Introduction to MITRE ATT&CK: Structure, Tactics, Techniques, and Sub-Techniques

Objective: Understand what the MITRE ATT&CK knowledge base is, how it is structured — domains, matrices, tactics, techniques, sub-techniques, and procedures — and how defenders, threat hunters, and authorized red teamers use it as a shared operational language for threat-informed defense and adversary emulation.

1. What Is MITRE ATT&CK and Why It Matters

MITRE ATT&CK is a living, open-source knowledge base that documents real-world adversary tactics, techniques, and procedures (TTPs). It was created by the MITRE Corporation and first released in 2013. ATT&CK focuses on how attackers behave — the actions they take inside an environment — rather than on the indicators of compromise (IOCs) they leave behind.

This distinction matters. IOCs (hashes, IPs, domains) are brittle and disposable; an adversary rotates them cheaply. Behaviors — injecting code, dumping credentials, abusing valid accounts — are expensive to change. ATT&CK catalogs the durable behaviors, grounded in empirical evidence from intrusions observed across industries and geographies.

ATT&CK builds on the Lockheed Martin Cyber Kill Chain (Hutchins, Cloppert & Amin, 2011). The Matrix columns are ordered roughly along the chronological flow of an intrusion, but ATT&CK goes deeper, enumerating concrete mechanisms under each phase rather than naming abstract stages.

2. The Three Domains: Enterprise, Mobile, and ICS

ATT&CK is partitioned into three domains, each with its own matrices.

Domain	Scope
Enterprise ATT&CK	Windows, Linux, macOS, and cloud platforms (Azure AD, Office 365, IaaS, SaaS)
Mobile ATT&CK	Threats targeting mobile devices and operating systems
ICS ATT&CK	Industrial control systems and operational technology

This site focuses on Enterprise ATT&CK because it covers the Windows, Linux, and cloud surfaces most relevant to blue teams, DFIR, and authorized red teaming.

3. Tactics, Techniques, Sub-Techniques, and Procedures

The ATT&CK data model is a four-level hierarchy. Each level answers a different question.

Component	Question	ID Format	Meaning
Tactic	Why	`TA####`	The adversary’s tactical goal — the reason for an action
Technique	How	`T####`	How the adversary achieves a tactical goal
Sub-technique	How (specific)	`T####.###`	A lower-level, more specific behavior
Procedure	What exactly	(described in text)	Real-world implementation by a named group, tool, or malware

Tactics represent the “why.” Techniques represent the “how.” Sub-techniques describe a narrower variation. For example, the technique Account Manipulation (T1098) encompasses sub-techniques such as Additional Email Delegate Permissions (T1098.002) and Exchange Email Delegate Permissions (T1098.003), each detailing a distinct method.

Procedures are the real-world implementations — specific tools, malware families, or hands-on-keyboard methods observed in active campaigns. This is what makes ATT&CK actionable: you can study the actual tradecraft, not just the abstraction.

Hierarchical diagram showing the four-level ATT&CK data model: Tactic at the top, branching down through Technique and Sub-Technique to Procedure, with T1098 Account Manipulation as a concrete example — The ATT&CK data model flows from abstract tactical goals down to specific real-world procedures, each level answering a progressively narrower question about adversary behavior.

4. Walking the Enterprise Matrix: The 14 Tactics

The Matrix column headings are the tactics, presented in roughly chronological order. The cells under each column are the techniques that achieve that tactical objective. The baseline below reflects ATT&CK v16.1 (14 tactics, 203 techniques, 453 sub-techniques). For reference, v18 lists 14 tactics, 216 techniques, 475 sub-techniques, 44 mitigations, and over 1,700 analytics. Always pin counts to a version.

