MITRE ATT&CK AI Classification in ThreatConnect
- Updated on 30 Jun 2025
Overview
The MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) framework is a knowledge base that uses metadata codes to standardize and classify adversary goals (tactics) and offensive actions (techniques). ThreatConnect® leverages the MITRE ATT&CK® framework in various areas across the platform to optimize the way you use your threat intelligence to understand adversaries, automate workflows, and mitigate threats.
Before You Start
User Roles
- To view and pivot on ATT&CK Tags, your user account can have any Organization role.
Prerequisites
- Activate the CAL Automated Threat Library Source to view Tags applied to Report Groups in this Source. To activate the CAL Automated Threat Library Source, turn on the Active toggle for CAL Automated Threat Library on the Feeds tab of the TC Exchange™ Settings screen (must be a System Administrator to perform this action).
- To leverage ATT&CK Tags in ThreatConnect Intelligence Anywhere, enable CAL on your ThreatConnect instance and in your Organization:
- To enable CAL for your ThreatConnect instance, select the CAL Enabled checkbox on the Settings tab of the System Settings screen (must be a System Administrator to perform this action).
- To enable CAL in your Organization, edit your Organization on the Organizations tab of the Account Settings screen and select the Enable CAL Data checkbox on the Permissions tab of the Organization Information window (must be a System Administrator, Operations Administrator, or Accounts Administrator to perform this action).
- Verify your ThreatConnect instance can receive data from cal.threatconnect.com (if using an On Premises instance).
How MITRE ATT&CK AI Classification Works
ThreatConnect uses a proprietary artificial intelligence (AI) classification model to read unstructured text from documents like reports and blogs attached to Report Groups in the CAL Automated Threat Library (ATL) Source and assess the content for context clues that point to techniques and sub-techniques in the MITRE ATT&CK framework. The MITRE ATT&CK AI classification model can identify 121 techniques and sub-techniques at a 95% confidence level. It returns these techniques and sub-techniques as system-level ATT&CK Tags associated with the Report Group that contains the unstructured-text file. You can use these ATT&CK Tags as “at-a-glance” reference points, enabling you to quickly assess and pivot through large amounts of information in CAL™ ATL Reports, as well as any threat intelligence object to which you or another user has manually applied an ATT&CK Tag.
The model is monitored for accuracy and updated to support the latest version of the MITRE ATT&CK framework. When new techniques and sub-techniques are added to the framework, the model is trained to identify and “understand” them. Once the updates to the model meet ThreatConnect’s quality standards, the techniques and sub-techniques are released for use by the model.
Using MITRE ATT&CK AI Classification
You can leverage ATT&CK Tags, including those applied automatically to CAL ATL Reports by the MITRE ATT&CK AI classification model, in a number of places in ThreatConnect, including the following:
- the Search screen
- the Browse screen
- Intelligence Requirements
- the ThreatConnect ATT&CK Visualizer
- Threat Graph
You can leverage MITRE ATT&CK AI classification directly in ThreatConnect Intelligence Anywhere (ThreatConnect’s browser extension), the Doc Analysis Import feature, and the ThreatConnect Doc Analysis Playbook App. In addition, the CAL Automated Threat Library Source contains all ATT&CK Tags, including the ATT&CK Tags that are included in the MITRE ATT&CK AI classification model. You can query for ATT&CK Tags on the Browse screen using ThreatConnect Query Language (TQL), and you can search for ATT&CK Tags when searching all object types on the Search screen or when searching and browsing Tags on the Search: Tags screen.
Techniques and Sub-techniques in the MITRE ATT&CK AI Classification Model
Technique | Sub-techniques
---|---
T1001 - Data Obfuscation |
T1003 - OS Credential Dumping |
T1005 - Data from Local System |
T1007 - System Service Discovery |
T1008 - Fallback Channels |
T1010 - Application Window Discovery |
T1012 - Query Registry |
T1016 - System Network Configuration Discovery | T1016.002 - Wi-Fi Discovery
T1018 - Remote System Discovery |
T1020 - Automated Exfiltration | T1020.001 - Traffic Duplication
T1021 - Remote Services |
T1025 - Data from Removable Media |
T1027 - Obfuscated Files or Information |
T1033 - System Owner/User Discovery |
T1036 - Masquerading |
T1037 - Boot or Logon Initialization Scripts |
T1039 - Data from Network Shared Drive |
T1041 - Exfiltration Over C2 Channel |
T1046 - Network Service Discovery |
T1047 - Windows Management Instrumentation |
T1048 - Exfiltration Over Alternative Protocol |
T1049 - System Network Connections Discovery |
T1053 - Scheduled Task/Job |
T1055 - Process Injection |
T1056 - Input Capture |
T1057 - Process Discovery |
T1059 - Command and Scripting Interpreter |
T1068 - Exploitation for Privilege Escalation |
T1069 - Permission Groups Discovery | T1069.003 - Cloud Groups
T1070 - Indicator Removal |
T1071 - Application Layer Protocol |
T1074 - Data Staged | T1074.001 - Local Data Staging
T1078 - Valid Accounts | T1078.001 - Default Accounts
T1082 - System Information Discovery |
T1083 - File and Directory Discovery |
T1087 - Account Discovery |
T1090 - Proxy | T1090.004 - Domain Fronting
T1091 - Replication Through Removable Media |
T1095 - Non-Application Layer Protocol |
T1098 - Account Manipulation |
T1104 - Multi-Stage Channels |
T1105 - Ingress Tool Transfer |
T1106 - Native API |
T1110 - Brute Force |
T1112 - Modify Registry |
T1113 - Screen Capture |
T1114 - Email Collection |
T1115 - Clipboard Data |
T1119 - Automated Collection |
T1120 - Peripheral Device Discovery |
T1123 - Audio Capture |
T1124 - System Time Discovery |
T1125 - Video Capture |
T1127 - Trusted Developer Utilities Proxy Execution | T1127.001 - MSBuild
T1133 - External Remote Services |
T1134 - Access Token Manipulation |
T1135 - Network Share Discovery |
T1137 - Office Application Startup |
T1140 - Deobfuscate/Decode Files or Information |
T1187 - Forced Authentication |
T1190 - Exploit Public-Facing Application |
T1195 - Supply Chain Compromise | T1195.002 - Compromise Software Supply Chain
T1200 - Hardware Additions |
T1201 - Password Policy Discovery |
T1202 - Indirect Command Execution |
T1203 - Exploitation for Client Execution |
T1204 - User Execution |
T1205 - Traffic Signaling |
T1207 - Rogue Domain Controller |
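The ATT&CK Tags the model returns use the same "TNNNN - Name" / "TNNNN.NNN - Name" form as the table above. As an added example (not ThreatConnect's own code), the following Python parses tags in that form, rejects strings that are not valid ATT&CK IDs, and groups sub-techniques under their parent technique so a downstream check can see which techniques a Report Group's tags cover; the sample tag list is constructed from rows of the table.

```python
import re
from collections import defaultdict

# ATT&CK technique IDs are "T" plus four digits; sub-techniques append ".NNN".
ATTACK_ID = re.compile(r"^(T\d{4})(?:\.(\d{3}))?$")

# Constructed sample in the "TNNNN - Name" form used for ATT&CK Tags.
SAMPLE_TAGS = [
    "T1016 - System Network Configuration Discovery",
    "T1016.002 - Wi-Fi Discovery",
    "T1195.002 - Compromise Software Supply Chain",
    "T1059 - Command and Scripting Interpreter",
    "Not an ATT&CK tag",  # manually applied, non-ATT&CK tag
]


def parse_tag(tag):
    """Split 'T1016.002 - Wi-Fi Discovery' into (technique, sub_technique, name).

    sub_technique is None for a top-level technique. Returns None when the
    text before ' - ' is not a well-formed ATT&CK ID, so callers can skip
    tags that did not come from the classification model.
    """
    head, _, name = tag.partition(" - ")
    match = ATTACK_ID.match(head.strip())
    if not match:
        return None
    technique, sub = match.group(1), match.group(2)
    sub_technique = f"{technique}.{sub}" if sub else None
    return technique, sub_technique, name.strip()


def group_by_technique(tags):
    """Map each parent technique ID to the sorted sub-technique IDs seen under it.

    A sub-technique whose parent tag is absent is still grouped under the
    parent ID, which lets a reviewer spot coverage at the technique level.
    """
    groups = defaultdict(set)
    for tag in tags:
        parsed = parse_tag(tag)
        if parsed is None:
            continue
        technique, sub_technique, _ = parsed
        groups[technique]  # create the parent entry even with no sub-techniques
        if sub_technique:
            groups[technique].add(sub_technique)
    return {t: sorted(subs) for t, subs in sorted(groups.items())}


if __name__ == "__main__":
    print(group_by_technique(SAMPLE_TAGS))
```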
ThreatConnect® is a registered trademark, and CAL™ and TC Exchange™ are trademarks, of ThreatConnect, Inc.
MITRE ATT&CK® and ATT&CK® are registered trademarks of The MITRE Corporation.
20166-01 v.02.A