Mubeen Subair
3 min readSep 12, 2022


MITRE developed ATT&CK as a model to document and track various techniques attackers use throughout the different stages of a cyberattack to infiltrate your network and exfiltrate data.

ATT&CK stands for Adversarial Tactics, Techniques, and Common Knowledge. The framework is a matrix of different cyberattack techniques sorted by different tactics. There are different matrices for Windows, Linux, Mac, and mobile systems.

Since its inception in 2013, ATT&CK has become one of the most respected and most referenced resources in cybersecurity. ATT&CK is a knowledge base of hacking techniques you can use to defend your network from cybersecurity threats. To know ATT&CK is to understand your enemy.

ATT&CK defines the following tactics used in a cyberattack:

  1. Initial Access
  2. Execution
  3. Persistence
  4. Privilege Escalation
  5. Defense Evasion
  6. Credential Access
  7. Discovery
  8. Lateral Movement
  9. Collection
  10. Exfiltration
  11. Command and Control

MITRE calls the top level category ‘tactics.’ Each column under a tactic includes a list of ‘techniques’ that aim to achieve that tactic.

To best utilize ATT&CK, the Red Team develops a strategy to link together several techniques from different columns to test the defenses of their target. The Blue Team (the pen-testing term for defenders) needs to understand the tactics and techniques in order to counter the Red Team’s strategy.

It’s a game of chess, but the pieces are ATT&CK techniques instead of knights and bishops. Each side needs to make specific moves, counter, build a defense, and anticipate the next techniques in play.

some of the techniques used by Red Team:

  1. The Red Team infects the target with malware using Replication Through Removable Media
  2. With the malware in place, the attackers have access to a computer on the network, and they use PowerShell to search for privileged accounts.
  3. When the Red Team finds a privileged account target, they will use an Exploitation for Privilege Escalation to gain access to the account
  4. With access to a privileged account, the attacker uses the Remote Desktop Protocol to access other machines on the network to find data to steal.
  5. The Red Team collects and exfiltrates data back to home base. They could use data compression to collect the sensitive files and then pass the data back home using an Exfiltration Over Alternative Protocol technique.

click on the link below to know more about MITRE For Red Teaming :

To deal with this scenario, the Blue Team needs to be able to detect file access to a removable media device or detect the malware the attacker deploys. They will need to detect the PowerShell execution and know that it’s not just an administrator doing regular work. The Blue Team also needs to detect the stolen privileged account’s access to sensitive data and exfiltration. These techniques are difficult to catch and correlate in the majority of monitoring systems.

if you would like dive deep in to some more useful information about MITRE ATT&CK, I would definitly suggest you to checkout the link