#	Tactic	Tactic ID
1	Reconnaissance	`TA0043`
2	Resource Development	`TA0042`
3	Initial Access	`TA0001`
4	Execution	`TA0002`
5	Persistence	`TA0003`
6	Privilege Escalation	`TA0004`
7	Defense Evasion	`TA0005`
8	Credential Access	`TA0006`
9	Discovery	`TA0007`
10	Lateral Movement	`TA0008`
11	Collection	`TA0009`
12	Command and Control	`TA0011`
13	Exfiltration	`TA0010`
14	Impact	`TA0040`

v19 note (April 2026): ATT&CK v19 introduced a major structural change — the Defense Evasion tactic (TA0005) was split into two new tactics, Stealth and Defense Impairment. TA0005 is deprecated in the current release. Retrieve the exact new tactic IDs and transition guidance from attack.mitre.org/resources/updates/ before mapping against v19.

5. Anatomy of a Technique Page

Every technique page is a structured record. Take T1059.001 — PowerShell (a sub-technique of T1059 Command and Scripting Interpreter, under Execution).

Field	Example Value for `T1059.001`
ID	`T1059.001` (parent `T1059`)
Tactic(s)	Execution (`TA0002`)
Platforms	Windows
Permissions Required	User / Administrator (context-dependent)
Data Sources	`Command`, `Process`, `Module`, `Script`
Mitigations	Linked `M####` objects
Procedure Examples	Named Groups and Campaigns observed using PowerShell

A technique can belong to multiple tactics. The Detection section lists data source / data component pairs, free-text analytic notes, and — since v14 — structured pseudocode analytics from the MITRE Cyber Analytics Repository (CAR). These data-source fields tell you exactly which telemetry to collect.

6. Related Objects: Groups, Software, Campaigns, and Mitigations

ATT&CK is more than a list of behaviors. A graph of related objects ties techniques to threat intelligence.

Object	Prefix	Description
Groups	`G####`	Named threat actors (APTs, crimeware crews) mapped to techniques they use
Software	`S####`	Tools, malware, and utilities used by adversaries
Campaigns	`C####`	Intrusion activity over a time window with common targets; may or may not be attributed
Mitigations	`M####`	Recommended defensive controls mapped to techniques
Data Sources / Components	—	Observable artifacts and telemetry that detect a technique

This turns the Matrix into an operational tool: not just “T1056.001 exists,” but which group uses it, with what software, in which campaign, and which mitigations apply. The Group pages are the entry point for threat-actor-centric research and emulation planning.

Graph diagram showing how ATT&CK related objects — Groups, Campaigns, Software, and Mitigations — interconnect around central Technique nodes, forming an operational threat intelligence web — ATT&CK’s related objects transform isolated technique IDs into an intelligence graph, linking threat actors, their tooling, active campaigns, and applicable defensive controls.

7. Programmatic Access via STIX and the ATT&CK Python Library

ATT&CK is published as STIX 2.1 — the structured threat intelligence format from the OASIS CTI Technical Committee. In STIX, an intrusion-set object (Group) links to attack-pattern objects (techniques/sub-techniques), malware and tool objects (software), and campaign objects. MITRE distributes the bundles on GitHub.

The canonical library is mitreattack-python (github.com/mitre-attack/mitreattack-python). Load a bundle and query the data model directly.

from mitreattack.stix2 import MitreAttackData

mitre = MitreAttackData("enterprise-attack.json")

# List every technique under the Persistence tactic (TA0003)
for t in mitre.get_techniques_by_tactic("persistence", "enterprise-attack"):
    print(mitre.get_attack_id(t.id), t.name)

Fetch a single technique by its ATT&CK ID and inspect the schema fields:

tech = mitre.get_object_by_attack_id("T1059.001", "attack-pattern")
print(tech.name)                 # PowerShell
print(tech.x_mitre_platforms)    # ['Windows']
for phase in tech.kill_chain_phases:
    print(phase.phase_name)      # execution

Walk the relationship graph to list every Group observed using a technique:

for g in mitre.get_groups_using_technique(tech.id):
    grp = g["object"]
    print(mitre.get_attack_id(grp.id), grp.name, grp.aliases)

The raw attack-pattern object behind that technique looks like this (trimmed and annotated):

