MITRE ATT&CK Detection Training
Master detection for 54+ MITRE ATT&CK techniques across all major tactics. Each technique includes real detection strategies, example alerts from SIEM, XDR, and Firewall tools, and links to hands-on training in SOCSimulator Operations.
What is MITRE ATT&CK?
- MITRE ATT&CK Framework
- MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations. SOC analysts use the framework to classify threats, build detection rules, assess security coverage, and communicate about attack behavior in a common language.
Each technique describes a specific method adversaries use to achieve their goals — from gaining initial access to exfiltrating data and causing impact. SOCSimulator maps its training operations and shift mode scenarios directly to MITRE ATT&CK techniques, so every alert you investigate teaches you something real. Start free forever — no credit card required.
“ATT&CK is used by defenders, threat intelligence teams, and red teamers worldwide to improve their understanding of adversary behavior and strengthen organizational security posture.”
Browse by Tactic
MITRE ATT&CK organizes techniques into 12 tactical categories representing an adversary's objectives during an attack.
Initial Access
6 techniques
Phishing
Phishing is a social engineering technique where adversaries send fraudulent electronic messages to gain access to victi...
Exploit Public-Facing Application
Adversaries may attempt to take advantage of a weakness in an Internet-facing computer or program using software, data, ...
External Remote Services
Remote services such as VPNs, Citrix, and other access mechanisms allow users to connect to internal enterprise network ...
Valid Accounts
Adversaries may obtain and abuse credentials of existing accounts as a means of gaining initial access, persistence, pri...
Supply Chain Compromise
Adversaries may manipulate products or product delivery mechanisms prior to receipt by a final consumer for the purpose ...
Trusted Relationship
Adversaries may breach or otherwise leverage organizations who have access to intended victims. Access through trusted t...
Execution
5 techniques
Command and Scripting Interpreter
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and la...
User Execution
An adversary may rely upon specific actions by a user in order to gain execution. Users may be subjected to social engin...
Scheduled Task/Job
Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Util...
Windows Management Instrumentation
Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is a Wind...
System Services
Adversaries may abuse system services or daemons to execute commands or programs. Adversaries can execute malicious cont...
Persistence
6 techniques
Boot or Logon Autostart Execution
Adversaries may configure system settings to automatically execute a program during system boot or logon to maintain per...
Create Account
Adversaries may create an account to maintain access to victim systems. With a sufficient level of access, creating such...
Account Manipulation
Adversaries may manipulate accounts to maintain or improve access to victim systems. Account manipulation may consist of...
Scheduled Task
Adversaries may abuse the Windows Task Scheduler to perform task scheduling for initial or recurring execution of malici...
Create or Modify System Process
Adversaries may create or modify system-level processes to repeatedly execute malicious payloads as part of persistence....
Hijack Execution Flow
Adversaries may execute their own malicious payloads by hijacking the way operating systems run programs. Hijacking exec...
Privilege Escalation
4 techniques
Abuse Elevation Control Mechanism
Adversaries may circumvent mechanisms designed to control elevated privileges to gain higher-level permissions. Most mod...
Access Token Manipulation
Adversaries may modify access tokens to operate under a different user or system security context to perform actions and...
Exploitation for Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnera...
Process Injection
Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileg...
Defense Evasion
6 techniques
Indicator Removal
Adversaries may delete or modify artifacts generated within systems to remove evidence of their presence or hinder defen...
Masquerading
Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and ...
Obfuscated Files or Information
Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or other...
Impair Defenses
Adversaries may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms...
System Binary Proxy Execution
Adversaries may bypass process and or signature-based defenses by proxying execution of malicious content with signed, o...
Modify Registry
Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove inform...
Credential Access
6 techniques
Brute Force
Adversaries may use brute force techniques to gain access to accounts when passwords are unknown or when password hashes...
OS Credential Dumping
Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a h...
Steal or Forge Kerberos Tickets
Adversaries may attempt to subvert Kerberos authentication by stealing or forging Kerberos tickets to enable Pass the Ti...
Credentials from Password Stores
Adversaries may search for common password storage locations to obtain user credentials. Passwords are stored in several...
Unsecured Credentials
Adversaries may search compromised systems to find and obtain insecurely stored credentials. These credentials can be st...
