MITRE ATT&CK Mapping

This page cross-references the Application Attack Matrix to the MITRE ATT&CK® Enterprise knowledge base. Use it as a lookup table when you already know a MITRE ATT&CK technique ID (e.g. from a CTI report or detection rule) and want to navigate to the corresponding matrix techniques, or vice versa.

About MITRE ATT&CK Enterprise

MITRE ATT&CK is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations, maintained by The MITRE Corporation and used as a foundation for threat-model development across the cybersecurity industry. The Enterprise matrix covers Windows, macOS, Linux, cloud (AWS / Azure / GCP / SaaS / Office 365 / Identity Provider), containers, and network platforms. The current release is ATT&CK v19 (Oct 2025), which renamed several techniques (e.g. T1211 Exploitation for Defense Evasion → Exploitation for Stealth); IDs are preserved across versions, so all links below remain stable.

Cells badged MITRE in the main matrix originate in or directly extend an ATT&CK Enterprise technique. Cells badged NEW are matrix-original application-layer techniques without a 1-to-1 ATT&CK parent.


Per-tactic mapping (ATT&CK Enterprise → Matrix techniques)

Resource Development (TA0042)

"Resource Development consists of techniques that involve adversaries creating, purchasing, or compromising/stealing resources that can be used to support targeting.", ATT&CK TA0042

| ATT&CK Technique | Matrix Technique | Matrix Tactic |
| --- | --- | --- |
| T1587 Develop Capabilities (.001 Malware, .004 Exploits) | Develop Capabilities (incl. Malware, Exploits) | Resource Development |
| T1588 Obtain Capabilities (.001 Malware, .002 Tool, .005 Exploits, .006 Vulnerabilities) | Obtain Capabilities (incl. Malware, Tool, Exploits, Vulnerabilities, Acquisition of Stolen Keys & Credentials) | Resource Development |

Initial Access (TA0001)

"Initial Access consists of techniques that use various entry vectors to gain their initial foothold within a network.", ATT&CK TA0001

The matrix's Gain Access tactic maps directly to ATT&CK Initial Access; the matrix tactic page links to TA0001.

| ATT&CK Technique | Matrix Technique | Matrix Tactic |
| --- | --- | --- |
| T1133 External Remote Services | External Remote Services (incl. Exposed Gateway, Exposed Kubernetes API, SSH Access, Unauthenticated Administration Interfaces) | Gain Access |
| T1195 Supply Chain Compromise (.001 Compromise Software Dependencies and Development Tools, .002 Compromise Software Supply Chain) | Supply Chain Compromise (incl. Compromise Software Dependencies and Development Tools, Compromise Software Supply Chain, Build Environment Poisoning, Container Registry Poisoning, Dependency Hijacking, Model Supply Chain Compromise, Software Update Manipulation) | Gain Access |
| T1659 Content Injection | Content Injection (incl. Man-in-the-Middle Injection, Man-on-the-Side Injection, Protocol Exploitation) | Gain Access |
| T1078 Valid Accounts (.001 Default Accounts, .004 Cloud Accounts) | Valid Accounts (incl. Default Accounts, Cloud Accounts, Valid Tokens) | Gain Access |

Execution (TA0002)

"Execution consists of techniques that result in adversary-controlled code running on a local or remote system.", ATT&CK TA0002

| ATT&CK Technique | Matrix Technique | Matrix Tactic |
| --- | --- | --- |
| T1053 Scheduled Task/Job (.002 At, .003 Cron, .006 Systemd Timers, .007 Container Orchestration Job) — ATT&CK maps T1053 to Execution, Persistence, and Privilege Escalation simultaneously. | Scheduled Task (incl. At, Cron, Container, Systemd Timers, Orchestration Job) | Deepening Control |

Persistence (TA0003)

"Persistence consists of techniques that adversaries use to keep access to systems across restarts, changed credentials, and other interruptions that could cut off their access.", ATT&CK TA0003

| ATT&CK Technique | Matrix Technique | Matrix Tactic |
| --- | --- | --- |
| T1525 Implant Internal Image | Implant Internal Image | Deepening Control |
| T1505 Server Software Component (.001 SQL Stored Procedures, .003 Web Shell) | Server Software Component (incl. SQL Stored Procedures, Web Shell) | Deepening Control |

Defense Evasion (TA0005)

"Defense Evasion consists of techniques that adversaries use to avoid detection throughout their compromise.", ATT&CK TA0005

| ATT&CK Technique | Matrix Technique | Matrix Tactic |
| --- | --- | --- |
| T1036 Masquerading | Masquerading (incl. Match Legitimate Name or Location, Break Process Trees) | Deepening Control |
| T1211 Exploitation for Stealth (renamed from Exploitation for Defense Evasion in ATT&CK v19) | Exploitation for Defense Evasion | Deepening Control |
| T1055 Process Injection (.003 Thread Execution Hijacking, .008 Ptrace System Calls, .009 Proc Memory); T1620 Reflective Code Loading; T1574 Hijack Execution Flow (.006 Dynamic Linker Hijacking) | The sub-techniques of Exploitation for Defense Evasion in this matrix — Hijacking, Injection, Proc Memory, Ptrace System Calls, Reflective Code Loading, Shared Library, Thread Execution — correspond more closely to Process Injection (T1055), Reflective Code Loading (T1620), and Hijack Execution Flow (T1574) in ATT&CK. | Deepening Control |

