Complete guide to MITRE ATT&CK framework integration for realistic attack technique simulation and mapping.
- Overview
- Quick Start
- Framework Coverage
- Technique Implementation
- Attack Chain Generation
- Detection Mapping
- Campaign Integration
- Analytics and Reporting
- Use Cases
- Best Practices
- Troubleshooting
The MITRE ATT&CK integration provides comprehensive coverage of the ATT&CK framework, enabling:
- Complete Technique Coverage: All 14 tactics and 200+ techniques
- Realistic Attack Simulation: Accurate technique implementation
- Attack Chain Generation: Multi-stage attack progressions
- Detection Mapping: Link techniques to detection rules
- Campaign Attribution: Associate techniques with threat actors
# Generate alerts with MITRE mapping
yarn start generate-alerts --count 50 --mitre
# Generate specific tactic alerts
yarn start generate-alerts --count 30 --mitre --tactics initial-access,execution
# Generate campaign with MITRE techniques
yarn start generate-campaign apt --mitre --count 100# Generate attack chains
yarn start generate-alerts --count 40 --mitre --attack-chains
# Generate with sub-techniques
yarn start generate-alerts --count 25 --mitre --sub-techniques
# Generate detection rules with MITRE mapping
yarn start generate-rules --count 20 --mitre --comprehensiveThe system covers all 14 MITRE ATT&CK tactics:
| Tactic ID | Name | Description | Techniques Covered |
|---|---|---|---|
| TA0001 | Initial Access | Entry vectors into networks | 9 techniques |
| TA0002 | Execution | Code execution techniques | 12 techniques |
| TA0003 | Persistence | Maintaining foothold | 19 techniques |
| TA0004 | Privilege Escalation | Higher-level permissions | 13 techniques |
| TA0005 | Defense Evasion | Avoiding detection | 42 techniques |
| TA0006 | Credential Access | Stealing credentials | 15 techniques |
| TA0007 | Discovery | Environment reconnaissance | 29 techniques |
| TA0008 | Lateral Movement | Moving through networks | 9 techniques |
| TA0009 | Collection | Data gathering | 17 techniques |
| TA0010 | Command and Control | Remote communication | 16 techniques |
| TA0011 | Exfiltration | Data theft | 9 techniques |
| TA0040 | Impact | Destructive actions | 13 techniques |
| TA0042 | Resource Development | Infrastructure setup | 7 techniques |
| TA0043 | Reconnaissance | Target information gathering | 10 techniques |
Each technique includes:
- Realistic Implementation: Accurate simulation of technique characteristics
- Sub-Technique Support: Detailed sub-technique variants
- Context Awareness: Appropriate technique usage in different scenarios
- Detection Signatures: Corresponding detection patterns
{
"threat": [{
"framework": "MITRE ATT&CK",
"tactic": {
"id": "TA0001",
"name": "Initial Access",
"reference": "https://attack.mitre.org/tactics/TA0001/"
},
"technique": [{
"id": "T1566.001",
"name": "Spearphishing Attachment",
"reference": "https://attack.mitre.org/techniques/T1566/001/",
"subtechnique": {
"name": "Malicious Document",
"description": "Document with embedded macros"
}
}]
}],
"event": {
"category": "file",
"type": "creation",
"action": "email_attachment_opened"
},
"file": {
"name": "invoice.docx",
"extension": "docx",
"size": 2048576
},
"email": {
"subject": "Urgent: Invoice Payment Required",
"sender": "finance@malicious-domain.com"
}
}{
"threat": [{
"framework": "MITRE ATT&CK",
"tactic": {
"id": "TA0002",
"name": "Execution",
"reference": "https://attack.mitre.org/tactics/TA0002/"
},
"technique": [{
"id": "T1059.001",
"name": "PowerShell",
"reference": "https://attack.mitre.org/techniques/T1059/001/"
}]
}],
"process": {
"name": "powershell.exe",
"command_line": "powershell.exe -ExecutionPolicy Bypass -EncodedCommand <base64>",
"parent": {
"name": "winword.exe"
}
},
"event": {
"category": "process",
"type": "start",
"action": "process_creation"
}
}{
"threat": [{
"framework": "MITRE ATT&CK",
"tactic": {
"id": "TA0005",
"name": "Defense Evasion",
