EpochZero Learn
EpochZero LearnMulti-Domain Tech Learning Hub
Courses
LeaderboardAbout
Dashboard
EpochZero
EpochZero Learn
Multi-Domain Tech Learning Hub

Structured learning for Reverse Engineering, Cloud Security, Cryptography, and Web Development. Articles, videos, tests, and peer discussion.

Learn

  • Learning Path
  • All Articles
  • Video Lessons
  • Podcast
  • eBooks & PDFs
  • Question Banks
  • Cheatsheets
  • MCQ Banks

Tests & Forum

  • All Tests
  • REMA Tests
  • Cloud Tests
  • Forum
  • REMA Forum
  • Cloud Forum
  • Crypto Forum
  • Web Dev Forum

Campus

  • REMA Club
  • Full Stack Dev Club
  • Extension Activity
  • Events
  • CTF Competitions
  • Workshops
  • Industrial Visits

Platform

  • Dashboard
  • Leaderboard
  • About
  • Verify Certificate

© 2026 EpochZero Learn. Educational content for learning purposes.

Course Instructor: Ashish Revar

All articles
Analyst Practice

MITRE ATT&CK Technique Mapping

Mapping observed malware behaviour to MITRE ATT&CK techniques is now a standard deliverable in malware analysis. How to do it correctly — the 14 tactics, the confidence model, and using ATT&CK Navigator to communicate findings.

Ashish Revar13 May 202610 min read11 views

Sign in to mark this article as read and track your progress.

Related to this topic

Continue learning

Reference material

eBook
REMA eBook 2026
v1.0
Open resource
Cheatsheet
REMA Cheatsheet 2026
v1.0
Open resource
MCQ Bank
REMA MCQ Bank 2026
v1.0
Open resource
Question Bank
REMA Question Bank 2026
v1.0
Open resource

External references

MITRE ATT&CK Enterprise Matrix

The full ATT&CK Enterprise matrix. Bookmark and use during every analysis.

reference
ATT&CK Navigator

Web-based tool for creating and exporting ATT&CK layer visualisations. The standard output format.

tool
ATT&CK Mapping Methodology (MITRE)

MITRE's own guidance on how to map behaviours to techniques with appropriate confidence.

reference
More articlesTest your knowledge

What ATT&CK Is and Why It Matters for Malware Analysis

MITRE ATT&CK is a knowledge base of adversary tactics and techniques derived from real-world observations of threat actor behaviour. It is maintained by MITRE and updated continuously as new techniques are documented from incident reports, threat intelligence, and malware analysis.

For malware analysts, ATT&CK serves two purposes. First, it provides a common vocabulary: saying a sample uses "T1055.001 — Dynamic-link Library Injection" communicates a specific, unambiguous technique to any reader familiar with ATT&CK, regardless of their background or terminology preferences. Second, it bridges the gap between technical analysis and defensive action — defenders know which ATT&CK techniques their controls cover, so a report that maps attacker behaviour to ATT&CK immediately tells a defender where their gaps are.

The practical output of an ATT&CK mapping exercise is typically an ATT&CK Navigator layer — a colour-coded overlay on the ATT&CK matrix that shows which techniques were observed. This is the format expected by SOCs, threat intelligence teams, and detection engineers.

The 14 Tactics

ATT&CK for Enterprise (the most relevant domain for Windows malware analysis) organises techniques under 14 tactics representing the adversary's goal at each stage:

IDTacticWhat it represents
TA0043ReconnaissanceGathering information before attack
TA0042Resource DevelopmentAcquiring infrastructure and tools
TA0001Initial AccessGetting into the environment
TA0002ExecutionRunning malicious code
TA0003PersistenceMaintaining foothold across reboots
TA0004Privilege EscalationGaining higher privileges
TA0005Defense EvasionAvoiding detection and analysis
TA0006Credential AccessStealing credentials
TA0007DiscoveryLearning about the environment
TA0008Lateral MovementMoving to other systems
TA0009CollectionGathering data of interest
TA0011Command and ControlCommunicating with compromised systems
TA0010ExfiltrationRemoving data from the environment
TA0040ImpactDisrupting or destroying systems or data

For a typical commodity malware sample, the analyst will find techniques under Execution, Defense Evasion, Persistence, Discovery, and Command and Control. Lateral Movement and Collection appear in more capable threats or in post-exploitation tooling dropped by the initial loader.

Technique vs Sub-technique

ATT&CK has two levels of specificity:

  • Technique: The general class of behaviour. Example: T1055 Process Injection.
  • Sub-technique: A specific implementation of the technique. Example: T1055.001 Dynamic-link Library Injection, T1055.002 Portable Executable Injection, T1055.012 Process Hollowing.

Always map to the sub-technique if the evidence supports it. "Process Hollowing" is more actionable for a detection engineer writing EDR rules than "Process Injection." If you observed the specific mechanics (memory allocation in a remote process, writing PE content, redirecting execution) but cannot confirm which sub-technique variant, map to the parent technique and note the ambiguity.

The Confidence Problem

The most common ATT&CK mapping error is treating inference as observation.

Observed: You ran the sample in a sandbox and watched it call NtUnmapViewOfSection on a remote process, write a PE image, and call ResumeThread. That is T1055.012 — Process Hollowing, observed with high confidence.

Inferred: You examined the import table and saw CreateRemoteThread and VirtualAllocEx imported. That suggests process injection capability, but you have not observed it execute. Map as possible or probable, not confirmed.

Assumed: The sample communicates over HTTPS. You assume it uses T1573.002 — Asymmetric Cryptography. You have not actually examined the TLS handshake or the protocol above TLS. Do not map this technique without evidence.

A useful rule: only map a technique if you can describe the specific evidence that supports it. If you cannot write one sentence explaining what you observed that maps to the technique, do not include it.

ATT&CK Navigator Workflow

  1. Navigate to https://mitre-attack.github.io/attack-navigator/
  2. Click Create New Layer → Select Enterprise ATT&CK
  3. For each technique you observed, find it in the matrix (use the search function) and click to select it
  4. Use the colour coding to indicate confidence: e.g., red = confirmed, orange = probable, yellow = possible
  5. Add a comment to each technique noting the specific evidence
  6. Export as JSON (save with your report) and as SVG (embed in the report)

The exported JSON layer can be shared with the SOC so they can import it directly into their own Navigator instance and overlay it against their detection coverage.

Common Techniques in Commodity Windows Malware

These are the techniques analysts find most frequently in commodity samples:

TechniqueTacticWhat to look for
T1059.001 PowerShellExecutionPowerShell child process, encoded commands
T1059.003 Windows Command ShellExecutioncmd.exe child process with suspicious arguments
T1547.001 Registry Run KeysPersistenceHKCU/HKLM\Software\Microsoft\Windows\CurrentVersion\Run
T1055 Process InjectionDefense EvasionVirtualAllocEx, WriteProcessMemory, CreateRemoteThread
T1027 Obfuscated FilesDefense EvasionBase64, XOR, compression on embedded content
T1082 System Information DiscoveryDiscoveryCalls to GetComputerName, GetVersionEx, cmd /c systeminfo
T1016 System Network Config DiscoveryDiscoveryipconfig, GetAdaptersInfo
T1071.001 Web ProtocolsC2HTTP/HTTPS to non-browser processes
T1132.001 Standard EncodingC2Base64 in C2 communication
T1486 Data Encrypted for ImpactImpactRansomware: file encryption loop, ransom note drop