{
  "type": "attack-pattern",
  "id": "attack-pattern--970a3432-3237-47ad-bcca-7d8cbb217736",
  "name": "PowerShell",
  "x_mitre_platforms": ["Windows"],
  "x_mitre_is_subtechnique": true,
  "kill_chain_phases": [
    { "kill_chain_name": "mitre-attack", "phase_name": "execution" }
  ],
  "external_references": [
    {
      "source_name": "mitre-attack",
      "external_id": "T1059.001",
      "url": "https://attack.mitre.org/techniques/T1059/001"
    }
  ]
}

To stay current across releases, diff two STIX bundles to surface added or modified techniques:

# Illustrative: compare two domain bundles and emit a change report
from mitreattack.diffStix.changelog_helper import get_new_changelog_md

get_new_changelog_md(
    old="enterprise-attack-16.1.json",
    new="enterprise-attack-18.0.json",
    domains=["enterprise-attack"],
    markdown_file="attack-v16-to-v18-changes.md",
)

8. The ATT&CK Navigator and Coverage Layers

The ATT&CK Navigator renders the Matrix as an interactive heat map. You assign scores and colors to techniques to build layers — coverage maps for detection engineering, gap analysis, and emulation scoping. Layers are JSON and version-controllable.

{
  "name": "Detection Coverage - Execution & Persistence",
  "versions": { "attack": "16", "navigator": "5.1.0", "layer": "4.5" },
  "domain": "enterprise-attack",
  "techniques": [
    { "techniqueID": "T1059.001", "score": 100, "color": "#31a354",
      "comment": "Sysmon EID 1 + Script Block Logging" },
    { "techniqueID": "T1547.001", "score": 50, "color": "#fee08b",
      "comment": "Partial registry telemetry" },
    { "techniqueID": "T1055", "score": 0, "color": "#de2d26",
      "comment": "No process-injection detection" }
  ]
}

Overlay an adversary’s known techniques (red) against your detection coverage (green) and the white space is your gap list.

9. Applying ATT&CK in Defense and Authorized Emulation

As a defender, map every SIEM alert and detection rule to a technique ID. Build Navigator layers to measure coverage, then prioritize engineering against the techniques most relevant to your threat model — threat-informed defense instead of blanket coverage.

As an authorized red teamer / adversary emulator, pull a Group page (e.g., a relevant APT), extract its technique set, and build a TTP-driven emulation plan. This is fundamentally different from vulnerability-based scoping: you exercise the behaviors the defense must catch. Tools like MITRE CALDERA and Atomic Red Team chain ATT&CK-mapped tests so blue and red teams speak the same IDs.

Flow diagram illustrating the threat-informed defense workflow: from ATT&CK Group pages through TTP extraction to parallel red-team emulation planning and blue-team detection engineering, converging on a Navigator coverage layer — Both red and blue teams start from the same ATT&CK Group profile, ensuring emulation exercises and detection rules address the same adversary behaviors and share a common technique-ID language.

10. Common Attacker Techniques

The framework catalogs thousands of behaviors. A handful illustrate the model’s range and the important fact that one technique can serve multiple tactics.

Technique	Description
`T1059.001` — PowerShell	Execute commands and scripts via the PowerShell interpreter
`T1566` — Phishing	Gain initial access through malicious messages
`T1078` — Valid Accounts	Abuse legitimate credentials across persistence, privesc, and evasion
`T1055` — Process Injection	Run code in another process’s address space to evade defenses
`T1003.001` — LSASS Memory	Dump credentials from `lsass.exe`
`T1547.001` — Registry Run Keys	Persist via autostart registry locations

T1078 (Valid Accounts) is the teaching case: it appears under four tactics — Initial Access, Persistence, Privilege Escalation, and Defense Evasion — because the same behavior serves different adversary goals depending on context.

11. Defensive Strategies & Detection

Because ATT&CK is structural, the goal here is wiring it into your detection workflow. Each technique page lists Data Sources (e.g., Process, Command, Windows Registry, Network Traffic) and Data Components (e.g., Process Creation, Network Connection Creation). These map directly to telemetry you must collect.

