Analysing ATT&CK Tactics and Techniques
Overview
This document provides best practices and resources for use when mapping ATT&CK tactics and techniques to threat detections, threat models, security risks or cyber threat intelligence.
Contains information on v18.1 (latest) version of Mitre ATT&CK
Available Resources
Resources folder contains LLM optimised and token-efficient content. Read whole file for broad context or grep or glob for specfic keywords or IDs. Use index files for quick reference keyword searches.
Tactics are abreviated: REC=Reconnaissance, RD=Resource Development, IA=Initial Access, EX=Execution, PE=Persistence, PRV=Privilege Escalation, DE=Defense Evasion, CA=Credential Access, DIS=Discovery, LM=Lateral Movement, COL=Collection, C2=Command and Control, EXF=Exfiltration, IMP=Impact
Searching Examples
By keyword (recommended for discovery): grep -i "cron|bash|/proc/|cryptocurrency" resources/attack_keywords.idx
By technique ID (for validation): grep "T1053" resources/attack_techniques.md
By tactic abbreviation (find all persistance techniques): grep "PE" resources/attack_techniques.md
Resource Files
ATT&CK Technique Keyword Index: Index file for quick keyword searching to identify suitable ATT&CK IDs for further research. Sorted alphabetically and fomatted as keyword:technique_ids (comma seperated when multiple). See -> resources/attack_keywords.idx
ATT&CK Technique List: Markdown table containing ATT&CK ID, name, keywords, description and platforms. Sorted by ID. Use when researching techniques, valdiating IDs, searching for up-to-date descriptions or filtering by platform. See -> resources/attack_techniques.md
ATT&CK Version Changelog: Reference for v15->v18.1 changes including deprecated techniques, renamed platforms, and the v18 detection model overhaul. Use when analysing older reports or understanding structural changes. See -> resources/attack_version_changelog.md
Best Practice
Use your judgment alongside these guidelines to generate high-quality ATT&CK analysis.
-
Do not assume your knowledge is 100% complete or up to date. Use the resources provided
-
Carefully read any supplied information, perform deep analysis line by line if needed
-
Search broadly for keywords, you may need to iterate multiple times to find every correct technique
-
Think about the specific procedure being performed and consider the attacker (or defender) intent before determining appropriate tactic, technique or sub-technique
-
Some techniques are part of multiple tactics (for ex. T1078 Valid Accounts) and may appear different for each tactic
-
Other techniques are similar but distinct depending on tactic (for ex. T1213.003 and T1593.003 are both Code Respositories)
-
Map to the most specific sub-technique when possible
When Analysing CTI Reports
-
IMPORTANT: Read the whole report fully, including tables of IOCs, appendixes or linked STIX files
-
Screenshots contain valuable intelligence, ensure they are processed
-
Break down the report into granular procedures when mapping to techniques
-
Think about attacker objectives. What did they take that action? What did they hope to achieve?
-
Avoid infering techniques that are not contained in the report
-
Once initial analysis is complete, perform a second analysis to valdiate your findings and idenitify any missed techniques
When Analysing Detections
-
Detection logic may detect multiple techniques, map all that are applicable
-
Analyse detection log sources and fields, these can help determine distinct tactics or techniques
-
Consider the intent (hypothesis) of the detection, what was the engineers objective?
Commonly Missed Techniques
Command-Line Indicators
-windowstyle hidden |-w hidden -> T1564.003 Hidden Window -encodedcommand |-enc |base64 -> T1027.010 Command Obfuscation -noprofile |-ep bypass -> T1059.001 PowerShell
Encoding
Encoded payload delivered -> T1027.013 Encrypted/Encoded File Decoded at runtime -> T1140 Deobfuscate/Decode
RDP-Related
RDP connection|.rdp file -> T1021.001 Remote Desktop Protocol Clipboard redirect -> T1115 Clipboard Data Drive mapping|attached drives -> T1039 Data from Network Shared Drive Auth redirect|intercept -> T1557 Adversary-in-the-Middle
Infrastructure
DDNS|dynamic DNS|No-IP|FreeDNS -> T1568.002 Domain Generation + T1583.006 Web Services Typosquat|lookalike domain -> T1583.001 Domains Compromised server -> T1584.004 Server
Network
SSH tunnel|port forward -> T1572 Protocol Tunneling Downloaded|fetched payload -> T1105 Ingress Tool Transfer Over port 80/443 -> T1071.001 Web Protocols
Social Engineering
Masqueraded|posed as|impersonated -> T1656 Impersonation Spoofed|mimicked|fake page -> T1036.005 Match Legitimate Name Credential harvest|fake login -> T1598.003 Spearphishing Link (Recon)
Technique Pairs
T1566 Spearphishing -> check T1204 User Execution T1027 Obfuscation -> check T1140 Deobfuscation T1053 Scheduled Task -> check T1059 Interpreter T1021.001 RDP -> check T1115, T1039, T1557 T1059.001 PowerShell -> check T1564.003 Hidden Window
Red Flag Phrases
"downloads and executes" -> T1105 + T1059 "persistence via task" -> T1053 + T1059 "C2 over HTTPS" -> T1071.001 + T1573.002 "compromised infrastructure" -> T1584.004 "redirects traffic" -> T1572 or T1090 "harvests credentials via fake page" -> T1598.003 (Recon tactic)