Adversarial Tactics, Techniques & Common Knowledge

Revision as of 20:09, 5 April 2017 by AttackAdmin (Talk | contribs)

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search

April 2017: What's New

The April 2017 update contains several new techniques, new reports and content changes: See Past Updates for previous changes.


ATT&CK Tactic Categories

Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK™) is a model and framework for describing the actions an adversary may take while operating within an enterprise network. The model can be used to better characterize and describe post-compromise adversary behavior. It both expands the knowledge of network defenders and assists in prioritizing network defense by detailing the post-compromise (post-exploit and successful access) tactics, techniques, and procedures (TTPs) advanced persistent threats (APT) use to execute their objectives while operating inside a network.

ATT&CK incorporates information on cyber adversaries gathered through MITRE research, as well as from other disciplines such as penetration testing and red teaming to establish a collection of knowledge characterizing the post-compromise activities of adversaries. While there is significant research on initial exploitation and use of perimeter defenses, there is a gap in central knowledge of adversary process after initial access has been gained. ATT&CK focuses on TTPs adversaries use to make decisions, expand access, and execute their objectives. It aims to describe an adversary's steps at a high enough level to be applied widely across platforms, but still maintain enough details to be technically useful.

The ten tactic categories for ATT&CK were derived from the later stages (control, maintain, and execute) of a seven-stage Cyber Attack Lifecycle[1] (first articulated by Lockheed Martin as the Cyber Kill Chain®[2]). This provides a deeper level of granularity in describing what can occur during an intrusion after an adversary has acquired access.

Each category contains a list of techniques that an adversary could use to perform that tactic. Techniques are broken down to provide a technical description, indicators, useful defensive sensor data, detection analytics, and potential mitigations. Applying intrusion data to the model then helps focus defense on the commonly used techniques across groups of activity and helps identify gaps in security. Defenders and decision makers can use the information in ATT&CK for various purposes, not just as a checklist of specific adversarial techniques.

ATT&CK is largely focused on Microsoft Windows enterprise networks for individual technique details. The framework and higher level categories may also be applied to other platforms and environments. To view the contents of ATT&CK, use the left navigation pane, which breaks out techniques by tactic category or view All Techniques.

ATT&CK Matrix

The MITRE ATT&CK Matrix™ is an overview of the tactics and techniques described in the ATT&CK model. It visually aligns individual techniques under the tactics in which they can be applied. Some techniques span more than one tactic because they can be used for different purposes.