Modify Authentication Process
Adversaries may modify authentication mechanisms and processes to access user credentials or enable otherwise unwarrante...
Discovery
7 techniques
Account Discovery
Adversaries may attempt to get a listing of local system or domain accounts. This information can help adversaries deter...
Network Service Discovery
Adversaries may attempt to get a listing of services running on remote hosts and local network infrastructure devices, i...
File and Directory Discovery
Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certa...
Remote System Discovery
Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifiers on a net...
Process Discovery
Adversaries may attempt to get information about running processes on a system. Information obtained could be used to ga...
System Information Discovery
An adversary may attempt to get detailed information about the operating system and hardware, including version, patches...
System Network Connections Discovery
Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently acc...
Lateral Movement
2 techniques
Remote Services
Adversaries may use valid accounts to log into a service specifically designed to accept remote connections, such as tel...
Lateral Tool Transfer
Adversaries may transfer tools or other files between systems in a compromised environment. Once brought into the victim...
Collection
4 techniques
Data from Local System
Adversaries may search local system sources, such as file systems, configuration files, and local databases, to find fil...
Email Collection
Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade s...
Archive Collected Data
An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to ...
Data Staged
Adversaries may stage collected data in a central location or directory prior to exfiltration. Data may be kept in separ...
Command and Control
3 techniques
Application Layer Protocol
Adversaries may communicate using OSI application layer protocols to avoid detection and network filtering by blending i...
Ingress Tool Transfer
Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copie...
Protocol Tunneling
Adversaries may tunnel network communications to and from a victim system within a separate protocol to avoid detection ...
Exfiltration
2 techniques
Exfiltration Over C2 Channel
Adversaries may steal data by exfiltrating it over an existing command and control channel. Stolen data is encoded into ...
Exfiltration Over Alternative Protocol
Adversaries may steal data by exfiltrating it over a different protocol than that used for command and control. Data exf...
Impact
3 techniques
Data Encrypted for Impact
Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to ...
Service Stop
Adversaries may stop or disable services on a system to render those services unavailable to legitimate users. Stopping ...
System Shutdown/Reboot
Adversaries may shutdown or reboot systems to interrupt access to, or aid in the destruction of, those systems. Operatin...
Frequently Asked Questions
Common questions about MITRE ATT&CK detection training and SOCSimulator.
- What is the MITRE ATT&CK framework and why do SOC analysts need it?
- MITRE ATT&CK is a globally accessible knowledge base of adversary tactics, techniques, and procedures (TTPs) based on real-world observations. SOC analysts use it to classify threats, build detection rules, measure security coverage gaps, and communicate about attack behavior in a standardized language that teams and vendors understand.
- How does SOCSimulator teach MITRE ATT&CK techniques?
- SOCSimulator maps every training scenario and alert to specific MITRE ATT&CK techniques. When you investigate alerts in Operations rooms or Shift Mode, you practice detecting real techniques like T1566 Phishing or T1059 Command-Line Interface using realistic SIEM, XDR, and Firewall interfaces. Each technique page includes detection strategies, example alerts, and links to hands-on practice.
- Do I need prior experience to start learning ATT&CK detection?
- No. SOCSimulator is designed for analysts at all levels. Techniques are tagged by difficulty (easy, medium, hard) so beginners can start with foundational detection scenarios like phishing triage and progress to advanced techniques like lateral movement and defense evasion. The platform is free forever with no credit card required.
- How many MITRE ATT&CK techniques does SOCSimulator cover?
- SOCSimulator currently covers 50+ MITRE ATT&CK techniques across all 12 major tactics, from Initial Access through Impact. Each technique includes multiple detection strategies, realistic example alerts across SIEM, XDR, and Firewall tools, and hands-on training scenarios in Operations rooms.
- Can I use SOCSimulator to prepare for SOC analyst certifications?
- Yes. SOCSimulator provides hands-on experience that complements certifications like CompTIA CySA+, GIAC GSOC, and BTL1. Practicing MITRE ATT&CK-mapped detection scenarios builds the practical skills that certification exams test, including alert triage, threat investigation, and incident response decision-making.
Practice Detecting These Techniques
SOCSimulator puts you in the analyst seat with real alerts, real pressure, and zero consequences. Investigate MITRE ATT&CK-mapped scenarios in our guided Operations rooms or face a full shift in Shift Mode. Start free forever.