MITRE ATT&CK
Definition
A publicly available knowledge base of adversary tactics, techniques, and procedures derived from real-world intrusion observations. Maintained by the MITRE Corporation. Techniques are identified by IDs such as T1566 (Phishing) or T1003 (OS Credential Dumping). Used by defenders, threat intelligence teams, and investigators as a common taxonomy.
Related terms
- Indicator of Compromise (IoC): An observable artefact that suggests a system has been involved in a malicious event. Static analysis produces file-based IoCs: cryptographic hashes, embedded...
- Lateral movement: Attacker activity after initial compromise in which the threat actor traverses from one internal system to another, typically to escalate privileges, access...
- Tactics, Techniques, and Procedures (TTPs): A three-level description of adversary behaviour. Tactics are the high-level goals (initial access, persistence, exfiltration). Techniques are the specific methods (spear-phishing, pass-the-hash)....
- Advanced Persistent Threat (APT): A category of attacker, typically nation-state or state-sponsored, characterised by high technical capability, long dwell times, specific targets, and disciplined operational security....
- Credential dumping: Extraction of authentication credentials from operating system memory, the Windows SAM database, Active Directory, or credential stores. Tools such as Mimikatz target...
- Cyber Kill Chain: A seven-phase linear model of an intrusion developed by Lockheed Martin in 2011. The phases are: Reconnaissance, Weaponisation, Delivery, Exploitation, Installation, Command...
- Diamond Model: An analytic framework that structures a cyber intrusion event around four linked elements: adversary, capability, infrastructure, and victim. The model makes explicit...
- Dwell time: The period between an attacker gaining initial access and their detection. Reducing dwell time is a primary goal of threat hunting. The...
- Hunting hypothesis: A testable statement specifying what adversary behaviour might be present, which data source would show it, and what analytic would surface it....
- Insider threat: An incident originating from a person with legitimate access to an organisation's systems, whether through malicious intent (data theft, sabotage) or negligence...
- Living-off-the-land (LotL): An attack approach where the adversary uses tools and binaries already present on the target system, such as PowerShell, WMI, certutil, or...
- STIX: Structured Threat Information eXpression. A standardised, machine-readable language for encoding and sharing threat intelligence objects such as indicators, threat actors, campaigns, and...
Explained in these topics
- Common Attack Techniques and Tactics, Techniques and Procedures: A publicly available knowledge base of adversary tactics, techniques, and procedures derived from real-world intrusion observations. Maintained by the MITRE Co...
- Proactive Threat Hunting Methodology: A publicly maintained knowledge base of adversary tactics and techniques observed in real-world attacks. Widely used as a structuring framework for hunting hyp...
- The Cyber Attack Lifecycle: A publicly available, continuously updated knowledge base of adversary tactics, techniques, and procedures (TTPs) observed in real incidents. ATT&CK for Enterp...
- Threat Intelligence Fundamentals: A publicly maintained knowledge base of adversary tactics and techniques observed in real-world attacks, organised into a matrix. Each technique has a unique I...
- The Threat Landscape and Threat Actors: A publicly maintained knowledge base of adversary tactics and techniques observed in real-world attacks, organised into a matrix covering enterprise, mobile, a...