MITRE ATT&CK Quick Reference — SOC Analyst Edition
How to use this sheet
Use Ctrl+F to jump to a technique ID. Tables are sorted by operational frequency. KQL hints target Microsoft Sentinel; adapt the index= prefix for Splunk.
1. ATT&CK Enterprise Tactic Overview (14 Tactics)
| ID | Tactic | Adversary Goal | Sub-techniques | Most Observed Technique | Primary Detection Source |
|---|---|---|---|---|---|
| TA0001 | Initial Access | Gain first foothold | 9 | T1566 Phishing | Email gateway, proxy logs |
| TA0002 | Execution | Run malicious code | 14 | T1059 Command & Scripting Interpreter | Process events (4688/Sysmon 1) |
| TA0003 | Persistence | Maintain access | 19 | T1547 Boot/Logon Autostart | Registry, Sysmon 12/13 |
| TA0004 | Privilege Escalation | Gain higher rights | 13 | T1055 Process Injection | Sysmon 10, EDR memory events |
| TA0005 | Defense Evasion | Avoid detection | 43 | T1562 Impair Defenses | Security log 1102, EDR telemetry |
| TA0006 | Credential Access | Steal credentials | 17 | T1003 OS Credential Dumping | Sysmon 10 (LSASS), 4768/4769 |
| TA0007 | Discovery | Map environment | 31 | T1082 System Information Discovery | Process events, Sysmon 1 |
| TA0008 | Lateral Movement | Move to other systems | 9 | T1021 Remote Services | 4624 (Type 3), network logs |
| TA0009 | Collection | Gather target data | 17 | T1074 Data Staged | File events, Sysmon 11 |
| TA0010 | Exfiltration | Transfer data out | 9 | T1041 Exfil over C2 channel | Network/firewall, proxy logs |
| TA0011 | Command & Control | Communicate with implant | 18 | T1071 App Layer Protocol | Network, DNS logs, proxy |
| TA0040 | Impact | Disrupt/destroy | 14 | T1486 Data Encrypted for Impact | EDR, file system events |
| TA0042 | Resource Development | Build capabilities | 8 | T1588 Obtain Capabilities | Threat intel, OSINT |
| TA0043 | Reconnaissance | Gather victim info | 10 | T1595 Active Scanning | Network IDS, firewall |
2. Top 30 Most Abused Techniques
| T-ID | Technique | Tactic | Observed In | Key Detection Signal | KQL One-Liner Hint |
|---|---|---|---|---|---|
| T1059.001 | PowerShell | Execution | APT29, Cobalt Strike, many | Encoded -enc args, download cradles | SecurityEvent \| where CommandLine has "-EncodedCommand" |
| T1059.003 | Windows Cmd Shell | Execution | Almost all | cmd.exe spawned by Office/browser | DeviceProcessEvents \| where InitiatingProcessFileName =~ "WINWORD.EXE" and FileName =~ "cmd.exe" |
| T1566.001 | Spearphishing Attachment | Initial Access | APT28, FIN7, TA505 | Office macro execution, ISO mount | EmailEvents \| where AttachmentCount > 0 and ThreatTypes has "Phish" |
| T1078 | Valid Accounts | Multiple | APT29, Scattered Spider | Logon from new geo/IP, off-hours | SigninLogs \| where ResultType == 0 \| summarize by UserPrincipalName, Location |
| T1003.001 | LSASS Memory Dump | Credential Access | Mimikatz, CrackMapExec | Sysmon EID 10 (lsass target) | DeviceEvents \| where ActionType == "LsassProcessAccess" |
| T1547.001 | Registry Run Keys | Persistence | Most malware families | New value in Run/RunOnce keys | DeviceRegistryEvents \| where RegistryKey has "\\Run" |
| T1055.001 | Dynamic-link Library Injection | Priv Esc/Evasion | Cobalt Strike, Meterpreter | Sysmon EID 7 unexpected DLL load | DeviceImageLoadEvents \| where not(InitiatingProcessFolderPath has "System32") |
| T1562.001 | Disable/Modify Security Tools | Defense Evasion | Ransomware groups | AV service stop, tamper events | DeviceProcessEvents \| where FileName in~ ("sc.exe","net.exe") and ProcessCommandLine has "stop" |
| T1112 | Modify Registry | Defense Evasion | Multiple | Changes to security-related keys | DeviceRegistryEvents \| where ActionType == "RegistryValueSet" and RegistryKey has "LSA" |
| T1021.001 | Remote Desktop Protocol | Lateral Movement | Ransomware, eCrime | 4624 Type 10, 4778/4779 | SecurityEvent \| where EventID == 4624 and LogonType == 10 |
| T1021.002 | SMB/Windows Admin Shares | Lateral Movement | Cobalt Strike, Impacket | Net logon Type 3, IPC$ access | SecurityEvent \| where EventID == 5140 and ShareName in ("\\\\*\\ADMIN$","\\\\*\\C$") |
| T1053.005 | Scheduled Task | Persistence/Exec | Many APTs | EID 4698, schtasks.exe | SecurityEvent \| where EventID == 4698 |
| T1027 | Obfuscated Files/Info | Defense Evasion | Emotet, Qbot, many | High-entropy strings, base64 blobs | DeviceProcessEvents \| where ProcessCommandLine matches regex "[A-Za-z0-9+/]{50,}={0,2}" |
| T1071.001 | Web Protocols (C2) | C2 | Most implants | Beaconing pattern, JA3/JA3S | DeviceNetworkEvents \| summarize count() by RemoteIP, bin(Timestamp, 1m) \| where count_ > 20 |
| T1486 | Data Encrypted for Impact | Impact | LockBit, ALPHV, Cl0p | Mass file rename, vssadmin delete | DeviceFileEvents \| summarize count() by DeviceName, bin(Timestamp,1m) \| where count_ > 200 |
| T1490 | Inhibit System Recovery | Impact | Ransomware | vssadmin.exe delete shadows | DeviceProcessEvents \| where ProcessCommandLine has_all ("vssadmin","delete","shadows") |
| T1136 | Create Account | Persistence | Post-exploitation | EID 4720, new local/domain user | SecurityEvent \| where EventID == 4720 |
| T1087 | Account Discovery | Discovery | Almost all | net user, whoami, AdFind | DeviceProcessEvents \| where FileName in~ ("net.exe","whoami.exe","nltest.exe") |
| T1083 | File and Directory Discovery | Discovery | Post-exploitation | dir, ls, tree in rapid succession | DeviceProcessEvents \| where FileName =~ "cmd.exe" and ProcessCommandLine has "dir" |
| T1018 | Remote System Discovery | Discovery | Lateral movement prep | nmap, ping sweeps, arp -a | DeviceNetworkEvents \| summarize dcount(RemoteIP) by DeviceName, bin(Timestamp, 5m) \| where dcount_RemoteIP > 20 |
| T1046 | Network Service Scanning | Discovery | Reconnaissance phase | Port scan events | DeviceNetworkEvents \| summarize dcount(RemotePort) by DeviceName,RemoteIP \| where dcount_RemotePort > 10 |
| T1074.001 | Local Data Staging | Collection | Pre-exfil | Large archive creation, temp dirs | DeviceFileEvents \| where FileName endswith ".zip" or FileName endswith ".7z" \| where FolderPath has "Temp" |
| T1048 | Exfil over Alt Protocol | Exfiltration | APT groups | DNS TXT queries, ICMP payload | DeviceNetworkEvents \| where RemotePort in (53,123) and SentBytes > 1000 |
| T1105 | Ingress Tool Transfer | C2/Execution | All threat actors | certutil, bitsadmin, curl download | DeviceProcessEvents \| where FileName in~ ("certutil.exe","bitsadmin.exe") and ProcessCommandLine has "http" |
| T1110.003 | Password Spraying | Credential Access | APT33, Scattered Spider | Many EID 4625 across many accounts | SecurityEvent \| where EventID == 4625 \| summarize dcount(TargetUserName) by IpAddress \| where dcount_TargetUserName > 10 |
| T1558.003 | Kerberoasting | Credential Access | Post-exploitation | EID 4769, RC4 cipher requested | SecurityEvent \| where EventID == 4769 and TicketEncryptionType == "0x17" |
| T1134 | Access Token Manipulation | Privilege Escalation | Cobalt Strike | Sysmon 10, token impersonation | DeviceEvents \| where ActionType == "TokenImpersonation" |
| T1218 | System Binary Proxy Exec | Defense Evasion | Many | mshta, regsvr32, rundll32 abuse | DeviceProcessEvents \| where FileName in~ ("mshta.exe","regsvr32.exe","rundll32.exe") and InitiatingProcessFileName !~ "explorer.exe" |
| T1204.002 | Malicious File Execution | Execution | Phishing campaigns | User executes Office doc/JS/VBS | DeviceProcessEvents \| where InitiatingProcessFileName in~ ("WINWORD.EXE","EXCEL.EXE") and FileName =~ "wscript.exe" |
| T1070.001 | Clear Windows Event Logs | Defense Evasion | Ransomware, APTs | EID 1102/104, wevtutil cl | SecurityEvent \| where EventID == 1102 or EventID == 104 |
3. Technique Lookup by Data Source
| Data Source | Tactics Best Covered | Key Event IDs / Log Types | Coverage Gap |
|---|---|---|---|
| Windows Security Event Log | Initial Access, Persistence, Credential Access, Lateral Movement, Privilege Escalation | 4624/4625/4648/4672/4688/4698/4720/4768/4769/4776 | No network content, no process args (pre-Win10) |
| Sysmon (EIDs 1-29) | Execution, Defense Evasion, Persistence, Credential Access, C2 | 1(proc), 3(net), 7(DLL), 8(inject), 10(LSASS), 11(file), 12/13(reg), 22(DNS) | High volume; needs good config (SwiftOnSecurity baseline) |
| EDR Process Events | Execution, Defense Evasion, Privilege Escalation, Lateral Movement | Full CLI args, parent-child tree, memory events, DLL loads | Varies by vendor; cloud EDR has latency |
| Network / Firewall Logs | C2, Exfiltration, Lateral Movement, Reconnaissance, Initial Access | Flows, bytes, ports, IPs; JA3/JA3S, SNI | Encrypted traffic; no payload |
| DNS Logs | C2, Exfiltration (DNS tunneling), Reconnaissance | Query/response pairs, NXDOMAIN storms, high-entropy subdomains | DoH bypass; internal DNS only |
| Proxy / Web Gateway | Initial Access (web delivery), C2, Exfiltration | URL, user-agent, MIME type, response codes | SSL inspection required for HTTPS |
| Cloud Logs (CloudTrail / Azure Activity) | Initial Access, Persistence, Privilege Escalation, Defense Evasion, Exfiltration | API calls, IAM changes, storage access, unusual regions | No endpoint visibility; needs correlation |
| Email Gateway | Initial Access (phishing), Resource Development | Sender reputation, attachment hash, URL rewriting, DMARC/SPF | Attachment sandbox may miss 0-day |
| PowerShell Script Block (4103/4104) | Execution, Defense Evasion, Credential Access | Decoded PowerShell; AMSI bypass attempts | Must be enabled; can be disabled by attacker |
| Active Directory / LDAP Logs | Discovery, Credential Access, Lateral Movement | LDAP queries, AD object changes, replication requests (4662/4929) | Often not collected by default |
4. ATT&CK Groups Quick Reference — Top 15 Threat Actors
| Group | Common Aliases | Suspected Origin | Primary Sectors | Top 3 Techniques | Notable Campaigns |
|---|---|---|---|---|---|
| APT29 | Cozy Bear, Midnight Blizzard, NOBELIUM | Russia (SVR) | Government, Tech, NGO | T1566.002, T1078, T1195 | SolarWinds (2020), Microsoft email (2024) |
| APT28 | Fancy Bear, Forest Blizzard, STRONTIUM | Russia (GRU) | Government, Defense, Media | T1566.001, T1203, T1110 | DNC hack (2016), Olympic Destroyer |
| Lazarus Group | Hidden Cobra, TEMP.Hermit | North Korea (RGB) | Finance, Crypto, Defense | T1059.001, T1486, T1566 | WannaCry, Bangladesh Bank heist |
| APT41 | Winnti, Double Dragon, Barium | China (MSS) | Healthcare, Telecom, Gaming | T1190, T1055, T1078 | Citrix exploit wave (2020) |
| APT10 | MenuPass, Stone Panda, Cicada | China (MSS) | MSPs, Manufacturing | T1560, T1078, T1021.002 | Cloud Hopper operation |
| FIN7 | Carbanak, Navigator, Sangria Tempest | Criminal (Ukraine-linked) | Retail, Hospitality, Finance | T1566.001, T1204.002, T1059 | Restaurant POS campaigns |
| Scattered Spider | 0ktapus, Starfraud, UNC3944 | English-speaking youth | Tech, Telecom, Crypto | T1078, T1621, T1556 | MGM, Caesars breach (2023) |
| Cl0p | TA505, LACE TEMPEST | Criminal (Russia-linked) | Multiple | T1190, T1048, T1486 | MOVEit campaign (2023) |
| LockBit | LockBit RaaS | Criminal (Russia-linked) | Multiple | T1486, T1490, T1078 | Boeing, ION Group (2023) |
| ALPHV/BlackCat | Noberus | Criminal (Russia-linked) | Healthcare, Finance | T1486, T1078, T1562 | Change Healthcare (2024) |
| APT33 | Elfin, Refined Kitten, Peach Sandstorm | Iran (IRGC) | Energy, Aviation, Defense | T1110.003, T1566, T1059 | Password spray campaigns (2023) |
| APT34 | OilRig, Helix Kitten, Crambus | Iran (MOIS) | Government, Finance, Energy | T1078, T1071.001, T1059 | Middle East espionage ops |
| TA505 | (overlaps Cl0p) | Criminal | Finance, Retail | T1566.001, T1204.002, T1105 | Dridex, FlawedAmmyy campaigns |
| Sandworm | Voodoo Bear, Seashell Blizzard | Russia (GRU Unit 74455) | Energy, Government, ICS | T1059, T1485, T1490 | NotPetya, Ukraine grid attacks |
| Kimsuky | Thallium, Velvet Chollima | North Korea (RGB) | Think-tanks, Academic, Gov | T1566.001, T1598, T1059 | HWP-laced spearphish campaigns |
5. D3FEND Countermeasure Mapping — Top 10 ATT&CK Techniques
| ATT&CK Technique | D3FEND Countermeasure | D3FEND ID | Implementation Notes |
|---|---|---|---|
| T1059.001 PowerShell | Executable Allowlisting | D3-EAL | AppLocker/WDAC; constrained language mode |
| T1003.001 LSASS Dump | Credential Hardening | D3-CH | Enable LSA Protection (RunAsPPL); Credential Guard |
| T1566.001 Spearphish | Message Filtering | D3-MF | DMARC enforcement; sandbox detonation; user training |
| T1021.001 RDP | Remote Terminal Session Detection | D3-RTSD | MFA on RDP; restrict to jump hosts; NLA required |
| T1078 Valid Accounts | Multi-factor Authentication | D3-MFA | Conditional access; phishing-resistant FIDO2 |
| T1486 Ransomware Encryption | File Analysis | D3-FA + D3-BK | Honeypot files; immutable backups; canary tokens |
| T1055 Process Injection | Process Segment Execution Prevention | D3-PSEP | DEP/NX enforcement; EMET/Exploit Guard |
| T1547.001 Registry Run Keys | System Init Config Analysis | D3-SICA | Baseline registry monitoring; CIS hardening |
| T1190 Exploit Public App | Software Update | D3-SU | Patch SLAs; WAF virtual patching; attack surface reduction |
| T1110 Brute Force | Account Locking | D3-AL | Smart lockout; CAPTCHA; impossible travel detection |
6. MITRE Navigator Coverage Tiers
Coverage Tiers Explained
Used when visualizing ATT&CK layer files in MITRE Navigator (attack.mitre.org/workbench).
| Score | Color | Operational Meaning | Action Required |
|---|---|---|---|
| 0 | White | No detection capability | Priority gap — create detection |
| 1 | Yellow | Partial / theoretical coverage | Rule exists but not validated |
| 2 | Light Orange | Detection rule deployed | Alert fires but high FP rate |
| 3 | Orange | Tuned & validated detection | Alert fires accurately, reviewed quarterly |
| 4 | Red | Full coverage + automated response | SOAR playbook auto-contains |
Operational Guidance:
- Run a Navigator layer export monthly from your SIEM rule inventory.
- Target coverage ≥ Level 3 for all Top 30 techniques above.
- Any Tier 0 in TA0001/TA0002/TA0006 is a critical gap — escalate to detection engineering.
- Use Sub-technique scoring separately from parent technique to avoid false confidence.
- Cross-reference your coverage layer against the threat actor group layers for your sector.
Coverage ≠ Detection Quality
A rule that fires on every PowerShell process scores Level 2 but contributes noise. Prioritize precision over raw coverage count.
7. ATT&CK Versioning Notes
| ATT&CK Version | Key Changes | Release |
|---|---|---|
| v15 | Added ESXi/VMware as platform; updated cloud matrix | Oct 2024 |
| v14 | Campaigns object added; ICS matrix updates | Oct 2023 |
| v13 | Mobile updated; detections enriched | Apr 2023 |
| v12 | Identity platform added; 25 new techniques | Oct 2022 |
Version Lock Your Coverage
Pin your Navigator layer to the ATT&CK version used when building rules. Technique IDs are stable but sub-technique counts and descriptions change.
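Added example (not part of the original sheet): a Python script that turns a SIEM rule inventory into a Navigator layer file using the tier scale from section 6, keys sub-techniques separately from their parents, flags Tier 0 entries in TA0001/TA0002/TA0006 as critical gaps, and pins the ATT&CK version as recommended above. The rule inventory, the required-technique subset, the tier colours and the Navigator/layer version strings are assumptions, not values from this sheet.

```python
import json
# Navigator layer-format fields (values assumed; check them against your Navigator release).
ATTACK_VERSION = "15"        # pin to the ATT&CK version the rules were written against
NAVIGATOR_VERSION = "4.9.1"
LAYER_FORMAT = "4.5"
TIER_COLOR = {0: "#ffffff", 1: "#ffe766", 2: "#ffb366", 3: "#ff8c00", 4: "#cc0000"}
CRITICAL_TACTICS = {"initial-access", "execution", "credential-access"}  # TA0001/TA0002/TA0006

RULES = [  # constructed sample inventory: one dict per SIEM analytic rule
    {"technique": "T1059.001", "tactic": "execution", "deployed": True, "validated": True, "soar": False},
    {"technique": "T1059.001", "tactic": "execution", "deployed": True, "validated": False, "soar": False},
    {"technique": "T1566.001", "tactic": "initial-access", "deployed": False, "validated": False, "soar": False},
    {"technique": "T1003.001", "tactic": "credential-access", "deployed": True, "validated": True, "soar": True},
]
REQUIRED = [  # must-cover subset of the Top 30 above, each with the tactic to score it under
    ("T1059.001", "execution"), ("T1566.001", "initial-access"), ("T1003.001", "credential-access"),
    ("T1078", "initial-access"), ("T1021.001", "lateral-movement")]

def rule_tier(rule):
    """Map one rule's lifecycle flags onto the 0-4 tier scale from the table."""
    if not rule["deployed"]:
        return 1                 # rule exists but is not validated in production
    if rule["soar"]:
        return 4                 # automated containment playbook attached
    return 3 if rule["validated"] else 2

def score_techniques(rules, required):
    """Best tier per (technique, tactic); a sub-technique is keyed separately from its parent."""
    scores = {key: 0 for key in required}   # every required technique starts as a Tier 0 gap
    for r in rules:
        key = (r["technique"], r["tactic"])
        scores[key] = max(scores.get(key, 0), rule_tier(r))
    return scores

def critical_gaps(scores):
    """Tier 0 entries in TA0001/TA0002/TA0006: escalate to detection engineering."""
    return sorted(t for (t, tac), s in scores.items() if s == 0 and tac in CRITICAL_TACTICS)

def build_layer(name, scores):
    """Assemble a Navigator layer dict; json.dumps it and import the file into Navigator."""
    return {
        "name": name,
        "versions": {"attack": ATTACK_VERSION, "navigator": NAVIGATOR_VERSION, "layer": LAYER_FORMAT},
        "domain": "enterprise-attack",
        "techniques": [{"techniqueID": t, "tactic": tac, "score": s, "color": TIER_COLOR[s],
                        "comment": f"coverage tier {s}"} for (t, tac), s in sorted(scores.items())],
        "gradient": {"colors": ["#ffffff", "#cc0000"], "minValue": 0, "maxValue": 4},
    }

if __name__ == "__main__":
    print(json.dumps(build_layer("SOC coverage", score_techniques(RULES, REQUIRED)), indent=2))
```

Run monthly against the real rule export and diff the resulting layer against last month's to track tier drift per technique.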