MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge)
MITRE ATT&CK is a globally accessible, free knowledge base of adversary behavior built from real-world observations of intrusions. Developed by the MITRE Corporation, it acts as a standardized vocabulary that defenders, red teams and threat-intelligence analysts use to describe how adversaries operate, map detections to the behaviors they cover, identify gaps, and prioritize defenses.
Matrices
In MITRE ATT&CK, a Matrix is a structured view of attacker behavior organized by tactics and techniques.
The matrix is arranged as a grid:
- Each column = a tactic (the attacker's goal at that stage of an attack)
- Each cell in a column = a technique (a method used to achieve that goal), with sub-techniques nested under it
MITRE maintains multiple matrices because attackers behave differently across environments:
1. Enterprise Matrix
The most commonly used one.
Covers attacks against:
- Windows (including Active Directory)
- Linux
- macOS
- cloud services (IaaS, SaaS, identity providers, office suites)
- containers
- network devices
2. Mobile Matrix
For attacks against Android and iOS devices.
3. ICS Matrix
ICS = Industrial Control Systems.
Focuses on attacks against industrial environments such as PLCs, HMIs and other operational technology.
Important Terms
Tactic
A Tactic is the attacker's objective at a specific stage of an attack: the "why" behind a technique. The Enterprise matrix has 14 tactics, listed roughly in the order an intrusion progresses, although a real attack rarely visits every tactic or follows this sequence strictly.
| # | Tactic | Purpose | What the Attacker Is Trying To Do |
|---|---|---|---|
| 1 | Reconnaissance | Gather information | Learn about the target before attacking |
| 2 | Resource Development | Prepare attack infrastructure | Build resources needed for the attack |
| 3 | Initial Access | Enter the target environment | Gain first access into the victim system/network |
| 4 | Execution | Run malicious code | Execute malware or attacker commands |
| 5 | Persistence | Maintain access | Keep access across reboots, logouts, credential changes and other interruptions |
| 6 | Privilege Escalation | Gain higher privileges | Become admin/SYSTEM/root |
| 7 | Defense Evasion | Avoid detection | Bypass or disable security tools |
| 8 | Credential Access | Steal credentials | Obtain usernames, passwords, hashes, tokens |
| 9 | Discovery | Learn the environment | Enumerate systems, users, services, shares |
| 10 | Lateral Movement | Move to other systems | Spread through the network |
| 11 | Collection | Gather target data | Collect files or sensitive information |
| 12 | Command and Control (C2) | Communicate with attacker | Maintain remote communication channel |
| 13 | Exfiltration | Steal data out | Transfer stolen data outside the network |
| 14 | Impact | Damage or disrupt systems | Destroy, encrypt, manipulate, or interrupt |
Technique
How the attacker achieves the tactic. A Technique is the specific method or action an attacker uses to achieve a tactic.
If the tactic answers:
"What is the attacker trying to achieve?"
then the technique answers:
"How is the attacker doing it?"
Each tactic contains multiple techniques, identified by IDs such as:
T1053
T = technique, 1053 = the unique number assigned to this technique in ATT&CK (the number is just an identifier; it does not encode the tactic or any ordering).
Technique Example:
Tactic = Persistence. Goal: stay on the system after reboot. Technique:
T1053 Scheduled Task/Job
Method: create a scheduled task or cron job that automatically runs the attacker's payload.
Note that one technique can serve more than one tactic. T1053 also appears under Execution (the task runs code) and Privilege Escalation (tasks often run as SYSTEM or root), so the same technique ID shows up in three columns of the Enterprise matrix.
Sub-technique
A Sub-technique is a more specific version of a technique.
Sub-techniques use this format:
T1059.001
T1059 = the parent technique, .001 = the specific sub-technique under that parent.
PowerShell Example
Technique:
T1059 - Command and Scripting Interpreter
This is broad and covers abuse of interpreters such as:
- PowerShell
- Windows Command Shell (cmd.exe)
- Unix shells (sh, bash, zsh)
- Python
- AppleScript
Sub-technique:
T1059.001
Name:
PowerShell
When writing detections or mapping incident findings, tag the most specific level you can justify (T1059.001 rather than T1059), since a sub-technique can always be rolled up to its parent but not the other way round.
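The two ID formats above (T1053 and T1059.001) and the point that a technique can sit under several tactics are easy to get wrong when tagging detection rules. The following is an added example, not code from the original page or from MITRE: it parses ATT&CK technique IDs, rolls sub-techniques up to their parent, and counts how many distinct techniques a set of Sigma-style rule tags covers per tactic. The `TECHNIQUES` table is a constructed three-entry subset of the Enterprise matrix, and the tag list is constructed sample input; a real tool would load the full knowledge base from MITRE's published STIX data instead.

```python
import re
from collections import defaultdict

# ATT&CK technique IDs: "T" + four digits, optionally ".NNN" for a sub-technique.
TECHNIQUE_ID = re.compile(r"^T(\d{4})(?:\.(\d{3}))?$")

# Constructed subset of the Enterprise matrix for this example (not the full knowledge base).
# Each entry lists every tactic the technique serves: T1053 is one technique that appears
# under Execution, Persistence and Privilege Escalation.
TECHNIQUES = {
    "T1053": ("Scheduled Task/Job", ["Execution", "Persistence", "Privilege Escalation"]),
    "T1059": ("Command and Scripting Interpreter", ["Execution"]),
    "T1059.001": ("PowerShell", ["Execution"]),
}


def parse_technique_id(value):
    """Split an ATT&CK ID into (parent_id, sub_technique_id or None); reject malformed input."""
    match = TECHNIQUE_ID.match(value.strip().upper())
    if not match:
        raise ValueError(f"not an ATT&CK technique ID: {value!r}")
    parent = f"T{match.group(1)}"
    sub = f"{parent}.{match.group(2)}" if match.group(2) else None
    return parent, sub


def parent_of(value):
    """Roll a sub-technique up to its parent; a parent technique maps to itself."""
    parent, _ = parse_technique_id(value)
    return parent


def tactics_for(value):
    """Tactics for a technique or sub-technique. In this example dataset a sub-technique
    that has no entry of its own falls back to its parent's tactics."""
    parent, sub = parse_technique_id(value)
    key = sub if sub in TECHNIQUES else parent
    if key not in TECHNIQUES:
        raise KeyError(f"{value} is not in the example dataset")
    return TECHNIQUES[key][1]


def coverage_by_tactic(rule_tags):
    """Count distinct parent techniques per tactic from Sigma-style tags such as
    'attack.t1059.001'. Tactic tags such as 'attack.execution' are ignored, because
    coverage is about which behaviors are detected, not which goals were labelled."""
    seen = defaultdict(set)
    for tag in rule_tags:
        if not tag.lower().startswith("attack.t"):
            continue
        parent = parent_of(tag.split(".", 1)[1])
        for tactic in tactics_for(parent):
            seen[tactic].add(parent)
    return {tactic: len(ids) for tactic, ids in sorted(seen.items())}


# Constructed sample: tags as they would appear on a handful of detection rules.
SAMPLE_TAGS = ["attack.execution", "attack.t1059.001", "attack.t1053", "attack.persistence"]

if __name__ == "__main__":
    print(parse_technique_id("T1059.001"))   # ('T1059', 'T1059.001')
    print(coverage_by_tactic(SAMPLE_TAGS))   # {'Execution': 2, 'Persistence': 1, 'Privilege Escalation': 1}
```

Counting by parent technique is deliberate: a rule for T1059.001 and another for T1059.003 both count once toward T1059, which avoids overstating coverage of a broad technique because several of its sub-techniques were tagged. Note also that T1053 contributes to three tactics from a single rule, which is the multi-tactic behavior the Scheduled Task/Job example above describes.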