analysing-attack
Analysing ATT&CK Tactics and Techniques
Overview
This document provides best practices and resources for use when mapping ATT&CK tactics and techniques to threat detections, threat models, security risks or cyber threat intelligence.
Contains information on v18.1 (latest) version of Mitre ATT&CK
Available Resources
Resources folder contains LLM optimised and token-efficient content. Read whole file for broad context or grep or glob for specfic keywords or IDs. Use index files for quick reference keyword searches.
Tactics are abreviated: REC=Reconnaissance, RD=Resource Development, IA=Initial Access, EX=Execution, PE=Persistence, PRV=Privilege Escalation, DE=Defense Evasion, CA=Credential Access, DIS=Discovery, LM=Lateral Movement, COL=Collection, C2=Command and Control, EXF=Exfiltration, IMP=Impact
Searching Examples
By keyword (recommended for discovery):
grep -i "cron\|bash\|/proc/\|cryptocurrency" resources/attack_keywords.idx
By technique ID (for validation):
grep "T1053" resources/attack_techniques.md
By tactic abbreviation (find all persistance techniques):
grep "PE" resources/attack_techniques.md
Resource Files
ATT&CK Technique Keyword Index: Index file for quick keyword searching to identify suitable ATT&CK IDs for further research. Sorted alphabetically and fomatted as keyword:technique_ids (comma seperated when multiple). See -> resources/attack_keywords.idx
ATT&CK Technique List: Markdown table containing ATT&CK ID, name, keywords, description and platforms. Sorted by ID. Use when researching techniques, valdiating IDs, searching for up-to-date descriptions or filtering by platform. See -> resources/attack_techniques.md
ATT&CK Version Changelog: Reference for v15->v18.1 changes including deprecated techniques, renamed platforms, and the v18 detection model overhaul. Use when analysing older reports or understanding structural changes. See -> resources/attack_version_changelog.md
Best Practice
Use your judgment alongside these guidelines to generate high-quality ATT&CK analysis.
- Do not assume your knowledge is 100% complete or up to date. Use the resources provided
- Carefully read any supplied information, perform deep analysis line by line if needed
- Search broadly for keywords, you may need to iterate multiple times to find every correct technique
- Think about the specific procedure being performed and consider the attacker (or defender) intent before determining appropriate tactic, technique or sub-technique
- Some techniques are part of multiple tactics (for ex. T1078 Valid Accounts) and may appear different for each tactic
- Other techniques are similar but distinct depending on tactic (for ex. T1213.003 and T1593.003 are both Code Respositories)
- Map to the most specific sub-technique when possible
When Analysing CTI Reports
- IMPORTANT: Read the whole report fully, including tables of IOCs, appendixes or linked STIX files
- Screenshots contain valuable intelligence, ensure they are processed
- Break down the report into granular procedures when mapping to techniques
- Think about attacker objectives. What did they take that action? What did they hope to achieve?
- Avoid infering techniques that are not contained in the report
- Once initial analysis is complete, perform a second analysis to valdiate your findings and idenitify any missed techniques
When Analysing Detections
- Detection logic may detect multiple techniques, map all that are applicable
- Analyse detection log sources and fields, these can help determine distinct tactics or techniques
- Consider the intent (hypothesis) of the detection, what was the engineers objective?
Commonly Missed Techniques
Command-Line Indicators
-windowstyle hidden|-w hidden -> T1564.003 Hidden Window
-encodedcommand|-enc|base64 -> T1027.010 Command Obfuscation
-noprofile|-ep bypass -> T1059.001 PowerShell
Encoding
Encoded payload delivered -> T1027.013 Encrypted/Encoded File Decoded at runtime -> T1140 Deobfuscate/Decode
RDP-Related
RDP connection|.rdp file -> T1021.001 Remote Desktop Protocol
Clipboard redirect -> T1115 Clipboard Data
Drive mapping|attached drives -> T1039 Data from Network Shared Drive
Auth redirect|intercept -> T1557 Adversary-in-the-Middle
Infrastructure
DDNS|dynamic DNS|No-IP|FreeDNS -> T1568.002 Domain Generation + T1583.006 Web Services Typosquat|lookalike domain -> T1583.001 Domains Compromised server -> T1584.004 Server
Network
SSH tunnel|port forward -> T1572 Protocol Tunneling Downloaded|fetched payload -> T1105 Ingress Tool Transfer Over port 80/443 -> T1071.001 Web Protocols
Social Engineering
Masqueraded|posed as|impersonated -> T1656 Impersonation Spoofed|mimicked|fake page -> T1036.005 Match Legitimate Name Credential harvest|fake login -> T1598.003 Spearphishing Link (Recon)
Technique Pairs
T1566 Spearphishing -> check T1204 User Execution T1027 Obfuscation -> check T1140 Deobfuscation T1053 Scheduled Task -> check T1059 Interpreter T1021.001 RDP -> check T1115, T1039, T1557 T1059.001 PowerShell -> check T1564.003 Hidden Window
Red Flag Phrases
"downloads and executes" -> T1105 + T1059 "persistence via task" -> T1053 + T1059 "C2 over HTTPS" -> T1071.001 + T1573.002 "compromised infrastructure" -> T1584.004 "redirects traffic" -> T1572 or T1090 "harvests credentials via fake page" -> T1598.003 (Recon tactic)
More from tsale/awesome-dfir-skills
malware-analysis
Professional malware analysis workflow for PE executables and suspicious files. Triggers on file uploads with requests like "analyze this malware", "analyze this sample", "what does this executable do", "check this file for malware", or any request to examine suspicious files. Performs static analysis, threat intelligence triage, behavioral inference, and produces analyst-grade reports with reasoned conclusions.
32osquery-query-helper
Help users write, validate, and troubleshoot osquery SQL queries using provided osquery table schemas as the authoritative source.
5threat-actor-profiling
Build structured threat actor profiles using the 5W1H framework and the Diamond Model. Use this skill whenever the user wants to profile a threat actor, create a TA report, analyze an APT group, build an adversary profile, assess threat actor capability, map TTPs to MITRE ATT&CK for a specific group, or produce any intelligence deliverable about a threat actor. Also trigger when the user mentions threat actor names (e.g. APT29, Lazarus, FIN7), asks about victimology, modus operandi, or wants to structure threat intelligence around an adversary. This skill applies to both internal tracking profiles and incident-driven analytical deliverables.
1