FAQ | MITRE ATT&CK®
<!DOCTYPE html> <html lang='en'> <head> <script async src="https://www.googletagmanager.com/gtag/js?id=UA-62667723-1"></script> <script> window.dataLayer = window.dataLayer || []; function gtag(){dataLayer.push(arguments);} gtag('js', new Date()); gtag('config', 'UA-62667723-1'); </script> <meta name="google-site-verification" content="2oJKLqNN62z6AOCb0A0IXGtbQuj-lev5YPAHFF_cbHQ"/> <meta charset='utf-8'> <meta name='viewport' content='width=device-width, initial-scale=1,shrink-to-fit=no'> <meta http-equiv="X-UA-Compatible" content="IE=edge"> <link rel='shortcut icon' href='/theme/favicon.ico' type='image/x-icon'> <title>FAQ | MITRE ATT&CK®</title> <!-- USWDS CSS --> <!-- Bootstrap CSS --> <link rel='stylesheet' href='/theme/style/bootstrap.min.css' /> <link rel='stylesheet' href='/theme/style/bootstrap-tourist.css' /> <link rel='stylesheet' href='/theme/style/bootstrap-select.min.css' /> <!-- Fontawesome CSS --> <link rel="stylesheet" href="/theme/style/fontawesome-6.5.1/css/fontawesome.min.css"/> <link rel="stylesheet" href="/theme/style/fontawesome-6.5.1/css/brands.min.css"/> <link rel="stylesheet" href="/theme/style/fontawesome-6.5.1/css/solid.min.css"/> <link rel="stylesheet" type="text/css" href="/theme/style.min.css?6689c2db"> </head> <body> <div class="container-fluid attack-website-wrapper d-flex flex-column h-100"> <div class="row sticky-top flex-grow-0 flex-shrink-1"> <!-- header elements --> <header class="col px-0"> <nav class='navbar navbar-expand-lg navbar-dark position-static'> <a class='navbar-brand' href='/'><img src="/theme/images/mitre_attack_logo.png" class="attack-logo"></a> <button class='navbar-toggler' type='button' data-toggle='collapse' data-target='#navbarCollapse' aria-controls='navbarCollapse' aria-expanded='false' aria-label='Toggle navigation'> <span class='navbar-toggler-icon'></span> </button> <div class='collapse navbar-collapse' id='navbarCollapse'> <ul class='nav nav-tabs ml-auto'> <li class="nav-item dropdown"> <a 
class="nav-link dropdown-toggle" href="/matrices/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Matrices</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/matrices/enterprise/">Enterprise</a> <a class="dropdown-item" href="/matrices/mobile/">Mobile</a> <a class="dropdown-item" href="/matrices/ics/">ICS</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/tactics/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Tactics</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/tactics/enterprise/">Enterprise</a> <a class="dropdown-item" href="/tactics/mobile/">Mobile</a> <a class="dropdown-item" href="/tactics/ics/">ICS</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/techniques/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Techniques</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/techniques/enterprise/">Enterprise</a> <a class="dropdown-item" href="/techniques/mobile/">Mobile</a> <a class="dropdown-item" href="/techniques/ics/">ICS</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/datasources" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Defenses</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/datasources">Data Sources</a> <div class="dropright dropdown"> <a class="dropdown-item dropdown-toggle" href="/mitigations/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Mitigations</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a 
class="dropdown-item" href="/mitigations/enterprise/">Enterprise</a> <a class="dropdown-item" href="/mitigations/mobile/">Mobile</a> <a class="dropdown-item" href="/mitigations/ics/">ICS</a> </div> </div> <a class="dropdown-item" href="/assets">Assets</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/groups" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>CTI</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/groups">Groups</a> <a class="dropdown-item" href="/software">Software</a> <a class="dropdown-item" href="/campaigns">Campaigns</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/resources/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Resources</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/resources/">Get Started</a> <a class="dropdown-item" href="/resources/learn-more-about-attack/">Learn More about ATT&CK</a> <a class="dropdown-item" href="/resources/attackcon/">ATT&CKcon</a> <a class="dropdown-item" href="/resources/attack-data-and-tools/">ATT&CK Data & Tools</a> <a