# MITRE ATT\&CK

## *<mark style="color:blue;">Overview</mark>*

MITRE ATT\&CK® (*Adversarial Tactics, Techniques, and Common Knowledge*) is a globally accessible knowledge base of adversary behaviors across enterprise, mobile, and ICS environments.

### *<mark style="color:blue;">Core Components (Matrices)</mark>*

| Matrix         | Scope                      | Key Use Cases                   |
| -------------- | -------------------------- | ------------------------------- |
| **Enterprise** | Windows/macOS/Linux, cloud | Enterprise security, EDR tuning |
| **Mobile**     | iOS/Android                | Mobile threat defense (MTD)     |
| **ICS**        | Industrial Control Systems | OT/SCADA security               |

## *<mark style="color:blue;">MITRE ATT\&CK Tactics</mark>*

A tactic is the adversary's goal for a step in the intrusion (the *why*); the techniques under it are the ways that goal is reached (the *how*). The Enterprise matrix defines 14 tactics. The table below covers 9 of them and omits TA0043 (Reconnaissance), TA0042 (Resource Development), TA0006 (Credential Access), TA0008 (Lateral Movement) and TA0011 (Command and Control). Technique names are the parent techniques as listed on attack.mitre.org.

| Tactic ID  | Tactic Name          | Definition                                                             | Key Techniques (Examples)                                                                     | Detection Tips                                                                                                                          | Mitigation Strategies                                          |
| ---------- | -------------------- | ---------------------------------------------------------------------- | --------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------- |
| **TA0001** | Initial Access       | Gain a first foothold in the target network                            | <p>T1078 (Valid Accounts)<br>T1195 (Supply Chain Compromise)</p>                              | <p>Monitor for:<br>- VPN logins from unusual locations or at unusual hours<br>- New vendor software installations</p>                   | <p>MFA enforcement<br>Vendor risk assessments</p>              |
| **TA0002** | Execution            | Run attacker-controlled code on local or remote systems                | <p>T1059 (Command and Scripting Interpreter)<br>T1053 (Scheduled Task/Job)</p>                | <p>Hunt for:<br>- Rare child processes of <code>explorer.exe</code> (e.g. encoded PowerShell)<br>- Anomalous cron jobs or scheduled tasks</p> | <p>Application allowlisting<br>User training</p>               |
| **TA0003** | Persistence          | Keep access across reboots, credential changes and other disruptions   | <p>T1547 (Boot or Logon Autostart Execution)<br>T1136 (Create Account)</p>                    | <p>Audit:<br>- New local admin accounts<br>- Unexpected registry Run keys</p>                                                           | Privileged Access Management (PAM)                             |
| **TA0004** | Privilege Escalation | Gain higher-level permissions                                          | <p>T1068 (Exploitation for Privilege Escalation)<br>T1134 (Access Token Manipulation)</p>     | <p>Check:<br>- Unexpected processes running as <code>SYSTEM</code><br>- Abnormal token duplication</p>                                  | <p>Patch management<br>Endpoint Detection & Response (EDR)</p> |
| **TA0005** | Defense Evasion      | Avoid detection by security controls                                   | <p>T1027 (Obfuscated Files or Information)<br>T1562 (Impair Defenses)</p>                     | <p>Alert on:<br>- AMSI bypass attempts<br>- <code>auditd</code> service stops</p>                                                       | <p>Immutable, forwarded logs<br>Behavioral analytics</p>       |
| **TA0007** | Discovery            | Learn about hosts, users and the network after gaining access          | <p>T1083 (File and Directory Discovery)<br>T1018 (Remote System Discovery)</p>                | <p>Log:<br>- Bursts of <code>netstat</code>/<code>nmap</code> executions<br>- Excessive AD queries</p>                                  | <p>Network segmentation<br>Least privilege</p>                 |
| **TA0009** | Collection           | Gather data of interest from target systems                            | <p>T1113 (Screen Capture)<br>T1213 (Data from Information Repositories)</p>                   | <p>Detect:<br>- Large clipboard data transfers<br>- Unusual database queries (volume, tables or hours)</p>                              | <p>Data Loss Prevention (DLP)<br>Encryption</p>                |
| **TA0010** | Exfiltration         | Move stolen data out of the victim network                             | <p>T1041 (Exfiltration Over C2 Channel)<br>T1567 (Exfiltration Over Web Service)</p>          | <p>Monitor:<br>- Off-hours transfers to previously unseen destinations<br>- <code>rclone</code> to cloud storage such as MEGA</p>       | <p>Egress filtering<br>Data classification</p>                 |
| **TA0040** | Impact               | Disrupt the availability or integrity of systems and data              | <p>T1486 (Data Encrypted for Impact)<br>T1499 (Endpoint Denial of Service)</p>                | <p>Watch for:<br>- <code>vssadmin.exe delete shadows</code><br>- SYN flood patterns</p>                                                 | <p>Immutable, offline backups<br>Rate limiting</p>             |

***

#### *<mark style="color:blue;">**How to Use This Table**</mark>*

* **SOC Analysts**: Cross-reference with your SIEM detection rules.
* **Red Teams**: Emulate high-prevalence techniques (T1059, T1078).
* **Executives**: Focus on TA0001 (Initial Access) and TA0040 (Impact) for risk briefings.
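As an added example (not code from the original page), the script below turns a few of the table's "Detection Tips" into detection rules, tags constructed process events with the tactic and technique IDs they map to, and reports which tactics in the table have no rule at all, which is the cross-reference a SOC analyst would make against SIEM content. The event shape (`host`/`user`/`parent`/`image`/`cmd`) is an assumption about how a SIEM presents parsed telemetry, and the events are constructed samples, not real logs.

```python
"""Tag constructed process events with MITRE ATT&CK tactic and technique IDs.

Added example, not code from the original page. The rules encode a few of the
"Detection Tips" from the tactics table as regexes over a normalised process
event. The event shape is an assumption; the events are constructed samples.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Tactic IDs covered by the table (9 of the 14 Enterprise tactics).
TABLE_TACTICS = ["TA0001", "TA0002", "TA0003", "TA0004", "TA0005",
                 "TA0007", "TA0009", "TA0010", "TA0040"]


@dataclass(frozen=True)
class Rule:
    name: str
    tactic: str                           # TAxxxx
    technique: str                        # Txxxx (parent technique, not a sub-technique)
    cmd_pattern: str                      # regex over the command line
    parent_pattern: Optional[str] = None  # optional regex over the parent image

    def matches(self, event: dict) -> bool:
        if not re.search(self.cmd_pattern, event.get("cmd", ""), re.I):
            return False
        if self.parent_pattern is None:
            return True
        return re.search(self.parent_pattern, event.get("parent", ""), re.I) is not None


RULES = [
    # Execution: encoded PowerShell spawned directly from the user shell (explorer.exe)
    Rule("encoded PowerShell child of explorer.exe", "TA0002", "T1059",
         r"powershell(\.exe)?\s.*-(e|ec|enc|encodedcommand)\b",
         parent_pattern=r"^explorer\.exe$"),
    # Persistence: local account created and immediately added to Administrators
    Rule("new local admin account", "TA0003", "T1136",
         r"net(\.exe)?\s+user\s+\S+\s+\S+\s+/add.*localgroup\s+administrators"),
    # Defense Evasion: Linux audit daemon stopped or disabled
    Rule("auditd stopped", "TA0005", "T1562",
         r"(systemctl|service)\s+(stop|disable)\s+auditd\b"),
    # Exfiltration: rclone pushing data to a configured cloud remote ("name:").
    # Two or more characters before the colon so a bare drive letter does not match.
    Rule("rclone to cloud remote", "TA0010", "T1567",
         r"rclone(\.exe)?\s+(copy|sync|move)\s+\S+\s+[a-z][\w-]+:"),
    # Impact: shadow copy deletion, the usual pre-encryption step of ransomware
    Rule("shadow copy deletion", "TA0040", "T1486",
         r"vssadmin(\.exe)?\s+delete\s+shadows\b"),
]

SAMPLE_EVENTS = [  # constructed sample telemetry, not real logs
    {"host": "ws01", "user": "alice", "parent": "explorer.exe", "image": "powershell.exe",
     "cmd": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA"},
    {"host": "dc01", "user": "bob", "parent": "cmd.exe", "image": "net.exe",
     "cmd": "net user backup_svc Summer2024! /add && net localgroup administrators backup_svc /add"},
    {"host": "web03", "user": "root", "parent": "bash", "image": "systemctl",
     "cmd": "systemctl stop auditd"},
    {"host": "ws07", "user": "carol", "parent": "cmd.exe", "image": "rclone.exe",
     "cmd": "rclone copy C:\\Finance mega:dump --transfers 16"},
    {"host": "fs02", "user": "SYSTEM", "parent": "cmd.exe", "image": "vssadmin.exe",
     "cmd": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "ws01", "user": "alice", "parent": "explorer.exe", "image": "chrome.exe",
     "cmd": "chrome.exe --profile-directory=Default"},  # benign, must not fire
    {"host": "ws02", "user": "dave", "parent": "svchost.exe", "image": "powershell.exe",
     "cmd": "powershell.exe -enc ZQBjAGgAbwAgAGgAaQA="},  # encoded, but parent is svchost.exe:
    # the narrow explorer.exe rule misses it; a scheduled-task (T1053) rule would be needed
]


def tag_event(event: dict) -> list:
    """Return (tactic, technique, rule name) for every rule that fires on one event."""
    return [(r.tactic, r.technique, r.name) for r in RULES if r.matches(event)]


def tag_events(events: list) -> list:
    """Pair every event with its hits; events with no hits are kept so gaps stay visible."""
    return [(e, tag_event(e)) for e in events]


def tactic_coverage(rules: list) -> dict:
    """Which table tactics have at least one rule: the gap list for a detection backlog."""
    covered = {r.tactic for r in rules}
    return {t: t in covered for t in TABLE_TACTICS}


if __name__ == "__main__":
    for event, hits in tag_events(SAMPLE_EVENTS):
        label = ", ".join(f"{ta}/{t} ({n})" for ta, t, n in hits) or "no rule fired"
        print(f"{event['host']:<6} {event['image']:<16} {label}")
    gaps = [t for t, ok in tactic_coverage(RULES).items() if not ok]
    print("Table tactics with no rule:", ", ".join(gaps))
```

The last sample event shows why the tactic/technique tags matter: it is the same encoded PowerShell, but launched under `svchost.exe` (as a scheduled task would be), so the explorer.exe-scoped rule stays silent. Tagging rules by technique makes that gap a T1053 line item rather than an invisible miss, and `tactic_coverage` turns the table's nine tactics into a checklist of which goals the rule set says nothing about.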

> **Sources**:
>
> * [MITRE ATT\&CK Enterprise Matrix](https://attack.mitre.org/matrices/enterprise/)

