MITRE ATT&CK Map
Free reference guide: MITRE ATT&CK Map
About MITRE ATT&CK Map
The MITRE ATT&CK Technique Reference Map is a free, searchable database of adversary tactics and techniques from the MITRE ATT&CK framework. It covers 6 key tactic categories — Initial Access (T1566 Phishing, T1190 Exploit Public-Facing App, T1133 External Remote Services, T1195 Supply Chain Compromise), Execution (T1059 Command and Scripting, T1204 User Execution, T1053 Scheduled Tasks, T1047 WMI), Persistence, Privilege Escalation, Defense Evasion, and Collection — with technique IDs, sub-technique breakdowns, real-world attack examples, and detection strategies.
Each technique entry includes the official ATT&CK technique ID (e.g., T1566.001 for spearphishing attachments), a description of the attack method, sub-technique variants, concrete attack commands and examples (PowerShell, cmd, Linux shell), and recommended detection methods (Sysmon, AMSI, WAF, IDS/IPS). The reference covers notable real-world incidents like SolarWinds (T1195), Log4Shell (T1190), and ProxyShell.
Built for SOC analysts, penetration testers, threat intelligence researchers, and security architects who need quick access to ATT&CK technique details during incident response, red team operations, or security assessment planning. The bilingual Korean-English format supports international security teams.
Key Features
- Complete ATT&CK technique catalog across 6 tactic phases: Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Collection
- Sub-technique breakdowns (e.g., T1566.001 Spearphishing Attachment, T1566.002 Spearphishing Link, T1566.003 Spearphishing via Service)
- Real-world attack examples with actual commands: PowerShell scripts, schtasks, wmic, registry manipulation, WMI event logging
- Detection and mitigation strategies for each technique: Sysmon EventIDs, AMSI, script block logging, WAF rules, MFA requirements
- Notable incident cross-references: SolarWinds supply chain (T1195), Log4Shell (T1190), ProxyShell Exchange exploit, PwnKit and DirtyPipe kernel exploits
- Searchable by technique ID number (T1566) or keyword (phishing, injection, persistence)
- Category-based filtering across all 6 MITRE ATT&CK tactic phases
- Bilingual Korean and English support for international security operations teams
Frequently Asked Questions
What MITRE ATT&CK tactics are covered in this reference?
The reference covers 6 major tactic categories: Initial Access (phishing, exploiting public apps, remote services, supply chain), Execution (command scripting, user execution, scheduled tasks, WMI), Persistence (boot autostart, system services, account manipulation, account creation), Privilege Escalation (kernel exploits, UAC bypass, token manipulation), Defense Evasion (obfuscation, process injection, defense impairment, indicator removal), and Collection (local data, input capture, screen capture, automated collection, data staging).
How do I use this for incident response?
During incident response, search by the observed technique or indicator. For example, if you discover a scheduled task running a suspicious binary, look up T1053 (Scheduled Task/Job) to understand the sub-techniques (T1053.003 Cron, T1053.005 Windows Scheduled Task), review detection methods (task monitoring), and check related persistence or execution techniques the attacker may have also used. Each entry provides specific commands and artifacts to look for during forensic analysis.
What is the difference between T1566.001 and T1566.002?
T1566.001 is Spearphishing Attachment — the attacker sends a malicious document (e.g., .docm, .xlsm macro files) as an email attachment. T1566.002 is Spearphishing Link — the attacker includes a malicious URL in the email body that redirects to a credential harvesting page or malware download. T1566.003 covers phishing via messaging services like Slack or Teams. Each requires different detection approaches: sandbox analysis for attachments vs URL filtering for links.
How can I detect process injection (T1055)?
Process injection techniques include DLL Injection (T1055.001), Thread Execution Hijacking (T1055.003), Asynchronous Procedure Call (T1055.004), and Process Hollowing (T1055.012). Primary detection relies on Sysmon EventID 8 (CreateRemoteThread) and EventID 10 (ProcessAccess). Monitor for unexpected cross-process memory access, CreateRemoteThread API calls, and processes with mismatched image paths versus in-memory code. EDR solutions with memory scanning capabilities provide the strongest detection coverage.
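To make the Sysmon-based detection above concrete, here is a small triage routine (an added example, not code from the reference) that scores constructed Event ID 8 and Event ID 10 records; the allowlist and the list of suspicious source images are assumptions to be tuned per environment.

```python
"""Flag process-injection candidates in Sysmon Event ID 8 / 10 records.
Added example, not part of the reference page; event records below are constructed."""

# Windows process access rights an injector normally needs (documented Win32 constants)
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
INJECT_MASK = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE

# Sources that legitimately touch other processes; tune per environment (assumption)
ALLOWLIST = {r"c:\windows\system32\csrss.exe", r"c:\windows\system32\lsass.exe"}
# Scripting hosts and office apps rarely need cross-process access (assumption)
SUSPICIOUS_SOURCES = ("powershell.exe", "wscript.exe", "cscript.exe", "winword.exe", "excel.exe")


def is_injection_candidate(ev):
    src = ev["SourceImage"].lower()
    tgt = ev["TargetImage"].lower()
    if src in ALLOWLIST or src == tgt:
        return False
    if ev["EventID"] == 8:                 # CreateRemoteThread into another process
        return True
    if ev["EventID"] == 10:                # ProcessAccess: inspect the granted rights
        granted = int(ev["GrantedAccess"], 16)
        return (granted & INJECT_MASK) == INJECT_MASK
    return False


def triage(events):
    """Return (EventID, source, target, severity) for every candidate event."""
    hits = []
    for ev in events:
        if is_injection_candidate(ev):
            sev = "high" if ev["SourceImage"].lower().endswith(SUSPICIOUS_SOURCES) else "medium"
            hits.append((ev["EventID"], ev["SourceImage"], ev["TargetImage"], sev))
    return hits


SAMPLE_EVENTS = [  # constructed records, not real telemetry
    {"EventID": 8, "SourceImage": r"C:\Users\a\Downloads\update.exe", "TargetImage": r"C:\Windows\explorer.exe"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\explorer.exe", "GrantedAccess": "0x1FFFFF"},   # allowlisted
    {"EventID": 10, "SourceImage": r"C:\Program Files\app\app.exe",
     "TargetImage": r"C:\Windows\System32\svchost.exe", "GrantedAccess": "0x1000"},  # query-only rights
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit)
```

Event ID 10 fires for a great deal of benign activity, so filtering on the granted-access mask and an allowlist is what keeps the rule usable.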
What are the most critical initial access techniques to defend against?
The four initial access techniques covered are T1566 Phishing (most common vector), T1190 Exploit Public-Facing Application (Log4Shell, ProxyShell), T1133 External Remote Services (VPN/RDP compromise), and T1195 Supply Chain Compromise (SolarWinds, 3CX). Prioritize email filtering and sandboxing for T1566, WAF and patch management for T1190, MFA enforcement for T1133, and software integrity verification for T1195. Phishing and public application exploits account for the majority of real-world intrusions.
How do attackers maintain persistence after initial compromise?
The reference covers four persistence techniques: T1547 Boot/Logon Autostart (registry Run keys, Winlogon helper, shortcut modification), T1543 Create/Modify System Process (systemd services on Linux, Windows services via sc create), T1098 Account Manipulation (adding users to admin groups, SSH key injection), and T1136 Create Account (local accounts via net user, domain accounts via New-ADUser, cloud accounts). Detection relies on Autoruns monitoring, service change audit logs, account creation events (Event ID 4720), and SSH authorized_keys file monitoring.
What defense evasion techniques should blue teams watch for?
Key defense evasion techniques include T1027 Obfuscated Files (binary padding, UPX packing, encoded payloads), T1055 Process Injection (DLL injection, process hollowing), T1562 Impair Defenses (disabling antivirus via Set-MpPreference, stopping audit logs, disabling firewalls), and T1070 Indicator Removal (clearing Windows event logs with wevtutil, deleting command history with history -c). Use entropy analysis for packed files, Sysmon for injection detection, tamper protection for security tools, and centralized log collection to prevent log destruction.
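The entropy analysis mentioned for T1027 can be implemented in a few lines; the following is an added example (not from the reference) that scores a buffer both overall and per window so a small packed stub inside an otherwise plain file still stands out. The 7.2 bits/byte threshold and the sample buffers are assumptions.

```python
"""Shannon-entropy check for packed or encoded payloads (T1027).
Added example, not from the reference page; sample buffers are constructed."""
import math
from collections import Counter

PACKED_THRESHOLD = 7.2  # bits/byte; typical code sits well below, packed/encrypted data near 8 (assumption)


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte, 0.0 for an empty buffer."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def windowed_max_entropy(data: bytes, window: int = 256) -> float:
    """Highest entropy over fixed-size windows; catches a blob hidden in a mostly-plain file."""
    return max((shannon_entropy(data[i:i + window]) for i in range(0, len(data), window)), default=0.0)


def classify(data: bytes):
    """Return (overall_entropy, peak_window_entropy, verdict)."""
    overall = shannon_entropy(data)
    peak = windowed_max_entropy(data)
    verdict = "likely packed/encrypted" if peak >= PACKED_THRESHOLD else "plain"
    return round(overall, 2), round(peak, 2), verdict


# constructed samples
PLAIN = b"The quick brown fox jumps over the lazy dog. " * 40
RANDOM_LIKE = bytes(range(256)) * 8           # every byte value equally frequent: exactly 8.0 bits
MIXED = PLAIN + RANDOM_LIKE[:512] + PLAIN     # plain text with an embedded high-entropy blob

if __name__ == "__main__":
    for name, buf in (("plain", PLAIN), ("random-like", RANDOM_LIKE), ("mixed", MIXED)):
        print(name, classify(buf))
```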
Can I use this reference for red team or penetration testing?
Yes, the reference provides concrete attack commands and techniques useful for red team planning. Each technique includes real command examples (PowerShell, cmd, bash) and sub-technique variants. For penetration testing, use the technique IDs to map your test coverage against the ATT&CK matrix, ensure you are testing detection capabilities for each tactic phase, and document findings using standardized ATT&CK technique IDs for clear communication with blue team and stakeholders.