MITRE ATT&CK

Three matrices, four components

🏢 Enterprise

Techniques targeting corporate environments across Windows, macOS, Linux, cloud services, and network infrastructure. The most widely used matrix.

📱 Mobile

Specialized framework documenting threats against Android and iOS mobile ecosystems.

βš™οΈ ICS

Dedicated matrix for industrial control systems and operational technology environments with unique safety and availability challenges.

The four levels

Tactics

The why

The adversary’s strategic objectives. Categories representing the “why” behind each phase of an attack. Things like Initial Access, Persistence, Defense Evasion, Impact.

Techniques

The how

The specific method used to accomplish a tactic. Each technique has a unique ID (e.g., T1566 for Phishing). Granular enough to map to detection rules and to teach analysts what to look for.

Sub-techniques

The how, narrower

Granular variations of a parent technique with distinct characteristics. T1566 (Phishing) has sub-techniques T1566.001 (Attachment), T1566.002 (Link), T1566.003 (via Service).

Procedures

The exact thing

Documented examples of techniques as implemented by specific threat actors in observed attacks. The granular operational steps that distinguish one actor from another.


The 12 tactics

Tactics are the strategic objectives an adversary pursues during an intrusion. Adversaries rarely progress linearly through all 12, and they may revisit phases multiple times during a single campaign. Identifying which tactic you are observing is what tells you which countermeasures apply.

TA0001

Initial access

Techniques to gain entry. Exploiting external apps, phishing, leveraging trusted relationships.

TA0002

Execution

Running adversary-controlled code. Command lines, PowerShell, malicious macros.

TA0003

Persistence

Maintaining access across restarts, changed credentials, and other interruptions. Scheduled tasks, startup items, backdoors.

TA0004

Privilege escalation

Getting higher-level permissions. Vulnerability exploits, token manipulation, UAC bypass.

TA0005

Defense evasion

Avoiding detection. Disabling tools, obfuscating files, leveraging legitimate credentials.

TA0006

Credential access

Stealing account names and passwords. Keylogging, credential dumping, brute force.

TA0007

Discovery

Learning about the environment. Network scanning, account enumeration, system info gathering.

TA0008

Lateral movement

Moving through the environment. Remote services, internal spearphishing, pass-the-hash.

TA0009

Collection

Gathering data of interest. Screen capture, local system data, browser data.

TA0011

Command and control

Communicating with controlled systems. Encrypted channels, web services, custom protocols.

TA0010

Exfiltration

Stealing data. Alternative protocols, scheduled transfers, physical removal.

TA0040

Impact

Disrupting availability or integrity. Ransomware encryption, defacement, data destruction.


Major techniques per tactic

Hundreds of techniques exist across the matrix. These are the ones an analyst should recognize on sight; each has a stable ID that travels well in handoffs.

Initial access

  • T1566 Phishing
  • T1190 Exploit Public-Facing Application
  • T1133 External Remote Services
  • T1659 Content Injection

Execution

  • T1059 Command and Scripting Interpreter
  • T1106 Native API
  • T1204 User Execution

Persistence

  • T1547 Boot or Logon Autostart Execution
  • T1136 Create Account
  • T1098 Account Manipulation

Privilege escalation

  • T1548 Abuse Elevation Control Mechanism
  • T1134 Access Token Manipulation
  • T1068 Exploitation for Privilege Escalation

Defense evasion

  • T1027 Obfuscated Files or Information
  • T1070 Indicator Removal on Host
  • T1055 Process Injection

Credential access

  • T1003 OS Credential Dumping
  • T1110 Brute Force
  • T1056 Input Capture

Discovery

  • T1018 Remote System Discovery
  • T1087 Account Discovery
  • T1082 System Information Discovery

Lateral movement

  • T1021 Remote Services
  • T1550 Use Alternate Authentication Material
  • T1091 Replication Through Removable Media

Collection

  • T1557 Adversary-in-the-Middle
  • T1119 Automated Collection
  • T1113 Screen Capture

Command and control

  • T1071 Application Layer Protocol
  • T1573 Encrypted Channel
  • T1105 Ingress Tool Transfer

Exfiltration

  • T1041 Exfiltration Over C2 Channel
  • T1048 Exfiltration Over Alternative Protocol
  • T1567 Exfiltration Over Web Service

Impact

  • T1486 Data Encrypted for Impact
  • T1485 Data Destruction
  • T1491 Defacement

Procedures: how specific actors implement techniques

Procedures represent the specific implementations of techniques used by threat actors or malware families. While multiple adversaries may employ identical techniques, their procedural implementations often differ significantly based on sophistication, resources, and intent.

APT29 (Cozy Bear)

T1566.001, Spearphishing Attachment

Uses legitimate cloud storage services to host malware. Sends targeted emails with links to documents containing malicious macros. Macros establish persistence using WMI event subscriptions and execute PowerShell commands for C2 communication.

FIN7

T1059.001, PowerShell

Deploys heavily obfuscated PowerShell scripts via phishing attachments. Multiple layers of encoding evade detection. Scripts create scheduled tasks for persistence and inject Carbanak malware directly into memory.

Lazarus Group

T1068, Exploitation for Privilege Escalation

Exploits Windows privilege-escalation vulnerabilities using custom exploit code. Combines multiple vulnerabilities in sequence and employs anti-forensic techniques to hide exploitation artifacts.

Why procedural variation matters

Two actors might both leverage PowerShell for Execution (T1059.001) but with very different procedural choices.

One actor might deploy heavily obfuscated scripts with encrypted payloads, prioritizing stealth at the cost of speed. Another might use simpler one-liners that finish quickly but show plainly in logs.

Procedural patterns are what link an investigation to a known threat actor when multiple groups use the same technique. They are also what tell defenders which detection rule is going to fire and which is going to miss.
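The point above, that the same technique reaches different rules depending on procedure, can be seen directly by running two rules over a few process-creation records. The Python below is an added example, not code from the page or from any detection product: one rule is keyed on the command text (encoded command or hidden window, the stealth-first procedure), the other on the parent-child relationship (an Office process spawning PowerShell), so the obfuscated script and the plain one-liner from a macro land on different rules. The host names, parent processes, command lines and field names are constructed for the example; the encoded payload is built from a harmless Write-Output string so the sample is reproducible.

```python
import base64
import re

# Constructed process-creation records (not real telemetry). The field
# names are an assumption of this example, not any product's schema.
ENCODED = base64.b64encode("Write-Output 'hello'".encode("utf-16le")).decode()
EVENTS = [
    {"host": "ws01", "parent": "WINWORD.EXE",                      # stealth-first procedure
     "cmd": f"powershell.exe -nop -w hidden -enc {ENCODED}"},
    {"host": "ws02", "parent": "explorer.exe",                      # benign admin use
     "cmd": "powershell.exe Get-Service -Name Spooler"},
    {"host": "ws03", "parent": "WINWORD.EXE",                      # plain one-liner from a macro
     "cmd": 'powershell.exe -c "Get-Process | Out-File C:\\temp\\p.txt"'},
]

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}


def rule_encoded_or_hidden(e):
    """Keyed on the command text: encoded command or hidden window.
    Fires on the obfuscated procedure, misses a plain one-liner."""
    return re.search(r"(?i)\s-(enc|encodedcommand|w\s+hidden)\b", e["cmd"]) is not None


def rule_office_spawns_powershell(e):
    """Keyed on the parent-child relationship rather than the command text,
    so it catches either procedure when it starts from an Office macro."""
    return e["parent"].lower() in OFFICE_PARENTS and "powershell" in e["cmd"].lower()


RULES = {"ps_encoded_or_hidden": rule_encoded_or_hidden,
         "office_spawns_powershell": rule_office_spawns_powershell}


def evaluate(events, rules=RULES):
    """Map each rule name to the hosts it fired on, so misses are visible per procedure."""
    hits = {name: [] for name in rules}
    for e in events:
        for name, pred in rules.items():
            if pred(e):
                hits[name].append(e["host"])
    return hits


def decode_encoded_command(cmd):
    """Recover the plain text of a -enc / -EncodedCommand argument (PowerShell
    expects base64 of UTF-16LE). Returns None if the flag is absent or the
    argument is not valid base64, so a triage script does not crash on junk."""
    m = re.search(r"(?i)-e(?:nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", cmd)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


if __name__ == "__main__":
    for name, hosts in evaluate(EVENTS).items():
        print(f"{name}: fired on {hosts or 'nothing'}")
    print("decoded:", decode_encoded_command(EVENTS[0]["cmd"]))
```

Run as written, the text-keyed rule fires only on ws01, the parent-child rule on ws01 and ws03, and ws02 fires nothing: the plain one-liner is the procedure the first rule misses, which is exactly the gap the second rule exists to close. The decoder shows the other half of the trade-off the page describes: encoding buys the actor nothing once the analyst turns the argument back into readable text.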


How an analyst uses ATT&CK during Uncover

📌 During Uncover

Map each observed behavior to its ATT&CK technique. The chain of techniques becomes the investigation’s narrative spine.

🤝 For handoff

Naming techniques lets the IR team start work from a shared model rather than re-reading the analyst’s notes.

🔧 For detection engineering

When a technique was observed but not detected automatically, that gap is the feature request for a new rule.

📈 For trend analysis

Tagging cases with techniques over time shows what the SOC sees most often, which feeds prioritization.

📊 For executive communication

ATT&CK gives technical teams a vocabulary executive leadership recognizes after one orientation. Bridges tactical and strategic conversations.

🎯 For gap analysis

Mapping defensive coverage against the matrix surfaces where detection is strong and where it is thin. Drives investment decisions.
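The four-level hierarchy described earlier (tactic, technique, sub-technique, with IDs such as T1566.001 rolling up to T1566) and the analyst uses listed in this section (narrative spine, detection-gap list, trend counts, coverage map) can be exercised as one small data model. The Python below is an added example, not code from the page or from MITRE. Tactic and technique IDs and names are the ones listed on the page, but the technique-to-tactic table is a deliberate simplification that assigns each technique a single tactic (in ATT&CK a technique can sit under several, e.g. T1547 is also Privilege escalation); the case observations and the coverage list are constructed sample data.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Tactic order as listed on the page (TA0011 precedes TA0010, as in the matrix).
TACTICS = [
    ("TA0001", "Initial access"), ("TA0002", "Execution"),
    ("TA0003", "Persistence"), ("TA0004", "Privilege escalation"),
    ("TA0005", "Defense evasion"), ("TA0006", "Credential access"),
    ("TA0007", "Discovery"), ("TA0008", "Lateral movement"),
    ("TA0009", "Collection"), ("TA0011", "Command and control"),
    ("TA0010", "Exfiltration"), ("TA0040", "Impact"),
]
TACTIC_ORDER = {tid: i for i, (tid, _) in enumerate(TACTICS)}
TACTIC_NAME = dict(TACTICS)

# Parent technique -> one tactic, for techniques named on the page. Simplified
# on purpose: a real technique may belong to several tactics.
TECHNIQUE_TACTIC = {
    "T1566": "TA0001", "T1190": "TA0001", "T1133": "TA0001",
    "T1059": "TA0002", "T1204": "TA0002",
    "T1547": "TA0003", "T1136": "TA0003",
    "T1548": "TA0004", "T1068": "TA0004",
    "T1027": "TA0005", "T1055": "TA0005",
    "T1003": "TA0006", "T1110": "TA0006",
    "T1018": "TA0007", "T1087": "TA0007",
    "T1021": "TA0008", "T1550": "TA0008",
    "T1557": "TA0009", "T1113": "TA0009",
    "T1071": "TA0011", "T1573": "TA0011",
    "T1041": "TA0010", "T1048": "TA0010",
    "T1486": "TA0040", "T1485": "TA0040",
}
ID_RE = re.compile(r"^T(\d{4})(?:\.(\d{3}))?$")


def parse_technique_id(tid):
    """Validate an ID and split it: 'T1566.001' -> ('T1566', '001'),
    'T1068' -> ('T1068', None). Tactic IDs (TA....) are rejected."""
    m = ID_RE.match(tid.strip().upper())
    if not m:
        raise ValueError(f"not an ATT&CK technique ID: {tid!r}")
    return "T" + m.group(1), m.group(2)


def tactic_of(tid):
    """Roll a technique or sub-technique up to its tactic via the parent ID."""
    parent, _ = parse_technique_id(tid)
    if parent not in TECHNIQUE_TACTIC:
        raise KeyError(f"{parent} is not in the local technique table")
    return TECHNIQUE_TACTIC[parent]


@dataclass
class Observation:
    case_id: str
    technique: str   # technique or sub-technique ID
    detected: bool   # True if an existing rule fired; False if found by hand
    evidence: str


def narrative_spine(observations):
    """Order one case's observations by tactic so the chain reads as a story."""
    return sorted(observations,
                  key=lambda o: (TACTIC_ORDER[tactic_of(o.technique)], o.technique))


def detection_gaps(observations):
    """Techniques seen but not auto-detected: the feature requests for new rules."""
    return sorted({o.technique for o in observations if not o.detected})


def tactic_trend(observations):
    """Count observations per tactic across cases, for prioritization."""
    return Counter(TACTIC_NAME[tactic_of(o.technique)] for o in observations)


def coverage_by_tactic(covered_techniques):
    """Per tactic, the fraction of this table's parent techniques with at least
    one detection rule (a rule for a sub-technique counts for its parent)."""
    covered = {parse_technique_id(t)[0] for t in covered_techniques}
    result = {}
    for tid, name in TACTICS:
        techs = [t for t, ta in TECHNIQUE_TACTIC.items() if ta == tid]
        result[name] = sum(t in covered for t in techs) / len(techs)
    return result


# Constructed sample case, loosely following the spearphishing -> macro ->
# persistence -> PowerShell C2 chain described on the page. Not real case data.
SAMPLE_CASE = [
    Observation("CASE-0001", "T1071", True, "periodic HTTPS beacon to a cloud storage host"),
    Observation("CASE-0001", "T1566.001", True, "email with macro-enabled document"),
    Observation("CASE-0001", "T1547", False, "autostart entry added after the macro ran"),
    Observation("CASE-0001", "T1059.001", True, "encoded PowerShell launched by WINWORD.EXE"),
]
# Constructed coverage list: techniques the SOC already has a rule for.
SAMPLE_COVERAGE = ["T1566.002", "T1190", "T1059.001"]

if __name__ == "__main__":
    for o in narrative_spine(SAMPLE_CASE):
        print(TACTIC_NAME[tactic_of(o.technique)], o.technique, o.evidence)
    print("gaps:", detection_gaps(SAMPLE_CASE))
    print("trend:", dict(tactic_trend(SAMPLE_CASE)))
    print("coverage:", coverage_by_tactic(SAMPLE_COVERAGE))
```

The observations are deliberately entered out of order (the beacon was noticed first); sorting by tactic position rebuilds the narrative spine from Initial access through Command and control. The one observation an analyst found by hand, T1547, is what comes out of `detection_gaps`, and `coverage_by_tactic` shows the same idea at SOC scale: a rule for T1566.002 counts toward T1566, so Initial access reads two thirds covered while Impact reads zero.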

Next up

Tool integration

The tools that make Uncover possible at scale: SIEM, EDR, network analysis, deception, forensics, SOAR.

Read tool integration