Mapping observed malware behaviour to MITRE ATT&CK techniques is now a standard deliverable in malware analysis. How to do it correctly — the 14 tactics, the confidence model, and using ATT&CK Navigator to communicate findings.
Sign in to mark this article as read and track your progress.
MITRE ATT&CK is a knowledge base of adversary tactics and techniques derived from real-world observations of threat actor behaviour. It is maintained by MITRE and updated continuously as new techniques are documented from incident reports, threat intelligence, and malware analysis.
For malware analysts, ATT&CK serves two purposes. First, it provides a common vocabulary: saying a sample uses "T1055.001 — Dynamic-link Library Injection" communicates a specific, unambiguous technique to any reader familiar with ATT&CK, regardless of their background or terminology preferences. Second, it bridges the gap between technical analysis and defensive action — defenders know which ATT&CK techniques their controls cover, so a report that maps attacker behaviour to ATT&CK immediately tells a defender where their gaps are.
The practical output of an ATT&CK mapping exercise is typically an ATT&CK Navigator layer — a colour-coded overlay on the ATT&CK matrix that shows which techniques were observed. This is the format expected by SOCs, threat intelligence teams, and detection engineers.
ATT&CK for Enterprise (the most relevant domain for Windows malware analysis) organises techniques under 14 tactics representing the adversary's goal at each stage:
| ID | Tactic | What it represents |
|---|---|---|
| TA0043 | Reconnaissance | Gathering information before attack |
| TA0042 | Resource Development | Acquiring infrastructure and tools |
| TA0001 | Initial Access | Getting into the environment |
| TA0002 | Execution | Running malicious code |
| TA0003 | Persistence | Maintaining foothold across reboots |
| TA0004 | Privilege Escalation | Gaining higher privileges |
| TA0005 | Defense Evasion | Avoiding detection and analysis |
| TA0006 | Credential Access | Stealing credentials |
| TA0007 | Discovery | Learning about the environment |
| TA0008 | Lateral Movement | Moving to other systems |
| TA0009 | Collection | Gathering data of interest |
| TA0011 | Command and Control | Communicating with compromised systems |
| TA0010 | Exfiltration | Removing data from the environment |
| TA0040 | Impact | Disrupting or destroying systems or data |
For a typical commodity malware sample, the analyst will find techniques under Execution, Defense Evasion, Persistence, Discovery, and Command and Control. Lateral Movement and Collection appear in more capable threats or in post-exploitation tooling dropped by the initial loader.
ATT&CK has two levels of specificity:
Always map to the sub-technique if the evidence supports it. "Process Hollowing" is more actionable for a detection engineer writing EDR rules than "Process Injection." If you observed the specific mechanics (memory allocation in a remote process, writing PE content, redirecting execution) but cannot confirm which sub-technique variant, map to the parent technique and note the ambiguity.
The most common ATT&CK mapping error is treating inference as observation.
Observed: You ran the sample in a sandbox and watched it call NtUnmapViewOfSection on a remote process, write a PE image, and call ResumeThread. That is T1055.012 — Process Hollowing, observed with high confidence.
Inferred: You examined the import table and saw CreateRemoteThread and VirtualAllocEx imported. That suggests process injection capability, but you have not observed it execute. Map as possible or probable, not confirmed.
Assumed: The sample communicates over HTTPS. You assume it uses T1573.002 — Asymmetric Cryptography. You have not actually examined the TLS handshake or the protocol above TLS. Do not map this technique without evidence.
A useful rule: only map a technique if you can describe the specific evidence that supports it. If you cannot write one sentence explaining what you observed that maps to the technique, do not include it.
https://mitre-attack.github.io/attack-navigator/The exported JSON layer can be shared with the SOC so they can import it directly into their own Navigator instance and overlay it against their detection coverage.
These are the techniques analysts find most frequently in commodity samples:
| Technique | Tactic | What to look for |
|---|---|---|
| T1059.001 PowerShell | Execution | PowerShell child process, encoded commands |
| T1059.003 Windows Command Shell | Execution | cmd.exe child process with suspicious arguments |
| T1547.001 Registry Run Keys | Persistence | HKCU/HKLM\Software\Microsoft\Windows\CurrentVersion\Run |
| T1055 Process Injection | Defense Evasion | VirtualAllocEx, WriteProcessMemory, CreateRemoteThread |
| T1027 Obfuscated Files | Defense Evasion | Base64, XOR, compression on embedded content |
| T1082 System Information Discovery | Discovery | Calls to GetComputerName, GetVersionEx, cmd /c systeminfo |
| T1016 System Network Config Discovery | Discovery | ipconfig, GetAdaptersInfo |
| T1071.001 Web Protocols | C2 | HTTP/HTTPS to non-browser processes |
| T1132.001 Standard Encoding | C2 | Base64 in C2 communication |
| T1486 Data Encrypted for Impact | Impact | Ransomware: file encryption loop, ransom note drop |