MITRE ATT&CK#

Reference of the MITRE ATT&CK matrices: tactics, key techniques, and related frameworks the operator uses to map adversary behavior. ATT&CK is the standard taxonomy for TTPs across CTI, detection engineering, red teaming, and purple teaming.

For threat actors mapped to these techniques, see Hacker Groups. For OT-specific coverage, see ICS / SCADA / OT and ATT&CK for ICS. For the wider CTI data plane, see CTI Sources.

Matrices#

Matrix

Notes

Enterprise

Windows / macOS / Linux / Cloud (AWS, Azure, GCP, Office 365, SaaS, IaaS, Google Workspace) / Network / Containers.

Mobile

Android + iOS.

ICS

Industrial control systems / OT.

PRE

Pre-attack / reconnaissance + resource development (folded into Enterprise as TA0042 / TA0043 since v8).

Cloud

Subset of Enterprise; AWS / Azure / GCP / Office 365 / SaaS / IaaS / Google Workspace.

Enterprise tactics (TA####)#

Tactic ID + name

Goal

TA0043 Recon

Gather info to plan operations.

TA0042 Resource Dev

Establish infrastructure / capabilities.

TA0001 Initial Access

Get a foothold.

TA0002 Execution

Run adversary-controlled code.

TA0003 Persistence

Maintain foothold across reboots / cred changes.

TA0004 Privilege Esc

Gain higher-level permissions.

TA0005 Defense Evasion

Avoid being detected.

TA0006 Cred Access

Steal credentials.

TA0007 Discovery

Learn the environment.

TA0008 Lateral Movemt

Move through the network.

TA0009 Collection

Gather data of interest.

TA0011 Command & Ctrl

Communicate with compromised systems.

TA0010 Exfiltration

Steal data.

TA0040 Impact

Manipulate, disrupt, destroy.

Notable techniques (Enterprise)#

Technique ID

Name

Notes

T1566

Phishing

Spearphishing attachment / link / via service.

T1078

Valid Accounts

Default / domain / local / cloud accounts.

T1190

Exploit Public-Facing App

n/a

T1133

External Remote Services

VPN / RDP / Citrix / SSH.

T1059

Cmd and Script Interpreter

PowerShell, cmd, Bash, Python, JavaScript, etc.

T1106

Native API

n/a

T1053

Scheduled Task/Job

cron, systemd, schtasks, at.

T1547

Boot/Logon Autostart Exec

Run keys, services, login items.

T1543

Create/Modify System Process

Service / launchd / systemd.

T1136

Create Account

Domain / local / cloud.

T1098

Account Manipulation

n/a

T1574

Hijack Execution Flow

DLL hijacking, dylib injection, search order.

T1055

Process Injection

DLL, reflective, hollowing, doppelgänging.

T1027

Obfuscated Files / Info

packing, encoded scripts, steganography.

T1070

Indicator Removal

clear logs, timestomp, file deletion.

T1564

Hide Artifacts

hidden files, NTFS streams, etc.

T1218

Signed Binary Proxy Execution

LOLBins (rundll32, mshta, regsvr32, msbuild…).

T1110

Brute Force

password spray, credential stuffing.

T1003

OS Credential Dumping

LSASS dump, /etc/shadow, NTDS.dit, DCSync.

T1555

Creds from Password Stores

browsers, KeePass, etc.

T1212

Exploitation for Cred Access

n/a

T1056

Input Capture

keylogger, screenshots.

T1018

Remote System Discovery

n/a

T1083

File / Directory Discovery

n/a

T1057

Process Discovery

ps, tasklist.

T1082

System Information Discovery

n/a

T1016

System Network Config Discovery

ipconfig / ifconfig.

T1135

Network Share Discovery

n/a

T1069

Permission Groups Discovery

net group, dscl, etc.

T1021

Remote Services

SSH, RDP, SMB, WinRM, VNC.

T1080

Taint Shared Content

n/a

T1567

Exfil Over Web Service

cloud storage, code repos.