class="dropdown-item" href="/resources/faq/">FAQ</a> <a class="dropdown-item" href="/resources/engage-with-attack/contact/">Engage with ATT&CK</a> <a class="dropdown-item" href="/resources/versions/">Version History</a> <a class="dropdown-item" href="/resources/legal-and-branding/">Legal & Branding</a> </div> </li> <li class="nav-item"> <a href="/resources/engage-with-attack/benefactors/" class="nav-link" ><b>Benefactors</b></a> </li> <li class="nav-item"> <a href="https://medium.com/mitre-attack/" target="_blank" class="nav-link"> <b>Blog</b> <img src="/theme/images/external-site.svg" alt="External site" class="external-icon" /> </a> </li> <li class="nav-item"> <button id="search-button" 
class="btn search-button">Search <div id="search-icon" class="icon-button search-icon"></div></button> </li> </ul> </div> </nav> </header> </div> <div class="row flex-grow-0 flex-shrink-1"> <!-- banner elements --> <div class="col px-0"> <!-- don't edit or remove the line below even though it's commented out, it gets parsed and replaced by the versioning feature --> <!-- !versions banner! --> <div class="container-fluid banner-message"> Reminder: the TAXII 2.0 server will be <a href='https://medium.com/mitre-attack/introducing-taxii-2-1-and-a-fond-farewell-to-taxii-2-0-d9fca6ce4c58'>retiring on December 18</a>. Please switch to the <a href='https://github.com/mitre-attack/attack-workbench-taxii-server/blob/main/docs/USAGE.md'>TAXII 2.1 server</a> to ensure uninterrupted service. </div> </div> </div> <div class="row flex-grow-1 flex-shrink-0"> <!-- main content elements --> <!--start-indexing-for-search--> <div class="sidebar nav sticky-top flex-column pr-0 pt-4 pb-3 pl-3" id="v-tab" role="tablist" aria-orientation="vertical"> <div class="resizer" id="resizer"></div> <div id="sidebars"></div> </div> <div class="tab-content col-xl-9 pt-4" id="v-tabContent"> <div class="tab-pane fade show active" id="v-attckmatrix" role="tabpanel" aria-labelledby="v-attckmatrix-tab"> <!--stopindex--> <ol class="breadcrumb"> <li class="breadcrumb-item"><a href="/">Home</a></li> <li class="breadcrumb-item"><a href="/resources">Resources</a></li> <li class="breadcrumb-item">Frequently Asked Questions</li> </ol> <div class="faq container-fluid pb-3"> <div class="getting-started"> <h1>Frequently Asked Questions</h1> <div class="card card-filter jump-to-section"> <div class="card-body"> Jump to Section <ul> <li> <a href="#general-faq">General</a> </li> <li> <a href="#content-faq">Content</a> </li> <li> <a href="#resources-faq">Resources</a> </li> <li> <a href="#staying-informed-faq">Staying Informed</a> </li> <li> <a href="#other-models-faq">ATT&CK and Other Models</a> </li> <li> <a 
href="#legal-faq">Legal</a> </li> </ul> </div> </div> <div class="getting-started-content"> <div class="anchor" id="general-faq"></div> <div class="faq-section"> <h2>General</h2> <div class="relevant-links tip-box"> <span> <strong>Relevant Links:</strong> <span class="faq-link"><a href="https://medium.com/mitre-attack/att-ck-101-17074d3bc62">ATT&CK 101 Blog Post</a></span><span class="faq-link"><a href="/resources">Get Started</a></span> </span> </div> <div class="faq-question"> <h5><strong>What is ATT&CK?</strong></h5> <p>ATT&CK is a knowledge base of cyber adversary behavior and taxonomy for adversarial actions across their lifecycle. ATT&CK has two parts: ATT&CK for Enterprise, which covers behavior against enterprise IT networks and cloud, and ATT&CK for Mobile, which focuses on behavior against mobile devices.</p> </div> <div class="faq-question"> <h5><strong>Why did MITRE develop ATT&CK?</strong></h5> <p>MITRE started ATT&CK in 2013 to document common tactics, techniques, and procedures (TTPs) that advanced persistent threats use against Windows enterprise networks. It was created out of a need to document adversary behaviors for use within a MITRE research project called FMX. The objective of FMX was to investigate use of endpoint telemetry data and analytics to improve post-compromise detection of adversaries operating within enterprise networks. ATT&CK was used as the basis for testing the efficacy of the sensors and analytics under FMX and served as the common language both offense and defense could use to improve over time.</p> </div> <div class="faq-question"> <h5><strong>What are "tactics"?</strong></h5> <p>Tactics represent the “why” of an ATT&CK technique or sub-technique. It is the adversary’s tactical goal: the reason for performing an action. 
