MITRE ATT&CK
Globally-accessible knowledge base of adversary tactics, techniques, and procedures (TTPs) observed in real-world attacks, maintained by MITRE.
MITRE ATT&CK (Adversarial Tactics, Techniques & Common Knowledge) is the de-facto common language for describing attacker behavior. It’s not a list of vulnerabilities — it’s a structured taxonomy of what attackers actually do once they’re inside a network, derived from incident reports, threat intel, and red-team observation.
The three-level structure
Tactic — The adversary's goal at a stage
└── Technique — A method to achieve that goal
    └── Sub-technique — A specific variant
Example:
- Tactic: Defense Evasion (TA0005)
- Technique: Obfuscated Files or Information (T1027)
- Sub-technique: Compile After Delivery (T1027.004) — walked through in Accidental LOLBin: Controlling Media Keys with csc.exe.
The T-number is the canonical identifier you'll see everywhere in threat reporting: blog posts, vendor advisories, Sigma rules, MISP feeds, internal incident reports. The format is fixed: a technique is T plus four digits (T1027), a sub-technique adds a three-digit suffix (T1027.004), and a tactic uses the TA prefix (TA0005). Learning to read T-codes fluently is foundational.
The 14 Enterprise tactics (the kill chain in ATT&CK terms)
In rough chronological order of an attack:
- Reconnaissance (TA0043)
- Resource Development (TA0042)
- Initial Access (TA0001)
- Execution (TA0002)
- Persistence (TA0003)
- Privilege Escalation (TA0004)
- Defense Evasion (TA0005)
- Credential Access (TA0006)
- Discovery (TA0007)
- Lateral Movement (TA0008)
- Collection (TA0009)
- Command and Control (TA0011)
- Exfiltration (TA0010)
- Impact (TA0040)
Real attacks rarely traverse these in clean order — they loop, branch, and sometimes skip stages. ATT&CK’s value isn’t predicting the path, it’s giving a vocabulary to describe any path.
How ATT&CK is used in practice
- Detection engineering: Map each detection rule to the techniques it catches. Quantify your coverage gaps.
- Threat intel: Describe APT campaigns by the techniques they use, enabling apples-to-apples comparison.
- Purple teaming: Plan red-team exercises around specific techniques to test blue-team detection.
- Sigma & detection-as-code: Most Sigma rules reference one or more ATT&CK techniques in their tags field, using the convention attack.<tactic-name> for the tactic (e.g. attack.defense-evasion) and attack.t<id> for the technique (e.g. attack.t1027.004). That convention is what makes mapping rules to techniques, and therefore coverage measurement, mechanical.
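Worked example of the detection-engineering and Sigma points above, added here and not part of the original note or of the Sigma project: a Python script that pulls ATT&CK technique IDs out of the tags field of a few Sigma rules, then scores them against a priority list of techniques (the kind you distil from a threat report's ATT&CK mapping) to show per-tactic coverage gaps. The Sigma rules and the priority list are constructed for the example; the technique IDs, names and tactic pairings are the real ATT&CK ones. The coverage rule used (a sub-technique tag counts toward its parent technique, but a parent-only tag does not count as covering every sub-technique) is my convention, not something Sigma or ATT&CK specify.

```python
import re
from collections import defaultdict

# Constructed Sigma rules for this example (not rules from the SigmaHQ repo), trimmed
# to the fields used here. Tags follow Sigma's convention: "attack.<tactic-name>" and
# "attack.t<id>[.<sub>]".
SAMPLE_RULES = [
    """title: Compile After Delivery via csc.exe
detection:
    selection:
        Image|endswith: '\\csc.exe'
    condition: selection
tags:
    - attack.defense-evasion
    - attack.t1027.004
""",
    """title: LSASS Memory Dump via comsvcs.dll MiniDump
detection:
    selection:
        CommandLine|contains: 'MiniDump'
    condition: selection
tags:
    - attack.credential-access
    - attack.T1003.001
    - detection.threat-hunting
""",
    """title: Ingress Tool Transfer via certutil
detection:
    selection:
        CommandLine|contains: 'certutil'
    condition: selection
tags:
    - attack.command-and-control
    - attack.t1105
""",
]

# Constructed priority list (technique ID -> tactic it serves); IDs and tactics are real.
TARGETS = {
    "T1566.001": "Initial Access",       # Spearphishing Attachment
    "T1059.001": "Execution",            # PowerShell
    "T1547.001": "Persistence",          # Registry Run Keys / Startup Folder
    "T1027.004": "Defense Evasion",      # Compile After Delivery
    "T1003.001": "Credential Access",    # LSASS Memory
    "T1021.002": "Lateral Movement",     # SMB/Windows Admin Shares
    "T1105": "Command and Control",      # Ingress Tool Transfer
    "T1071.001": "Command and Control",  # Web Protocols
}

TAG_RE = re.compile(r"^attack\.t(\d{4})(?:\.(\d{3}))?$")
TCODE_RE = re.compile(r"^T(\d{4})(?:\.(\d{3}))?$")


def sigma_tags(rule_text):
    """Entries of the rule's top-level 'tags:' list (items must be indented).
    Line-based so the example needs no YAML library; use one in real tooling."""
    tags, in_tags = [], False
    for line in rule_text.splitlines():
        if line.strip() and not line[0].isspace():   # a new top-level key
            in_tags = line.strip() == "tags:"
        elif in_tags and line.strip().startswith("- "):
            tags.append(line.strip()[2:].strip())
    return tags


def techniques_from_tags(tags):
    """'attack.t1027.004' -> 'T1027.004'. Case-insensitive; tactic tags and
    non-ATT&CK tags are ignored."""
    ids = set()
    for tag in tags:
        m = TAG_RE.match(tag.lower())
        if m:
            tech, sub = m.groups()
            ids.add(f"T{tech}.{sub}" if sub else f"T{tech}")
    return ids


def parent_technique(tcode):
    """'T1027.004' -> 'T1027'; a technique ID is its own parent."""
    m = TCODE_RE.match(tcode)
    if not m:
        raise ValueError(f"not an ATT&CK technique ID: {tcode!r}")
    return f"T{m.group(1)}"


def coverage_report(rules, targets):
    """{tactic: {"covered": [...], "missing": [...]}} over the target techniques.
    A target is covered by a rule tagged with that exact ID or, for a parent
    technique, with one of its sub-techniques. A parent-only tag does not cover
    each sub-technique: it says nothing about which variant the rule sees."""
    detected = set()
    for rule in rules:
        detected |= techniques_from_tags(sigma_tags(rule))
    detected_parents = {parent_technique(t) for t in detected}
    report = defaultdict(lambda: {"covered": [], "missing": []})
    for tcode, tactic in sorted(targets.items()):
        hit = tcode in detected or ("." not in tcode and tcode in detected_parents)
        report[tactic]["covered" if hit else "missing"].append(tcode)
    return dict(report)


if __name__ == "__main__":
    report = coverage_report(SAMPLE_RULES, TARGETS)
    for tactic, r in sorted(report.items()):
        print(f"{tactic:<20} covered={r['covered']} missing={r['missing']}")
```

Run as a script, the report shows three of the eight priority techniques covered (Defense Evasion, Credential Access and half of Command and Control) and names the gaps per tactic, which is the "quantify your coverage gaps" step above in its simplest form. In a real pipeline you would load the rules with a YAML parser and emit the result as an ATT&CK Navigator layer rather than printing it.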
Common matrices
- Enterprise — Windows, macOS, Linux, cloud, network. The most-used matrix.
- Mobile — Android, iOS.
- ICS — Industrial Control Systems, SCADA, OT environments. Particularly relevant for Critical Infrastructure Protection.
Retrieval prompts
Test recall before peeking. Spaced repetition beats re-reading.
Distinguish tactic, technique, and sub-technique.
Tactic = the why (the adversary's goal at a stage of the attack — e.g., Defense Evasion). Technique = the how (a general method to achieve that goal — e.g., T1027 Obfuscated Files or Information). Sub-technique = a specific variant of a technique (e.g., T1027.004 Compile After Delivery).
Why does ATT&CK exist instead of just listing CVEs?
CVEs are vulnerabilities (specific bugs). ATT&CK describes behaviors that attackers actually exhibit — many of which work without any CVE (legitimate tools used illegitimately, social engineering, credential abuse). It models post-exploitation in a way CVE databases never can.
Name the three main ATT&CK matrices.
Enterprise, Mobile, and ICS (Industrial Control Systems).