Analyse Mitre ATT&CK tactics, techniques and sub-techniques. Use when performing analysis of threat detections, threat models, security risks or cyber threat intelligence
Content & Writing
211 Stars
14 Forks
Updated Jan 18, 2026, 06:27 AM
Why Use This
This skill provides specialized capabilities for tsale's codebase.
Use Cases
Developing new features in the tsale repository
Refactoring existing code to follow tsale standards
Understanding and working with tsale's codebase structure
---
name: analysing-attack
description: Analyse Mitre ATT&CK tactics, techniques and sub-techniques. Use when performing analysis of threat detections, threat models, security risks or cyber threat intelligence
---
# Analysing ATT&CK Tactics and Techniques
## Overview
This document provides best practices and resources for use when mapping ATT&CK tactics and techniques to threat detections, threat models, security risks or cyber threat intelligence.
Contains information on v18.1 (latest) version of Mitre ATT&CK
## Available Resources
Resources folder contains LLM optimised and token-efficient content. Read whole file for broad context or grep or glob for specfic keywords or IDs. Use index files for quick reference keyword searches.
Tactics are abreviated: REC=Reconnaissance, RD=Resource Development, IA=Initial Access, EX=Execution, PE=Persistence, PRV=Privilege Escalation, DE=Defense Evasion, CA=Credential Access, DIS=Discovery, LM=Lateral Movement, COL=Collection, C2=Command and Control, EXF=Exfiltration, IMP=Impact
### Searching Examples
**By keyword (recommended for discovery)**:
```grep -i "cron\|bash\|/proc/\|cryptocurrency" resources/attack_keywords.idx```
**By technique ID (for validation)**:
```grep "T1053" resources/attack_techniques.md```
**By tactic abbreviation (find all persistance techniques)**:
```grep "PE" resources/attack_techniques.md```
### Resource Files
**ATT&CK Technique Keyword Index**: Index file for quick keyword searching to identify suitable ATT&CK IDs for further research. Sorted alphabetically and fomatted as keyword:technique_ids (comma seperated when multiple). See -> [resources/attack_keywords.idx](resources/attack_keywords.idx)
**ATT&CK Technique List**: Markdown table containing ATT&CK ID, name, keywords, description and platforms. Sorted by ID. Use when researching techniques, valdiating IDs, searching for up-to-date descriptions or filtering by platform. See -> [resources/attack_techniques.md](resources/attack_techniques.md)
**ATT&CK Version Changelog**: Reference for v15->v18.1 changes including deprecated techniques, renamed platforms, and the v18 detection model overhaul. Use when analysing older reports or understanding structural changes. See -> [resources/attack_version_changelog.md](resources/attack_version_changelog.md)
## Best Practice
Use your judgment alongside these guidelines to generate high-quality ATT&CK analysis.
- Do not assume your knowledge is 100% complete or up to date. Use the resources provided
- Carefully read any supplied information, perform deep analysis line by line if needed
- Search broadly for keywords, you may need to iterate multiple times to find every correct technique
- Think about the specific procedure being performed and consider the attacker (or defender) intent before determining appropriate tactic, technique or sub-technique
- Some techniques are part of multiple tactics (for ex. T1078 Valid Accounts) and may appear different for each tactic
- Other techniques are similar but distinct depending on tactic (for ex. T1213.003 and T1593.003 are both Code Respositories)
- Map to the most specific sub-technique when possible
### When Analysing CTI Reports
- IMPORTANT: Read the whole report fully, including tables of IOCs, appendixes or linked STIX files
- Screenshots contain valuable intelligence, ensure they are processed
- Break down the report into granular procedures when mapping to techniques
- Think about attacker objectives. What did they take that action? What did they hope to achieve?
- Avoid infering techniques that are not contained in the report
- Once initial analysis is complete, perform a second analysis to valdiate your findings and idenitify any missed techniques
### When Analysing Detections
- Detection logic may detect multiple techniques, map all that are applicable
- Analyse detection log sources and fields, these can help determine distinct tactics or techniques
- Consider the intent (hypothesis) of the detection, what was the engineers objective?
## Commonly Missed Techniques
### Command-Line Indicators
`-windowstyle hidden`|`-w hidden` -> T1564.003 Hidden Window
`-encodedcommand`|`-enc`|`base64` -> T1027.010 Command Obfuscation
`-noprofile`|`-ep bypass` -> T1059.001 PowerShell
### Encoding
Encoded payload delivered -> T1027.013 Encrypted/Encoded File
Decoded at runtime -> T1140 Deobfuscate/Decode
### RDP-Related
RDP connection|`.rdp` file -> T1021.001 Remote Desktop Protocol
Clipboard redirect -> T1115 Clipboard Data
Drive mapping|attached drives -> T1039 Data from Network Shared Drive
Auth redirect|intercept -> T1557 Adversary-in-the-Middle
### Infrastructure
DDNS|dynamic DNS|No-IP|FreeDNS -> T1568.002 Domain Generation + T1583.006 Web Services
Typosquat|lookalike domain -> T1583.001 Domains
Compromised server -> T1584.004 Server
### Network
SSH tunnel|port forward -> T1572 Protocol Tunneling
Downloaded|fetched payload -> T1105 Ingress Tool Transfer
Over port 80/443 -> T1071.001 Web Protocols
### Social Engineering
Masqueraded|posed as|impersonated -> T1656 Impersonation
Spoofed|mimicked|fake page -> T1036.005 Match Legitimate Name
Credential harvest|fake login -> T1598.003 Spearphishing Link (Recon)
### Technique Pairs
T1566 Spearphishing -> check T1204 User Execution
T1027 Obfuscation -> check T1140 Deobfuscation
T1053 Scheduled Task -> check T1059 Interpreter
T1021.001 RDP -> check T1115, T1039, T1557
T1059.001 PowerShell -> check T1564.003 Hidden Window
### Red Flag Phrases
"downloads and executes" -> T1105 + T1059
"persistence via task" -> T1053 + T1059
"C2 over HTTPS" -> T1071.001 + T1573.002
"compromised infrastructure" -> T1584.004
"redirects traffic" -> T1572 or T1090
"harvests credentials via fake page" -> T1598.003 (Recon tactic)