For example, an adversary may want to achieve credential access.</p> </div> <div class="faq-question"> <h5><strong>What are "techniques"?</strong></h5> <p>Techniques represent “how” an adversary achieves a tactical goal by performing an action. For example, an adversary may dump credentials to achieve credential access.</p> </div> <div class="faq-question"> <h5><strong>What are "sub-techniques"?</strong></h5> <p>Sub-techniques are a more specific description of the adversarial behavior used to achieve a goal. They describe behavior at a lower level than a technique. For example, an adversary may dump credentials by accessing the Local Security Authority (LSA) Secrets.</p> </div> <div class="faq-question"> <h5><strong>What are "procedures"?</strong></h5> <p>Procedures are the specific implementation the adversary uses for techniques or sub-techniques. For example, a procedure could be an adversary using PowerShell to inject into lsass.exe to dump credentials by scraping LSASS memory on a victim. Procedures are categorized in ATT&CK as the observed in-the-wild use of techniques and appear in the "Procedure Examples" section of technique pages.</p> </div> <div class="faq-question"> <h5><strong>What are the differences between sub-techniques and procedures?</strong></h5> <p>Sub-techniques and procedures describe different things in ATT&CK. Sub-techniques are used to categorize behavior and procedures are used to describe in-the-wild use of techniques. Furthermore, since procedures are specific implementations of techniques and sub-techniques, they may include several additional behaviors in how they are performed. 
For example, an adversary using PowerShell to inject into lsass.exe to dump credentials by scraping LSASS memory on a victim is a procedure implementation containing several (sub)techniques covering the PowerShell, Process Injection, and Credential Dumping against LSASS behaviors.</p> </div> <div class="faq-question"> <h5><strong>What technologies does ATT&CK apply to?</strong></h5> <p>Enterprise IT systems covering Windows, macOS, Linux, Network infrastructure devices (Network), and Container technologies (Containers); cloud systems covering Infrastructure-as-a-Service (IaaS), Software-as-a-Service (SaaS), Office Suite, and Identity Provider; mobile devices covering Android and iOS.</p> </div> <div class="faq-question"> <h5><strong>How can I use ATT&CK?</strong></h5> <p>ATT&CK can be used in several ways to help security operations, threat intelligence, and security architecture. See the <a href='/resources'>Get Started</a> page for resources on how to start using ATT&CK. Also check out the <a href='/resources'>Resources</a> section of the website and the <a href='https://medium.com/mitre-attack'>blog</a> for related projects and other material.</p> </div> </div> <div class="anchor" id="content-faq"></div> <div class="faq-section"> <h2>Content</h2> <div class="relevant-links tip-box"> <span> <strong>Relevant Links:</strong> <span class="faq-link"><a href="/resources/engage-with-attack/contribute">Contribute</a></span><span class="faq-link"><a href="/docs/ATTACK_Design_and_Philosophy_March_2020.pdf">The Design and Philosophy of ATT&CK</a></span> </span> </div> <div class="faq-question"> <h5><strong>How often is ATT&CK updated?</strong></h5> <p>Bi-annually (twice a year).</p> </div> <div class="faq-question"> <h5><strong>Where does the info in ATT&CK come from?</strong></h5> <p>Publicly available threat intelligence and incident reporting are the main source of data in ATT&CK. We take what's publicly available and distill out common TTPs. 
We also use publicly available research on new techniques that closely align with what adversaries commonly do, since new TTPs often get used in the wild quickly. For more information, see <a href='/docs/ATTACK_Design_and_Philosophy_March_2020.pdf' target='_blank'>The Design and Philosophy of ATT&CK</a>.</p> </div> <div class="faq-question"> <h5><strong>How can I contribute content to ATT&CK?</strong></h5> <p><a href='/resources/engage-with-attack/contribute'>Check out our contribute page!</a></p><p class='mb-0'>Please contact us before spending a lot of time writing up a new technique/group/software since we always have things in the works and don’t want you to duplicate efforts. For any contributions we add, we'll run the final product by you and credit you as a contributor. In particular, we're looking for Mac/Linux contributions.</p> </div> <div class="faq-question"> <h5><strong>My "favorite" threat group isn't included in ATT&CK - why?</strong></h5> <p>We try to include most threat reporting but can only get to so much. If you feel information is missing, then help us by contributing to ATT&CK. Reach out to see if we’re already working on the group and review our <a href='/resources/engage-with-attack/contribute'>contribute page</a> for guidance and formatting for group and software submissions.</p> </div> </div> <div class="anchor" id="resources-faq"></div> <div class="faq-section"> <h2>Resources</h2> <div class="relevant-links tip-box"> <span> <strong>Relevant Links:</strong> <span class="faq-link"><a href="/resources/attack-data-and-tools">ATT&CK Data & Tools</a></span><span class="faq-link"><a href="/resources/engage-with-attack/contact">Staying Informed</a></span> </span> </div> <div class="faq-question"> <h5><strong>Are there APIs I can use to access the ATT&CK content?</strong></h5> <p>Yes! 