"reference": "https://attack.mitre.org/tactics/TA0005/"
},
"technique": [{
"id": "T1055",
"name": "Process Injection",
"reference": "https://attack.mitre.org/techniques/T1055/"
}]
}],
"process": {
"name": "svchost.exe",
"pid": 1234,
"injection": {
"target": "explorer.exe",
"method": "DLL Injection"
}
},
"event": {
"category": "process",
"type": "change",
"action": "memory_modification"
}
}Generate realistic attack chains following MITRE progression patterns:
# Generate complete attack chain
yarn start generate-alerts --count 50 --mitre --attack-chains --progression realisticExample Attack Chain:
- Initial Access (T1566.001) → Spearphishing Attachment
- Execution (T1059.001) → PowerShell execution
- Persistence (T1053.005) → Scheduled Task creation
- Defense Evasion (T1055) → Process Injection
- Discovery (T1082) → System Information Discovery
- Lateral Movement (T1021.001) → Remote Desktop Protocol
- Collection (T1005) → Data from Local System
- Exfiltration (T1041) → Exfiltration Over C2 Channel
Different attack campaigns use characteristic technique patterns:
yarn start generate-campaign apt --mitre --attack-chains- Focus: Stealth, persistence, long-term access
- Techniques: T1566.001 → T1059.001 → T1547.001 → T1070.004 → T1083
yarn start generate-campaign ransomware --mitre --attack-chains- Focus: Speed, impact, data encryption
- Techniques: T1566.002 → T1059.003 → T1486 → T1490 → T1491
yarn start generate-campaign insider --mitre --attack-chains- Focus: Privilege abuse, data collection
- Techniques: T1078 → T1087.001 → T1083 → T1005 → T1041
Link MITRE techniques to specific detection approaches:
{
"detection_mapping": {
"technique_id": "T1059.001",
"detection_methods": [
{
"method": "Process Monitoring",
"query": "process.name:powershell.exe AND process.command_line:*-EncodedCommand*",
"confidence": "High"
},
{
"method": "Command Line Analysis",
"query": "process.command_line:*-ExecutionPolicy* AND process.command_line:*Bypass*",
"confidence": "Medium"
},
{
"method": "Parent Process Context",
"query": "process.parent.name:(winword.exe OR excel.exe) AND process.name:powershell.exe",
"confidence": "High"
}
]
}
}Generate detection rules mapped to MITRE techniques:
# Generate MITRE-mapped detection rules
yarn start generate-rules --count 30 --mitre --detection-mapping
# Rules include technique references and detection logicAssociate techniques with known threat actors:
{
"threat_actor": {
"name": "APT29",
"aliases": ["Cozy Bear", "The Dukes"],
"preferred_techniques": [
"T1566.001", "T1059.001", "T1055",
"T1021.001", "T1041"
],
"signature_techniques": [
"T1547.001", "T1070.004"
]
}
}Simulate complete threat actor campaigns:
# APT29-style campaign
yarn start generate-campaign apt --mitre --threat-actor apt29 --count 150
# Lazarus Group simulation
yarn start generate-campaign apt --mitre --threat-actor lazarus --count 200Analyze technique coverage across generated data:
# Generate coverage report
yarn start analyze-mitre-coverage --space production
# Export coverage metrics
yarn start export-mitre-metrics --format json --comprehensiveTrack technique usage patterns:
{
"technique_frequency": {
"T1059.001": {
"count": 47,
"percentage": 15.2,
"campaigns": ["apt", "ransomware"],
"detection_rate": 0.68
},
"T1566.001": {
"count": 32,
"percentage": 10.3,
"campaigns": ["apt", "phishing"],
"detection_rate": 0.82
}
}
}Identify techniques without detection coverage:
# Analyze detection gaps
yarn start analyze-detection-gaps --mitre --comprehensive
# Generate gap remediation recommendations
yarn start recommend-detection-rules --mitre --gap-analysisCreate comprehensive MITRE-based training scenarios:
# Progressive MITRE training
yarn start generate-alerts --count 60 --mitre --training-mode --difficulty progressive
# Specific tactic focus
yarn start generate-alerts --count 40 --mitre --tactics defense-evasion --trainingDevelop and test detection rules against MITRE techniques:
