MITRE ATT&CK Framework Cheat Sheet

Updated 2026-04-30

The MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) framework is a globally accessible knowledge base documenting adversary tactics and techniques based on real-world observations. Created by MITRE Corporation in 2013, ATT&CK has become the industry standard for understanding and communicating cyber threat behaviors across three primary matrices: Enterprise (covering Windows, macOS, Linux, cloud, and containers), Mobile (iOS and Android), and ICS (Industrial Control Systems). The framework organizes adversary behaviors into 14 tactical objectives spanning the attack lifecycle—from reconnaissance through impact—with each tactic containing multiple techniques and sub-techniques that describe specific methods attackers use. What makes ATT&CK uniquely valuable is its behavior-centric approach: rather than focusing on indicators of compromise or specific malware families, it maps how adversaries operate, enabling defenders to build detections that remain effective even when attacker tooling changes.

What This Cheat Sheet Covers

This topic spans 15 focused tables and 122 indexed concepts. Below is a complete table-by-table outline of this topic, spanning foundational concepts through advanced details.

  • Table 1: ATT&CK Tactics (Attack Lifecycle Stages)
  • Table 2: ATT&CK Matrices and Platforms
  • Table 3: Techniques and Sub-Techniques Structure
  • Table 4: Threat Groups and Adversaries
  • Table 5: Software Catalog
  • Table 6: Data Sources and Detection
  • Table 7: ATT&CK Navigator Tool
  • Table 8: Mitigations and Defensive Countermeasures
  • Table 9: ATT&CK Data Formats and Access
  • Table 10: Use Cases and Applications
  • Table 11: Related MITRE Frameworks and Tools
  • Table 12: Implementation Best Practices
  • Table 13: Common Pitfalls and Anti-Patterns
  • Table 14: Training and Certification
  • Table 15: Version History and Evolution

Table 1: ATT&CK Tactics (Attack Lifecycle Stages)

Tactics are the "why" of the framework — the goal an adversary is pursuing at each stage of an intrusion, from first scanning the target to finally encrypting or destroying data. Read top to bottom, these 14 stages trace the arc of a typical attack, and every technique elsewhere in ATT&CK hangs off one or more of them. Learn these first; everything else is detail underneath.

| Tactic | Example | Description |
|---|---|---|
| Reconnaissance (TA0043) | Active Scanning (T1595); Gather Victim Identity (T1589) | Gathering information about the target to plan future operations; includes both active scanning and passive OSINT collection. |
| Resource Development (TA0042) | Acquire Infrastructure (T1583); Develop Capabilities (T1587) | Establishing resources to support operations such as infrastructure, accounts, and capabilities before initial access. |
| Initial Access (TA0001) | Phishing (T1566); Exploit Public-Facing Application (T1190) | Techniques used to gain initial entry into a network, most commonly through user interaction or exposed vulnerabilities. |
| Execution (TA0002) | Command and Scripting Interpreter (T1059); User Execution (T1204) | Running malicious code on a target system to achieve tactical goals through interpreters, scheduled tasks, or user actions. |
| Persistence (TA0003) | Scheduled Task/Job (T1053); Boot or Logon Autostart (T1547) | Maintaining foothold across restarts, credential changes, and system modifications to ensure continued access. |
| Privilege Escalation (TA0004) | Exploitation for Privilege Escalation (T1068); Access Token Manipulation (T1134) | Gaining higher-level permissions to access restricted resources or elevate from user-level to administrator or system access. |
| Defense Evasion (TA0005) | Obfuscated Files or Information (T1027); Process Injection (T1055) | Avoiding detection by security tools through obfuscation, disabling defenses, hiding artifacts, and masquerading as legitimate processes. |
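
A common defensive use of the tactic-to-technique structure in Table 1 is a coverage check: tag each detection rule with the technique it targets, roll the tags up to tactics, and list the tactics that no rule touches. The following is an added example, not part of the original cheat sheet; the rule names and rule inventory are constructed, and the additional tactic memberships for T1053, T1547, T1134 and T1055 come from the ATT&CK Enterprise matrix rather than from Table 1.

```python
import re

# Tactic IDs exactly as listed in Table 1 on this page (7 of the 14 tactics).
TACTICS = {
    "TA0043": "Reconnaissance", "TA0042": "Resource Development",
    "TA0001": "Initial Access", "TA0002": "Execution",
    "TA0003": "Persistence", "TA0004": "Privilege Escalation",
    "TA0005": "Defense Evasion",
}
# Technique -> tactic(s). A technique can sit under more than one tactic, so one
# rule may count toward several columns (extra memberships are not from Table 1).
TECHNIQUE_TACTICS = {
    "T1595": ["TA0043"], "T1589": ["TA0043"], "T1583": ["TA0042"],
    "T1587": ["TA0042"], "T1566": ["TA0001"], "T1190": ["TA0001"],
    "T1059": ["TA0002"], "T1204": ["TA0002"], "T1068": ["TA0004"],
    "T1027": ["TA0005"], "T1053": ["TA0002", "TA0003", "TA0004"],
    "T1547": ["TA0003", "TA0004"], "T1134": ["TA0004", "TA0005"],
    "T1055": ["TA0004", "TA0005"],
}
TECH_RE = re.compile(r"^(T\d{4})(?:\.\d{3})?$")

def parent_technique(tag):
    """Normalize 'T1059.001' or 't1059' to 'T1059'; return None if malformed."""
    m = TECH_RE.match(tag.strip().upper())
    return m.group(1) if m else None

def coverage(rules):
    """Return ({tactic ID: sorted rule names}, [(rule, tag) that did not map])."""
    by_tactic = {ta: set() for ta in TACTICS}
    unmapped = []
    for name, tags in rules.items():
        for tag in tags:
            tactics = TECHNIQUE_TACTICS.get(parent_technique(tag))
            if tactics is None:
                unmapped.append((name, tag))  # surface it, do not drop silently
            for ta in tactics or []:
                by_tactic[ta].add(name)
    return {ta: sorted(r) for ta, r in by_tactic.items()}, unmapped

def gaps(by_tactic):
    """Tactic names with no detection rule mapped to them."""
    return [TACTICS[ta] for ta, r in by_tactic.items() if not r]

# Constructed sample inventory: hypothetical rule names with ATT&CK tags.
RULES = {
    "office_spawns_powershell": ["T1566.001", "T1059.001"],
    "schtasks_create_from_temp": ["T1053.005"],
    "lsass_handle_open": ["T1003.001"],  # technique not in the map above
    "remote_thread_in_explorer": ["t1055"],
}
```

A rule counted under a tactic means only that some technique in that column has a detection, not that the tactic is covered; the unmapped list shows where the technique map itself needs extending.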