Check out this page: <a href='/resources/attack-data-and-tools'>ATT&CK Data & Tools</a>.</p> </div> </div> <div class="anchor" id="staying-informed-faq"></div> <div class="faq-section"> <h2>Staying Informed</h2> <div class="faq-question"> <h5><strong>How do I stay up to date with what's happening with ATT&CK?</strong></h5> <p>Follow <a href='https://twitter.com/MITREattack' target='_blank'>@MITREattack</a> on Twitter for news and check out our <a href='https://medium.com/mitre-attack' target='_blank'>blog</a> for posts about topics related to ATT&CK.</p> </div> </div> <div class="anchor" id="other-models-faq"></div> <div class="faq-section"> <h2>ATT&CK and Other Models</h2> <div class="faq-question"> <h5><strong>How does ATT&CK relate to other cyber frameworks and models?</strong></h5> <p>Each model and framework can be used for different purposes. We have documented several <a href="/resources">use cases</a> where ATT&CK can be used to provide granular detail on adversary behavior. We believe most models and frameworks are complementary to ATT&CK, so you don't have to choose just one.</p> </div> <div class="faq-question"> <h5><strong>What is the relationship between ATT&CK and the Diamond Model?</strong></h5> <p>ATT&CK and the <a target="_blank" href="http://www.activeresponse.org/wp-content/uploads/2013/07/diamond.pdf">Diamond Model</a> are complementary. ATT&CK documents detailed adversary behavior while the Diamond Model is helpful if you're trying to cluster intrusions. There are cases where they may be used together. For example, ATT&CK-mapped techniques may be a useful source of input into the Diamond Model to analyze adversary capabilities.</p> </div> <div class="faq-question"> <h5><strong>What is the relationship between ATT&CK and the Lockheed Martin Cyber Kill Chain<sup>®</sup>?</strong></h5> <p>ATT&CK and the <a href="https://www.lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html" target="_blank">Cyber Kill Chain</a> are complementary. 
ATT&CK describes adversary behavior at a lower level of definition than the Cyber Kill Chain. ATT&CK Tactics are unordered and may not all occur in a single intrusion because adversary tactical goals change throughout an operation, whereas the Cyber Kill Chain uses ordered phases to describe high-level adversary objectives.</p> </div> </div> <div class="anchor" id="legal-faq"></div> <div class="faq-section"> <h2>Legal</h2> <div class="relevant-links tip-box"> <span> <strong>Relevant Links:</strong> <span class="faq-link"><a href="/resources/legal-and-branding">Legal & Branding</a></span><span class="faq-link"><a href="/resources/engage-with-attack/contact">Contact Us</a></span> </span> </div> <div class="faq-question"> <h5><strong>How should I reference the name ATT&CK?</strong></h5> <p><p>Both MITRE ATT&CK<sup>®</sup> and ATT&CK<sup>®</sup> are registered trademarks of The MITRE Corporation.</p><ul><li>Your first reference in writing must include "MITRE" preceding "ATT&CK<sup>®</sup>"; subsequent references should use just "ATT&CK" (no registered trademark symbol required).<ul><li>Example of a first reference: <i>MITRE ATT&CK<sup>®</sup> is a curated knowledge base and model for cyber adversary behavior...</i></li><li>Example of subsequent reference: <i>ATT&CK is useful for understanding security risk against known adversary behavior...</i></li></ul><li>A headline should <i>always</i> reference "MITRE ATT&CK" together (never only "ATT&CK<sup>®</sup>").</li><li>Always capitalize "ATT&CK" to distinguish it from the surrounding text.</li><li>Do not modify the trademark, such as through hyphenation or abbreviation. 
