MITRE ATT&CK AI Classification in ThreatConnect
  • 30 Jun 2025

Overview

The MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) framework is a knowledge base that uses metadata codes to standardize and classify adversary goals (tactics) and offensive actions (techniques). ThreatConnect® leverages the MITRE ATT&CK® framework in various areas across the platform to optimize the way you use your threat intelligence to understand adversaries, automate workflows, and mitigate threats.

Before You Start

User Roles

Prerequisites

  • Activate the CAL Automated Threat Library Source to view Tags applied to Report Groups in this Source. To activate the CAL Automated Threat Library Source, turn on the Active toggle for CAL Automated Threat Library on the Feeds tab of the TC Exchange™ Settings screen (must be a System Administrator to perform this action).
  • To leverage ATT&CK Tags in ThreatConnect Intelligence Anywhere, enable CAL on your ThreatConnect instance and in your Organization:
    • To enable CAL for your ThreatConnect instance, select the CAL Enabled checkbox on the Settings tab of the System Settings screen (must be a System Administrator to perform this action).
    • To enable CAL in your Organization, edit your Organization on the Organizations tab of the Account Settings screen and select the Enable CAL Data checkbox on the Permissions tab of the Organization Information window (must be a System Administrator, Operations Administrator, or Accounts Administrator to perform this action).
  • Verify your ThreatConnect instance can receive data from cal.threatconnect.com (if using an On Premises instance).

How MITRE ATT&CK AI Classification Works

ThreatConnect uses a proprietary artificial intelligence (AI) classification model to read unstructured text from documents such as reports and blogs attached to Report Groups in the CAL Automated Threat Library (ATL) Source and assess the content for context clues that point to techniques and sub-techniques in the MITRE ATT&CK framework. The MITRE ATT&CK AI classification model can identify 121 techniques and sub-techniques at a 95% confidence level. It returns these techniques and sub-techniques as system-level ATT&CK Tags associated with the Report Group containing the unstructured-text file. Because the model emits only techniques and sub-techniques in its supported set (listed below), the absence of an ATT&CK Tag on a Report Group is not evidence that the report does not describe that technique; the Tags are a starting point, not a complete mapping. You can use these ATT&CK Tags as "at-a-glance" reference points, enabling you to quickly assess and pivot through large amounts of information in CAL™ ATL Reports, as well as any threat intelligence object to which you or another user has manually applied an ATT&CK Tag.

Figure: A graphical depiction of unstructured text being converted to machine-readable intelligence (an ATT&CK Tag) by the MITRE ATT&CK AI model.

The model is monitored for accuracy and updated to support the latest version of the MITRE ATT&CK framework. When new techniques and sub-techniques are added to the framework, the model is trained to identify and “understand” them. Once the updates to the model meet ThreatConnect’s quality standards, the techniques and sub-techniques are released for use by the model.

Using MITRE ATT&CK AI Classification

You can leverage ATT&CK Tags, including those applied automatically to CAL ATL Reports by the MITRE ATT&CK AI classification model, in a number of places in ThreatConnect, including the following:

  • ThreatConnect Intelligence Anywhere (ThreatConnect's browser extension), the Doc Analysis Import feature, and the ThreatConnect Doc Analysis Playbook App, where MITRE ATT&CK AI classification is applied directly.
  • The CAL Automated Threat Library Source, which contains all ATT&CK Tags, including the ATT&CK Tags that are included in the MITRE ATT&CK AI classification model.
  • The Browse screen, where you can query for ATT&CK Tags using ThreatConnect Query Language (TQL).
  • The Search screen, when searching all object types, and the Search: Tags screen, when searching and browsing Tags.

Techniques and Sub-techniques in the MITRE ATT&CK AI Classification Model

Technique / Sub-techniques
T1001 - Data Obfuscation
  • T1001.001 - Junk Data
  • T1001.002 - Steganography
  • T1001.003 - Protocol or Service Impersonation
T1003 - OS Credential Dumping
  • T1003.001 - LSASS Memory
  • T1003.003 - NTDS
  • T1003.004 - LSA Secrets
  • T1003.005 - Cached Domain Credentials
  • T1003.006 - DCSync
  • T1003.007 - Proc Filesystem
  • T1003.008 - /etc/passwd and /etc/shadow
T1005 - Data from Local System 
T1007 - System Service Discovery 
T1008 - Fallback Channels 
T1010 - Application Window Discovery 
T1012 - Query Registry 
T1016 - System Network Configuration Discovery
  • T1016.002 - Wi-Fi Discovery
T1018 - Remote System Discovery 
T1020 - Automated Exfiltration
  • T1020.001 - Traffic Duplication
T1021 - Remote Services
  • T1021.001 - Remote Desktop Protocol
  • T1021.002 - SMB/Windows Admin Shares
  • T1021.004 - SSH
  • T1021.005 - VNC
  • T1021.006 - Windows Remote Management
  • T1021.008 - Direct Cloud VM Connections
T1025 - Data from Removable Media 
T1027 - Obfuscated Files or Information
  • T1027.001 - Binary Padding
  • T1027.002 - Software Packing
  • T1027.003 - Steganography
  • T1027.004 - Compile After Delivery
  • T1027.005 - Indicator Removal from Tools
  • T1027.006 - HTML Smuggling
  • T1027.007 - Dynamic API Resolution
  • T1027.008 - Stripped Payloads
  • T1027.009 - Embedded Payloads
  • T1027.010 - Command Obfuscation
  • T1027.012 - LNK Icon Smuggling
  • T1027.013 - Encrypted/Encoded File
T1033 - System Owner/User Discovery 
T1036 - Masquerading
  • T1036.001 - Invalid Code Signature
  • T1036.002 - Right-to-Left Override
  • T1036.003 - Rename Legitimate Utilities
  • T1036.004 - Masquerade Task or Service
  • T1036.005 - Match Legitimate Resource Name or Location
  • T1036.006 - Space after Filename
  • T1036.007 - Double File Extension
  • T1036.008 - Masquerade File Type
  • T1036.009 - Break Process Trees
T1037 - Boot or Logon Initialization Scripts
  • T1037.001 - Logon Script (Windows)
  • T1037.002 - Login Hook
  • T1037.003 - Network Logon Script
  • T1037.004 - RC Scripts
  • T1037.005 - Startup Items
T1039 - Data from Network Shared Drive 
T1041 - Exfiltration Over C2 Channel 
T1046 - Network Service Discovery 
T1047 - Windows Management Instrumentation 
T1048 - Exfiltration Over Alternative Protocol
  • T1048.001 - Exfiltration Over Symmetric Encrypted Non-C2 Protocol
  • T1048.002 - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
  • T1048.003 - Exfiltration Over Unencrypted Non-C2 Protocol
T1049 - System Network Connections Discovery 
T1053 - Scheduled Task/Job
  • T1053.003 - Cron
  • T1053.005 - Scheduled Task
  • T1053.006 - Systemd Timers
  • T1053.007 - Container Orchestration Job
T1055 - Process Injection
  • T1055.001 - Dynamic-link Library Injection
  • T1055.002 - Portable Executable Injection
  • T1055.004 - Asynchronous Procedure Call
  • T1055.005 - Thread Local Storage
  • T1055.008 - Ptrace System Calls
  • T1055.009 - Proc Memory
  • T1055.011 - Extra Window Memory Injection
  • T1055.012 - Process Hollowing
  • T1055.014 - VDSO Hijacking
  • T1055.015 - ListPlanting
T1056 - Input Capture
  • T1056.001 - Keylogging
  • T1056.003 - Web Portal Capture
  • T1056.004 - Credential API Hooking
T1057 - Process Discovery 
T1059 - Command and Scripting Interpreter
  • T1059.001 - PowerShell
  • T1059.003 - Windows Command Shell
  • T1059.005 - Visual Basic
  • T1059.006 - Python
  • T1059.007 - JavaScript
  • T1059.008 - Network Device CLI
  • T1059.009 - Cloud API
  • T1059.010 - AutoHotKey & AutoIT
T1068 - Exploitation for Privilege Escalation 
T1069 - Permission Groups Discovery
  • T1069.003 - Cloud Groups
T1070 - Indicator Removal
  • T1070.002 - Clear Linux or Mac System Logs
  • T1070.004 - File Deletion
  • T1070.005 - Network Share Connection Removal
  • T1070.006 - Timestomp
  • T1070.007 - Clear Network Connection History and Configurations
  • T1070.008 - Clear Mailbox Data
  • T1070.009 - Clear Persistence
T1071 - Application Layer Protocol
  • T1071.001 - Web Protocols
  • T1071.004 - DNS
T1074 - Data Staged
  • T1074.001 - Local Data Staging
T1078 - Valid Accounts
  • T1078.001 - Default Accounts
T1082 - System Information Discovery 
T1083 - File and Directory Discovery 
T1087 - Account Discovery
  • T1087.002 - Domain Account
  • T1087.003 - Email Account
T1090 - Proxy
  • T1090.004 - Domain Fronting
T1091 - Replication Through Removable Media 
T1095 - Non-Application Layer Protocol 
T1098 - Account Manipulation
  • T1098.004 - SSH Authorized Keys
  • T1098.005 - Device Registration
T1104 - Multi-Stage Channels 
T1105 - Ingress Tool Transfer 
T1106 - Native API 
T1110 - Brute Force
  • T1110.001 - Password Guessing
  • T1110.002 - Password Cracking
  • T1110.003 - Password Spraying
  • T1110.004 - Credential Stuffing
T1112 - Modify Registry 
T1113 - Screen Capture 
T1114 - Email Collection
  • T1114.001 - Local Email Collection
  • T1114.002 - Remote Email Collection
T1115 - Clipboard Data 
T1119 - Automated Collection 
T1120 - Peripheral Device Discovery 
T1123 - Audio Capture 
T1124 - System Time Discovery 
T1125 - Video Capture 
T1127 - Trusted Developer Utilities Proxy Execution
  • T1127.001 - MSBuild
T1133 - External Remote Services 
T1134 - Access Token Manipulation
  • T1134.002 - Create Process with Token
  • T1134.004 - Parent PID Spoofing
  • T1134.005 - SID-History Injection
T1135 - Network Share Discovery 
T1137 - Office Application Startup
  • T1137.001 - Office Template Macros
  • T1137.002 - Office Test
  • T1137.003 - Outlook Forms
  • T1137.005 - Outlook Rules
  • T1137.006 - Add-ins
T1140 - Deobfuscate/Decode Files or Information 
T1187 - Forced Authentication 
T1190 - Exploit Public-Facing Application 
T1195 - Supply Chain Compromise
  • T1195.002 - Compromise Software Supply Chain
T1200 - Hardware Additions 
T1201 - Password Policy Discovery 
T1202 - Indirect Command Execution 
T1203 - Exploitation for Client Execution 
T1204 - User Execution
  • T1204.001 - Malicious Link
  • T1204.002 - Malicious File
T1205 - Traffic Signaling
  • T1205.001 - Port Knocking
  • T1205.002 - Socket Filters
T1207 - Rogue Domain Controller 
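The following is an added example, not ThreatConnect code or part of the original article. It shows how an analyst working with the system-level ATT&CK Tags described above (strings of the form "T####[.###] - Name", matching the table on this page) might roll sub-technique Tags up to their parent technique and separate Tags the classification model can emit from Tags that can only have been applied manually. The coverage set is a constructed subset of the table above, the sample Tags are constructed, and T1566.001 (Spearphishing Attachment) is a real ATT&CK sub-technique chosen because it is not in the coverage table.

```python
"""Roll up and coverage-check ATT&CK Tags on a CAL ATL Report Group.

Added example (not ThreatConnect code). Tag strings follow the
"T####[.###] - Name" shape used in the technique table on this page.
"""
import re
from collections import defaultdict

# "T1003.001 - LSASS Memory" -> technique id, optional sub-technique suffix, name
ATTACK_TAG_RE = re.compile(r"^\s*(T\d{4})(?:\.(\d{3}))?\s*-\s*(.+?)\s*$")

# Constructed subset of the model coverage table on this page (the real table
# is longer). Used to decide whether a Tag could have been produced by the
# classifier or must have been applied by a user or another integration.
MODEL_COVERAGE = {
    "T1003": "OS Credential Dumping",
    "T1003.001": "LSASS Memory",
    "T1003.006": "DCSync",
    "T1021": "Remote Services",
    "T1021.001": "Remote Desktop Protocol",
    "T1059": "Command and Scripting Interpreter",
    "T1059.001": "PowerShell",
    "T1110": "Brute Force",
    "T1110.003": "Password Spraying",
}


def parse_tag(tag):
    """Return (technique_id, full_id, name), or None if not an ATT&CK Tag."""
    m = ATTACK_TAG_RE.match(tag)
    if not m:
        return None
    tech, sub, name = m.groups()
    full = f"{tech}.{sub}" if sub else tech
    return tech, full, name


def rollup(tags):
    """Group ATT&CK Tags by parent technique.

    Returns {technique_id: sorted list of full ids}. Ordinary keyword Tags
    (anything that does not parse as an ATT&CK Tag) are skipped.
    """
    by_tech = defaultdict(set)
    for t in tags:
        parsed = parse_tag(t)
        if parsed is None:
            continue
        tech, full, _ = parsed
        by_tech[tech].add(full)
    return {k: sorted(v) for k, v in by_tech.items()}


def coverage_report(tags, coverage=MODEL_COVERAGE):
    """Split Tags into those the model can emit and those it cannot.

    A Tag outside the coverage set was necessarily applied manually (or by
    another integration), and the absence of a Tag for an uncovered technique
    says nothing about whether the report actually describes it.
    """
    in_model, outside_model, not_attack = [], [], []
    for t in tags:
        parsed = parse_tag(t)
        if parsed is None:
            not_attack.append(t)
            continue
        _, full, _ = parsed
        (in_model if full in coverage else outside_model).append(full)
    return {"model": in_model, "manual_only": outside_model, "other": not_attack}


# Constructed sample: Tags on one Report Group. T1566.001 (Spearphishing
# Attachment) is a real ATT&CK sub-technique that is not in the coverage
# table on this page, so it can only have been applied manually.
SAMPLE_TAGS = [
    "T1003.001 - LSASS Memory",
    "T1059.001 - PowerShell",
    "T1110.003 - Password Spraying",
    "T1021.001 - Remote Desktop Protocol",
    "T1566.001 - Spearphishing Attachment",
    "Ransomware",  # ordinary keyword Tag, not an ATT&CK Tag
]

if __name__ == "__main__":
    for tech, subs in sorted(rollup(SAMPLE_TAGS).items()):
        print(f"{tech} {MODEL_COVERAGE.get(tech, '(not in model)')}: {', '.join(subs)}")
    print(coverage_report(SAMPLE_TAGS))
```

The rollup view is what you want when triaging a Report Group by technique rather than by individual Tag; the coverage report is the check that stops a reader from treating "no T1566 Tag" as "no phishing in this report", since the model cannot emit that Tag in the first place.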

ThreatConnect® is a registered trademark, and CAL™ and TC Exchange™ are trademarks, of ThreatConnect, Inc.
MITRE ATT&CK® and ATT&CK® are registered trademarks of The MITRE Corporation.

20166-01 v.02.A