MITRE ATT&CK kill chain

MITRE ATT&CK kill chain
The MITRE ATT&CK™ framework is a constantly evolving hub of attacker tips, tactics, and
techniques used by IT and security teams to pinpoint their organisation’s risks and
prioritize and focus their protection efforts.

ATT&CK is an acronym that stands for Adversarial Tactics, Techniques, and Common Knowledge. This framework is a combination of intrusion techniques grouped into 12 different tactics.

Initial access

These are techniques used by various entry vectors to gain an initial foothold within a network, for instance, the T1192 Spear Phishing Link.


These are techniques that allow the running of attacker-controlled code on a local system or a remote one. An example is the T1086 PowerShell


These are techniques attackers use to maintain persistence when accessing a system. An example is the T1037 Logon Script.

Privilege escalation

These are techniques that allow attackers to gain high-level privileges on a system or network. An example is the T1055 Process Injection.

Defence evasion

These are techniques attackers use in avoiding detection. An example is the T1073 DLL Side-Loading.

Credential access

These are techniques attackers use for stealing credentials like account names, passwords. An example is the T1208 Kerberoasting


These are the techniques attackers use to gain knowledge about their clients’ systems and networks. An example is the T1040 Network Sniffing

Lateral movement

These are techniques that attackers use in gaining remote access to the systems and networks of their already compromised host. Usually, attackers move through multiple computers, starting with the weakest link till they reach their aim. An example is a T1097 Pass the Ticket


These are the techniques that aid in gathering information relevant to the attacker’s aim. An example is the T1506 input capture. These are techniques attackers employ to communicate with the systems they have under their control, often making things look like regular HTTP traffic. An example is the T1172 Domain Fronting.


These are techniques that attackers use to steal data from the network of their victims. An example is the T1002 Data Compressed.


These are techniques used by attackers to disturb or compromise networks’ integrity by manipulating operational and business processes. The impact is the last phase, and it is what happens when the attacker has reached their goal.