MITRE ATT&CK#
Reference of the MITRE ATT&CK matrices: tactics, key techniques, and related frameworks the operator uses to map adversary behavior. ATT&CK is the standard taxonomy for TTPs across CTI, detection engineering, red teaming, and purple teaming.
For threat actors mapped to these techniques, see Hacker Groups. For OT-specific coverage, see ICS / SCADA / OT and ATT&CK for ICS. For the wider CTI data plane, see CTI Sources.
Matrices#
Matrix |
Notes |
|---|---|
Enterprise |
Windows / macOS / Linux / Cloud (AWS, Azure, GCP, Office 365, SaaS, IaaS, Google Workspace) / Network / Containers. |
Mobile |
Android + iOS. |
ICS |
Industrial control systems / OT. |
PRE |
Pre-attack / reconnaissance + resource development (folded into Enterprise as TA0042 / TA0043 since v8). |
Cloud |
Subset of Enterprise; AWS / Azure / GCP / Office 365 / SaaS / IaaS / Google Workspace. |
Enterprise tactics (TA####)#
Tactic ID + name |
Goal |
|---|---|
TA0043 Recon |
Gather info to plan operations. |
TA0042 Resource Dev |
Establish infrastructure / capabilities. |
TA0001 Initial Access |
Get a foothold. |
TA0002 Execution |
Run adversary-controlled code. |
TA0003 Persistence |
Maintain foothold across reboots / cred changes. |
TA0004 Privilege Esc |
Gain higher-level permissions. |
TA0005 Defense Evasion |
Avoid being detected. |
TA0006 Cred Access |
Steal credentials. |
TA0007 Discovery |
Learn the environment. |
TA0008 Lateral Movemt |
Move through the network. |
TA0009 Collection |
Gather data of interest. |
TA0011 Command & Ctrl |
Communicate with compromised systems. |
TA0010 Exfiltration |
Steal data. |
TA0040 Impact |
Manipulate, disrupt, destroy. |
Notable techniques (Enterprise)#
Technique ID |
Name |
Notes |
|---|---|---|
T1566 |
Phishing |
Spearphishing attachment / link / via service. |
T1078 |
Valid Accounts |
Default / domain / local / cloud accounts. |
T1190 |
Exploit Public-Facing App |
n/a |
T1133 |
External Remote Services |
VPN / RDP / Citrix / SSH. |
T1059 |
Cmd and Script Interpreter |
PowerShell, cmd, Bash, Python, JavaScript, etc. |
T1106 |
Native API |
n/a |
T1053 |
Scheduled Task/Job |
cron, systemd, schtasks, at. |
T1547 |
Boot/Logon Autostart Exec |
Run keys, services, login items. |
T1543 |
Create/Modify System Process |
Service / launchd / systemd. |
T1136 |
Create Account |
Domain / local / cloud. |
T1098 |
Account Manipulation |
n/a |
T1574 |
Hijack Execution Flow |
DLL hijacking, dylib injection, search order. |
T1055 |
Process Injection |
DLL, reflective, hollowing, doppelgänging. |
T1027 |
Obfuscated Files / Info |
packing, encoded scripts, steganography. |
T1070 |
Indicator Removal |
clear logs, timestomp, file deletion. |
T1564 |
Hide Artifacts |
hidden files, NTFS streams, etc. |
T1218 |
Signed Binary Proxy Execution |
LOLBins (rundll32, mshta, regsvr32, msbuild…). |
T1110 |
Brute Force |
password spray, credential stuffing. |
T1003 |
OS Credential Dumping |
LSASS dump, /etc/shadow, NTDS.dit, DCSync. |
T1555 |
Creds from Password Stores |
browsers, KeePass, etc. |
T1212 |
Exploitation for Cred Access |
n/a |
T1056 |
Input Capture |
keylogger, screenshots. |
T1018 |
Remote System Discovery |
n/a |
T1083 |
File / Directory Discovery |
n/a |
T1057 |
Process Discovery |
ps, tasklist. |
T1082 |
System Information Discovery |
n/a |
T1016 |
System Network Config Discovery |
ipconfig / ifconfig. |
T1135 |
Network Share Discovery |
n/a |
T1069 |
Permission Groups Discovery |
net group, dscl, etc. |
T1021 |
Remote Services |
SSH, RDP, SMB, WinRM, VNC. |
T1080 |
Taint Shared Content |
n/a |
T1567 |
Exfil Over Web Service |
cloud storage, code repos. |
T1041 |
Exfil Over C2 |
n/a |
T1071 |
Application Layer Protocol |
