Mapping CTI Reports to ATT&CK TTPs: A Step-by-Step Methodology

By Debraj Basak·Jun 19, 2026 · Updated Jun 20, 2026·11 min readAdversary Emulation

Objective: Learn to parse a real-world cyber threat intelligence (CTI) report and systematically translate its narrative behaviors into precise MITRE ATT&CK tactics, techniques, and sub-techniques — producing an accurate, reusable TTP layer that drives detection engineering, threat hunting, and adversary emulation planning.

Contents

1 1. Why TTP Mapping Matters More Than IOCs
2 2. ATT&CK Architecture: Tactics, Techniques, Sub-techniques, and Procedures
- 2.1 The 14 Enterprise Tactics
3 3. Sourcing and Preparing a CTI Report for Analysis
4 4. The Four-Step Mapping Methodology
5 5. Disambiguation: Choosing the Right Technique When Multiple Apply
6 6. The Analyst Mapping Worksheet
7 7. Tooling: ATT&CK Navigator, Decider, and the STIX/TAXII API
8 8. From TTP Map to Adversary Profile
9 9. Quality Assurance: Peer Review and Common Mapping Errors
10 10. Common Attacker Techniques in CTI Reports
11 11. Defensive Strategies & Detection
- 11.1 Sysmon Events Tied to Mapped Behaviors
12 12. Tools for CTI Mapping Analysis
13 13. MITRE ATT&CK Mapping Reference
14 Summary
15 Related Tutorials
16 References
- 16.1 Keep going in Adversary Emulation
- 16.2 Get new drops in your inbox

1. Why TTP Mapping Matters More Than IOCs

Traditional Indicators of Compromise (IOCs) — hashes, IP addresses, domains — are brittle. An adversary rotates infrastructure and recompiles payloads cheaply, so a hash-based detection expires the moment the campaign moves. Tactics, Techniques, and Procedures (TTPs) describe behavior, which is far costlier for an adversary to change. Re-tooling how you dump LSASS or beacon over HTTPS is expensive; swapping a C2 IP is trivial.

MITRE ATT&CK encodes this behavioral layer into a shared vocabulary. When you map a CTI report to ATT&CK, you convert prose (“the actor ran an encoded PowerShell loader”) into a stable, machine-referenceable identifier (T1059.001) that every tool, team, and report understands. That identifier outlives the campaign and feeds detection, hunting, and emulation directly.

2. ATT&CK Architecture: Tactics, Techniques, Sub-techniques, and Procedures

ATT&CK is a knowledge base of adversary behavior built on three structural levels.

Level	Description
Tactic	The adversary’s why — the tactical goal (e.g., `TA0001` Initial Access, `TA0002` Execution).
Technique	The how — a specific behavior used to achieve a tactical goal; one step in a string of activity completing the mission.
Sub-technique	A more granular description of a technique. `T1003` OS Credential Dumping has sub-techniques such as `T1003.001` LSASS Memory.

A procedure is the real-world, in-the-wild instance of a technique — the exact way a named group performed it. Procedures appear on each technique page as cited examples.

The 14 Enterprise Tactics

Tactic ID	Name
`TA0043`	Reconnaissance
`TA0042`	Resource Development
`TA0001`	Initial Access
`TA0002`	Execution
`TA0003`	Persistence
`TA0004`	Privilege Escalation
`TA0005`	Defense Evasion
`TA0006`	Credential Access
`TA0007`	Discovery
`TA0008`	Lateral Movement
`TA0009`	Collection
`TA0011`	Command and Control
`TA0010`	Exfiltration
`TA0040`	Impact

Technique IDs follow the T#### convention; sub-techniques append .### (e.g., T1021, T1059.003). These identifiers standardize communication across detection engineering, intelligence reporting, and red team planning. ATT&CK is versioned — IDs can be deprecated or renumbered across major releases — so always verify against the live matrix at attack.mitre.org.

Hierarchy diagram showing ATT&CK structural levels: Tactic at top, descending through Technique, Sub-technique, and Procedure — ATT&CK’s four structural levels — from the adversary’s strategic goal down to a specific, cited real-world behavior.

3. Sourcing and Preparing a CTI Report for Analysis

CTI arrives at three altitudes. Strategic intelligence describes who and why at a board level. Operational intelligence describes campaign-level capability and intent. Tactical intelligence — vendor incident reports, CISA advisories, ISAC bulletins, OSINT write-ups — describes the granular actions you can actually map.

A report is mappable when it describes what the adversary did, not just what it was. Strip attribution bias: the goal is behavior, not a flag. Before mapping, read the full report once end-to-end, then segment the narrative into discrete adversary actions. Each action is a candidate for one or more ATT&CK techniques.

