ATT&CK
The MITRE ATT&CK (Adversarial Tactics, Techniques, & Common Knowledge) framework is a globally accessible, curated knowledge base that models the tactics, techniques, and procedures (TTPs) of cyber adversaries based on real-world observations, serving as a foundational resource for developing threat-informed defenses in cybersecurity.[1] Developed by the MITRE Corporation, a U.S.-based non-profit organization sponsored by the federal government, ATT&CK originated in 2013 as part of an internal research project known as the Fort Meade Experiment (FMX) to analyze post-compromise adversary behaviors on Windows enterprise networks using endpoint detection telemetry.[2] The framework's initial public release occurred in May 2015 with the ATT&CK for Enterprise matrix, which included 9 tactics and 96 techniques, marking a shift toward open-source collaboration in threat modeling.[3] Since its inception, ATT&CK has expanded significantly to address diverse environments, now encompassing two primary matrices: ATT&CK for Enterprise, which covers Windows, macOS, Linux, cloud platforms (including IaaS, SaaS, and identity providers), network devices, and containers; and ATT&CK for Mobile, focused on Android and iOS ecosystems.[2] In 2020, MITRE introduced ATT&CK for Industrial Control Systems (ICS) to model threats against operational technology, further broadening its applicability to critical infrastructure sectors.[4] The framework structures adversary behaviors hierarchically: tactics represent high-level objectives (e.g., Initial Access, Execution, Persistence), techniques describe methods to achieve those objectives (e.g., Phishing for Initial Access), sub-techniques provide granular variations, and procedures detail specific real-world implementations by threat actors.[2] ATT&CK is maintained through bi-annual releases, incorporating contributions from a global community of cybersecurity experts, public threat reports, and MITRE's own research, with the most recent version, v18.1, released on October 28, 2025, adding new techniques, detections, and coverage for emerging threats like those targeting Kubernetes and CI/CD pipelines.[5] Freely available at no cost, the framework supports tools such as the ATT&CK Navigator for visualization and evaluation programs that assess security products against known TTPs, fostering standardized threat intelligence sharing across government, private industry, and vendor communities.[1]
Overview
Definition and Purpose
MITRE ATT&CK, an acronym for Adversarial Tactics, Techniques, and Common Knowledge, is a globally accessible knowledge base of cyber adversary tactics and techniques derived from real-world observations. Developed by the MITRE Corporation, it serves as a curated repository that models how adversaries operate across various platforms, emphasizing observable behaviors over specific indicators like malware signatures or tools. This approach enables cybersecurity professionals to anticipate and counter threats based on patterns of activity rather than isolated artifacts. The primary purpose of ATT&CK is to provide a structured framework for understanding, documenting, and defending against cyber threats by standardizing descriptions of adversary behaviors. It facilitates the development of threat models and methodologies across private sector, government, and cybersecurity communities, promoting more effective defenses through shared knowledge. Key goals include enhancing threat intelligence sharing by compiling and disseminating real-world adversary data, improving detection engineering to create robust monitoring capabilities, and supporting proactive defense strategies that disrupt adversaries at multiple points in their operations. Unlike linear models such as Lockheed Martin's Cyber Kill Chain, which outlines sequential stages of an attack from the adversary's perspective, ATT&CK employs a non-linear, matrix-based structure that details unordered tactics and granular techniques, allowing for a more comprehensive view of potential behaviors in any campaign. This behavioral focus shifts emphasis from breaking a single chain to mapping and mitigating diverse adversary actions. ATT&CK is presented through matrices that visually organize these elements for practical application.
Core Components
The core components of the MITRE ATT&CK framework consist of tactics, techniques, sub-techniques, and procedures, which together model adversary behaviors in a structured manner. Tactics represent high-level adversary goals, such as initial access or execution, encapsulating the strategic "why" behind an adversary's actions to achieve broader objectives during an attack lifecycle.[6][2][7] Techniques describe the specific methods adversaries employ to accomplish these tactics, providing the operational "how" at a mid-level abstraction that details actionable behaviors. Sub-techniques offer further granularity as variations or lower-level specializations of techniques, allowing for more precise categorization of adversarial actions without altering the parent technique's scope. Procedures, in contrast, capture real-world implementations of techniques or sub-techniques by specific threat actors, often drawn from observed incidents and including contextual details on execution.[6][2][7] These components form a hierarchical structure where tactics encompass multiple techniques, and techniques may further break down into sub-techniques, creating a layered model of adversary activity. This hierarchy extends through explicit linkages: techniques and sub-techniques connect to relevant adversary groups, associated malware or tools (software), and recommended mitigations or detection strategies, enabling comprehensive threat mapping and response planning.[2][7] Supporting metadata enriches each component with contextual attributes, such as required permissions for execution, potential system impact levels, and applicable data sources for monitoring (e.g., logs or network telemetry derived from public threat intelligence). This metadata facilitates practical application by defenders, including identification of platforms affected and versioning for updates. The components are typically visualized within ATT&CK matrices for structured analysis across domains like enterprise environments.[6][2][7]
History and Development
Origins and Creation
The development of ATT&CK began in September 2013 as an initiative by the MITRE Corporation, a not-for-profit organization operating federally funded research and development centers, under a contract with the U.S. Air Force Research Laboratory (AFRL) identified as Project No. 10AOH08A-JC.[7] This effort stemmed from MITRE's broader work in cybersecurity research, particularly within the Fort Meade eXperiment (FMX) environment established in 2010 to simulate enterprise network defenses against cyber threats.[7] The initial model was designed to provide a structured framework for emulating adversary behaviors, addressing gaps in traditional threat modeling approaches that focused primarily on pre-compromise activities.[7] The primary motivation was to model advanced persistent threats (APTs) targeting Department of Defense (DoD) enterprise networks, emphasizing post-compromise tactics, techniques, and procedures (TTPs) under an "assume breach" philosophy to enhance detection and response capabilities.[7] Key contributors included MITRE cybersecurity experts such as Blake E. Strom, Andy Applebaum, Doug P. Miller, Kathryn C. Nickels, Adam G. Pennington, and Cody B. Thomas, who drew from real-world observations of APT campaigns to populate the model with behaviors observed in Microsoft Windows environments.[7] This focus on APTs was informed by the need to support DoD-specific cyber threat intelligence, enabling more realistic red team exercises and blue team analytics.[7] By 2015, ATT&CK had transitioned from an internal tool used within MITRE's FMX for adversary emulation and defender training to its first public release in May of that year, comprising 96 techniques organized across 9 tactics.[7] This release adhered to open-source principles, making the knowledge base freely accessible to encourage community contributions and broader adoption in cybersecurity practices.[7]
Evolution and Versions
The MITRE ATT&CK framework underwent its initial public release in May 2015, presenting the Enterprise matrix with a focus on Windows environments, encompassing 9 tactics and 96 techniques derived from real-world adversary observations.[7] Formal versioning commenced with version 1.0 in January 2018, establishing a structured progression for updates that incorporated refinements to tactics, techniques, and associated metadata.[5] This early phase emphasized the core Enterprise domain, with subsequent minor releases addressing corrections and expansions to technique descriptions without major structural changes. Key milestones marked significant expansions in scope. In 2017, ATT&CK for Mobile was introduced as a dedicated matrix to address adversary behaviors on Android and iOS platforms, providing 11 tactics and initial techniques tailored to mobile-specific threats.[7] Version 5, released in mid-2019, further matured the framework by enhancing technique granularity and integrating preliminary mappings for emerging platforms, though major additions like the Industrial Control Systems (ICS) matrix occurred later in version 11 (April 2022), which added 57 ICS techniques alongside sub-techniques for Mobile.[5] Version 10, launched in October 2021, notably advanced the framework by incorporating over 100 sub-techniques across Enterprise tactics and expanding coverage to more than 100 adversary groups, improving analytical depth for threat intelligence.[8] As of November 2025, the latest release is version 18 (October 2025), featuring 216 techniques and 475 sub-techniques in the Enterprise matrix, alongside 77 techniques in Mobile and 83 in ICS, reflecting ongoing maturation.[9] Updates occur biannually, driven by community feedback through the public GitHub repository, where contributors submit pull requests for technique validations, group attributions, and content enhancements. The framework also integrates with standards like STIX 2.1, enabling structured data exchange for automated threat sharing and tool interoperability across cybersecurity ecosystems.
Framework Structure
Matrices
The ATT&CK matrices serve as foundational tabular representations within the framework, structured as two-dimensional grids that organize adversary behaviors across different operational environments. In this layout, tactics, representing high-level adversary objectives, are arranged as columns, while techniques, the specific methods to accomplish those objectives, are positioned as rows, with sub-techniques nested under them for greater granularity. This design facilitates a clear visualization of how adversaries progress through attack lifecycles, enabling cybersecurity professionals to map observed activities against known patterns.[7] The primary purpose of these matrices is to provide a visual tool for analyzing adversary tactics, techniques, and procedures (TTPs), allowing defenders to identify coverage gaps in their security postures and prioritize mitigation efforts. By populating the grid with TTPs derived from real-world observations, the matrices support strategic planning, such as aligning detection rules with potential intrusion paths and assessing the completeness of defensive controls. This structured mapping enhances threat modeling and response efficacy without prescribing specific implementations.[7] Common elements across the matrices include color-coding to indicate levels of defensive coverage or technique applicability, hyperlinks to detailed technique descriptions, and interactive navigation tools on the official ATT&CK website for filtering by platform or browsing related resources. These features promote efficient exploration and integration into tools like threat intelligence platforms, ensuring users can drill down from the overview grid to actionable insights.[10] While sharing this core grid structure, the matrices differ based on the target environment: the enterprise matrix addresses information technology and cloud systems, the mobile matrix focuses on endpoint devices like smartphones, and the industrial control systems (ICS) matrix targets operational technology in critical infrastructure. These variations tailor the organization of TTPs to environment-specific behaviors, maintaining consistency in the tactical and technical hierarchy across domains.[7]
Tactics, Techniques, and Procedures
In the MITRE ATT&CK framework, tactics represent the adversary's tactical objectives, or the "why" behind their actions, providing a high-level categorization of behaviors across the attack lifecycle.[6] For the enterprise matrix, there are 14 core tactics, including Reconnaissance (TA0043), where adversaries gather target information; Initial Access (TA0001), focusing on gaining entry to networks; Execution (TA0002), involving the running of malicious code; Persistence (TA0003), to maintain access; Privilege Escalation (TA0004), for obtaining higher permissions; Defense Evasion (TA0005), to avoid detection; Credential Access (TA0006), targeting account credentials; Discovery (TA0007), exploring the environment; Lateral Movement (TA0008), navigating within networks; Collection (TA0009), aggregating data; Command and Control (TA0011), enabling communication with compromised systems; Exfiltration (TA0010), for data theft; Impact (TA0040), to disrupt or destroy assets; and Resource Development (TA0042), for preparing operational resources.[11] These tactics operationalize threat modeling by sequencing adversary goals, allowing defenders to anticipate and prioritize responses based on observed behaviors. Techniques within ATT&CK describe the specific methods, or "how," adversaries achieve a tactic's objective, each assigned a unique identifier (ID) for precise reference.[6] For instance, under the Execution tactic (TA0002), Technique T1059 (Command and Scripting Interpreter) details how adversaries leverage interpreters like PowerShell, Python, or Windows Command Shell to execute commands, scripts, or binaries, often for initial payload delivery or remote control.[12] Techniques are further refined into sub-techniques for granularity, such as T1059.001 (PowerShell), emphasizing platform-specific implementations, and they form the core of ATT&CK's behavioral knowledge base, enabling consistent classification of adversary actions across incidents. Procedures extend techniques by capturing real-world, specific implementations tied to observed adversary activity, often linked to threat actors or groups.[2] For example, the Russian-linked group APT28 (also known as Sofacy or Fancy Bear, G0007) has employed the sub-technique T1134.001 (Access Token Manipulation: Token Impersonation/Theft) by exploiting CVE-2015-1701 to steal SYSTEM tokens for privilege escalation in Windows environments.[13] Another instance involves APT28 using T1098.002 (Account Manipulation: Additional Email Delegate Permissions) via PowerShell cmdlets to assign impersonation roles in Microsoft Exchange for sustained access.[13] These procedures ground ATT&CK in empirical evidence, illustrating how abstract techniques manifest in campaigns and supporting attribution to actors like APT28 through documented implementations.[2] ATT&CK operationalizes TTPs through rich interconnections that enhance threat modeling and defensive analysis. Techniques map to adversary groups, such as T1059 being associated with APT19 (G0073) for downloading code via scriptlets or APT32 (G0050) for Cobalt Strike deployments, facilitating actor profiling and trend identification.[12] Similarly, techniques link to software tools, like Mimikatz (S0002) under Credential Access tactics for pass-the-hash procedures, allowing tracking of malware evolution. Defensive mappings include mitigations, such as M1038 (Execution Prevention) using application control or PowerShell Constrained Language Mode to restrict interpreter execution, and detections, like monitoring anomalous PowerShell activity for T1059.001, which integrate TTPs into security operations for proactive countermeasures.[12] These relationships form a navigable graph, visualized in ATT&CK matrices to reveal dependencies and coverage gaps.[6]
Enterprise Matrix
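The hierarchy described under Core Components (tactic, technique, sub-technique, procedure) and the linkages discussed here (T1059, its sub-technique T1059.001, the group APT32/G0050 and the mitigation M1038) can be resolved mechanically from the STIX 2.1 representation in which ATT&CK is distributed. The following Python is an example added to this article, not MITRE's code. It walks a small, hand-built bundle whose objects are shaped like ATT&CK STIX data (`attack-pattern`, `x-mitre-tactic`, `intrusion-set`, `course-of-action`, and `relationship` objects of type `subtechnique-of`, `uses` and `mitigates`, with ATT&CK IDs carried in `external_references`). The bundle contents, including the procedure text, are constructed for the example and are not the real dataset; against the real `enterprise-attack.json` the same functions apply unchanged.

```python
"""Resolve an ATT&CK technique's parent, tactic, procedures and mitigations
from a STIX 2.1 bundle.  Example code added to this article; the bundle
below is a constructed subset that mimics the shape of ATT&CK STIX objects."""
import json
from collections import defaultdict

# Constructed sample bundle (NOT the real ATT&CK data): one tactic, one technique,
# one sub-technique, one group, one mitigation, and the relationships between them.
SAMPLE_BUNDLE = {
    "type": "bundle",
    "id": "bundle--example",
    "objects": [
        {"type": "x-mitre-tactic", "id": "x-mitre-tactic--exec", "name": "Execution",
         "x_mitre_shortname": "execution",
         "external_references": [{"source_name": "mitre-attack", "external_id": "TA0002"}]},
        {"type": "attack-pattern", "id": "attack-pattern--t1059",
         "name": "Command and Scripting Interpreter",
         "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "execution"}],
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1059"}]},
        {"type": "attack-pattern", "id": "attack-pattern--t1059-001", "name": "PowerShell",
         "x_mitre_is_subtechnique": True,
         "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "execution"}],
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1059.001"}]},
        {"type": "intrusion-set", "id": "intrusion-set--g0050", "name": "APT32",
         "external_references": [{"source_name": "mitre-attack", "external_id": "G0050"}]},
        {"type": "course-of-action", "id": "course-of-action--m1038", "name": "Execution Prevention",
         "external_references": [{"source_name": "mitre-attack", "external_id": "M1038"}]},
        {"type": "relationship", "relationship_type": "subtechnique-of",
         "source_ref": "attack-pattern--t1059-001", "target_ref": "attack-pattern--t1059"},
        {"type": "relationship", "relationship_type": "uses",
         "source_ref": "intrusion-set--g0050", "target_ref": "attack-pattern--t1059",
         "description": "Constructed procedure text: used scripting interpreters to deploy a C2 framework."},
        {"type": "relationship", "relationship_type": "mitigates",
         "source_ref": "course-of-action--m1038", "target_ref": "attack-pattern--t1059"},
    ],
}


def attack_id(obj):
    """Return the ATT&CK ID (T1059, TA0002, G0050, M1038) carried in external_references."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            return ref.get("external_id")
    return None


def build_index(bundle):
    """Index non-relationship objects by STIX id and ATT&CK id; bucket relationships by type."""
    by_stix = {o["id"]: o for o in bundle["objects"] if o["type"] != "relationship"}
    by_attack = {attack_id(o): o for o in by_stix.values() if attack_id(o)}
    rels = defaultdict(list)
    for o in bundle["objects"]:
        if o["type"] == "relationship":
            rels[o["relationship_type"]].append(o)
    return by_stix, by_attack, rels


def tactics_of(technique, by_stix):
    """Map kill_chain_phases.phase_name to tactic IDs through x_mitre_shortname."""
    phases = {p["phase_name"] for p in technique.get("kill_chain_phases", [])
              if p.get("kill_chain_name") == "mitre-attack"}
    return sorted(attack_id(o) for o in by_stix.values()
                  if o["type"] == "x-mitre-tactic" and o.get("x_mitre_shortname") in phases)


def describe(tid, bundle):
    """Return parent technique, tactics, procedures (group + text) and mitigations for an ID."""
    by_stix, by_attack, rels = build_index(bundle)
    tech = by_attack[tid]
    parent = None
    for r in rels["subtechnique-of"]:
        if r["source_ref"] == tech["id"]:
            parent = attack_id(by_stix[r["target_ref"]])
    procedures = [(attack_id(by_stix[r["source_ref"]]), r.get("description", ""))
                  for r in rels["uses"]
                  if r["target_ref"] == tech["id"] and by_stix[r["source_ref"]]["type"] == "intrusion-set"]
    mitigations = sorted(attack_id(by_stix[r["source_ref"]])
                         for r in rels["mitigates"] if r["target_ref"] == tech["id"])
    return {"id": tid, "name": tech["name"],
            "is_subtechnique": tech.get("x_mitre_is_subtechnique", False),
            "parent": parent, "tactics": tactics_of(tech, by_stix),
            "procedures": procedures, "mitigations": mitigations}


if __name__ == "__main__":
    for tid in ("T1059", "T1059.001"):
        print(json.dumps(describe(tid, SAMPLE_BUNDLE), indent=2))
```

Note that mitigations and procedures are attached to the exact object they reference: the sub-technique T1059.001 reports none here because the constructed `uses` and `mitigates` relationships point at the parent T1059, which mirrors how the real data records them separately per technique and sub-technique.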
Overview and Scope
The MITRE ATT&CK Enterprise Matrix provides a comprehensive framework for understanding and modeling adversary behaviors in enterprise IT environments, primarily targeting network-based intrusions that span pre-compromise and post-compromise phases.[10] It emphasizes the tactics, techniques, and procedures (TTPs) used by advanced persistent threats (APTs) and other cyber adversaries to infiltrate, persist, and achieve objectives within organizational networks, drawing from real-world observations to support defensive strategies.[7] The matrix is designed for IT infrastructures including endpoints, servers, and networked systems, enabling cybersecurity professionals to map threat activities across the attack lifecycle.[14] As of version 18 (October 2025), the Enterprise Matrix organizes adversary behaviors into 14 tactics, ranging from Reconnaissance to Impact, encompassing 216 techniques and 475 sub-techniques that detail specific methods for execution.[15] These elements cover a broad spectrum of intrusion activities, such as initial access through phishing or exploiting public-facing applications, lateral movement within networks, and exfiltration of sensitive data, all grounded in documented adversary campaigns.[10] The framework's scope extends beyond traditional on-premises setups to include adaptations for modern hybrid environments, supporting platforms like Windows, macOS, and Linux operating systems.[16] In cloud-centric deployments, the matrix addresses threats specific to infrastructure-as-a-service (IaaS) and software-as-a-service (SaaS) models, including examples for AWS, Azure, Google Cloud Platform (GCP), and Office 365, where adversaries might abuse misconfigurations or identity services for persistence.[10] A distinctive feature is its inclusion of "left-of-exploit" activities (pre-compromise reconnaissance and resource development) to highlight early detection opportunities, integrated with endpoint detection and response (EDR) tools for mapping observed behaviors to TTPs.[17] This holistic coverage facilitates proactive threat hunting and mitigation in diverse enterprise contexts without overlapping into specialized domains like mobile or industrial control systems.[18]
Key Tactics
The MITRE ATT&CK Enterprise Matrix defines 14 core tactics that model the stages of adversary operations in a cyber attack lifecycle, progressing from pre-compromise activities to post-exploitation impacts on target environments. These tactics provide a structured view of how adversaries achieve their objectives, with each encompassing specific techniques that adversaries may employ. The sequence emphasizes the logical flow of an attack, starting with information gathering and resource preparation, moving through access and execution, and culminating in data theft or disruption.[10]
- Reconnaissance (TA0043): Adversaries gather victim and network information to plan and support future operations, often involving external research or scanning. This tactic includes techniques such as Active Scanning (T1595) and Gather Victim Host Information (T1592).[19]
- Resource Development (TA0042): Adversaries establish capabilities and infrastructure, like acquiring domains or developing malware, to enable subsequent attack phases. This tactic includes techniques such as Develop Capabilities (T1587) and Obtain Capabilities (T1588).[20]
- Initial Access (TA0001): Adversaries gain an initial foothold in the target environment, typically by exploiting vulnerabilities or tricking users. This tactic includes techniques such as Phishing (T1566) and Drive-by Compromise (T1189).[21]
- Execution (TA0002): Adversaries run malicious code on compromised systems to achieve their goals, using various interpreters or user interactions. This tactic includes techniques such as Command and Scripting Interpreter (T1059) and User Execution (T1204).
- Persistence (TA0003): Adversaries maintain access to systems across restarts, sessions, or disruptions to ensure continued presence. This tactic includes techniques such as Boot or Logon Autostart Execution (T1547) and Scheduled Task/Job (T1053).
- Privilege Escalation (TA0004): Adversaries gain higher-level permissions to access restricted resources or perform privileged actions. This tactic includes techniques such as Exploitation for Privilege Escalation (T1068) and Abuse Elevation Control Mechanism (T1548).
- Defense Evasion (TA0005): Adversaries avoid or circumvent detection and analysis to blend into normal activity and evade security controls. This tactic includes techniques such as Impair Defenses (T1562) and Obfuscated Files or Information (T1027).
- Credential Access (TA0006): Adversaries steal account credentials to impersonate legitimate users or escalate access. This tactic includes techniques such as OS Credential Dumping (T1003) and Adversary-in-the-Middle (T1557).
- Discovery (TA0007): Adversaries explore the target environment to identify useful information, systems, or weaknesses for further exploitation. This tactic includes techniques such as System Information Discovery (T1082) and Network Service Discovery (T1046).
- Lateral Movement (TA0008): Adversaries move between compromised systems within the network to expand access or reach objectives. This tactic includes techniques such as Remote Services (T1021) and Lateral Tool Transfer (T1570).
- Collection (TA0009): Adversaries gather data of interest from the target environment for exfiltration or analysis. This tactic includes techniques such as Data from Local System (T1005) and Automated Collection (T1119).
- Command and Control (TA0011): Adversaries establish and maintain communication channels with compromised systems to control operations. This tactic includes techniques such as Application Layer Protocol (T1071) and Proxy (T1090).
- Exfiltration (TA0010): Adversaries transfer data from the victim environment to external systems under their control. This tactic includes techniques such as Exfiltration Over C2 Channel (T1041) and Exfiltration Over Web Service (T1567).
- Impact (TA0040): Adversaries manipulate, interrupt, or destroy systems and data to achieve disruptive effects or hinder recovery. This tactic includes techniques such as Inhibit System Recovery (T1490) and Data Destruction (T1485).
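The Matrices section above describes the matrix as a grid for spotting coverage gaps, with colour-coding for defensive coverage, and the tactic list just given supplies the columns. The following Python is an example added to this article, not MITRE's or the ATT&CK Navigator project's code. It takes a constructed inventory of detection rules tagged with technique IDs, rolls sub-technique tags up to their parent (T1059.001 counts toward T1059), reports which of the 14 tactics have no covered technique at all, and emits a Navigator layer that colours covered techniques green and uncovered ones red. The technique-to-tactic mapping is limited to the two example techniques named per tactic above (plus T1547 also listed under Privilege Escalation, as it is in the published matrix); the detection names and the `versions` numbers in the layer are assumptions for this example, and for real use the mapping should be generated from the ATT&CK STIX data rather than typed in.

```python
"""Per-tactic detection coverage and an ATT&CK Navigator layer.
Example code added to this article; the technique subset, detection
inventory and layer version numbers are constructed assumptions."""
import json

# The 14 Enterprise tactics, in the order the article lists them (tactic IDs from the article).
ENTERPRISE_TACTICS = {
    "TA0043": "Reconnaissance", "TA0042": "Resource Development", "TA0001": "Initial Access",
    "TA0002": "Execution", "TA0003": "Persistence", "TA0004": "Privilege Escalation",
    "TA0005": "Defense Evasion", "TA0006": "Credential Access", "TA0007": "Discovery",
    "TA0008": "Lateral Movement", "TA0009": "Collection", "TA0011": "Command and Control",
    "TA0010": "Exfiltration", "TA0040": "Impact",
}

# Technique -> list of tactics.  Constructed subset: the two techniques the article names per
# tactic.  Techniques can sit under several tactics; T1547 is shown under two as an example.
TECHNIQUE_TACTIC = {
    "T1595": ["TA0043"], "T1592": ["TA0043"], "T1587": ["TA0042"], "T1588": ["TA0042"],
    "T1566": ["TA0001"], "T1189": ["TA0001"], "T1059": ["TA0002"], "T1204": ["TA0002"],
    "T1547": ["TA0003", "TA0004"], "T1053": ["TA0003"], "T1068": ["TA0004"], "T1548": ["TA0004"],
    "T1562": ["TA0005"], "T1027": ["TA0005"], "T1003": ["TA0006"], "T1557": ["TA0006"],
    "T1082": ["TA0007"], "T1046": ["TA0007"], "T1021": ["TA0008"], "T1570": ["TA0008"],
    "T1005": ["TA0009"], "T1119": ["TA0009"], "T1071": ["TA0011"], "T1090": ["TA0011"],
    "T1041": ["TA0010"], "T1567": ["TA0010"], "T1490": ["TA0040"], "T1485": ["TA0040"],
}

# Constructed detection inventory: rule name -> ATT&CK technique or sub-technique IDs it covers.
DETECTIONS = [
    {"name": "PowerShell script block anomaly", "techniques": ["T1059.001"]},
    {"name": "LSASS memory access", "techniques": ["T1003"]},
    {"name": "Scheduled task creation", "techniques": ["T1053"]},
    {"name": "Security tool tamper alert", "techniques": ["T1562"]},
    {"name": "Phishing attachment sandbox", "techniques": ["T1566"]},
]


def parent_technique(tid):
    """T1059.001 -> T1059; parent technique IDs are returned unchanged."""
    return tid.split(".")[0]


def covered_techniques(detections):
    """Parent technique IDs that at least one detection rule covers."""
    return {parent_technique(t) for d in detections for t in d["techniques"]}


def coverage_by_tactic(detections, technique_tactic=TECHNIQUE_TACTIC):
    """Return {tactic_id: (covered, total)} counted over the techniques in the mapping."""
    counts = {ta: [0, 0] for ta in ENTERPRISE_TACTICS}
    covered = covered_techniques(detections)
    for tid, tactics in technique_tactic.items():
        for ta in tactics:
            counts[ta][1] += 1
            if tid in covered:
                counts[ta][0] += 1
    return {ta: tuple(c) for ta, c in counts.items()}


def coverage_gaps(detections):
    """Tactics with no covered technique: the empty columns a coloured matrix would reveal."""
    return [ta for ta, (cov, _) in coverage_by_tactic(detections).items() if cov == 0]


def navigator_layer(detections, name="Detection coverage (constructed example)"):
    """Build a Navigator layer dict: score 1 / green for covered techniques, 0 / red otherwise."""
    covered = covered_techniques(detections)
    techniques = []
    for tid in TECHNIQUE_TACTIC:
        hit = tid in covered
        rules = [d["name"] for d in detections
                 if tid in {parent_technique(t) for t in d["techniques"]}]
        techniques.append({"techniqueID": tid, "score": 1 if hit else 0,
                           "color": "#4caf50" if hit else "#f44336",
                           "comment": "; ".join(rules), "enabled": True,
                           "showSubtechniques": False})
    return {
        "name": name,
        "domain": "enterprise-attack",
        # Assumed version numbers; align them with the Navigator instance that will load the layer.
        "versions": {"attack": "18", "navigator": "5.1.0", "layer": "4.5"},
        "description": "Constructed example: score 1 = covered by a detection rule, 0 = gap.",
        "techniques": techniques,
        "legendItems": [{"label": "Covered", "color": "#4caf50"},
                        {"label": "No detection", "color": "#f44336"}],
    }


if __name__ == "__main__":
    for ta, (cov, total) in coverage_by_tactic(DETECTIONS).items():
        print(f"{ta} {ENTERPRISE_TACTICS[ta]:<22} {cov}/{total}")
    print("tactics with no coverage:", ", ".join(coverage_gaps(DETECTIONS)))
    with open("coverage_layer.json", "w") as fh:
        json.dump(navigator_layer(DETECTIONS), fh, indent=2)
```

Loading `coverage_layer.json` into the Navigator paints the 28 constructed cells, which makes the nine uncovered tactic columns immediately visible; with the full STIX-derived mapping the same report becomes a per-tactic gap list across all 216 Enterprise techniques.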