T1041

Exfil Over C2

n/a

T1071

Application Layer Protocol

HTTP/S, DNS, mail, custom.

T1090

Proxy

internal / external / multi-hop / domain fronting.

T1572

Protocol Tunneling

SSH, DNS, ICMP.

T1568

Dynamic Resolution

DGA, DNS calculation, fast flux.

T1486

Data Encrypted for Impact

ransomware.

T1490

Inhibit System Recovery

delete shadow copies, vssadmin.

T1485

Data Destruction

wiper.

T1561

Disk Wipe

n/a

T1499 / T1498

Endpoint / Network DoS

n/a

T1496

Resource Hijacking

cryptominers.

T1531

Account Access Removal

ransomware lockouts.

T1657

Financial Theft

fraud.

ATT&CK for ICS tactics#

Tactic ID + name

Goal

TA0108 Initial Access

Engineering workstation, supplier, removable media, etc.

TA0104 Execution

User exec, native API, scripting, command-line.

TA0110 Persistence

Project file infection, hooking, modify program.

TA0111 Privilege Esc

Bypass authentication, exploit firmware.

TA0103 Evasion

Spoof reporting, masquerade, rootkit.

TA0102 Discovery

Network sniff, scan, asset enumeration.

TA0109 Lateral Movemt

Default creds, remote services, valid accounts.

TA0100 Collection

Auto collection, screen capture, monitor process state.

TA0101 Command & Ctrl

Standard application, custom protocol.

TA0105 Inhibit Resp

Block alarm, disable safety system, prevent control reset.

TA0106 Impair Process

Modify alarm settings, modify control logic, spoof reporting.

TA0107 Impact

Damage to property, denial of control, manipulation of view.

ATT&CK for Mobile tactics#

  • TA0027 Initial Access, TA0041 Execution, TA0028 Persistence, TA0029 Privilege Escalation, TA0030 Defense Evasion, TA0031 Credential Access, TA0032 Discovery, TA0033 Lateral Movement, TA0035 Collection, TA0037 Command and Control, TA0036 Exfiltration, TA0034 Impact, TA0038 Network Effects, TA0039 Remote Service Effects.

Pyramid of Pain#

David Bianco’s hierarchy of indicators by attacker pain to change. From bottom (trivial to change) to top (very painful):

  • Hash values, one byte changes; trivial.

  • IP addresses, swap exit node / VPS; easy.

  • Domain names, register new; minor.

  • Network / host artifacts, requires re-tooling; annoying.

  • Tools, requires recompile or new tool; challenging.

  • TTPs, requires re-training the actor; tough.

ATT&CK techniques sit at the top of the pyramid.

Tooling#

Tool

Notes

ATT&CK Navigator

Layered web UI for highlighting / comparing techniques.

DeTT&CT

Detection coverage scoring (data-source-aware).

ATT&CK Workbench

Local / private knowledge bases.

CALDERA

Adversary emulation platform.

Atomic Red Team

Red Canary; per-technique tests.

Vectr

Purple-team tracking platform.

Threat Emulation Plat

. Various commercial (AttackIQ, SafeBreach, XM Cyber, Picus, Cymulate).

Sigma

Generic detection rule format with ATT&CK tags.

Splunk SOAR / Cortex

SIEM/SOAR platforms with ATT&CK mappings.

SCYTHE

Adversary-behavior emulation.

Operator notes#

  • Sub-techniques (introduced 2020), e.g. T1566.001 vs T1566.002. Always cite the most specific sub-technique available; many tools still reference parent IDs.

  • Procedure examples in each ATT&CK page link to public attribution + tooling, the real value when mapping a campaign.

  • Cloud + SaaS are first-class platforms now; T1078.004 (cloud accounts) and T1098.005 (device registration) are hot.

  • Detection coverage, count techniques covered by each detection rule, not the reverse; coverage is uneven.

  • Threat-informed defense, focus first on techniques used by actors targeting your sector (use ATT&CK + ATT&CK Workbench + groups page).

  • Naming caveats, the same actor gets different vendor names; ATT&CK consolidates under one Group ID (G####).

References#