HTTP/S, DNS, mail, custom. |
T1090 |
Proxy |
internal / external / multi-hop / domain fronting. |
T1572 |
Protocol Tunneling |
SSH, DNS, ICMP. |
T1568 |
Dynamic Resolution |
DGA, DNS calculation, fast flux. |
T1486 |
Data Encrypted for Impact |
ransomware. |
T1490 |
Inhibit System Recovery |
delete shadow copies, vssadmin. |
T1485 |
Data Destruction |
wiper. |
T1561 |
Disk Wipe |
n/a |
T1499 / T1498 |
Endpoint / Network DoS |
n/a |
T1496 |
Resource Hijacking |
cryptominers. |
T1531 |
Account Access Removal |
ransomware lockouts. |
T1657 |
Financial Theft |
fraud. |
ATT&CK for ICS tactics#
Tactic ID + name |
Goal |
|---|---|
TA0108 Initial Access |
Engineering workstation, supplier, removable media, etc. |
TA0104 Execution |
User exec, native API, scripting, command-line. |
TA0110 Persistence |
Project file infection, hooking, modify program. |
TA0111 Privilege Esc |
Bypass authentication, exploit firmware. |
TA0103 Evasion |
Spoof reporting, masquerade, rootkit. |
TA0102 Discovery |
Network sniff, scan, asset enumeration. |
TA0109 Lateral Movemt |
Default creds, remote services, valid accounts. |
TA0100 Collection |
Auto collection, screen capture, monitor process state. |
TA0101 Command & Ctrl |
Standard application, custom protocol. |
TA0105 Inhibit Resp |
Block alarm, disable safety system, prevent control reset. |
TA0106 Impair Process |
Modify alarm settings, modify control logic, spoof reporting. |
TA0107 Impact |
Damage to property, denial of control, manipulation of view. |
ATT&CK for Mobile tactics#
TA0027 Initial Access, TA0041 Execution, TA0028 Persistence, TA0029 Privilege Escalation, TA0030 Defense Evasion, TA0031 Credential Access, TA0032 Discovery, TA0033 Lateral Movement, TA0035 Collection, TA0037 Command and Control, TA0036 Exfiltration, TA0034 Impact, TA0038 Network Effects, TA0039 Remote Service Effects.
Pyramid of Pain#
David Bianco’s hierarchy of indicators by attacker pain to change. From bottom (trivial to change) to top (very painful):
Hash values, one byte changes; trivial.
IP addresses, swap exit node / VPS; easy.
Domain names, register new; minor.
Network / host artifacts, requires re-tooling; annoying.
Tools, requires recompile or new tool; challenging.
TTPs, requires re-training the actor; tough.
ATT&CK techniques sit at the top of the pyramid.
Tooling#
Tool |
Notes |
|---|---|
ATT&CK Navigator |
Layered web UI for highlighting / comparing techniques. |
DeTT&CT |
Detection coverage scoring (data-source-aware). |
ATT&CK Workbench |
Local / private knowledge bases. |
CALDERA |
Adversary emulation platform. |
Atomic Red Team |
Red Canary; per-technique tests. |
Vectr |
Purple-team tracking platform. |
Threat Emulation Plat |
. Various commercial (AttackIQ, SafeBreach, XM Cyber, Picus, Cymulate). |
Sigma |
Generic detection rule format with ATT&CK tags. |
Splunk SOAR / Cortex |
SIEM/SOAR platforms with ATT&CK mappings. |
SCYTHE |
Adversary-behavior emulation. |
Operator notes#
Sub-techniques (introduced 2020), e.g. T1566.001 vs T1566.002. Always cite the most specific sub-technique available; many tools still reference parent IDs.
Procedure examples in each ATT&CK page link to public attribution + tooling, the real value when mapping a campaign.
Cloud + SaaS are first-class platforms now; T1078.004 (cloud accounts) and T1098.005 (device registration) are hot.
Detection coverage, count techniques covered by each detection rule, not the reverse; coverage is uneven.
Threat-informed defense, focus first on techniques used by actors targeting your sector (use ATT&CK + ATT&CK Workbench + groups page).
Naming caveats, the same actor gets different vendor names; ATT&CK consolidates under one Group ID (G####).