MITRE ATT&CK is a knowledge base of adversary tactics and techniques built from real-world observations. It serves as a common language for describing adversary behaviour across threat intelligence, detection engineering and red teaming.
Key Concepts
- Tactics: The adversary's goal at a given stage (WHY)
- Techniques: How they achieve that goal (HOW)
- Sub-techniques: More specific variations of a technique (e.g. T1059.001 is the PowerShell sub-technique of T1059, Command and Scripting Interpreter)
- Procedures: Concrete real-world implementations of a technique, as observed in use by a specific adversary or tool
Tactics Overview
| Tactic | Adversary goal |
|---|---|
| Reconnaissance | Gathering information about the target |
| Initial Access | Getting in (phishing, exploits) |
| Execution | Running code on a victim system |
| Persistence | Maintaining access across restarts and credential changes |
| Privilege Escalation | Getting higher permissions |
| Defense Evasion | Avoiding detection |
| Credential Access | Stealing passwords and other credentials |
| Lateral Movement | Moving through the network to other systems |
| Collection | Gathering target data |
| Exfiltration | Stealing data out of the environment |
| Command & Control | Communicating with implanted malware |
Mapping to Detections
```spl
# T1059.001 - PowerShell
# Detection: encoded / base64-decoded commands in script block logs.
# EventCode 4104 carries the script block text itself, so the decoded
# content (e.g. FromBase64String) is visible here; the -EncodedCommand
# flag on the command line is better caught in process creation events.
index=windows EventCode=4104
| regex ScriptBlockText="(?i)encodedcommand|frombase64"
| eval technique="T1059.001"

# T1053.005 - Scheduled Task
# Detection: scheduled task creation (Security log, task creation auditing enabled)
index=windows EventCode=4698
| eval technique="T1053.005"
```
Using ATT&CK
- Map your detections to techniques
- Identify coverage gaps
- Prioritize based on threat intel
- Use ATT&CK Navigator for visualization
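The mapping and gap-analysis workflow above, as an added example that is not part of the original page: the two SPL searches are re-expressed as rules and run over constructed sample events, uncovered tactics from the table are listed, and a minimal ATT&CK Navigator layer is emitted. The rule structure, the sample events and the Navigator version numbers are assumptions for illustration.

```python
import json
import re

# Detection rules mirroring the two SPL searches above: an event ID plus an
# optional regex over ScriptBlockText, each tagged with its ATT&CK technique
# and the tactic it covers (tactic names taken from the table above).
RULES = [
    {"technique": "T1059.001", "tactic": "Execution", "event_code": 4104,
     "pattern": re.compile(r"(?i)encodedcommand|frombase64")},
    {"technique": "T1053.005", "tactic": "Persistence", "event_code": 4698,
     "pattern": None},
]

# Constructed sample events (not real log data), shaped like the fields
# Splunk extracts from the PowerShell Operational and Security logs.
SAMPLE_EVENTS = [
    {"EventCode": 4104, "ScriptBlockText":
        "[Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($b))"},
    {"EventCode": 4104, "ScriptBlockText": "Get-ChildItem C:\\Temp"},
    {"EventCode": 4698, "TaskName": "\\Updater"},
    {"EventCode": 4624, "LogonType": 3},
]

def tag_techniques(events, rules=RULES):
    """Apply each rule the way the SPL does; return [(technique, event)]."""
    hits = []
    for ev in events:
        for rule in rules:
            if ev.get("EventCode") != rule["event_code"]:
                continue
            text = ev.get("ScriptBlockText", "")
            if rule["pattern"] is not None and not rule["pattern"].search(text):
                continue
            hits.append((rule["technique"], ev))
    return hits

def coverage_gaps(tactics, rules=RULES):
    """Tactics from the table with no detection rule mapped to them."""
    covered = {r["tactic"] for r in rules}
    return [t for t in tactics if t not in covered]

def navigator_layer(rules=RULES, name="Detection coverage"):
    """Minimal ATT&CK Navigator layer: one scored entry per mapped technique.
    Field names follow the layer format; version strings are an assumption."""
    layer = {
        "name": name,
        "domain": "enterprise-attack",
        "versions": {"attack": "14", "navigator": "4.9", "layer": "4.5"},
        "techniques": [{"techniqueID": r["technique"], "score": 1,
                        "comment": f"EventCode {r['event_code']}"} for r in rules],
    }
    return json.dumps(layer, indent=2)
```

Load the returned JSON into ATT&CK Navigator to colour the mapped techniques; everything left uncoloured is a coverage gap to prioritise against your threat intel.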
December 2024