4. The Four-Step Mapping Methodology

CISA’s Best Practices for MITRE ATT&CK Mapping defines a canonical four-step loop. Run it once per behavior.

Identify the behavior — extract what the adversary did from the narrative, quoting the source verbatim.
Research the behavior — understand the technical action being described; resolve vendor jargon to a concrete mechanism.
Translate the behavior into a tactic — identify the adversary’s goal (the why).
Identify the technique and sub-technique — match the how against the matrix.

Worked example. Take the narrative: “The actor delivered a spearphishing attachment, then executed an obfuscated PowerShell loader and accessed LSASS memory with a renamed procdump binary.”

Behavior	Tactic	Technique
Spearphishing attachment	`TA0001` Initial Access	`T1566.001`
Obfuscated PowerShell loader	`TA0002` Execution + `TA0005` Defense Evasion	`T1059.001`, `T1027`
LSASS access via procdump	`TA0006` Credential Access	`T1003.001`

Automation helps the first pass. The script below surfaces candidate tactics from raw text — a triage aid, never a final answer.

# First-pass triage only — surfaces CANDIDATE tactics for manual review.
TACTIC_KEYWORDS = {
    "TA0001": ["phishing", "spearphishing", "supply chain", "exploited public"],
    "TA0002": ["powershell", "executed", "ran script", "command interpreter"],
    "TA0005": ["obfuscated", "base64", "encoded", "disabled logging"],
    "TA0006": ["lsass", "credential", "dumped", "mimikatz"],
    "TA0011": ["beacon", "c2", "https post", "command and control"],
}

def candidate_tactics(report_text: str):
    text = report_text.lower()
    return {ta: [w for w in words if w in text]
            for ta, words in TACTIC_KEYWORDS.items()
            if any(w in text for w in words)}

excerpt = ("The actor used a spearphishing attachment, then ran an "
           "obfuscated PowerShell loader and dumped LSASS memory.")
for ta, words in candidate_tactics(excerpt).items():
    print(ta, "->", words)

If a sub-technique is not easily identifiable — and there may not be one in every case — review the procedure examples on the technique page. They link the source CTI reports behind the original mapping and may affirm your choice or suggest an alternative. There is always a possibility a behavior is a new technique not yet covered in ATT&CK.

Flow diagram of the four-step CTI-to-ATT&CK mapping loop: Identify, Research, Translate to Tactic, Match Technique, feeding into a worksheet and looping to the next behavior — The CISA-recommended mapping loop runs once per discrete adversary behavior, producing an auditable worksheet entry each cycle.

5. Disambiguation: Choosing the Right Technique When Multiple Apply

Ambiguity is the hard part. One behavior frequently maps to several tactics. T1078 Valid Accounts spans Initial Access (TA0001), Persistence (TA0003), Privilege Escalation (TA0004), and Defense Evasion (TA0005) — the correct tactic depends on what the account was used for in that step, not the account itself.

Rules of thumb:

Map to the tactic that matches the adversary’s goal at that moment, not every goal the technique can serve.
Prefer the technique level when the report lacks the detail to justify a sub-technique. Forcing T1003.001 when the report only says “stole credentials” is over-mapping.
Use the procedure examples to calibrate. If your behavior reads nothing like the cited procedures, re-investigate.
T1218 System Binary Proxy Execution and T1027 Obfuscated Files or Information often co-occur with execution techniques — record them as distinct Defense Evasion entries rather than collapsing them.

6. The Analyst Mapping Worksheet

The core analyst deliverable is a worksheet that preserves the audit trail from quote to ID. Confidence and rationale columns make the mapping reviewable.

Raw Behavior Quote	Tactic	Technique	Sub-technique	Confidence	Rationale
“delivered a spearphishing attachment”	`TA0001`	`T1566`	`T1566.001`	H	Explicit attachment delivery
“ran an obfuscated PowerShell loader”	`TA0002`	`T1059`	`T1059.001`	H	Interpreter named explicitly
“loader was Base64-encoded”	`TA0005`	`T1027`	—	M	Obfuscation implied, method unstated
“accessed LSASS with renamed procdump”	`TA0006`	`T1003`	`T1003.001`	H	Target process named
“injected into svchost.exe”	`TA0005`	`T1055`	`T1055.001`	M	Injection cited; DLL method inferred
“beaconed over HTTPS”	`TA0011`	`T1071`	`T1071.001`	H	Web protocol C2 explicit

This worksheet becomes the source of truth that all downstream artifacts — Navigator layers, Sigma rules, emulation plans — derive from.

