What You'll Learn
- Understand what the MITRE ATT&CK framework is and why every SOC in the world uses it
- Navigate the ATT&CK Matrix and distinguish between Tactics, Techniques, and Sub-techniques
- Map real-world alerts and incidents to specific ATT&CK technique IDs
- Use ATT&CK to improve detection coverage, write better escalation notes, and communicate with precision
- Understand how ATT&CK integrates with the tools in CyberBlueSOC (Wazuh, Sigma, MISP, TheHive)
What Is MITRE ATT&CK?
In the previous lesson, you learned two frameworks for understanding attacks: the Kill Chain (sequence) and the Diamond Model (components). Now we introduce the framework that every modern SOC uses daily: MITRE ATT&CK.
ATT&CK stands for Adversarial Tactics, Techniques, and Common Knowledge. It's a globally accessible, continuously updated knowledge base of adversary behavior based on real-world observations. Developed and maintained by The MITRE Corporation (a US federally funded non-profit), ATT&CK catalogs how attackers operate — not theoretically, but based on documented intrusions.
ATT&CK is the universal language of cyber defense. When a SOC analyst in Tokyo says "T1059.001," an analyst in London knows exactly what that means: PowerShell execution.
Here's what makes ATT&CK different from the Kill Chain:
| Feature | Cyber Kill Chain | MITRE ATT&CK |
|---|---|---|
| Scope | 7 high-level stages | 14 tactics, 200+ techniques, 400+ sub-techniques |
| Granularity | Broad phases | Specific, actionable behaviors |
| Updates | Static since 2011 | Updated multiple times per year |
| Mapping | Describes the attack lifecycle | Describes exactly what the attacker does at each step |
| Usage | Strategic understanding | Tactical detection, hunting, and reporting |
ATT&CK doesn't replace the Kill Chain — it supercharges it. While the Kill Chain tells you "the attacker is in the Exploitation stage," ATT&CK tells you "the attacker used T1566.001 (Spearphishing Attachment) to deliver a macro-enabled document that executes T1059.001 (PowerShell)."
Real-World Adoption: ATT&CK is used by over 80% of enterprise SOCs worldwide. Major SIEM vendors (Splunk, Microsoft Sentinel, Elastic, Wazuh) map their detection rules to ATT&CK technique IDs. Threat intelligence platforms (MISP, Recorded Future, CrowdStrike) tag indicators with ATT&CK techniques. Job postings for SOC analysts increasingly list "MITRE ATT&CK proficiency" as a required skill.
The ATT&CK Matrix: Structure and Navigation
The ATT&CK Matrix is organized as a table where columns are Tactics (the "why") and cells within columns are Techniques (the "how"). Understanding this structure is the key to fluency.
Tactics: The Adversary's Goals
Tactics represent the adversary's objective at each stage of an operation. There are 14 Enterprise tactics, and they roughly follow the progression of an attack (though attackers don't always follow them in order):
| # | Tactic ID | Tactic Name | What the Attacker Wants |
|---|---|---|---|
| 1 | TA0043 | Reconnaissance | Gather information to plan the attack |
| 2 | TA0042 | Resource Development | Build infrastructure and capabilities |
| 3 | TA0001 | Initial Access | Get into the target network |
| 4 | TA0002 | Execution | Run malicious code |
| 5 | TA0003 | Persistence | Maintain access across reboots/credential changes |
| 6 | TA0004 | Privilege Escalation | Get higher-level permissions |
| 7 | TA0005 | Defense Evasion | Avoid detection |
| 8 | TA0006 | Credential Access | Steal usernames and passwords |
| 9 | TA0007 | Discovery | Learn about the environment |
| 10 | TA0008 | Lateral Movement | Move through the network |
| 11 | TA0009 | Collection | Gather data of interest |
| 12 | TA0011 | Command and Control | Communicate with compromised systems |
| 13 | TA0010 | Exfiltration | Steal data out of the network |
| 14 | TA0040 | Impact | Destroy, disrupt, or manipulate systems/data |
Memory Aid: Think of tactics as chapters in the attacker's playbook. Each chapter has a goal: "get in" (Initial Access), "stay in" (Persistence), "move around" (Lateral Movement), "steal stuff" (Exfiltration). When you're triaging an alert, the first question is: which tactic is this? That immediately tells you how serious and how far along the attack is.
Techniques: The Specific Methods
Under each tactic, Techniques describe the specific methods attackers use to achieve that goal. Each technique has a unique ID starting with T followed by a four-digit number.
For example, under the Initial Access tactic (TA0001):
| Technique ID | Technique Name | Description |
|---|---|---|
| T1566 | Phishing | Using deceptive messages to gain access |
| T1190 | Exploit Public-Facing Application | Attacking vulnerabilities in internet-facing systems |
| T1133 | External Remote Services | Accessing VPNs, RDP, Citrix from outside |
| T1195 | Supply Chain Compromise | Compromising a trusted vendor/software |
| T1078 | Valid Accounts | Using legitimate stolen credentials |
| T1189 | Drive-by Compromise | Compromising via a visited website |
Sub-Techniques: The Precise Variant
Many techniques have Sub-techniques that describe more specific variants. Sub-techniques use the parent technique ID plus a decimal and a three-digit number.
T1566 — Phishing breaks down into:
| Sub-technique ID | Name | What It Means |
|---|---|---|
| T1566.001 | Spearphishing Attachment | Malicious file attached to a targeted email |
| T1566.002 | Spearphishing Link | Malicious URL in a targeted email |
| T1566.003 | Spearphishing via Service | Phishing through LinkedIn, Slack, Teams, etc. |
| T1566.004 | Spearphishing Voice | Vishing — social engineering over phone calls |
This three-level hierarchy — Tactic → Technique → Sub-technique — gives you the precision to describe any adversary behavior. When you write "T1566.001" in an escalation note, every analyst in the world knows you mean a targeted phishing email with a malicious attachment.
Reading an ATT&CK Technique Page
Every technique in ATT&CK has a detailed page on attack.mitre.org that provides critical context. Learning to read these pages is an essential analyst skill.
Key Sections of a Technique Page
Let's walk through T1059.001 — Command and Scripting Interpreter: PowerShell as an example:
1. Description: A plain-language explanation of what the technique is and how adversaries use it. For PowerShell, this explains that attackers abuse the legitimate scripting engine to execute commands, download payloads, and interact with system APIs.
2. Sub-techniques: Lists all variants. T1059 (Command and Scripting Interpreter) has sub-techniques for PowerShell (.001), AppleScript (.002), Windows Command Shell (.003), Unix Shell (.004), Python (.005), JavaScript (.007), and more.
3. Procedure Examples: Real-world cases where threat groups used this technique. For T1059.001, you'll see entries like:
- APT29 used PowerShell to download and execute Cobalt Strike payloads
- FIN7 executed PowerShell scripts to steal payment card data
- Lazarus Group used encoded PowerShell commands to establish C2
4. Mitigations: Recommended defenses. For PowerShell: enable Script Block Logging, use Constrained Language Mode, restrict PowerShell execution policies, deploy application whitelisting.
5. Detection: Specific data sources and methods to detect this technique. For PowerShell:
- Monitor Process Creation events where powershell.exe or pwsh.exe spawns
- Enable and collect Script Block Logging (Event ID 4104)
- Watch for encoded commands (-EncodedCommand or -enc parameter)
- Correlate with parent process — PowerShell spawned by Word is suspicious
Common Mistake: New analysts often memorize technique IDs without reading the full pages. The real value is in the Procedure Examples (tells you which threat groups use this technique and how) and Detection sections (tells you exactly what to look for in your logs). When you encounter a new technique during an investigation, always pull up the ATT&CK page — it's your cheat sheet for what to investigate next.
How SOC Analysts Use ATT&CK Daily
ATT&CK isn't an academic exercise — it's a practical tool you'll use every shift. Here's how it fits into daily SOC operations:
1. Alert Triage: Identifying the Technique
When an alert fires, one of the first things you do is identify the ATT&CK technique. Many SIEMs already map alerts to techniques:
ALERT: Suspicious PowerShell Activity
Rule: Wazuh Rule 92000 — PowerShell with encoded command detected
ATT&CK: T1059.001 (Execution — PowerShell)
Severity: High
Source: WORKSTATION-PC42
User: john.smith
Process: powershell.exe -enc SQBFAFgAIAAoAE4AZQB3AC0ATw...
Parent Process: WINWORD.EXE
The ATT&CK mapping immediately tells you:
- Tactic = Execution — the attacker is trying to run malicious code
- Technique = T1059.001 — specifically using PowerShell
- Parent process = WINWORD.EXE — Word spawning PowerShell is a classic indicator of a malicious macro (ties back to T1566.001 Spearphishing Attachment for Initial Access)
Without ATT&CK, this is just "a PowerShell alert." With ATT&CK, you instantly have context, know what to investigate next, and can predict what the attacker will do after (likely T1105 — Ingress Tool Transfer to download additional tools).
2. Escalation: Speaking ATT&CK
When you escalate to L2, ATT&CK gives you a precise vocabulary:
Without ATT&CK:
"Hey, there's a weird PowerShell alert on PC42. Word opened and then PowerShell did something encoded. Looks suspicious."
With ATT&CK:
"PC42 triggered T1059.001 (PowerShell execution) with an encoded command, spawned by WINWORD.EXE, suggesting initial access via T1566.001 (Spearphishing Attachment). User john.smith in finance. Recommend investigating for T1105 (Ingress Tool Transfer) and T1547 (Boot/Logon Autostart Execution) for persistence. Escalating as likely true positive — early-stage compromise."
The second version tells L2 exactly what happened, what techniques were involved, and what to look for next. This is the difference between a junior analyst and a professional.
3. Detection Coverage Assessment
ATT&CK lets you measure your SOC's detection coverage against the full matrix. Using the ATT&CK Navigator (which is part of CyberBlueSOC), you can create a heatmap:
- Green cells — techniques you have detection rules for
- Yellow cells — partial coverage (some sub-techniques detected)
- Red/empty cells — no detection capability
This visual gap analysis shows leadership exactly where the organization is blind. It's also how L3 detection engineers prioritize which new Sigma/YARA rules to write.
4. Threat Intelligence Enrichment
When you receive a threat intelligence report about a new threat group targeting your industry, ATT&CK provides a common mapping:
APT28 (Fancy Bear) — associated techniques: T1566.001, T1059.001, T1053.005, T1078, T1070.004, T1071.001, T1027, T1083
You can immediately overlay this on your Navigator heatmap to answer: "Do we detect APT28's known techniques?" If you find gaps, you know exactly which detection rules to build before they target you.
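The coverage heatmap from the previous section and the threat intel overlay described here, as an added Python example (not code from the course or from the ATT&CK Navigator project): it scores each technique in the APT28 list above against a constructed set of rule-to-technique tags, lists the red gaps, and writes a Navigator-style layer. The rule names, colours and the layer header fields are constructed assumptions.

```python
"""Coverage gap analysis: score a threat group's known techniques against the SOC's
detection rules and emit an ATT&CK Navigator layer of the result. Added example: the
rule tags below are constructed, and the layer header fields are assumptions."""
import json
# Constructed sample: detection rules and the ATT&CK IDs they are tagged with.
DETECTION_RULES = {
    "wazuh-92000-powershell-encoded": ["T1059.001"],
    "sigma-schtasks-create": ["T1053.005"],
    "sigma-office-spawns-shell": ["T1566.001", "T1059.001"],
    "sigma-clear-windows-eventlog": ["T1070.001"],  # sibling of T1070.004, not .004 itself
    "sigma-rdp-lateral-movement": ["T1021.001"],
}
# Techniques attributed to the group in the threat intel excerpt above.
APT28_TECHNIQUES = ["T1566.001", "T1059.001", "T1053.005", "T1078",
                    "T1070.004", "T1071.001", "T1027", "T1083"]
COLOURS = {"green": "#2ecc71", "yellow": "#f1c40f", "red": "#e74c3c"}

def parent_id(tid):
    """T1070.004 -> T1070; a parent technique maps to itself."""
    return tid.split(".")[0]

def tagged_ids(rules):
    """Every technique ID that at least one rule is tagged with."""
    return {tid for tids in rules.values() for tid in tids}

def coverage(tid, rules):
    """green: a rule is tagged with this exact ID; yellow: only the parent, a
    sibling sub-technique or a child is tagged; red: nothing in the family."""
    tagged = tagged_ids(rules)
    if tid in tagged:
        return "green"
    if any(parent_id(t) == parent_id(tid) for t in tagged):
        return "yellow"
    return "red"

def gap_report(group, rules):
    """Coverage level for each of the group's techniques, in report order."""
    return {tid: coverage(tid, rules) for tid in group}

def gaps(group, rules):
    """Techniques with no detection at all: the rules to write first."""
    return [tid for tid, level in gap_report(group, rules).items() if level == "red"]

def navigator_layer(name, group, rules):
    """Navigator layer dict: one coloured cell per technique, rule names in the comment."""
    return {
        "name": name,
        "domain": "enterprise-attack",
        "versions": {"layer": "4.5"},  # assumption: match your Navigator's layer version
        "techniques": [
            {"techniqueID": tid, "color": COLOURS[level],
             "comment": f"{level}; rules: " + ", ".join(r for r, t in rules.items() if tid in t)}
            for tid, level in gap_report(group, rules).items()
        ],
    }

if __name__ == "__main__":
    layer = navigator_layer("APT28 vs our detections", APT28_TECHNIQUES, DETECTION_RULES)
    print(json.dumps(layer, indent=2))
```

Save the printed JSON to a file and open it in the Navigator to see the overlay; the red entries from gaps() are the techniques to write rules for first.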
5. Incident Reporting
Every incident report should include ATT&CK mappings. This standardizes reporting across the organization and makes trends visible:
INCIDENT REPORT — INC-2026-0142
Date: 2026-02-15
Severity: High
ATT&CK Techniques Observed:
- T1566.001 — Spearphishing Attachment (Initial Access)
- T1059.001 — PowerShell (Execution)
- T1105 — Ingress Tool Transfer (Command and Control)
- T1053.005 — Scheduled Task (Persistence)
- T1003.001 — LSASS Memory Dump (Credential Access)
- T1021.001 — Remote Desktop Protocol (Lateral Movement)
Kill Chain Stage Reached: Lateral Movement (Stage 6 of 7)
Dwell Time: 4.5 hours (detected at C2 stage)
Outcome: Contained before exfiltration
Integration with CyberBlueSOC: In your lab environment, Wazuh maps its alerts to ATT&CK technique IDs automatically. TheHive lets you tag cases with ATT&CK techniques. MISP links threat intelligence indicators to techniques. The ATT&CK Navigator lets you build and share coverage heatmaps. Every tool in the platform speaks ATT&CK — and after this lesson, so will you.
ATT&CK Beyond Enterprise
While this course focuses on the Enterprise matrix (Windows, Linux, macOS, Cloud, Network, Containers), MITRE maintains additional matrices:
| Matrix | What It Covers | When SOC Analysts Use It |
|---|---|---|
| Enterprise | Corporate IT — endpoints, servers, cloud, network | 95% of daily SOC work |
| Mobile | iOS and Android device attacks | Mobile device management (MDM) alerts |
| ICS | Industrial Control Systems (SCADA, PLCs) | Critical infrastructure / OT security |
Each matrix has its own tactics and techniques tailored to the environment. For this course, we focus exclusively on Enterprise, but the concepts transfer directly.
Common ATT&CK Techniques Every Analyst Must Know
You don't need to memorize all 200+ techniques on day one. But these are the ones you'll see every week in a SOC:
Initial Access
| ID | Name | Why It's Common |
|---|---|---|
| T1566.001 | Spearphishing Attachment | #1 delivery method for targeted attacks |
| T1566.002 | Spearphishing Link | Credential harvesting via fake login pages |
| T1078 | Valid Accounts | Stolen credentials bypass most controls |
| T1190 | Exploit Public-Facing Application | Unpatched VPNs, web apps, and mail servers |
Execution
| ID | Name | Why It's Common |
|---|---|---|
| T1059.001 | PowerShell | The Swiss Army knife of post-exploitation on Windows |
| T1059.003 | Windows Command Shell | cmd.exe — basic but ubiquitous |
| T1204.002 | User Execution: Malicious File | User opens the weaponized document/EXE |
Persistence
| ID | Name | Why It's Common |
|---|---|---|
| T1053.005 | Scheduled Task | Easy to create, hard to spot among legitimate tasks |
| T1547.001 | Registry Run Keys | Classic autostart persistence on Windows |
| T1505.003 | Web Shell | Persistent backdoor on compromised web servers |
Credential Access
| ID | Name | Why It's Common |
|---|---|---|
| T1003.001 | LSASS Memory | Dumping credentials from memory (Mimikatz) |
| T1110 | Brute Force | Automated password guessing — constant noise |
| T1558.003 | Kerberoasting | Extracting service account hashes from Active Directory |
Lateral Movement
| ID | Name | Why It's Common |
|---|---|---|
| T1021.001 | Remote Desktop Protocol | RDP is everywhere; workstation-to-workstation = red flag |
| T1021.002 | SMB/Windows Admin Shares | PsExec and similar tools use admin shares |
| T1550.002 | Pass the Hash | Reusing stolen NTLM hashes without cracking them |
Critical Pattern: The most dangerous attack chain in enterprise environments goes: T1566.001 → T1059.001 → T1053.005 → T1003.001 → T1021.001 → Exfiltration. That's: phishing email delivers a macro → PowerShell executes → scheduled task for persistence → Mimikatz dumps credentials → RDP lateral movement → data stolen. Learn to recognize these techniques individually and you'll recognize the chain when it happens. You'll build detection rules for each of these in Modules 7 and 8.
Hands-On: Mapping an Alert to ATT&CK
Let's practice the core skill. Here's a real alert — map it to ATT&CK:
ALERT: New Scheduled Task Created
Time: 2026-02-15 03:42:17 UTC
Host: SRV-WEB-01
User: NT AUTHORITY\SYSTEM
Event: schtasks.exe /create /tn "WindowsUpdate" /tr "powershell.exe -w hidden -enc <base64>" /sc daily /st 03:30
Parent Process: w3wp.exe (IIS Worker Process)
Step 1: Identify the primary technique
A scheduled task is being created → T1053.005 — Scheduled Task/Job: Scheduled Task (Tactic: Persistence)
Step 2: Identify supporting techniques
The task runs PowerShell with a hidden window and encoded command → T1059.001 — PowerShell (Tactic: Execution)
The -w hidden flag hides the window → T1564.003 — Hidden Window (Tactic: Defense Evasion)
Step 3: Identify the parent process context
Created by w3wp.exe (IIS web server) → This suggests T1505.003 — Web Shell (Tactic: Persistence) or T1190 — Exploit Public-Facing Application (Tactic: Initial Access)
Step 4: Build the attack narrative
The web server was likely compromised (Initial Access via T1190 or web shell T1505.003). The attacker used the web server's SYSTEM privileges to create a scheduled task (Persistence via T1053.005) that runs encoded PowerShell daily (Execution via T1059.001) with a hidden window (Defense Evasion via T1564.003).
Step 5: Predict what comes next
After establishing persistence, expect: T1003 (Credential Access) to dump credentials, T1007 (Discovery) to enumerate the environment, and T1021 (Lateral Movement) to reach other systems.
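The five-step mapping above and the triage-to-escalation flow from the "How SOC Analysts Use ATT&CK Daily" section, as an added Python example (not part of the course materials or of Wazuh): it parses alert text in the layout shown, applies a small constructed set of indicator-to-technique rules for the techniques on this page, and drafts the L2 escalation note. The rules, the TECHNIQUES table and the two sample alerts are constructed from this page's content.

```python
"""Map alert text to ATT&CK technique IDs during triage and draft the L2 escalation
note. Added example: the indicator rules are a constructed set for this page's techniques."""
import re

TECHNIQUES = {  # id -> (name, tactic), from the tables on this page
    "T1053.005": ("Scheduled Task", "Persistence"), "T1059.001": ("PowerShell", "Execution"),
    "T1564.003": ("Hidden Window", "Defense Evasion"), "T1505.003": ("Web Shell", "Persistence"),
    "T1566.001": ("Spearphishing Attachment", "Initial Access"),
}
# Patterns over the command line: the technique was directly observed.
COMMAND_RULES = [
    (r"schtasks(\.exe)?\s+/create", "T1053.005"),
    (r"\b(powershell|pwsh)(\.exe)?\b", "T1059.001"),
    (r"\s-w(indowstyle)?\s+hidden\b", "T1564.003"),
]
# Patterns over the parent process: the technique is inferred for the earlier stage.
PARENT_RULES = [
    (r"^(winword|excel|powerpnt)\.exe", "T1566.001"),  # Office spawning a shell
    (r"^w3wp\.exe", "T1505.003"),                      # IIS worker spawning a shell
]
ENCODED = re.compile(r"\s-(enc|encodedcommand)\b", re.I)

def parse_alert(text):
    """Turn 'Key: value' alert lines into a dict with lower-cased keys."""
    fields = {}
    for line in text.strip().splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            fields[key.strip().lower()] = value.strip()
    return fields

def map_alert(text):
    """Return [(technique_id, evidence)], command-line hits first, then parent hits."""
    f = parse_alert(text)
    cmd = f.get("process") or f.get("event") or ""
    parent = f.get("parent process", "")
    hits = [(tid, "observed") for pat, tid in COMMAND_RULES if re.search(pat, cmd, re.I)]
    hits += [(tid, "inferred from parent " + parent.split()[0])
             for pat, tid in PARENT_RULES if re.search(pat, parent, re.I)]
    return hits

def escalation_note(text):
    """One-paragraph L1 -> L2 note in the 'With ATT&CK' style shown above."""
    f = parse_alert(text)
    host = f.get("host") or f.get("source") or "unknown host"
    cmd = f.get("process") or f.get("event") or ""
    mapped = "; ".join(f"{tid} ({TECHNIQUES[tid][0]}, {TECHNIQUES[tid][1]}, {how})"
                       for tid, how in map_alert(text))
    enc = " with an encoded command" if ENCODED.search(cmd) else ""
    return f"{host}: {mapped}{enc}. Recommend checking for T1105 (Ingress Tool Transfer) next."

# Constructed sample alerts, in the same layout as the two alerts on this page.
WAZUH_ALERT = """ALERT: Suspicious PowerShell Activity
Source: WORKSTATION-PC42
Process: powershell.exe -enc SQBFAFgAIAAoAE4AZQB3AC0ATw...
Parent Process: WINWORD.EXE"""
SCHTASK_ALERT = """ALERT: New Scheduled Task Created
Host: SRV-WEB-01
Event: schtasks.exe /create /tn "WindowsUpdate" /tr "powershell.exe -w hidden -enc <base64>" /sc daily /st 03:30
Parent Process: w3wp.exe (IIS Worker Process)"""
```

Call escalation_note(WAZUH_ALERT) or escalation_note(SCHTASK_ALERT) to see the drafted note; parent-process hits are labelled "inferred" because, as in Step 3 above, they point at an earlier stage you have not yet confirmed.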
Practice This: Every time you triage an alert — even routine ones — take 30 seconds to identify the ATT&CK technique. Within a month, you'll recognize common techniques instantly and your triage speed will double. This is the single fastest way to level up from a checkbox L1 to a dangerous analyst.
Key Takeaways
- MITRE ATT&CK is the universal framework for describing adversary behavior — 14 tactics, 200+ techniques, 400+ sub-techniques
- Tactics are the attacker's goals (the "why"); Techniques are the specific methods (the "how"); Sub-techniques are precise variants
- Every technique has a unique ID (e.g., T1059.001) that is understood globally across all SOCs
- Technique pages include Procedure Examples (real threat group usage) and Detection guidance (what to look for in logs)
- SOC analysts use ATT&CK for: alert triage, precise escalation, detection coverage assessment, threat intel mapping, and incident reporting
- The most critical techniques to know immediately: T1566 (Phishing), T1059 (Scripting), T1053 (Scheduled Tasks), T1003 (Credential Dumping), T1021 (Lateral Movement)
- CyberBlueSOC tools all speak ATT&CK: Wazuh maps alerts, TheHive tags cases, MISP links indicators, Navigator visualizes coverage
What's Next
You now have the three foundational frameworks that every SOC analyst needs: the Kill Chain (attack sequence), the Diamond Model (attack components), and MITRE ATT&CK (attack specifics). In the next lesson — Your Weapon System: CyberBlueSOC — you'll get a hands-on walkthrough of every tool in the platform and see how they integrate to give you visibility across the entire ATT&CK matrix. That lesson sets you up for Module 2, where you dive deep into the SIEM.
Knowledge Check: MITRE ATT&CK for Defenders
10 questions · 70% to pass
In Lab 1.2, you mapped APT29 techniques to the ATT&CK Navigator. When you examined T1003.001 (LSASS Memory Dump) under Credential Access, what does this technique allow the attacker to accomplish?
In the ATT&CK framework, what is the relationship between Tactics and Techniques?
A Wazuh alert shows PowerShell executing an encoded command, spawned by WINWORD.EXE. Which TWO ATT&CK techniques are most relevant?
In Lab 1.2's APT29 scenario, the attackers progressed from spearphishing through execution, persistence, and credential access before stealing data. Which ATT&CK tactic specifically describes the adversary's goal of transferring stolen data out of the network?
How does ATT&CK improve escalation communication between L1 and L2 analysts?
What is the ATT&CK Navigator primarily used for in SOC operations?
An alert shows a new scheduled task created by w3wp.exe (IIS) at 3:42 AM that runs hidden PowerShell with an encoded command. Which tactic does the scheduled task creation primarily represent?
During Lab 1.2, you created a coverage heatmap in the ATT&CK Navigator for APT29 techniques. A technique cell colored green indicates what?
You receive a threat intelligence report that APT28 uses techniques T1566.001, T1059.001, and T1003.001. How should you use this information?
Which of these is the most dangerous attack chain in enterprise environments?