For example, do not write "ATT&CK'd!", "Plan-of-ATT&CK", or "ATTK".</li><li>You may not display the ATT&CK trademark in any manner that implies an affiliation with, sponsorship by, or endorsement by MITRE, or in a manner that can be reasonably interpreted to suggest third party content represents the views and opinions of MITRE or MITRE personnel, unless those third parties receive express permission from MITRE.</li><li>You may not use ATT&CK in your product names, service names, trademarks, logos, or company names.</li></ul> For more information, please visit our <a href="/resources/legal-and-branding">Legal & Branding</a> page.</p> </div> <div class="faq-question"> <h5><strong>Where can I download the MITRE ATT&CK logo?</strong></h5> <p>You can find downloadable MITRE ATT&CK logos on the <a href="/resources/legal-and-branding/">Legal & Branding</a> page.</p> </div> <div class="faq-question"> <h5><strong>Can I use ATT&CK in my products and/or services?</strong></h5> <p><p>Yes – ATT&CK is open and available to any person or organization for use at no charge. If you decide to use ATT&CK, then follow the <a href="/resources/legal-and-branding/terms-of-use">Terms of Use</a>. If you have further questions, then please reach out to us at <a href="mailto:attack@mitre.org">attack@mitre.org</a>.</p><p class="mb-0">Remember, you may never use MITRE ATT&CK, MITRE, or ATT&CK in a way that implies an endorsement of a product or service. MITRE does not endorse those organizations, individuals, etc. leveraging MITRE ATT&CK in their work. 
The inclusion of MITRE ATT&CK does not imply endorsement or support from MITRE.</p></p> </div> </div> </div> </div> </div> </div> </div> <!--stop-indexing-for-search--> <!-- search overlay for entire page -- not displayed inline --> <div class="overlay search" id="search-overlay" style="display: none;"> <div class="overlay-inner"> <!-- text input for searching --> <div class="search-header"> <div class="search-input"> <input type="text" id="search-input" placeholder="search"> </div> <div class="search-icons"> <div class="search-parsing-icon spinner-border" style="display: none" id="search-parsing-icon"></div> <div class="close-search-icon" id="close-search-icon">×</div> </div> </div> <!-- results and controls for loading more results --> <div id="search-body" class="search-body"> <div class="results" id="search-results"> <!-- content will be appended here on search --> </div> <div id="load-more-results" class="load-more-results"> <button class="btn btn-default" id="load-more-results-button">load more results</button> </div> </div> </div> </div> </div> <div class="row flex-grow-0 flex-shrink-1"> <!-- footer elements --> <footer class="col footer"> <div class="container-fluid"> <div class="row row-footer"> <div class="col-2 col-sm-2 col-md-2"> <div class="footer-center-responsive my-auto"> <a href="https://www.mitre.org" target="_blank" rel="noopener" aria-label="MITRE"> <img src="/theme/images/mitrelogowhiteontrans.gif" class="mitre-logo-wtrans"> </a> </div> </div> <div class="col-2 col-sm-2 footer-responsive-break"></div> <div class="footer-link-group"> <div class="row row-footer"> <div class="px-3 col-footer"> <u class="footer-link"><a href="/resources/engage-with-attack/contact" class="footer-link">Contact Us</a></u> </div> <div class="px-3 col-footer"> <u class="footer-link"><a href="/resources/legal-and-branding/terms-of-use" class="footer-link">Terms of Use</a></u> </div> <div class="px-3 col-footer"> <u class="footer-link"><a 
href="/resources/legal-and-branding/privacy" class="footer-link">Privacy Policy</a></u> </div> <div class="px-3"> <u class="footer-link"><a href="/resources/changelog.html" class="footer-link" data-toggle="tooltip" data-placement="top" data-html="true" title="ATT&CK content v16.1
Website v4.2.1">Website Changelog</a></u> </div> </div> <div class="row"> <small class="px-3"> © 2015 - 2024, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. </small> </div> </div> <div class="w-100 p-2 footer-responsive-break"></div> <div class="col pr-4"> <div class="footer-float-right-responsive-brand"> <div class="row row-footer row-footer-icon"> <div class="mb-1"> <a href="https://twitter.com/MITREattack" class="btn btn-footer"> <i class="fa-brands fa-x-twitter fa-lg"></i> </a> <a href="https://github.com/mitre-attack" class="btn btn-footer"> <i class="fa-brands fa-github fa-lg"></i> </a> </div> </div> </div> </div> </div> </div> </div> </footer> </div> </div> <!--stopindex--> </div> <!--SCRIPTS--> <script src="/theme/scripts/jquery-3.5.1.min.js"></script> <script src="/theme/scripts/popper.min.js"></script> <script src="/theme/scripts/bootstrap-select.min.js"></script> <script src="/theme/scripts/bootstrap.bundle.min.js"></script> <script src="/theme/scripts/site.js"></script> <script src="/theme/scripts/settings.js"></script> <script src="/theme/scripts/search_bundle.js"></script> <!--SCRIPTS--> <script src="/theme/scripts/resizer.js"></script> <!--SCRIPTS--> <script src="/theme/scripts/sidebar-load-all.js"></script> </body> </html>