MITRE ATT&CK Notes

MITRE ATT&CK: Tactics & Techniques

Executive Summary

MITRE ATT&CK is a structured, globally used knowledge base of observed adversary behaviour. Tactics represent an attacker's goals (the "why" of a step), and Techniques represent how those goals are achieved (the "how"); each technique has a stable ID such as T1566 that defenders use to label detections, incidents, and coverage.

14 Tactics

  • Reconnaissance: Collecting information about the target before the attack.
  • Resource Development: Preparing malware, domains, and accounts.
  • Initial Access: Gaining the first foothold.
  • Execution: Running commands or code on a victim system.
  • Persistence: Staying in the system long-term (surviving reboots and credential changes).
  • Privilege Escalation: Becoming admin/root.
  • Defense Evasion: Avoiding detection.
  • Credential Access: Stealing passwords, hashes, or tokens.
  • Discovery: Exploring the internal environment.
  • Lateral Movement: Moving between systems.
  • Collection: Gathering data of interest.
  • Command and Control: Communicating with attacker-controlled infrastructure.
  • Exfiltration: Sending data out of the environment.
  • Impact: Causing damage (ransomware, DoS).

Common Techniques

Stage                 Technique  Description

Initial Access        T1566      Phishing
Initial Access        T1190      Exploit public-facing application
Initial Access        T1133      VPN/RDP login with stolen credentials

Execution             T1059      Command/script execution (PowerShell, Bash, CMD)

Persistence           T1547      Boot or logon autostart execution
Persistence           T1053      Scheduled task / cron

Privilege Escalation  T1068      Local privilege escalation exploit
Privilege Escalation  T1548      UAC/sudo bypass

Defense Evasion       T1027      Obfuscated or encoded scripts
Defense Evasion       T1562      Disable security tools (AV/EDR)

Credential Access     T1003      Credential dumping (LSASS)
Credential Access     T1110      Password spraying / brute force
Credential Access     T1555      Credentials stored in config files

Discovery             T1087      Enumerate domain users/groups
Discovery             T1018      Scan internal hosts

Lateral Movement      T1021      SMB/RDP/SSH movement

Exfiltration          T1041      Exfiltration over C2 channel
Exfiltration          T1048      Exfiltration using DNS/ICMP tunneling

Impact                T1486      Data encrypted for impact (ransomware)
Impact                T1499      Endpoint denial-of-service
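How the tactics list and the technique table are used together in practice: a detection pipeline tags each log event with the technique IDs it evidences, rolls those up to tactics, and compares the result against all 14 tactics to expose coverage gaps. The script below is an added example written for these notes, not MITRE's tooling or anything from the original page. The detection rules, the technique subset, and the log lines are constructed and hypothetical; the technique IDs and tactic names are the ones in the table above.

```python
import re
from collections import Counter

# The 14 Enterprise tactics from the list above, in matrix order.
TACTICS = [
    "Reconnaissance", "Resource Development", "Initial Access", "Execution",
    "Persistence", "Privilege Escalation", "Defense Evasion", "Credential Access",
    "Discovery", "Lateral Movement", "Collection", "Command and Control",
    "Exfiltration", "Impact",
]

# Subset of the technique table above: ID -> (tactic, short description).
TECHNIQUES = {
    "T1566": ("Initial Access", "Phishing"),
    "T1059": ("Execution", "Command/script execution"),
    "T1053": ("Persistence", "Scheduled task / cron"),
    "T1027": ("Defense Evasion", "Obfuscated or encoded scripts"),
    "T1003": ("Credential Access", "Credential dumping (LSASS)"),
    "T1087": ("Discovery", "Enumerate domain users/groups"),
    "T1021": ("Lateral Movement", "SMB/RDP/SSH movement"),
    "T1041": ("Exfiltration", "Exfiltration over C2 channel"),
}

# Constructed detection rules (hypothetical, not a vendor ruleset): a regex over
# one log line and the technique IDs a match is evidence of. One event can map
# to several techniques, e.g. encoded PowerShell is Execution and Defense Evasion.
RULES = [
    (re.compile(r"powershell(\.exe)?\s.*-enc(odedcommand)?\s", re.I), ["T1059", "T1027"]),
    (re.compile(r"\bschtasks(\.exe)?\s+/create\b", re.I), ["T1053"]),
    (re.compile(r"lsass\.exe.*GrantedAccess", re.I), ["T1003"]),
    (re.compile(r"\bnet(\.exe)?\s+(user|group)\s+.*/domain\b", re.I), ["T1087"]),
    (re.compile(r"\bpsexec", re.I), ["T1021"]),
]

# Constructed sample telemetry in a command-line / Sysmon-like style.
# The base64 blob is a dummy ("ABCD"), not a real payload.
SAMPLE_LOG = [
    "2024-05-01T10:01:02 host=WS01 user=alice cmd=powershell.exe -nop -w hidden -enc QUJDRA==",
    "2024-05-01T10:03:15 host=WS01 user=alice cmd=schtasks.exe /create /tn Updater /tr C:\\Users\\alice\\u.exe /sc onlogon",
    "2024-05-01T10:05:40 host=WS01 EventID=10 SourceImage=C:\\tmp\\x.exe TargetImage=C:\\Windows\\System32\\lsass.exe GrantedAccess=0x1010",
    "2024-05-01T10:06:01 host=WS01 user=alice cmd=net.exe group \"Domain Admins\" /domain",
    "2024-05-01T10:20:00 host=SRV02 user=alice cmd=notepad.exe report.txt",
]


def tag_event(line):
    """Return the sorted technique IDs whose rules match this one log line."""
    hits = set()
    for pattern, ids in RULES:
        if pattern.search(line):
            hits.update(ids)
    return sorted(hits)


def tag_events(lines):
    """Annotate every line with its (technique, tactic) pairs; unmatched lines get []."""
    return [(line, [(t, TECHNIQUES[t][0]) for t in tag_event(line)]) for line in lines]


def tactic_counts(lines):
    """Events attributed to each of the 14 tactics (0 where nothing fired)."""
    counts = Counter(tactic for _, tags in tag_events(lines) for _, tactic in tags)
    return {tactic: counts[tactic] for tactic in TACTICS}


def covered_tactics():
    """Tactics for which at least one detection rule exists, regardless of events seen."""
    return {TECHNIQUES[t][0] for _, ids in RULES for t in ids}


def uncovered_tactics():
    """Tactics in the matrix that no rule here can detect: the coverage gap to close."""
    covered = covered_tactics()
    return [t for t in TACTICS if t not in covered]


if __name__ == "__main__":
    for line, tags in tag_events(SAMPLE_LOG):
        print(tags or "-", line[:72])
    print("events per tactic:", tactic_counts(SAMPLE_LOG))
    print("tactics with no rule:", uncovered_tactics())
```

Two numbers matter when reading the output: tactic_counts says what actually fired on this telemetry (Lateral Movement is 0 here although a rule exists), while uncovered_tactics says where no rule exists at all, which is the list to work from when planning new detections.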