Persistence Accessibility FeaturesAppInit DLLsAuthentication PackageBasic Input/Output SystemBootkitChange Default File AssociationComponent FirmwareComponent Object Model HijackingDLL Search Order HijackingExternal Remote ServicesFile System Permissions WeaknessHypervisorLegitimate CredentialsLocal Port MonitorLogon ScriptsModify Existing ServiceNetsh Helper DLLNew ServicePath InterceptionRedundant AccessRegistry Run Keys / Start FolderScheduled TaskSecurity Support ProviderService Registry Permissions WeaknessShortcut ModificationWeb ShellWindows Management Instrumentation Event SubscriptionWinlogon Helper DLL
Privilege Escalation Accessibility FeaturesAppInit DLLsBypass User Account ControlDLL InjectionDLL Search Order HijackingExploitation of VulnerabilityFile System Permissions WeaknessLegitimate CredentialsLocal Port MonitorNew ServicePath InterceptionScheduled TaskService Registry Permissions WeaknessWeb Shell
Defense Evasion Binary PaddingBypass User Account ControlCode SigningComponent FirmwareComponent Object Model HijackingDLL InjectionDLL Search Order HijackingDLL Side-LoadingDisabling Security ToolsExploitation of VulnerabilityFile DeletionFile System Logical OffsetsIndicator BlockingIndicator Removal from ToolsIndicator Removal on HostInstall Root CertificateInstallUtilLegitimate CredentialsMSBuildMasqueradingModify RegistryNTFS Extended AttributesNetwork Share Connection RemovalObfuscated Files or InformationProcess HollowingRedundant AccessRegsvcs/RegasmRegsvr32RootkitRundll32ScriptingSoftware PackingTimestomp
Credential Access Brute ForceCredential DumpingCredential ManipulationCredentials in FilesExploitation of VulnerabilityInput CaptureNetwork SniffingTwo-Factor Authentication Interception
Discovery Account DiscoveryApplication Window DiscoveryFile and Directory DiscoveryLocal Network Configuration DiscoveryLocal Network Connections DiscoveryNetwork Service ScanningPeripheral Device DiscoveryPermission Groups DiscoveryProcess DiscoveryQuery RegistryRemote System DiscoverySecurity Software DiscoverySystem Information DiscoverySystem Owner/User DiscoverySystem Service DiscoverySystem Time Discovery
Lateral Movement Application Deployment SoftwareExploitation of VulnerabilityLogon ScriptsPass the HashPass the TicketRemote Desktop ProtocolRemote File CopyRemote ServicesReplication Through Removable MediaShared WebrootTaint Shared ContentThird-party SoftwareWindows Admin SharesWindows Remote Management
Execution Command-Line InterfaceExecution through APIExecution through Module LoadGraphical User InterfaceInstallUtilMSBuildPowerShellProcess HollowingRegsvcs/RegasmRegsvr32Rundll32Scheduled TaskScriptingService ExecutionThird-party SoftwareWindows Management InstrumentationWindows Remote Management
Collection Audio CaptureAutomated CollectionClipboard DataData StagedData from Local SystemData from Network Shared DriveData from Removable MediaEmail CollectionInput CaptureScreen CaptureVideo Capture
Exfiltration Automated ExfiltrationData CompressedData EncryptedData Transfer Size LimitsExfiltration Over Alternative ProtocolExfiltration Over Command and Control ChannelExfiltration Over Other Network MediumExfiltration Over Physical MediumScheduled Transfer
Command and Control Commonly Used PortCommunication Through Removable MediaConnection ProxyCustom Command and Control ProtocolCustom Cryptographic ProtocolData EncodingData ObfuscationFallback ChannelsMulti-Stage ChannelsMultiband CommunicationMultilayer EncryptionRemote File CopyStandard Application Layer ProtocolStandard Cryptographic ProtocolStandard Non-Application Layer ProtocolUncommonly Used PortWeb Service


ATT&CK is a constantly growing common reference for post-compromise techniques that brings greater awareness of what actions may be seen during a network intrusion. It enables a comprehensive evaluation of computer network defense (CND) technologies, processes, and policies against a common enterprise threat model. We do not claim that it is a comprehensive list of techniques, only an approximation of what is publicly known; therefore, it is also an invitation for the community to contribute additional details and information to continue developing the body of knowledge. Contributions could include new techniques, categories of actions, clarifying information, examples, other platforms or environments, methods of detection or mitigation, and data sources. See the Contribute page for instructions on how to get involved.

The result will help focus community efforts on areas that are not well understood or covered by current defensive technologies and best practices. Developers of current defensive tools and policies can identify where their value and strengths are in relation to the ATT&CK framework. Likewise, cyber security research can use ATT&CK as a grounded reference point to drive future investigation.

ATT&CK Use Cases

  • Prioritize development and/or acquisition efforts for CND capabilities
  • Conduct analyses of alternatives between CND capabilities
  • Determine “coverage” of a set of CND capabilities
  • Describe an intrusion chain of events based on the technique used from start to finish with a common reference
  • Identify commonalities between adversary tradecraft, as well as distinguishing characteristics
  • Connect mitigations, weaknesses, and adversaries


An API is available to query for information within ATT&CK. See Using the API for more details.

Cyber Analytics Repository

The Cyber Analytics Repository (CAR) is a knowledge base of analytics created to detect use of techniques based on the ATT&CK model. The analytics in CAR describe the idea behind the analytic, its relation to the ATT&CK model, pseudocode description of how the analytic might be implemented, and how the analytic fits within the CAR Data Model.

Related Efforts

MITRE is well known for its work in leading communities in the standardization of threat and vulnerability information. While ATT&CK is not as of yet an independent formal information standardization effort within the existing portfolio, we are working closely with related efforts to define how ATT&CK fits in that landscape. See the Related Efforts page to see how ATT&CK relates to other relevant information standardization efforts.


  1. "Threat-based Defense - Understanding an attacker’s tactics and techniques is key to successful cyber defense" by The MITRE Corporation
  2. "Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains" by Lockheed Martin: Hutchens, et al.