# Rule development dataset
yarn start generate-alerts --count 100 --mitre --rule-development --comprehensive
# Technique-specific testing
yarn start generate-alerts --count 50 --mitre --techniques T1059.001,T1055,T1082Conduct purple team exercises with MITRE framework alignment:
# Purple team simulation
yarn start generate-campaign apt --mitre --purple-team --realistic --count 200
# Red team technique simulation
yarn start generate-alerts --count 75 --mitre --red-team-tactics --stealthGenerate data for compliance and security assessments:
# Compliance assessment data
yarn start generate-alerts --count 80 --mitre --compliance-assessment --frameworks NIST,ISO27001
# Security control validation
yarn start generate-alerts --count 60 --mitre --control-validation --comprehensive- Realistic Combinations: Use techniques that naturally flow together
- Campaign Alignment: Match techniques to appropriate threat actor profiles
- Environment Context: Consider organizational environment and attack surface
- Detection Capability: Balance between detectable and stealthy techniques
- Current Threats: Focus on techniques currently observed in the wild
- Logical Progression: Ensure techniques follow realistic attack progression
- Time Distribution: Spread techniques across realistic timeframes
- Persistence Integration: Include persistence mechanisms throughout chains
- Evasion Techniques: Integrate defense evasion at appropriate stages
- Impact Alignment: Ensure techniques align with campaign objectives
- Layered Detection: Implement multiple detection methods per technique
- Behavioral Analysis: Include behavioral indicators alongside technical indicators
- Context Awareness: Consider technique context in detection logic
- False Positive Management: Account for legitimate technique usage
- Continuous Improvement: Regularly update detection based on new intelligence
Issue: Generated alerts lack MITRE technique mappings Solutions:
- Always use
--mitreflag when generating alerts - Verify MITRE data files are properly loaded
- Check that technique selection is working correctly
- Validate JSON structure of MITRE mappings
Issue: Generated techniques don't represent realistic attack patterns Solutions:
- Use
--attack-chainsfor logical technique progressions - Specify appropriate campaign types for technique selection
- Review threat actor technique preferences
- Implement technique validation logic
Issue: Generated techniques don't align with detection capabilities Solutions:
- Analyze current detection rule coverage
- Generate techniques that complement existing detection
- Focus on techniques with proven detection methods
- Implement detection gap analysis workflows
# Debug MITRE technique selection
yarn start generate-alerts --count 10 --mitre --debug-techniques
# Analyze technique distribution
yarn start analyze-mitre-distribution --comprehensive
# Validate attack chains
yarn start validate-attack-chains --mitre --logical-analysisDefine organization-specific technique profiles:
{
"custom_technique_profiles": {
"organization_apt": {
"preferred_initial_access": ["T1566.001", "T1190"],
"common_persistence": ["T1053.005", "T1547.001"],
"signature_evasion": ["T1055", "T1070.004"],
"exfiltration_methods": ["T1041", "T1567.002"]
}
}
}Track how techniques evolve over time:
# Historical technique analysis
yarn start analyze-technique-evolution --mitre --timeframe 12months
# Emerging technique detection
yarn start detect-emerging-techniques --mitre --threat-landscapeIntegrate MITRE techniques with threat intelligence:
# TI-enhanced MITRE generation
yarn start generate-alerts --count 50 --mitre --threat-intelligence --current
# Attribution-based technique selection
yarn start generate-campaign apt --mitre --attribution-guided --threat-actor apt29Ready to implement comprehensive MITRE ATT&CK coverage? Start with yarn start generate-alerts --count 50 --mitre --attack-chains for realistic technique simulation and detection testing!