Credential Access (TA0006)

"Credential Access consists of techniques for stealing credentials like account names and passwords.", ATT&CK TA0006

| ATT&CK Technique | Matrix Technique | Matrix Tactic |
| --- | --- | --- |
| T1212 Exploitation for Credential Access | Exploitation for Credential Access (incl. Stealing Tokens, Memory Exploitation for Credential Extraction) | Expanding Control |

Discovery (TA0007)

"Discovery consists of techniques an adversary may use to gain knowledge about the system and internal network.", ATT&CK TA0007

| ATT&CK Technique | Matrix Technique | Matrix Tactic |
| --- | --- | --- |
| T1526 Cloud Service Discovery | Cloud Service Discovery (incl. API-based Resource Listing, Open-source discovery tools) | Expanding Control |

Lateral Movement (TA0008)

"Lateral Movement consists of techniques that adversaries use to enter and control remote systems on a network.", ATT&CK TA0008

| ATT&CK Technique | Matrix Technique | Matrix Tactic |
| --- | --- | --- |
| T1550 Use Alternate Authentication Material (.001 Application Access Token, .004 Web Session Cookie) | Service-to-Service Trust Abuse (incl. Token Replay or Reuse Attacks, Overprivileged Service Account Exploitation) | Expanding Control |

Impact (TA0040)

"Impact consists of techniques that adversaries use to disrupt availability or compromise integrity by manipulating business and operational processes.", ATT&CK TA0040

The matrix's Impact tactic maps directly to ATT&CK Impact; the matrix tactic page links to TA0040.

| ATT&CK Technique | Matrix Technique | Matrix Tactic |
| --- | --- | --- |
| T1485 Data Destruction (.001 Lifecycle-Triggered Deletion) | Data Destruction (incl. Lifecycle-Triggered Deletion, Backup Destruction or Tampering, Data Corruption via Overwriting, File or Database Record Deletion) | Impact |
| T1486 Data Encrypted for Impact | Data Encryption | Impact |
| T1491 Defacement (.001 Internal Defacement, .002 External Defacement) | Defacement (incl. Replacement, Website Content) | Impact |
| T1496 Resource Hijacking (.001 Compute Hijacking, .002 Bandwidth Hijacking) | Resource Hijacking (incl. Compute Hijacking, Bandwidth Hijacking, Cryptomining) | Impact |
| T1565 Data Manipulation (.002 Transmitted Data Manipulation, .003 Runtime Data Manipulation) | Data Manipulation (incl. Transmitted Data Manipulation, Runtime Data Manipulation) | Impact |

ATT&CK ID quick reference

The 19 matrix techniques badged MITRE correspond to the following ATT&CK Enterprise IDs (sorted numerically). All links resolve to the corresponding attack.mitre.org/techniques/T####/ page.

| ATT&CK ID | ATT&CK Name | Matrix Technique |
| --- | --- | --- |
| T1036 | Masquerading | Masquerading |
| T1053 | Scheduled Task/Job | Scheduled Task |
| T1078 | Valid Accounts | Valid Accounts |
| T1133 | External Remote Services | External Remote Services |
| T1195 | Supply Chain Compromise | Supply Chain Compromise |
| T1211 | Exploitation for Stealth (v19; previously Exploitation for Defense Evasion) | Exploitation for Defense Evasion |
| T1212 | Exploitation for Credential Access | Exploitation for Credential Access |
| T1485 | Data Destruction | Data Destruction |
| T1486 | Data Encrypted for Impact | Data Encryption |
| T1491 | Defacement | Defacement |
| T1496 | Resource Hijacking | Resource Hijacking |
| T1505 | Server Software Component | Server Software Component |
| T1525 | Implant Internal Image | Implant Internal Image |
| T1526 | Cloud Service Discovery | Cloud Service Discovery |
| T1550 | Use Alternate Authentication Material | Service-to-Service Trust Abuse |
| T1565 | Data Manipulation | Data Manipulation |
| T1587 | Develop Capabilities | Develop Capabilities |
| T1588 | Obtain Capabilities | Obtain Capabilities |
| T1659 | Content Injection | Content Injection |

Scope and methodology

  • Scope. Only matrix techniques badged MITRE in the main matrix are listed; their primary ATT&CK Enterprise equivalent is cited. Matrix-original techniques (badged NEW) are intentionally excluded because they have no 1-to-1 ATT&CK parent.
  • Sub-technique mappings. Where a matrix sub-technique name exactly matches an ATT&CK sub-technique (e.g. Cloud Accounts → T1078.004, Web Shell → T1505.003), the ATT&CK sub-technique ID is cited inline. Matrix-specific sub-techniques without an ATT&CK equivalent are still listed under the parent for navigation but are not given an ATT&CK ID.
  • ATT&CK version. Mappings are normalized against ATT&CK v19 (released October 2025). Technique IDs are stable across versions, so older references (e.g. Exploitation for Defense Evasion for T1211) remain valid.
  • Cross-tactic techniques. ATT&CK assigns some techniques to multiple tactics (e.g. T1078 spans Initial Access, Persistence, Privilege Escalation, and Defense Evasion). This page lists each such technique under one primary tactic only, mirroring how the matrix places it; the linked attack.mitre.org page lists the full tactic set.