MITRE ATT&CK is a knowledge base of adversary tactics and techniques based on real-world observations.
Tools
- MITRE ATT&CK Navigator – track progress on testing
- Atomic Red Team – library of tests mapped to the MITRE ATT&CK framework
- ThreatActors-TTPs (GitHub)
- Cymulate ($$$) – Scripts/Payloads for the MITRE ATT&CK framework
- Prelude
Definitions
Tactics, techniques, and procedures (TTP).
| Component | Description | Example |
|---|---|---|
| Tactics (TA0006) – Why? | Adversary’s tactical goal: the reason for performing an action (technique). | The adversary may want to achieve credential access. |
| Techniques (T1003) – How? | How the adversary achieves a tactical goal by performing an action. | Dump credentials to achieve credential access. |
| Sub-techniques (T1003.004) | More specific or lower-level description of adversarial behavior. | Dump credentials by accessing the Local Security Authority (LSA) Secrets. |
| Procedures (S0677 …) (G0016 …) | Specific implementation of a technique or sub-technique as used by an adversary in the wild. | The adversary using PowerShell to inject into lsass.exe to dump credentials by scraping LSASS memory on a victim. |
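As an added example (not code from the page or from MITRE), the following classifies the ID families in the table above (TA tactics, T techniques, T.nnn sub-techniques, S software, G groups) and builds a small ATT&CK Navigator layer for tracking which techniques have been tested; the layer field names are assumed to match the Navigator layer JSON and the sample results are constructed.

```python
import json
import re

# Regexes for the ATT&CK identifier families shown in the table above.
_ID_PATTERNS = {
    "tactic":        re.compile(r"^TA\d{4}$"),
    "sub-technique": re.compile(r"^T\d{4}\.\d{3}$"),
    "technique":     re.compile(r"^T\d{4}$"),
    "software":      re.compile(r"^S\d{4}$"),
    "group":         re.compile(r"^G\d{4}$"),
}

def classify_attack_id(attack_id: str) -> dict:
    """Return the component type of an ATT&CK ID and, for a sub-technique,
    the parent technique it refines. Raises ValueError on unknown formats."""
    attack_id = attack_id.strip().upper()
    for kind, pattern in _ID_PATTERNS.items():
        if pattern.match(attack_id):
            parent = attack_id.split(".")[0] if kind == "sub-technique" else None
            return {"id": attack_id, "kind": kind, "parent": parent}
    raise ValueError(f"not an ATT&CK identifier: {attack_id!r}")

def build_navigator_layer(name: str, results: dict) -> dict:
    """Build a minimal Navigator layer from {technique_id: tested_bool}.
    Tactic, software and group IDs are rejected because a layer scores
    techniques and sub-techniques only. Assumption: the field names below
    (techniqueID, score, comment, domain) match the current layer schema."""
    techniques = []
    for tid, tested in results.items():
        info = classify_attack_id(tid)
        if info["kind"] not in ("technique", "sub-technique"):
            raise ValueError(f"{tid} is a {info['kind']}, not a technique")
        techniques.append({
            "techniqueID": info["id"],
            "score": 1 if tested else 0,
            "comment": "atomic test run" if tested else "not yet tested",
        })
    return {"name": name, "domain": "enterprise-attack",
            "description": "Coverage tracking layer (constructed example)",
            "techniques": techniques}

# Constructed sample: the credential-dumping IDs from the table above.
SAMPLE_RESULTS = {"T1003": True, "T1003.004": False}

if __name__ == "__main__":
    layer = build_navigator_layer("cred-access-tests", SAMPLE_RESULTS)
    print(json.dumps(layer, indent=2))
```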