)
    - .001 LSASS Memory (Sub-Technique)
    - .002 Security Account Manager (SAM)
    - .003 NTDS
    - .006 DCSync
  - T1558: Steal or Forge Kerberos Tickets (Technique)
    - .001 Golden Ticket
    - .002 Silver Ticket
    - .003 Kerberoasting
    - .004 AS-REP Roasting
The 14 ATT&CK Tactics (Enterprise Matrix)
| ID | Tactic | Description | Example Techniques |
|---|---|---|---|
| TA0001 | Initial Access | How does the attacker get into the network? | T1566 Phishing, T1190 Exploit Public-Facing App |
| TA0002 | Execution | How does the attacker run code? | T1059 Command and Scripting Interpreter (PowerShell, Bash) |
| TA0003 | Persistence | How does the attacker keep a foothold across reboots and logons? | T1547 Boot/Logon Autostart, T1053 Scheduled Task |
| TA0004 | Privilege Escalation | How does the attacker gain higher privileges? | T1055 Process Injection, T1068 Exploit Vulnerability |
| TA0005 | Defense Evasion | How does the attacker avoid security tools? | T1562 Impair Defenses, T1027 Obfuscated Files |
| TA0006 | Credential Access | How does the attacker steal credentials? | T1003 OS Credential Dumping, T1558 Kerberos Tickets |
| TA0007 | Discovery | What does the attacker learn about the environment? | T1018 Remote System Discovery, T1082 System Information |
| TA0008 | Lateral Movement | How does the attacker move between systems? | T1021 Remote Services, T1075 Pass the Hash |
| TA0009 | Collection | What data does the attacker gather? | T1560 Archive Data, T1074 Data Staged |
| TA0010 | Exfiltration | How does the attacker get the data out? | T1048 Exfiltration Over Alternative Protocol |
| TA0011 | Command and Control | How does the attacker communicate with compromised systems? | T1071 Application Layer Protocol, T1572 Protocol Tunneling |
| TA0040 | Impact | What is the final damage? | T1486 Data Encrypted for Impact (Ransomware!), T1485 Data Destruction |
| TA0042 | Resource Development | How does the attacker build or acquire infrastructure and tooling for the operation? | - |
| TA0043 | Reconnaissance | How does the attacker gather information about the target beforehand? | T1595 Active Scanning |
ATT&CK in Practice
SIEM Rules Based on ATT&CK
An IoC-based SIEM rule (ALERT if source_ip == "185.234.xx.xx") becomes useless as soon as the attacker switches to a new IP. A TTP-based rule, on the other hand, detects the behavior itself, whatever IP it comes from.
T1059.001 - PowerShell Encoded Commands:
ALERT if:
  Process == "powershell.exe"
  AND CommandLine matches "(-enc|-EncodedCommand|-e) [A-Za-z0-9+/=]{50,}"
T1003.001 - LSASS Memory Dump:
ALERT if:
  SourceProcess NOT IN allowlist
  AND TargetProcess == "lsass.exe"
  AND AccessRights includes "PROCESS_VM_READ"
T1486 - Ransomware Activity:
ALERT if:
  10+ files had their extension changed within 60 seconds
  AND the new file extension is unknown
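The three pseudo-rules above, implemented as runnable detection logic. This is an added example, not code from the page or from MITRE: the event records are constructed to resemble endpoint telemetry (process creation, process access with an access mask, file rename), the allowlist and the set of known extensions are assumptions, and the ransomware rule is read as "10 or more renames to an unknown extension by one process inside a sliding 60-second window".

```python
import re
from collections import defaultdict, deque

# Rule parameters. The allowlist and the known-extension set are constructed for this
# example; in production they come from your own baseline.
ENCODED_PS = re.compile(r"(?:-enc(?:odedcommand)?|-e)\s+[A-Za-z0-9+/=]{50,}", re.IGNORECASE)
PROCESS_VM_READ = 0x0010          # Windows access right needed to read another process's memory
LSASS_ALLOWLIST = {               # processes legitimately allowed to open lsass (constructed)
    r"c:\program files\edr\sensor.exe",
    r"c:\windows\system32\csrss.exe",
}
KNOWN_EXTENSIONS = {".docx", ".xlsx", ".pdf", ".txt", ".bak", ".tmp"}
RANSOM_WINDOW_S = 60
RANSOM_THRESHOLD = 10


def detect_t1059_001(ev):
    """T1059.001: powershell.exe started with a long Base64 -enc/-EncodedCommand payload."""
    if ev["kind"] != "process_create":
        return None
    if ev["image"].lower().rsplit("\\", 1)[-1] != "powershell.exe":
        return None
    if ENCODED_PS.search(ev["cmdline"]):
        return ("T1059.001", "encoded PowerShell command line: " + ev["cmdline"][:48] + "...")
    return None


def detect_t1003_001(ev):
    """T1003.001: a process outside the allowlist obtains PROCESS_VM_READ on lsass.exe."""
    if ev["kind"] != "process_access":
        return None
    if not ev["target_image"].lower().endswith("\\lsass.exe"):
        return None
    if ev["source_image"].lower() in LSASS_ALLOWLIST:
        return None
    if ev["granted_access"] & PROCESS_VM_READ:
        return ("T1003.001", f"{ev['source_image']} opened lsass with access 0x{ev['granted_access']:x}")
    return None


def _ext(name):
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


class RansomwareRateDetector:
    """T1486: one source process renames >= RANSOM_THRESHOLD files to an unknown
    extension inside a sliding RANSOM_WINDOW_S-second window."""

    def __init__(self):
        self.windows = defaultdict(deque)   # source_image -> timestamps of suspicious renames
        self.fired = set()                  # alert once per process

    def feed(self, ev):
        if ev["kind"] != "file_rename":
            return None
        old_ext, new_ext = _ext(ev["old_name"]), _ext(ev["new_name"])
        if new_ext == old_ext or "." + new_ext in KNOWN_EXTENSIONS:
            return None                     # ordinary rename, not a switch to an unknown extension
        q = self.windows[ev["source_image"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > RANSOM_WINDOW_S:
            q.popleft()                     # drop renames that fell out of the window
        if len(q) >= RANSOM_THRESHOLD and ev["source_image"] not in self.fired:
            self.fired.add(ev["source_image"])
            return ("T1486", f"{ev['source_image']} renamed {len(q)} files to .{new_ext} within {RANSOM_WINDOW_S}s")
        return None


def run_rules(events):
    """Apply all three TTP rules to a stream of events; returns a list of (technique_id, detail)."""
    ransom = RansomwareRateDetector()
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        for hit in (detect_t1059_001(ev), detect_t1003_001(ev), ransom.feed(ev)):
            if hit:
                alerts.append(hit)
    return alerts


# Constructed sample telemetry (not real logs). 'ts' is seconds since an arbitrary epoch.
SAMPLE_EVENTS = [
    {"kind": "process_create", "ts": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -EncodedCommand " + "QQ" * 40},
    {"kind": "process_create", "ts": 2, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -File C:\scripts\Get-Inventory.ps1"},          # benign: no alert
    {"kind": "process_access", "ts": 3, "source_image": r"C:\Users\bob\AppData\Local\Temp\dump.exe",
     "target_image": r"C:\Windows\System32\lsass.exe", "granted_access": 0x1010},
    {"kind": "process_access", "ts": 4, "source_image": r"C:\Program Files\EDR\sensor.exe",
     "target_image": r"C:\Windows\System32\lsass.exe", "granted_access": 0x1010},  # allowlisted: no alert
] + [
    {"kind": "file_rename", "ts": 100 + i, "source_image": r"C:\Users\bob\enc.exe",
     "old_name": f"report{i}.docx", "new_name": f"report{i}.docx.lockd"}
    for i in range(12)
] + [
    {"kind": "file_rename", "ts": 200, "source_image": r"C:\Windows\explorer.exe",
     "old_name": "notes.txt", "new_name": "notes.bak"},                          # known extension: no alert
]

if __name__ == "__main__":
    for technique, detail in run_rules(SAMPLE_EVENTS):
        print(technique, "-", detail)
```

Each rule keys on behavior (an encoded command line, a read handle to lsass, a burst of renames) rather than on an indicator, so replacing the IP, file hash or binary name does not affect it; the tuning knobs are the allowlist, the known-extension set and the rename threshold, which is where false positives are managed.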
ATT&CK for Threat Intelligence
Step 1 - Read the Threat Report (e.g., Mandiant APT41 Report)
> “APT41 uses spear-phishing with .lnk attachments (T1566.001) and performs DLL injection via certutil.exe (T1218.003)”
Step 2 - Mark techniques in the ATT&CK Matrix
In the ATT&CK Navigator, mark T1566.001 and T1218.003 and visualize which controls protect against them.
Step 3 - Identify detection gaps
Do we have a SIEM rule for T1218.003 (certutil misuse)? If not, create a rule:
ALERT if certutil.exe is called with -urlcache or -decode
Step 4 - Measure coverage
The Navigator displays coverage using colors:
- Green: Detection present and tested
- Red: No detection
ATT&CK Navigator
The Navigator (https://mitre-attack.github.io/attack-navigator/) is an interactive visualization tool for ATT&CK that can also be hosted locally.
Create layers:
- Blue Layer: What do we detect? (SIEM rules)
- Red Layer: What has been tested? (Penetration test)
- Threat Layer: What does APT28 use?
Use Cases:
- Coverage Gap Analysis: “Red = no detection – Prioritization: Which red fields should be closed first?”
- Create Threat Profiles: “APT28 Layer” – What techniques does this group use? Focus detection on these techniques.
- Define Penetration Test Scope: “Test these 20 techniques – we want to measure coverage”
- Reporting: “We have X% ATT&CK coverage” – understandable for management
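The threat-intelligence workflow (Steps 1 to 4) and the Navigator use cases above come together in a layer file: a threat layer lists the group's techniques, a blue layer lists what the SIEM detects, and the difference is the gap list. The following is an added example, not the Navigator's own code: it builds a layer in the Navigator's JSON format (keys such as techniqueID, color, comment, score, enabled, domain, versions and legendItems) from constructed inputs, applies the page's green/red legend, and computes the coverage percentage for reporting. The threat profile, the rule names and the version strings are assumptions.

```python
import json

GREEN, RED = "#5cb85c", "#d9534f"    # legend colours used in the document: tested detection / no detection

# Constructed inputs (not from a real environment):
THREAT_PROFILE = {       # "Threat layer": techniques attributed to the group in the threat report
    "T1566.001": "spear-phishing attachment",
    "T1218.003": "signed binary proxy execution via certutil",
    "T1003.001": "LSASS memory dump",
    "T1558.003": "Kerberoasting",
    "T1021.002": "lateral movement over SMB admin shares",
}
DETECTIONS = {           # "Blue layer": SIEM rule -> (technique covered, validated in a purple-team test?)
    "ps_encoded_command": ("T1059.001", True),
    "lsass_access":       ("T1003.001", True),
    "kerberoast_rc4":     ("T1558.003", False),
}


def build_layer(name, threat_profile, detections,
                attack_version="14", layer_version="4.5", navigator_version="4.9"):
    """Return a Navigator layer dict: every technique in the threat profile, coloured green when a
    tested rule covers it and red otherwise. The version strings are assumptions; set them to
    match your Navigator instance."""
    tested = {tech: rule for rule, (tech, ok) in detections.items() if ok}
    untested = {tech: rule for rule, (tech, ok) in detections.items() if not ok}
    techniques = []
    for tid, note in sorted(threat_profile.items()):
        if tid in tested:
            colour, comment = GREEN, f"{note}; detected by rule '{tested[tid]}' (tested)"
        elif tid in untested:
            colour, comment = RED, f"{note}; rule '{untested[tid]}' exists but is untested"
        else:
            colour, comment = RED, f"{note}; NO DETECTION"
        techniques.append({"techniqueID": tid, "color": colour, "comment": comment,
                           "score": 1 if colour == GREEN else 0, "enabled": True})
    return {
        "name": name,
        "versions": {"attack": attack_version, "navigator": navigator_version, "layer": layer_version},
        "domain": "enterprise-attack",
        "description": "Detection coverage against the threat profile; red = gap to close",
        "techniques": techniques,
        "legendItems": [{"label": "Detection present and tested", "color": GREEN},
                        {"label": "No detection", "color": RED}],
    }


def coverage(layer):
    """(covered, total, percent): the management-level 'X% ATT&CK coverage' figure."""
    techs = layer["techniques"]
    green = sum(1 for t in techs if t["color"] == GREEN)
    pct = round(100.0 * green / len(techs), 1) if techs else 0.0
    return green, len(techs), pct


def detection_gaps(layer):
    """Technique IDs still red: the prioritisation list for new SIEM rules."""
    return [t["techniqueID"] for t in layer["techniques"] if t["color"] == RED]


def layer_json(layer):
    """Serialise the layer so it can be loaded into the Navigator as an existing layer."""
    return json.dumps(layer, indent=2)


if __name__ == "__main__":
    layer = build_layer("Threat profile coverage (constructed)", THREAT_PROFILE, DETECTIONS)
    print(layer_json(layer))
    print("coverage: %d/%d techniques (%.1f%%)" % coverage(layer))
    print("gaps:", detection_gaps(layer))
```

Note the design choice: a rule that exists but has never been exercised stays red, matching the page's legend ("detection present and tested"). That keeps the coverage number honest and makes the purple-team backlog visible directly in the layer comments.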
ATT&CK-based Threat Hunting
Hypothesis: “APT28 could attack our company (we are in the defense industry). Check whether T1558.003 (Kerberoasting) has occurred in our AD.”
Hunting query (Splunk SPL; a Sentinel/KQL version applies the same filters). Event ID 4769 is a Kerberos service ticket request; encryption type 0x17 is RC4-HMAC, which is suspicious because RC4 tickets are weaker and susceptible to offline cracking. Requests for krbtgt (TGT renewals) and for computer accounts (names ending in $) are excluded:
index=wineventlog EventCode=4769
  Ticket_Encryption_Type=0x17
  Service_Name!=krbtgt
  Service_Name!="*$"
| stats count by Account_Name, Service_Name, Client_Address
| where count > 10
Check for hits:
- Account: regular user or service account?
- Service: known SPN or unknown?
- IP: internal, known?
- Timeline: when did this happen? What happened before/after?
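The same hunt and the triage checklist as a runnable script over constructed Event ID 4769 records. This is an added example, not the page's query or any vendor's code: the field names follow the query above, the event data is made up, and the known-SPN list, service-account list and internal network ranges passed to the triage step are assumptions. It goes one step beyond the page's query by also counting the number of distinct SPNs each account requested with RC4, since a Kerberoasting run typically touches many different services rather than one service many times.

```python
import ipaddress
from collections import Counter

RC4_HMAC = 0x17      # Ticket_Encryption_Type value the hunting query filters on


def _ev(account, service, client, enc=RC4_HMAC):
    """Constructed Event ID 4769 record with the field names used in the query."""
    return {"EventCode": 4769, "Account_Name": account, "Service_Name": service,
            "Client_Address": client, "Ticket_Encryption_Type": enc}


# Constructed sample data (not real logs)
SAMPLE_4769 = (
    [_ev("alice", "MSSQLSvc/db01.corp.local:1433", "10.0.0.55")] * 12          # same SPN, 12 RC4 requests
    + [_ev("alice", f"HTTP/app{i}.corp.local", "10.0.0.55") for i in range(8)]  # 8 further SPNs, once each
    + [_ev("bob", "HTTP/web01.corp.local", "10.0.0.20", enc=0x12)] * 3        # AES256: filtered out
    + [_ev("alice", "krbtgt", "10.0.0.55")] * 2                                # TGT renewals: excluded
    + [_ev("WS01$", "FS01$", "10.0.0.77")] * 15                                # computer-account target: excluded
)


def rc4_service_requests(events):
    """The query's filter clauses: 4769, RC4, not krbtgt, not a computer account."""
    for ev in events:
        if ev["EventCode"] != 4769 or ev["Ticket_Encryption_Type"] != RC4_HMAC:
            continue
        svc = ev["Service_Name"]
        if svc == "krbtgt" or svc.endswith("$"):
            continue
        yield ev


def hunt_kerberoast(events, threshold=10):
    """stats count by Account_Name, Service_Name, Client_Address | where count > threshold.
    Returns sorted (account, service, client, count) tuples."""
    counts = Counter((ev["Account_Name"], ev["Service_Name"], ev["Client_Address"])
                     for ev in rc4_service_requests(events))
    return sorted((acct, svc, client, n) for (acct, svc, client), n in counts.items() if n > threshold)


def distinct_rc4_services(events):
    """Beyond the page's query: how many different SPNs each account requested with RC4."""
    seen = {}
    for ev in rc4_service_requests(events):
        seen.setdefault(ev["Account_Name"], set()).add(ev["Service_Name"])
    return {acct: len(spns) for acct, spns in seen.items()}


def triage(hit, known_spns, service_accounts, internal_nets):
    """The checklist from the text: account type, SPN known?, client IP internal?, request count.
    The timeline question is answered by pulling surrounding events, which needs the full log."""
    acct, svc, client, n = hit
    ip = ipaddress.ip_address(client)
    return {
        "account_type": "service" if acct in service_accounts else "user",
        "spn_known": svc in known_spns,
        "client_internal": any(ip in ipaddress.ip_network(net) for net in internal_nets),
        "requests": n,
    }


if __name__ == "__main__":
    # Assumed environment knowledge for triage (constructed)
    KNOWN_SPNS = {"MSSQLSvc/db01.corp.local:1433", "HTTP/web01.corp.local"}
    SERVICE_ACCOUNTS = {"svc_sql", "svc_web"}
    INTERNAL_NETS = ["10.0.0.0/8", "192.168.0.0/16"]
    for hit in hunt_kerberoast(SAMPLE_4769):
        print(hit, triage(hit, KNOWN_SPNS, SERVICE_ACCOUNTS, INTERNAL_NETS))
    print("distinct RC4 SPNs per account:", distinct_rc4_services(SAMPLE_4769))
```

A hit where a regular user account requested a known SPN repeatedly from an internal workstation is still worth a look: the hunt establishes whether the behavior occurred, and the triage fields decide whether it is a misconfigured application or a credential-access attempt that needs a timeline built around it.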
ATT&CK for various platforms
MITRE ATT&CK includes several matrices for different environments:
| Matrix | Platforms | Features |
|---|---|---|
| Enterprise | Windows, macOS, Linux | Main matrix, most comprehensive |
| Mobile | iOS, Android | T1516 Input Injection, T1412 Capture SMS Messages |
| ICS | OT/SCADA | T0886 Remote Services, T0817 Drive-by Compromise |
| Cloud | AWS, Azure, GCP, SaaS | T1552.005 Cloud Instance Metadata API |
| PRE-ATT&CK | Reconnaissance & Resource Development | T1595 Active Scanning, T1589 Gather Victim Identity Information |