7. Tooling: ATT&CK Navigator, Decider, and the STIX/TAXII API

ATT&CK Navigator is MITRE’s web tool for visually annotating the matrix. You represent a mapped TTP set as a versioned layer JSON — a portable, diff-able artifact you commit to version control.

{
  "name": "APT-Sample CTI Mapping",
  "versions": { "attack": "16", "navigator": "5.1.0", "layer": "4.5" },
  "domain": "enterprise-attack",
  "description": "TTPs extracted from CTI report; scored by confidence.",
  "techniques": [
    { "techniqueID": "T1566.001", "score": 100, "color": "#e60d0d",
      "comment": "Spearphishing attachment delivered loader (High)" },
    { "techniqueID": "T1059.001", "score": 100, "color": "#e60d0d",
      "comment": "Obfuscated PowerShell stager (High)" },
    { "techniqueID": "T1003.001", "score": 75, "color": "#e68a0d",
      "comment": "LSASS access via renamed procdump (Medium)" }
  ]
}

CISA Decider eases disambiguation by asking a series of guided questions about adversary activity, walking you to the correct tactic, technique, or sub-technique — invaluable when an analyst is uncertain.

For programmatic work, query the public read-only TAXII 2.1 endpoint (https://attack-taxii.mitre.org/, Enterprise collection x-mitre-collection--1f5f1533-f617-4ca8-9ab4-6a02367fa019). The ATT&CK dataset is STIX 2.1 JSON: techniques are attack-pattern objects, groups are intrusion-set, software is malware / tool. Pull techniques attributed to a group to cross-check your mapping against MITRE’s own group profile.

from mitreattack.stix20 import MitreAttackData

# Load the Enterprise STIX 2.1 bundle (download once from attack-stix-data)
attack = MitreAttackData("enterprise-attack.json")

# Resolve a threat group alias to its intrusion-set object
group = attack.get_groups_by_alias("APT29")[0]

# Enumerate every technique attributed to the group
for t in attack.get_techniques_used_by_group(group["id"]):
    obj = t["object"]
    print(attack.get_attack_id(obj["id"]), "\t", obj["name"])

8. From TTP Map to Adversary Profile

Aggregate worksheets across an entire campaign to build an adversary profile. Correlate your mapped techniques against the relevant ATT&CK Groups page to validate consistency and surface techniques the actor is known to use but the report omitted. Score the aggregated layer by frequency or confidence to produce a TTP heat map, then prioritize against your priority intelligence requirements (PIRs). The heat map feeds directly into detection gap analysis.

import csv, json

# Load the mapped TTP layer and the internal detection inventory
layer = json.load(open("cti_layer.json"))
covered = set()
with open("detection_coverage.csv") as fh:            # cols: technique_id, rule_name
    for row in csv.DictReader(fh):
        covered.add(row["technique_id"])

print("TechniqueID\tCovered")
for t in layer["techniques"]:
    tid = t["techniqueID"]
    print(f"{tid}\t{tid in covered}")

Aggregated TTP worksheets flow into an adversary profile and heat map, directly feeding detection engineering, red team emulation, and coverage analysis.

9. Quality Assurance: Peer Review and Common Mapping Errors

A formal peer review of an annotated report shares perspectives, promotes learning, and improves accuracy. A second analyst routinely catches TTPs missed in the first pass and enforces mapping consistency across the team.

Watch for these recurring errors:

Over-mapping — assigning techniques the report does not support.
Under-mapping — missing key behaviors buried in the narrative.
Conflating technique with tactic — recording a goal where a behavior belongs.
Misidentifying sub-techniques — forcing .### granularity the source lacks.
Mapping to deprecated techniques — always validate against the current ATT&CK version.

10. Common Attacker Techniques in CTI Reports

These behaviors dominate tactical CTI and should be in every analyst’s recognition vocabulary.

Technique	Description
`T1566.001` Spearphishing Attachment	Malicious attachment delivers initial loader
`T1195` Supply Chain Compromise	Trusted software/update channel weaponized
`T1059.001` PowerShell	Scripted execution, often encoded
`T1569.002` Service Execution	Code run via a Windows service
`T1078` Valid Accounts	Legitimate credentials reused across tactics
`T1027` Obfuscated Files or Information	Encoding/packing to evade detection
`T1218` System Binary Proxy Execution	Signed LOLBins proxy malicious execution
`T1055.001` DLL Injection	Code injected into a remote process
`T1003.001` LSASS Memory	Credential material dumped from `lsass.exe`
`T1071.001` Web Protocols	HTTP/S used for command and control

11. Defensive Strategies & Detection

The output of mapping is a prioritized list of behaviors to detect. Each ATT&CK technique page lists Data Sources (e.g., DS0009 Process, DS0011 Module, DS0017 Command, DS0022 File, DS0028 Logon Session, DS0029 Network Traffic) and Mitigations (e.g., M1038 Execution Prevention, M1026 Privileged Account Management). Pull these per technique to convert the map into telemetry requirements and hardening tasks.

