analysing-attack by tsale

---
name: analysing-attack
description: Analyse Mitre ATT&CK tactics, techniques and sub-techniques. Use when performing analysis of threat detections, threat models, security risks or cyber threat intelligence
---

# Analysing ATT&CK Tactics and Techniques

## Overview

This document provides best practices and resources for use when mapping ATT&CK tactics and techniques to threat detections, threat models, security risks or cyber threat intelligence.

Contains information on v18.1 (latest) version of Mitre ATT&CK

## Available Resources

Resources folder contains LLM optimised and token-efficient content. Read whole file for broad context or grep or glob for specfic keywords or IDs. Use index files for quick reference keyword searches.

Tactics are abreviated: REC=Reconnaissance, RD=Resource Development, IA=Initial Access, EX=Execution, PE=Persistence, PRV=Privilege Escalation, DE=Defense Evasion, CA=Credential Access, DIS=Discovery, LM=Lateral Movement, COL=Collection, C2=Command and Control, EXF=Exfiltration, IMP=Impact

### Searching Examples

**By keyword (recommended for discovery)**:
```grep -i "cron\|bash\|/proc/\|cryptocurrency" resources/attack_keywords.idx```

**By technique ID (for validation)**:
```grep "T1053" resources/attack_techniques.md```

**By tactic abbreviation (find all persistance techniques)**:
```grep "PE" resources/attack_techniques.md```


### Resource Files

**ATT&CK Technique Keyword Index**: Index file for quick keyword searching to identify suitable ATT&CK IDs for further research. Sorted alphabetically and fomatted as keyword:technique_ids (comma seperated when multiple). See -> [resources/attack_keywords.idx](resources/attack_keywords.idx)

**ATT&CK Technique List**: Markdown table containing ATT&CK ID, name, keywords, description and platforms. Sorted by ID. Use when researching techniques, valdiating IDs, searching for up-to-date descriptions or filtering by platform. See -> [resources/attack_techniques.md](resources/attack_techniques.md)

**ATT&CK Version Changelog**: Reference for v15->v18.1 changes including deprecated techniques, renamed platforms, and the v18 detection model overhaul. Use when analysing older reports or understanding structural changes. See -> [resources/attack_version_changelog.md](resources/attack_version_changelog.md)

## Best Practice

Use your judgment alongside these guidelines to generate high-quality ATT&CK analysis.

- Do not assume your knowledge is 100% complete or up to date. Use the resources provided
- Carefully read any supplied information, perform deep analysis line by line if needed
- Search broadly for keywords, you may need to iterate multiple times to find every correct technique
- Think about the specific procedure being performed and consider the attacker (or defender) intent before determining appropriate tactic, technique or sub-technique
- Some techniques are part of multiple tactics (for ex. T1078 Valid Accounts) and may appear different for each tactic
- Other techniques are similar but distinct depending on tactic (for ex. T1213.003 and T1593.003 are both Code Respositories)
- Map to the most specific sub-technique when possible

### When Analysing CTI Reports

- IMPORTANT: Read the whole report fully, including tables of IOCs, appendixes or linked STIX files
- Screenshots contain valuable intelligence, ensure they are processed
- Break down the report into granular procedures when mapping to techniques
- Think about attacker objectives. What did they take that action? What did they hope to achieve?
- Avoid infering techniques that are not contained in the report
- Once initial analysis is complete, perform a second analysis to valdiate your findings and idenitify any missed techniques

### When Analysing Detections

- Detection logic may detect multiple techniques, map all that are applicable
- Analyse detection log sources and fields, these can help determine distinct tactics or techniques
- Consider the intent (hypothesis) of the detection, what was the engineers objective?

## Commonly Missed Techniques

### Command-Line Indicators
`-windowstyle hidden`|`-w hidden` -> T1564.003 Hidden Window
`-encodedcommand`|`-enc`|`base64` -> T1027.010 Command Obfuscation
`-noprofile`|`-ep bypass` -> T1059.001 PowerShell

### Encoding
Encoded payload delivered -> T1027.013 Encrypted/Encoded File
Decoded at runtime -> T1140 Deobfuscate/Decode

### RDP-Related
RDP connection|`.rdp` file -> T1021.001 Remote Desktop Protocol
Clipboard redirect -> T1115 Clipboard Data
Drive mapping|attached drives -> T1039 Data from Network Shared Drive
Auth redirect|intercept -> T1557 Adversary-in-the-Middle

### Infrastructure
DDNS|dynamic DNS|No-IP|FreeDNS -> T1568.002 Domain Generation + T1583.006 Web Services
Typosquat|lookalike domain -> T1583.001 Domains
Compromised server -> T1584.004 Server

### Network
SSH tunnel|port forward -> T1572 Protocol Tunneling
Downloaded|fetched payload -> T1105 Ingress Tool Transfer
Over port 80/443 -> T1071.001 Web Protocols

### Social Engineering
Masqueraded|posed as|impersonated -> T1656 Impersonation
Spoofed|mimicked|fake page -> T1036.005 Match Legitimate Name
Credential harvest|fake login -> T1598.003 Spearphishing Link (Recon)

### Technique Pairs
T1566 Spearphishing -> check T1204 User Execution
T1027 Obfuscation -> check T1140 Deobfuscation
T1053 Scheduled Task -> check T1059 Interpreter
T1021.001 RDP -> check T1115, T1039, T1557
T1059.001 PowerShell -> check T1564.003 Hidden Window

### Red Flag Phrases
"downloads and executes" -> T1105 + T1059
"persistence via task" -> T1053 + T1059
"C2 over HTTPS" -> T1071.001 + T1573.002
"compromised infrastructure" -> T1584.004
"redirects traffic" -> T1572 or T1090
"harvests credentials via fake page" -> T1598.003 (Recon tactic)