The MITRE ATT&CK Framework: A Threat Hunter’s Strategic Compass
Why Use MITRE ATT&CK for Threat Hunting?
When you first encounter the MITRE ATT&CK framework, it can feel overwhelming. Hundreds of techniques, thousands of procedures, an ever-expanding matrix of adversary behaviors – it’s easy to wonder whether this massive knowledge base is truly practical for day-to-day threat hunting, or just an abstract academic exercise.
Many security professionals initially struggle to see how ATT&CK translates from theory to action. Is it just another compliance checklist? A taxonomy for writing reports? A nice-to-have reference that sits unused while we tackle real security problems?
The reality is quite different. Once you understand how to apply it, the MITRE ATT&CK framework becomes one of the most valuable tools in a threat hunter’s arsenal. It helps us understand our detection coverage – what we can see and what we’re blind to. This in turn can help us prioritize our hunting efforts, not only to “find threats”, but to help improve coverage where it may be lacking.
It also provides a common language for receiving threat intelligence that’s actually actionable rather than vague warnings about “advanced threats.” When threat reports reference specific technique IDs, we immediately know what to hunt for, what logs matter, and whether our detection capabilities would catch it.
It enables us to share findings with our teams and the broader security community in a way that’s immediately understood and useful. Documented detections become instantly recognizable to other security professionals, allowing teams to compare notes, share defensive strategies, and build collective knowledge.
And perhaps most importantly for hunters, it guides our hunts by giving us a structured approach to exploring adversary behaviors in our environments. Instead of wondering where to start, we can build focused hypotheses about how attackers might operate, what evidence they’d leave, and where to look for it.
The Core Unit of MITRE ATT&CK
At its core, ATT&CK is organized around a simple but powerful structure. Tactics represent the adversary’s objectives – the “why” of what they’re doing. Think of these as the stages of an attack: gaining initial access, establishing persistence, moving laterally, and so on. Techniques describe how adversaries achieve those tactical objectives – the specific methods they employ. Sub-techniques provide even more granular detail, breaking down techniques into specific variations and implementations.
Currently, the framework defines fourteen tactics that map the typical lifecycle of a cyberattack. But here’s something crucial for threat hunters to understand: these fourteen tactics are not equally valuable for our work.
Some tactics, like Reconnaissance and Resource Development, occur entirely outside our environment with virtually no telemetry for us to hunt through. Others, like Lateral Movement and Command and Control, generate rich, observable behaviors that provide excellent hunting opportunities.
Further, even among huntable tactics, our approaches differ dramatically: Privilege Escalation and Persistence rely almost exclusively on endpoint telemetry, Command and Control detection requires deep network analysis, and tactics like Lateral Movement and Exfiltration benefit from correlating both endpoint and network visibility to build the complete picture.
The Fourteen Tactics: A Hunter’s Perspective
Reconnaissance and Resource Development occur beyond our visibility perimeter. Adversaries gather intelligence and build infrastructure outside our networks, leaving us with nothing to hunt. These tactics remind us that attacks begin long before we see them, but they offer minimal internal detection opportunities.
Initial Access is moderately huntable, though we’re often detecting consequences rather than the breach itself. Phishing emails may disappear from gateway logs, but the execution they trigger – Office applications spawning PowerShell, unusual file downloads, web server exploitation attempts – leaves traces in process creation logs and network connections. VPN authentication anomalies and impossible travel scenarios reveal compromised credentials being used for initial entry.
Execution is highly huntable with rich endpoint telemetry. Every process creation, command line argument, and script execution generates logs we can analyze. The challenge here is volume – legitimate execution happens constantly. Success requires understanding normal patterns so malicious execution stands out: Word spawning PowerShell, encoded commands, or suspicious parent-child process relationships.
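As an added example (not code from the original post), the two Execution hunts named above, an Office application spawning an interpreter and an encoded PowerShell command line, run over a handful of constructed process-creation events. The event field names, the technique IDs attached to each rule, and the sample events are all assumptions made for this example, not something the post specifies.

```python
import base64
import re

# Constructed sample of process-creation events in the shape of Sysmon
# Event ID 1 fields. Hand-written for this example, not collected from a host.
# The encoded PowerShell argument is built from a harmless command so the
# decoder below has a real payload to unpack.
ENCODED = base64.b64encode("Get-Process".encode("utf-16-le")).decode()

SAMPLE_EVENTS = [
    {"host": "WS01", "parent": "explorer.exe", "image": "winword.exe",
     "cmdline": "winword.exe /n invoice.docx"},
    {"host": "WS01", "parent": "winword.exe", "image": "powershell.exe",
     "cmdline": f"powershell.exe -nop -w hidden -enc {ENCODED}"},
    {"host": "WS02", "parent": "services.exe", "image": "svchost.exe",
     "cmdline": "svchost.exe -k netsvcs"},
    {"host": "WS03", "parent": "cmd.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -File C:\\scripts\\nightly-backup.ps1"},
    {"host": "WS04", "parent": "excel.exe", "image": "cmd.exe",
     "cmdline": "cmd.exe /c whoami"},
]

# Office applications have no business launching interpreters; when they do,
# the usual cause is a macro or exploit document. Technique mapping is assumed.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
INTERPRETERS = {
    "powershell.exe": "T1059.001", "pwsh.exe": "T1059.001",   # PowerShell
    "cmd.exe": "T1059.003",                                   # Windows Command Shell
    "wscript.exe": "T1059", "cscript.exe": "T1059",           # script host, flavour unknown
}

# -EncodedCommand and its accepted abbreviations, followed by the base64 blob.
ENC_RE = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload (UTF-16LE), or None."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None  # not valid base64/UTF-16, so not the pattern we hunt for


def hunt_execution(events):
    """Apply both hunts to a list of process-creation events; return findings."""
    findings = []
    for ev in events:
        parent, image = ev["parent"].lower(), ev["image"].lower()
        if parent in OFFICE_PARENTS and image in INTERPRETERS:
            findings.append({"host": ev["host"], "rule": "office-spawns-interpreter",
                             "technique": INTERPRETERS[image],
                             "detail": f"{parent} -> {image}"})
        decoded = decode_encoded_command(ev["cmdline"])
        if decoded is not None:
            findings.append({"host": ev["host"], "rule": "encoded-command",
                             "technique": "T1027", "detail": decoded})
    return findings


if __name__ == "__main__":
    for f in hunt_execution(SAMPLE_EVENTS):
        print(f"{f['host']:5} {f['technique']:10} {f['rule']:26} {f['detail']}")
```

The backup script on WS03 is launched from cmd.exe, not from an Office parent, so it is deliberately not flagged: the parent-child relationship, not the mere presence of PowerShell, is what carries the signal here.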
Persistence provides excellent hunting opportunities because mechanisms must modify system state observably. Registry run keys, scheduled tasks, new services, and account creation all generate events. Hunt for tasks created by unusual processes, services pointing to suspicious paths, or registry modifications by applications that shouldn’t touch autorun locations.
Privilege Escalation is highly huntable with strong endpoint focus. Token manipulation, LSASS memory access, and exploitation attempts create distinctive telemetry. Look for unusual processes accessing privileged system processes, special privileges being assigned unexpectedly, or authentication patterns that don’t align with normal administrative behavior.
Defense Evasion is paradoxically huntable – techniques meant to hide often create their own evidence. Log clearing generates clearing events, security tool tampering produces service stop logs, and process injection creates unusual memory patterns. Hunt for processes created in suspended states, security software being disabled, or legitimate system processes executing from wrong locations or making unexpected network connections.
Credential Access is extremely huntable and critically important. LSASS memory dumping, brute force attempts, and credential file searches all leave clear indicators. Monitor process access to sensitive memory spaces, failed authentication spikes followed by success, and commands searching for password files. The challenge is volume – LSASS is legitimately accessed constantly, and users forget passwords regularly. Context matters: unusual timing, unexpected sources, and correlation with other suspicious activities separate attacks from normal behavior.
Discovery activities generate numerous events as adversaries enumerate users, systems, and shares. Hunt for enumeration commands, rapid sequential share access, or systematic querying of domain resources. The difficulty is that administrators perform similar enumeration legitimately. Effective hunting requires understanding normal IT operations – knowing which systems, accounts, and timeframes are expected for administrative discovery.
Lateral Movement offers excellent hunting opportunities using both endpoint and network data. WMI remote execution, RDP sessions, and administrative share access create rich telemetry. Network traffic shows the movement itself – connections to RPC ports, SMB traffic to administrative shares, and authentication across multiple systems in rapid succession. Hunt for workstation-to-workstation connections, unusual administrative tool usage, or accounts authenticating across systems they don’t normally access.
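Two of the authentication hunts described under Credential Access and Lateral Movement, written out as an added example that is not part of the original post: a burst of failed logons followed by a success, and one account succeeding against many distinct hosts in a short window. The event layout, the thresholds and the sample events are assumptions constructed for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed authentication events: (timestamp, account, source IP, target host,
# outcome). Shaped like a flattened Windows 4624/4625 feed; not real data.
SAMPLE_AUTH = [
    # six failures against one account, then a success, all from one source
    ("2024-03-01T02:00:01", "svc_backup", "10.0.5.23", "DC01", "fail"),
    ("2024-03-01T02:00:04", "svc_backup", "10.0.5.23", "DC01", "fail"),
    ("2024-03-01T02:00:07", "svc_backup", "10.0.5.23", "DC01", "fail"),
    ("2024-03-01T02:00:10", "svc_backup", "10.0.5.23", "DC01", "fail"),
    ("2024-03-01T02:00:13", "svc_backup", "10.0.5.23", "DC01", "fail"),
    ("2024-03-01T02:00:16", "svc_backup", "10.0.5.23", "DC01", "fail"),
    ("2024-03-01T02:00:20", "svc_backup", "10.0.5.23", "DC01", "success"),
    # one account reaching four different hosts inside three minutes
    ("2024-03-01T02:10:00", "jdoe", "10.0.5.23", "WS07", "success"),
    ("2024-03-01T02:10:40", "jdoe", "10.0.5.23", "WS08", "success"),
    ("2024-03-01T02:11:10", "jdoe", "10.0.5.23", "FS01", "success"),
    ("2024-03-01T02:12:05", "jdoe", "10.0.5.23", "WS12", "success"),
    # benign: a single typo, and a help-desk login to one server
    ("2024-03-01T09:00:00", "asmith", "10.0.9.4", "WS03", "fail"),
    ("2024-03-01T09:00:08", "asmith", "10.0.9.4", "WS03", "success"),
    ("2024-03-01T09:30:00", "helpdesk", "10.0.9.10", "SRV01", "success"),
]


def _group_by_account(events):
    """Parse timestamps and bucket events per account, sorted by time."""
    by_account = defaultdict(list)
    for ts, account, src, dst, outcome in events:
        by_account[account].append((datetime.fromisoformat(ts), src, dst, outcome))
    for evs in by_account.values():
        evs.sort()
    return by_account


def hunt_failures_then_success(events, min_failures=5, window=timedelta(minutes=5)):
    """Credential Access, T1110 Brute Force: a burst of failures followed by a
    success on the same account. A lone typo never reaches the threshold."""
    findings = []
    for account, evs in _group_by_account(events).items():
        for i, (t, src, dst, outcome) in enumerate(evs):
            if outcome != "success":
                continue
            fails = [e for e in evs[:i] if e[3] == "fail" and t - e[0] <= window]
            if len(fails) >= min_failures:
                findings.append({"account": account, "technique": "T1110",
                                 "failures": len(fails),
                                 "sources": sorted({e[1] for e in fails}),
                                 "success_at": t.isoformat(), "target": dst})
                break  # one finding per account is enough to start triage
    return findings


def hunt_rapid_multi_host(events, min_hosts=3, window=timedelta(minutes=5)):
    """Lateral Movement candidate (T1021 family): one account succeeding on
    several distinct hosts within a short window. Ordinary users rarely do this;
    admins and scanners do, so the baseline decides the threshold."""
    findings = []
    for account, evs in _group_by_account(events).items():
        successes = [(t, dst) for t, _, dst, outcome in evs if outcome == "success"]
        for i, (t0, _) in enumerate(successes):
            hosts = {dst for t, dst in successes[i:] if t - t0 <= window}
            if len(hosts) >= min_hosts:
                findings.append({"account": account, "technique": "T1021",
                                 "hosts": sorted(hosts),
                                 "window_start": t0.isoformat()})
                break
    return findings


if __name__ == "__main__":
    for f in hunt_failures_then_success(SAMPLE_AUTH) + hunt_rapid_multi_host(SAMPLE_AUTH):
        print(f)
```

Both hunts are deliberately keyed on the account rather than the source address, because the post's point is that the same account appearing where it does not normally authenticate is the story; an allow-list of known administrative accounts and jump hosts is the obvious next refinement.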
Collection is moderately huntable, with difficulty varying by technique. Automated collection from file shares shows through high-volume sequential access patterns and unusual file type targeting. Mass mailbox access, archive creation, and data staging to temporary directories all generate detectable events. Here especially, baselines are critical to identify when normal users suddenly access thousands of files or unusual file types.
Command and Control is highly huntable through network analysis. While encrypted traffic hides content, behavioral patterns reveal C2: DNS tunneling shows high-entropy subdomains and excessive query volumes, HTTPS beaconing creates regular connection intervals, and connections to rare destinations or newly registered domains stand out. Hunt for processes making unexpected external connections, consistent timing patterns suggesting automated beaconing, or traffic characteristics that differ from normal web browsing.
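The two network-side C2 signals described above, high-entropy subdomains in DNS queries and near-constant connection intervals, implemented as an added example over constructed DNS and connection logs (this is not code from the original post). The log layouts, thresholds, the naive "zone = last two labels" split, and the technique IDs attached to each finding are assumptions made here.

```python
import math
from collections import Counter, defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed DNS query log: (timestamp, source host, query name). Not real data.
# The four WS09 labels are permutations of one 32-character string, chosen so
# their entropy is known to sit well above the threshold used below.
SAMPLE_DNS = [
    ("2024-03-01T02:00:00", "WS05", "www.example.com"),
    ("2024-03-01T02:00:03", "WS05", "mail.example.com"),
    ("2024-03-01T02:00:09", "WS05", "cdn.static.example.org"),
    ("2024-03-01T02:00:10", "WS09", "k3j9x2pq7wm4z8rt1v6nb5yc0hf2ud9l.t.example.net"),
    ("2024-03-01T02:00:11", "WS09", "l9du2fh0cy5bn6v1tr8z4mw7qp2x9j3k.t.example.net"),
    ("2024-03-01T02:00:12", "WS09", "x2pq7wm4z8rt1v6nb5yc0hf2ud9lk3j9.t.example.net"),
    ("2024-03-01T02:00:13", "WS09", "7wm4z8rt1v6nb5yc0hf2ud9lk3j9x2pq.t.example.net"),
]

# Constructed connection log: (timestamp, source host, destination, port).
SAMPLE_CONN = [
    # WS09 -> 203.0.113.7:443 roughly every 60 s with a little jitter
    ("2024-03-01T02:00:00", "WS09", "203.0.113.7", 443),
    ("2024-03-01T02:01:00", "WS09", "203.0.113.7", 443),
    ("2024-03-01T02:02:01", "WS09", "203.0.113.7", 443),
    ("2024-03-01T02:03:00", "WS09", "203.0.113.7", 443),
    ("2024-03-01T02:04:00", "WS09", "203.0.113.7", 443),
    ("2024-03-01T02:05:02", "WS09", "203.0.113.7", 443),
    ("2024-03-01T02:06:00", "WS09", "203.0.113.7", 443),
    ("2024-03-01T02:07:00", "WS09", "203.0.113.7", 443),
    # WS05 browsing: bursts and long idle gaps, nothing periodic
    ("2024-03-01T02:00:00", "WS05", "198.51.100.20", 443),
    ("2024-03-01T02:00:05", "WS05", "198.51.100.20", 443),
    ("2024-03-01T02:05:05", "WS05", "198.51.100.20", 443),
    ("2024-03-01T02:05:17", "WS05", "198.51.100.20", 443),
    ("2024-03-01T02:20:17", "WS05", "198.51.100.20", 443),
    ("2024-03-01T02:20:20", "WS05", "198.51.100.20", 443),
    ("2024-03-01T02:31:00", "WS05", "198.51.100.20", 443),
]


def shannon_entropy(s):
    """Bits of entropy per character; 0.0 for an empty or single-symbol string."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def split_query(qname):
    """Naive split into (subdomain labels joined, registered zone). A real hunt
    would consult a public-suffix list; here the zone is the last two labels."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) <= 2:
        return "", ".".join(labels)
    return "".join(labels[:-2]), ".".join(labels[-2:])


def hunt_dns_tunneling(queries, min_entropy=3.5, min_len=16, min_hits=3):
    """T1071.004 candidate: many long, high-entropy subdomains from one source
    to one zone. CDN and mail hostnames are short or low-entropy and drop out."""
    hits = defaultdict(list)
    for _ts, src, qname in queries:
        sub, zone = split_query(qname)
        if len(sub) >= min_len and shannon_entropy(sub) >= min_entropy:
            hits[(src, zone)].append(qname)
    return [{"src": src, "zone": zone, "technique": "T1071.004",
             "queries": len(q), "example": q[0]}
            for (src, zone), q in hits.items() if len(q) >= min_hits]


def hunt_beaconing(conns, min_conns=6, max_cv=0.1):
    """T1071.001-style beacon: near-constant gap between connections to one
    destination. Coefficient of variation (stdev / mean) of the gaps measures
    regularity, so small jitter still scores as periodic."""
    by_pair = defaultdict(list)
    for ts, src, dst, port in conns:
        by_pair[(src, dst, port)].append(datetime.fromisoformat(ts))
    findings = []
    for (src, dst, port), times in by_pair.items():
        if len(times) < min_conns:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        cv = pstdev(gaps) / mean(gaps) if mean(gaps) > 0 else float("inf")
        if cv <= max_cv:
            findings.append({"src": src, "dst": dst, "port": port,
                             "technique": "T1071.001",
                             "period_s": round(mean(gaps)), "cv": round(cv, 3)})
    return findings


if __name__ == "__main__":
    print(hunt_dns_tunneling(SAMPLE_DNS))
    print(hunt_beaconing(SAMPLE_CONN))
```

Real implants add deliberate jitter, so raise `max_cv` with care and pair the interval test with destination rarity (how many hosts talk to that address at all) rather than relying on regularity alone.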
Exfiltration is highly huntable despite encryption. Network telemetry reveals large upload volumes, sustained outbound transfers, and connections to cloud storage services. Hunt for unusual upload patterns, off-hours data transfers, or systems suddenly connecting to unauthorized cloud services. While encryption prevents seeing what’s stolen, volume anomalies, timing patterns, and destination analysis provide strong indicators. A major challenge is distinguishing exfiltration from legitimate business operations that also transfer massive amounts of data – backups, file synchronization, cloud applications.
Impact activities are highly visible, but detecting them is largely reactive: by the time they have happened, it is likely already too late for us to do anything about them. Consequently, hunting efforts are best focused on the tactics that occur earlier in the chain, before the deployment of ransomware, for example.
Putting It All Together
The MITRE ATT&CK framework transforms threat hunting from reactive log analysis into structured, hypothesis-driven investigation. But as we’ve seen, not all tactics deserve equal attention. Focus your hunting efforts on tactics with rich telemetry like Lateral Movement, Credential Access, and Command and Control, while keeping the full attack chain in view so you can recognize patterns and progression.
Effective hunting requires both breadth and depth. Understand all tactics to recognize complete attack narratives, but concentrate expertise on huntable tactics where your telemetry provides visibility. Build strong baselines of normal behavior so anomalies become obvious. Correlate indicators across tactics – credential theft followed by lateral movement followed by collection tells a story that isolated events cannot.
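The cross-tactic correlation described above (credential theft, then lateral movement, then collection), written out as an added example that is not part of the original post. It walks an assumed, ordered list of tactics and reports, per account, the longest in-order sequence of already-triaged findings that fits inside a time window. The finding layout, the stage order, the window and the sample findings are all assumptions constructed here.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed findings as earlier hunts might emit them: one per (entity, tactic,
# time). Tactic names are ATT&CK's; everything else is made up for the example.
SAMPLE_FINDINGS = [
    {"ts": "2024-03-01T01:00:00", "entity": "jdoe", "tactic": "Credential Access",
     "technique": "T1003.001", "host": "WS07"},
    {"ts": "2024-03-01T01:20:00", "entity": "jdoe", "tactic": "Lateral Movement",
     "technique": "T1021.002", "host": "FS01"},
    {"ts": "2024-03-01T01:45:00", "entity": "jdoe", "tactic": "Collection",
     "technique": "T1039", "host": "FS01"},
    # out of order: movement before credential access does not tell this story
    {"ts": "2024-03-01T03:00:00", "entity": "bwong", "tactic": "Lateral Movement",
     "technique": "T1021.001", "host": "WS02"},
    {"ts": "2024-03-01T03:10:00", "entity": "bwong", "tactic": "Credential Access",
     "technique": "T1110", "host": "DC01"},
    # an isolated discovery event is just an isolated event
    {"ts": "2024-03-01T08:00:00", "entity": "asmith", "tactic": "Discovery",
     "technique": "T1087", "host": "WS03"},
]

# Assumed progression for the chain we care about; a stage with no finding is
# skipped, but matched stages must appear in this order and in time order.
KILL_CHAIN = ["Credential Access", "Discovery", "Lateral Movement",
              "Collection", "Exfiltration"]


def find_chains(findings, stages=KILL_CHAIN, min_stages=2, window=timedelta(hours=4)):
    """Per entity, greedily match stages in order to successive findings and
    report sequences of at least `min_stages` tactics that fit in `window`."""
    by_entity = defaultdict(list)
    for f in findings:
        by_entity[f["entity"]].append((datetime.fromisoformat(f["ts"]), f))
    chains = []
    for entity, evs in by_entity.items():
        evs.sort(key=lambda e: e[0])
        matched, cursor = [], None
        for stage in stages:
            # earliest finding of this stage after the previously matched one;
            # greedy, so it can miss a later, longer chain for the same entity
            for t, f in evs:
                if f["tactic"] == stage and (cursor is None or t > cursor):
                    matched.append((t, f))
                    cursor = t
                    break
        if len(matched) < min_stages:
            continue
        span = matched[-1][0] - matched[0][0]
        if span <= window:
            chains.append({"entity": entity,
                           "stages": [f["tactic"] for _, f in matched],
                           "techniques": [f["technique"] for _, f in matched],
                           "hosts": [f["host"] for _, f in matched],
                           "span_minutes": int(span.total_seconds() // 60)})
    return chains


def narrative(chain):
    """One-line story for an analyst, e.g. for a case title."""
    steps = " -> ".join(f"{s} ({t})" for s, t in zip(chain["stages"], chain["techniques"]))
    return f"{chain['entity']}: {steps} within {chain['span_minutes']} min"


if __name__ == "__main__":
    for c in find_chains(SAMPLE_FINDINGS):
        print(narrative(c))
```

Keying the chain on the account is one choice; keying it on the host, or on both, catches stories where an attacker rotates through stolen credentials on a single beachhead machine.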
Threat hunting with ATT&CK isn’t about memorizing techniques – it’s about developing an adversary-focused mindset supported by structured knowledge. The framework provides the map; your expertise, tools, and persistence chart the course.
Happy hunting!
Faan

Faan is a security researcher specializing in detecting post-exploitation malware, with a focus on network communication. He likes exploring threat hunting via a purple team approach by simulating adversarial activity to develop novel threat hunting detections. He also loves building covert channels and unusual malware communication methods, creating threat emulation tools that inform new detection vectors.