MITRE ATT&CK

Executive Summary

MITRE ATT&CK is a globally adopted knowledge base that documents real-world adversary behavior. It models cyber attacks using two core concepts: Tactics, which describe attacker goals, and Techniques, which describe how those goals are achieved.

Security teams use ATT&CK for threat modeling, detection engineering, incident response, and adversary emulation.

14 Tactics

• Reconnaissance: Collecting information prior to an attack.
• Resource Development: Preparing infrastructure, malware, and accounts.
• Initial Access: Gaining an initial foothold.
• Execution: Running malicious code or commands.
• Persistence: Maintaining long-term access.
• Privilege Escalation: Gaining higher-level permissions.
• Defense Evasion: Avoiding detection and security controls.
• Credential Access: Stealing passwords, hashes, or tokens.
• Discovery: Exploring the internal environment.
• Lateral Movement: Moving between systems.
• Collection: Gathering target data.
• Command and Control: Communicating with attacker infrastructure.
• Exfiltration: Transferring data out of the environment.
• Impact: Disrupting, encrypting, or destroying systems and data.

Common Techniques

• T1566 – Phishing: Social engineering to deliver malicious content.
• T1190 – Exploit Public-Facing Application: Leveraging exposed services.
• T1059 – Command and Scripting Interpreter: PowerShell, Bash, CMD execution.
• T1547 – Boot or Logon Autostart Execution: Registry, startup scripts.
• T1053 – Scheduled Task / Cron: Persistence via task scheduling.
• T1003 – Credential Dumping: Extracting credentials from memory (LSASS).
• T1087 – Account Discovery: Enumerating users and groups.
• T1021 – Remote Services: Lateral movement via SMB, RDP, SSH.
• T1041 – Exfiltration Over C2 Channel: Data theft via C2 traffic.
• T1486 – Data Encrypted for Impact: Ransomware activity.