Sysmon Events Tied to Mapped Behaviors

Sysmon Event ID	Description	Example Technique
`Event ID 1`	Process Create	`T1059.001`, `T1218`
`Event ID 3`	Network Connection	`T1071.001`
`Event ID 7`	Image Loaded (DLL)	`T1055.001`
`Event ID 8`	CreateRemoteThread	`T1055`
`Event ID 10`	Process Access	`T1003.001`
`Event ID 11`	File Create	`T1027`
`Event ID 13`	Registry Value Set	`T1547.001`
`Event ID 22`	DNS Query	`T1071.001`

Enable the supporting Windows audit policies: Audit Process Creation (Event ID 4688 with command line), Audit Logon Events (4624/4625/4648 for T1078), Audit Object Access → SAM (4661 for T1003), and PowerShell Script Block Logging (4104 for T1059.001).

A Sigma rule operationalizes one mapped technique. Tags follow attack.t1003_001 (lowercase, underscore for the sub-technique separator) and attack.ta0006 for the tactic.

title: Cross-Process Access to LSASS Memory
logsource:
  product: windows
  service: sysmon
detection:
  selection:
    EventID: 10
    TargetImage|endswith: '\lsass.exe'
    GrantedAccess: '0x1410'
  condition: selection
tags:
  - attack.t1003_001
  - attack.ta0006
level: high

Feed the completed layer into DeTT&CT (Detect Tactics, Techniques & Combat Threats) to align mapped TTPs against your data source visibility and detection coverage — the natural follow-on to mapping. The same layer drives the red team emulation plan, ensuring offensive testing exercises the exact behaviors the CTI reported.

12. Tools for CTI Mapping Analysis

Tool	Description	Link
ATT&CK Navigator	Visual matrix annotation and layer export	`mitre-attack.github.io`
CISA Decider	Guided Q&A to reach the correct technique	`cisa.gov`
`mitreattack-python`	Programmatic STIX query of the ATT&CK dataset	`github.com`
ATT&CK TAXII 2.1	Public read-only API for STIX collections	`attack-taxii.mitre.org`
DeTT&CT	Maps data source visibility to detection coverage	`github.com`
Sigma	Vendor-agnostic detection rules with ATT&CK tags	`sigmahq.io`
Sysmon	Endpoint telemetry feeding mapped detections	`sysinternals.com`

13. MITRE ATT&CK Mapping Reference

Technique	MITRE ID	Detection
Spearphishing Attachment	`T1566.001`	Mail gateway logs, `Event ID 11` on attachment write
PowerShell	`T1059.001`	Script block logging `4104`, `Event ID 1`
Obfuscated Files or Information	`T1027`	`Event ID 1`/`11`, entropy/decoder heuristics
Valid Accounts	`T1078`	Logon auditing `4624`/`4648`, anomalous session
LSASS Memory	`T1003.001`	`Event ID 10` GrantedAccess to `lsass.exe`, `4661`
DLL Injection	`T1055.001`	`Event ID 7`/`8` remote thread + image load
System Binary Proxy Execution	`T1218`	`Event ID 1` LOLBin parent/child anomalies
Web Protocols (C2)	`T1071.001`	`Event ID 3`/`22`, JA3/TLS and DNS analytics
Supply Chain Compromise	`T1195`	Software integrity, unexpected update behavior

Summary

CTI-to-ATT&CK mapping converts perishable IOCs into durable, behavioral TTPs that survive across campaigns and standardize defensive communication.
ATT&CK is structured as tactics (the why), techniques (the how), and sub-techniques (granular methods), each with stable TA#### / T####.### identifiers.
The CISA four-step loop — identify, research, translate to tactic, identify technique — produces an auditable mapping worksheet that anchors every downstream artifact.
Navigator layers, CISA Decider, and the public TAXII 2.1 STIX endpoint operationalize and version-control the mapping; peer review guards against over-mapping, under-mapping, and tactic/technique confusion.
The finished TTP map drives detection engineering directly — pulling ATT&CK Data Sources, Sysmon Event IDs, audit policies, and Sigma rules per technique, and feeding DeTT&CT coverage analysis and emulation plans.

References

Post Views: 17

Get new drops in your inbox

Windows internals, exploit dev, and red-team write-ups — no spam, unsubscribe anytime.