On Windows, Sysmon supplies much of that telemetry.

Sysmon Event ID	Description	Relevant To
`1`	Process Create	Execution (`TA0002`), Discovery (`TA0007`)
`3`	Network Connection	C2 (`TA0011`), Lateral Movement (`TA0008`)
`7`	Image Loaded (DLL)	Defense Evasion, Persistence
`8`	CreateRemoteThread	Process Injection (`T1055.*`)
`10`	ProcessAccess	Credential Access (`T1003.001`)
`11`	FileCreate	Persistence, staging
`12`/`13`/`14`	Registry Create/Modify	Registry persistence (`T1547.001`)
`22`	DNS Query	C2 (`T1071.004`)

Sigma is the vendor-neutral detection format that carries ATT&CK IDs in its tags block, letting every rule trace back to a technique and tactic.

title: PowerShell EncodedCommand Execution
logsource:
  product: windows
  service: sysmon
detection:
  selection:
    EventID: 1
    Image|endswith: '\powershell.exe'
    CommandLine|contains:
      - '-enc'
      - '-EncodedCommand'
  condition: selection
tags:
  - attack.execution        # tactic name (lowercase)
  - attack.t1059.001        # sub-technique ID (lowercase)
level: medium

Mitigations use M#### IDs (verify against attack.mitre.org/mitigations/enterprise/ before citing in production):

Mitigation	Description
`M1038`	Execution Prevention (application control)
`M1042`	Disable or Remove Feature or Program
`M1049`	Antivirus / Anti-malware
`M1026`	Privileged Account Management

12. Tools for ATT&CK Analysis

Tool	Description	Link
ATT&CK Navigator	Heat-map and coverage layers	`mitre-attack.github.io/attack-navigator`
`mitreattack-python`	Canonical STIX query library	`github.com/mitre-attack`
ATT&CK Workbench	Self-hosted ATT&CK extension/editing	`attack.mitre.org`
MITRE CALDERA	Automated adversary emulation	`caldera.mitre.org`
Atomic Red Team	Small, ATT&CK-mapped tests	`atomicredteam.io`
Sysmon	Windows telemetry for detection	`learn.microsoft.com`
Sigma	Vendor-neutral detection rules	`sigmahq.io`

13. MITRE ATT&CK Mapping

Every other tutorial on this site closes with a mapping table. Read it as technique → tactic → context. This is the worked example.

Technique ID	Name	Tactic(s)	Notes
`T1059`	Command and Scripting Interpreter	Execution (`TA0002`)	Parent technique; multiple sub-techniques
`T1059.001`	PowerShell	Execution (`TA0002`)	Sub-technique used throughout this tutorial
`T1566`	Phishing	Initial Access (`TA0001`)	Pre-execution delivery technique
`T1078`	Valid Accounts	Initial Access (`TA0001`), Persistence (`TA0003`), Privilege Escalation (`TA0004`), Defense Evasion (`TA0005`)	One technique, four tactics
`T1055`	Process Injection	Privilege Escalation (`TA0004`), Defense Evasion (`TA0005`)	Parent with many sub-techniques

14. Summary

MITRE ATT&CK is a behavior-based, empirically grounded knowledge base of adversary TTPs — not an IOC feed.
The data model is a hierarchy: tactics (why, TA####) → techniques (how, T####) → sub-techniques (T####.###) → procedures (real-world instances).
Related objects — Groups (G####), Software (S####), Campaigns (C####), Mitigations (M####) — turn the Matrix into an operational, intelligence-led tool.
Pin counts and structure to a specific version; v19 (April 2026) split Defense Evasion (TA0005) into Stealth and Defense Impairment — confirm the new IDs at attack.mitre.org/resources/updates/.
Operationalize ATT&CK by mapping data sources to Sysmon telemetry, tagging Sigma rules with technique IDs, and tracking coverage in Navigator layers for both detection engineering and authorized emulation.

Archive