# ATT&CK for Enterprise
MITRE ATT&CK for Enterprise is a structured, empirically grounded knowledge base that documents how adversaries behave after gaining access to enterprise environments. Built from real-world intrusion data, the framework gives defenders a common language to describe, detect, and respond to adversary behavior across Windows, macOS, Linux, cloud platforms, containers, and network infrastructure. It exists because security teams historically lacked a shared taxonomy for adversary behavior, making it difficult to compare threat intelligence, measure detection coverage, or plan red team engagements with precision. ATT&CK solves the problem of ambiguity: instead of describing an attack as "the attacker moved laterally," a team can say "the attacker used Lateral Movement technique T1021.001 (Remote Services: Remote Desktop Protocol)," enabling structured analysis, automation, and comparison across organizations.
---
## Definition
ATT&CK for Enterprise is one of three primary ATT&CK matrices published by MITRE Corporation under its federally funded research mandate. The other two matrices cover Mobile (iOS and Android) and ICS (Industrial Control Systems). The Enterprise matrix specifically addresses adversary behavior targeting corporate and government environments running conventional IT infrastructure and cloud platforms.
The framework is organized into 14 tactics, which represent the adversary's objectives at each stage of an intrusion. Beneath each tactic sit techniques, which represent the specific methods an adversary uses to achieve that objective. Many techniques contain sub-techniques that describe more granular variations of the parent method. As of 2024, the Enterprise matrix contains over 200 techniques and more than 400 sub-techniques, with each entry cross-referenced to named threat groups (called "groups" in ATT&CK), software tools, and real-world campaigns.
ATT&CK is not a compliance framework. It does not prescribe a specific control architecture or certification pathway. It is not a vulnerability database; it documents post-exploitation behavior, not software weaknesses. It is also not a kill chain model, though it can be mapped to models such as the Lockheed Martin Cyber Kill Chain. ATT&CK is far more granular than the Kill Chain, which makes it more actionable for detection engineering and threat emulation.
The framework covers six platform categories within the Enterprise matrix: Windows, macOS, Linux, PRE (pre-compromise reconnaissance and resource development), Network, and Cloud (including IaaS, SaaS, Office 365, and Google Workspace). This breadth means organizations operating hybrid environments can map adversary behavior across their entire attack surface using a single reference model.
---
## How It Works
ATT&CK functions as both a reference taxonomy and an operational tool. Understanding its mechanics requires examining how the matrix is structured, how threat intelligence is mapped into it, and how defensive teams use it in practice.
### Matrix Structure and Navigation
The ATT&CK matrix displays tactics as column headers and techniques as rows beneath each tactic. The 14 Enterprise tactics, in sequence, are: Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, and Impact. The sequencing roughly follows an intrusion lifecycle, though adversaries do not always proceed linearly. A single intrusion may skip several tactics or revisit them multiple times.
Each technique entry contains a technical description of the method, a list of procedure examples drawn from real campaigns, detection recommendations specifying what data sources (process creation logs, network traffic, registry modifications, etc.) to monitor, and mitigation recommendations referencing controls such as disabling unnecessary services or enabling multi-factor authentication. Sub-techniques provide additional granularity. For example, T1021 (Remote Services) includes sub-techniques for Remote Desktop Protocol (T1021.001), SSH (T1021.004), VNC (T1021.005), and Windows Remote Management (T1021.006).
### Threat Intelligence Mapping Process
When an analyst receives a threat report describing an intrusion, they map observed behaviors to ATT&CK techniques. This process converts unstructured narrative intelligence into machine-readable, comparable data. A report documenting that an attacker used scheduled tasks to maintain persistence maps to T1053.005 (Scheduled Task/Job: Scheduled Task). Multiple organizations mapping the same threat group independently can then compare their results, identify gaps, and build a richer profile of that adversary.
MITRE maintains its own ATT&CK Groups database, which documents named threat groups such as APT29, FIN7, and Lazarus Group, along with the specific techniques each group has been observed using. Defenders can pull a named group's technique profile and use it as a baseline for detection coverage assessment or red team emulation planning.
### Detection Engineering Implementation
A detection engineering team uses ATT&CK to measure and improve their coverage across the matrix systematically. The process begins with an inventory of existing detection rules, mapping each rule to the ATT&CK techniques it addresses. Teams then plot this coverage using the ATT&CK Navigator, a free web-based tool that allows color-coding techniques by coverage level, priority, or analyst assignment.
The resulting visualization immediately reveals which tactics and techniques have no detection coverage. For example, a team might discover strong coverage across Initial Access and Execution techniques but almost no coverage for Defense Evasion techniques such as T1070 (Indicator Removal) or T1036 (Masquerading). This gap analysis drives a prioritized roadmap for writing new detection content rather than building rules reactively after incidents.
The technical implementation requires mapping detection logic to data sources. A PowerShell execution detection rule (covering T1059.001) might monitor Windows Event ID 4103 (Module Logging) and Event ID 4104 (Script Block Logging). A lateral movement detection covering T1021.001 (RDP) might correlate successful logon events (Event ID 4624) with network connection data showing external source IPs.
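The gap analysis described above, as an added example that is not code from the article or from MITRE: a rule inventory is mapped to technique IDs, per-tactic coverage is computed, a threat group's technique profile is checked for uncovered techniques, and the result is exported as an ATT&CK Navigator layer. The matrix subset, rule names, and group profile are constructed for this example (in production the matrix would come from MITRE's STIX bundle); the layer field names assume Navigator layer format 4.5.

```python
import json

# Constructed subset of the Enterprise matrix: technique ID -> tactics (Navigator short names).
MATRIX = {
    "T1566.001": ["initial-access"], "T1190": ["initial-access"],
    "T1059.001": ["execution"], "T1059.005": ["execution"], "T1047": ["execution"],
    "T1053.005": ["execution", "persistence", "privilege-escalation"],
    "T1070": ["defense-evasion"], "T1036": ["defense-evasion"],
    "T1003.001": ["credential-access"],
    "T1021.001": ["lateral-movement"], "T1021.002": ["lateral-movement"],
    "T1039": ["collection"], "T1486": ["impact"],
}
# Hypothetical rule inventory: SIEM rule name -> technique IDs the rule addresses.
RULES = {
    "PS-ScriptBlock-Suspicious (EID 4104)": ["T1059.001"],
    "Macro-Spawned-Shell": ["T1566.001", "T1059.005"],
    "RDP-External-Source (EID 4624)": ["T1021.001"],
    "LSASS-Handle-Access": ["T1003.001"],
}
# Hypothetical technique profile of a group reported as targeting this sector.
GROUP_PROFILE = ["T1566.001", "T1059.005", "T1003.001", "T1047", "T1039"]

def coverage_by_technique(rules, matrix):
    """Map every technique in the matrix to the rules that address it ([] = gap)."""
    cov = {tid: [] for tid in matrix}
    for rule, tids in rules.items():
        for tid in tids:
            if tid not in matrix:
                raise ValueError(f"{rule}: unknown technique {tid}")
            cov[tid].append(rule)
    return cov

def tactic_coverage(cov, matrix):
    """Return {tactic: (covered_techniques, total_techniques)} for the gap chart."""
    out = {}
    for tid, tactics in matrix.items():
        for t in tactics:
            c, n = out.get(t, (0, 0))
            out[t] = (c + (1 if cov[tid] else 0), n + 1)
    return out

def prioritized_gaps(cov, profile):
    """Profile techniques with no rule: the first detection engineering work items."""
    return [tid for tid in profile if not cov[tid]]

def navigator_layer(cov, name="SIEM coverage"):
    """Navigator layer (format 4.5): score 1 = covered, 0 = gap; rule names in comment."""
    return {"name": name, "domain": "enterprise-attack",
            "versions": {"layer": "4.5", "navigator": "4.9.1", "attack": "14"},
            "techniques": [{"techniqueID": tid, "score": 1 if rules else 0,
                            "comment": "; ".join(rules)} for tid, rules in cov.items()]}

if __name__ == "__main__":
    cov = coverage_by_technique(RULES, MATRIX)
    print(tactic_coverage(cov, MATRIX), prioritized_gaps(cov, GROUP_PROFILE))
    print(json.dumps(navigator_layer(cov), indent=2))  # paste into Navigator
```

With this inventory the Defense Evasion column has zero covered techniques, and the two uncovered profile techniques (T1047, T1039) become the first work items.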
### Adversary Emulation and Red Team Operations
Red teams use ATT&CK to plan adversary emulation engagements that move beyond generic penetration testing. Rather than conducting broad vulnerability assessments, a red team can emulate the specific technique set of a named threat group relevant to the organization's industry or threat profile.
MITRE publishes detailed adversary emulation plans for groups including APT3, APT29, and FIN6. A red team executing an APT29 emulation would attempt techniques documented in that group's ATT&CK profile: T1566.001 (Spearphishing Attachment) for initial access, T1059.001 (PowerShell) for execution, T1003 (OS Credential Dumping) for credential access, and T1021.002 (SMB/Windows Admin Shares) for lateral movement.
The output of such an engagement maps directly to detection engineering work items. For each technique the red team successfully executed without triggering a detection, the blue team has a confirmed detection gap mapped to a specific ATT&CK technique identifier, complete with the technical context needed to write effective detection logic.
### Operational Scenario: Financial Services Threat Hunt
A regional bank's threat intelligence team receives industry reporting that a financially motivated threat group is targeting similar institutions using a specific attack pattern: spear-phishing attachments with malicious macros (T1566.001, T1059.005), followed by LSASS memory dumping to extract credentials (T1003.001), lateral movement via Windows Management Instrumentation (T1047), and finally data collection from file shares (T1039) before exfiltration.
The team maps these five techniques onto their ATT&CK Navigator and cross-references their SIEM detection coverage. They discover robust coverage for spear-phishing and macro execution, partial coverage for LSASS dumping, but no detection logic for WMI-based lateral movement or for data collection from network file shares.
Within 72 hours, they develop and deploy detection rules monitoring for anomalous WMI process creation events and unusual file share access patterns. Two weeks later, the WMI detection rule fires on legitimate IT automation, which they tune to reduce false positives. One month later, the same rule detects an actual intrusion attempt using the exact technique chain from the threat report, allowing incident response to contain the attack during the lateral movement phase before any data collection occurs.
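The WMI rule from this scenario, including the false-positive tuning, as an added example that is not code from the article: it runs T1047 detection logic over process-creation events of the kind the earlier section maps to data sources. The events are constructed here in a simplified Sysmon Event ID 1 shape (JSON lines as a SIEM might forward them), and the allowlist entry for the IT automation account is hypothetical.

```python
import json

# Constructed sample events in a simplified Sysmon Event ID 1 (process creation) shape,
# as a SIEM might forward them as JSON lines. The encoded command is a placeholder.
EVENTS = r"""
{"ts":"2024-03-04T09:12:01Z","host":"WS-1041","user":"CORP\\jdoe","parent":"C:\\Windows\\System32\\wbem\\WmiPrvSE.exe","image":"C:\\Windows\\System32\\cmd.exe","cmd":"cmd.exe /c whoami"}
{"ts":"2024-03-04T09:12:05Z","host":"WS-1041","user":"CORP\\jdoe","parent":"C:\\Windows\\explorer.exe","image":"C:\\Windows\\System32\\notepad.exe","cmd":"notepad.exe"}
{"ts":"2024-03-04T22:00:00Z","host":"SRV-DB02","user":"CORP\\svc-sccm","parent":"C:\\Windows\\System32\\wbem\\WmiPrvSE.exe","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","cmd":"powershell.exe -File C:\\SCCM\\inventory.ps1"}
{"ts":"2024-03-05T03:41:17Z","host":"SRV-FS01","user":"CORP\\jdoe","parent":"C:\\Windows\\System32\\wbem\\WmiPrvSE.exe","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","cmd":"powershell.exe -enc <placeholder>"}
"""

# Child images worth alerting on when the WMI provider host is the parent.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
          "rundll32.exe", "regsvr32.exe", "mshta.exe"}

# Tuning added after the rule fired on legitimate IT automation (hypothetical entry):
# an exact service account plus a command-line prefix, never a bare image name.
ALLOWLIST = [{"user": "CORP\\svc-sccm", "cmd_prefix": "powershell.exe -File C:\\SCCM\\"}]

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def is_allowlisted(ev):
    return any(ev["user"].lower() == a["user"].lower()
               and ev["cmd"].lower().startswith(a["cmd_prefix"].lower()) for a in ALLOWLIST)

def parse_events(text):
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]

def detect_wmi_spawned_shell(events):
    """T1047: a shell or script host spawned by WmiPrvSE.exe on the target host."""
    alerts = []
    for ev in events:
        if basename(ev["parent"]) != "wmiprvse.exe" or basename(ev["image"]) not in SHELLS:
            continue
        if is_allowlisted(ev):
            continue  # tuned-out automation; consider a low-severity log entry instead
        alerts.append({"rule": "WMI-Spawned-Shell", "technique": "T1047", "ts": ev["ts"],
                       "host": ev["host"], "user": ev["user"], "cmd": ev["cmd"]})
    return alerts

if __name__ == "__main__":
    for alert in detect_wmi_spawned_shell(parse_events(EVENTS)):
        print(json.dumps(alert))
```

The SCCM inventory run is suppressed by the allowlist, while the two WmiPrvSE-spawned shells under an interactive user account still alert; keeping the allowlist keyed on account and command prefix rather than on the image name is what stops the tuning from masking the technique itself.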
---
## Why It Matters
ATT&CK for Enterprise matters because it replaces opinion-based security assessment with evidence-based measurement. Before ATT&CK, security program reviews often relied on checklist completion or control presence rather than demonstrated defensive effectiveness. A firewall installed does not mean lateral movement is detected. A SIEM deployed does not mean credential dumping generates alerts. ATT&CK makes the gap between control presence and behavioral coverage visible and measurable.
### Business Impact and Risk Reduction
Organizations that align their detection programs to ATT&CK demonstrate measurable security posture improvement over time. Coverage scores across the matrix can be tracked quarter over quarter, giving security leadership concrete metrics to present to boards and audit committees. This connects security investment to specific adversary behaviors rather than abstract compliance states or vendor feature lists.
The business value becomes clear during incident response. Organizations with comprehensive ATT&CK-mapped detection coverage identify intrusions earlier in the attack lifecycle, when containment costs are lower and data loss risks are minimal. Detection at the initial access or execution phase costs thousands of dollars in incident response effort. Detection after data exfiltration costs millions in notification, remediation, and regulatory penalties.
### Consequences of Operating Without Behavioral Frameworks
Without ATT&CK or an equivalent behavioral taxonomy, security teams operate with visibility gaps they cannot quantify or prioritize. Detection programs built around signature-based indicators (file hashes, IP addresses, domain names) fail rapidly as adversaries rotate infrastructure. Behavioral detection mapped to ATT&CK techniques proves more durable because adversary behaviors change far more slowly than their infrastructure.
A threat group may change command-and-control domains weekly but will use consistent techniques for credential dumping, persistence, and lateral movement across years of operations. Detection rules targeting these behavioral patterns remain effective even as indicators of compromise become obsolete.
### Real-World Validation: NotPetya and WannaCry
The 2017 NotPetya and WannaCry campaigns demonstrated the value of behavioral detection over signature-based approaches. Both attacks used techniques well-documented in ATT&CK: T1190 (Exploit Public-Facing Application) for initial access, T1021.002 (SMB/Windows Admin Shares) for lateral movement, and T1486 (Data Encrypted for Impact) for the destructive payload.
Organizations with detection coverage for these specific techniques identified the attacks within hours of initial infection. Organizations relying primarily on antivirus signatures experienced widespread compromise because the malware variants were initially undetected by signature-based tools. The behavioral patterns, however, were immediately visible to teams monitoring for the underlying ATT&CK techniques.
### Common Implementation Pitfalls
A frequent misconception treats ATT&CK as a compliance checklist requiring 100% technique coverage. This approach is both impractical and ineffective. The matrix contains hundreds of techniques, and not all are relevant to every environment or threat profile. The correct approach prioritizes coverage based on threat intelligence relevant to the organization's industry, geography, and technology stack, then builds detection capability systematically.
Another pitfall involves mapping existing detection rules to ATT&CK without considering detection quality or effectiveness. A poorly written detection rule that generates excessive false positives provides no meaningful coverage, even if it theoretically addresses an ATT&CK technique. Effective ATT&CK implementation requires both coverage measurement and detection engineering discipline.
---
## CDA Perspective
CDA approaches ATT&CK for Enterprise through the Risk Governance and Assurance (RGA) domain of the Planetary Defense Model, specifically as the behavioral foundation for Perpetual Compliance Assurance (PCA). Within this framework, ATT&CK functions as the behavioral substrate for continuous control validation: not a point-in-time assessment artifact, but a living measurement system that reflects the organization's current defensive posture against documented adversary behavior.
CDA's PCA methodology rejects periodic compliance assessments in favor of continuous state monitoring. The assertion is direct: compliance is not an event, it is a state. ATT&CK operationalizes this principle for detection coverage by providing a persistent, queryable record of which adversary behaviors the organization can detect, which techniques lack coverage, and which gaps have been addressed since the previous review cycle.
In practice, CDA implements ATT&CK integration across three operational functions within client environments. First, all threat intelligence consumption is structured so that every incoming intelligence product undergoes ATT&CK mapping before archival, ensuring that raw intelligence becomes actionable detection gap data rather than filed reports. Second, detection engineering roadmaps are built directly from ATT&CK gap analysis, prioritized by threat group relevance to the client's sector and by technique prevalence in recent campaigns targeting similar organizations.
Third, red team engagements are scoped as adversary emulations against specific ATT&CK group profiles, with deliverables formatted as technique-level coverage reports that feed directly into the detection engineering backlog. This creates a closed loop: threat intelligence identifies relevant adversary behaviors, gap analysis reveals detection coverage deficiencies, red team operations validate the gaps, and detection engineering addresses the confirmed weaknesses.
CDA also incorporates ATT&CK coverage metrics into executive reporting, giving governance stakeholders behavioral coverage scores alongside traditional compliance metrics. This bridges the gap between technical security operations and risk governance functions, allowing boards and audit committees to understand what the organization can actually detect rather than what controls are nominally deployed.
---
## Key Takeaways
- Map existing SIEM detection rules to ATT&CK techniques within 90 days and visualize coverage using ATT&CK Navigator; any tactic column with fewer than three covered techniques represents a critical detection gap requiring immediate attention.
- Prioritize detection coverage based on ATT&CK profiles of threat groups documented as targeting your industry rather than attempting uniform coverage across all 400-plus techniques; relevance-driven coverage provides better protection than broad, shallow coverage.
- Structure all incoming threat intelligence reports by extracting ATT&CK technique identifiers before filing; this converts narrative reports into persistent, queryable detection gap data that drives operational security improvements.
- Scope red team engagements as adversary emulations against specific named ATT&CK group profiles rather than generic penetration tests; this produces directly actionable detection engineering work items instead of broad security findings.
- Report quarterly ATT&CK coverage scores to security governance functions alongside traditional compliance metrics; behavioral coverage measurement provides concrete evidence of security program maturity and defensive capability improvement over time.
---
## Related Articles
- MITRE ATT&CK Navigator: Visualizing Detection Coverage
- Threat Intelligence Mapping: From Reports to Structured Profiles
- Detection Engineering: Building Behavioral Detection Programs
- Adversary Emulation Planning and Red Team Scoping
- Perpetual Compliance Assurance (PCA): Compliance Is a State
---
## Sources
- MITRE Corporation. "MITRE ATT&CK: Design and Philosophy." MITRE ATT&CK, 2020. https://attack.mitre.org/docs/ATTACK_Design_and_Philosophy_March_2020.pdf
- Strom, Blake E., et al. "MITRE ATT&CK: Design and Philosophy." The MITRE Corporation, 2018. https://www.mitre.org/sites/default/files/2021-11/prs-18-1174-mitre-attack-design-and-philosophy.pdf
- NIST Special Publication 800-53 Rev. 5. "Security and Privacy Controls for Information Systems and Organizations." National Institute of Standards and Technology, 2020. https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final
- Center for Internet Security. "CIS Controls Version 8." 2021. https://www.cisecurity.org/controls/v8
- MITRE Corporation. "ATT&CK for Enterprise." Continuously updated. https://attack.mitre.org/matrices/enterprise/