What are ATT&CK sub-techniques?

Understand ATT&CK sub-techniques, how they provide granular detail about specific attack methods, and how to use them in threat analysis.

By Inventive HQ Team

Understanding Sub-Techniques in ATT&CK

MITRE ATT&CK uses a three-level hierarchy to organize adversary behaviors. At the highest level, Tactics represent goals. At the middle level, Techniques represent methods. Below that, Sub-Techniques provide granular detail about specific implementation methods.

Sub-Techniques answer the question: Of all the ways adversaries could implement a technique, what are the specific variations? This additional layer of granularity enables precise threat analysis, detection engineering, and defensive prioritization.

Think of a filing system. Tactics are file drawers (Credential Access). Techniques are folders within drawers (Brute Force). Sub-techniques are individual documents within folders (Brute Force: Password Guessing vs. Brute Force: Credential Stuffing).

This hierarchy balances breadth and depth. Without sub-techniques, technique descriptions would be unwieldy, trying to cover every variation. Sub-techniques separate related approaches into manageable pieces.

The Sub-Technique Structure

Sub-techniques are named with the pattern Technique: Sub-Technique, and their IDs extend the parent technique's ID with a three-digit suffix (T1059.001 is a sub-technique of T1059).

Examples:

  • T1059 (Command and Scripting Interpreter) includes:
    • T1059.001 (PowerShell)
    • T1059.002 (AppleScript)
    • T1059.003 (Windows Command Shell)
    • T1059.004 (Unix Shell)
    • T1059.005 (VBScript)
    • T1059.006 (Python)
    • T1059.007 (JavaScript)
    • T1059.008 (Lua)

Each sub-technique describes executing code or commands using a specific interpreter or language.

  • T1110 (Brute Force) includes:
    • T1110.001 (Password Guessing)
    • T1110.002 (Password Spraying)
    • T1110.003 (Credential Stuffing)
    • T1110.004 (Credential Dumping)

Each describes a specific password attack method.

Why Sub-Techniques Matter

Precision in Detection: Rather than detecting "Command and Scripting Interpreter" generically, you can detect "PowerShell" specifically. This precision reduces false positives and focuses alerts.

Evasion Understanding: Attackers often choose specific sub-techniques to evade known detections. Understanding which sub-techniques are used by which groups helps predict next steps.

Tool Specificity: Malware and hacking tools implement specific sub-techniques. A tool designed for PowerShell exploitation implements T1059.001 specifically.

Research and Intelligence: Academic research, vendor reports, and threat intelligence focus on specific sub-techniques. Mapping to sub-techniques rather than parent techniques enables precise research use.

Compliance and Audit: Regulatory frameworks increasingly reference ATT&CK at the sub-technique level, requiring granular assessment.

Common Sub-Techniques

Some sub-techniques appear frequently in threat research and attacks:

T1087.001 (Account Discovery: Local Account): Discovering local user accounts on compromised systems. Nearly every attack requires understanding what accounts exist.

T1018 (Remote System Discovery): Discovering other systems on the network. Post-compromise reconnaissance almost always includes network discovery.

T1049 (System Network Connections Discovery): Identifying network connections and active services. Attackers need to understand what services are running.

T1059.001 (Command and Scripting Interpreter: PowerShell): Using PowerShell to execute commands. PowerShell is ubiquitous in Windows environments, making it an attractive attack platform.

T1547.001 (Boot or Logon Autostart Execution: Registry Run Keys / Start Folder): Using Windows Registry for persistence. This is one of the most common persistence mechanisms.

T1078.001 (Valid Accounts: Default Accounts): Using default credentials. Often effective against poorly maintained systems.

Sub-Techniques vs. Techniques: When to Use Each

When discussing high-level strategy, use techniques. "We're vulnerable to Privilege Escalation attacks" is an appropriate high-level statement.

When implementing detections or conducting detailed analysis, use sub-techniques. "We need to detect T1078.001 (Valid Accounts: Default Accounts)" is precise.

In documentation and communication, use both. Reference the parent technique for context, sub-technique for specificity: "We detected use of default credentials (T1078.001) through IIS log analysis."

Sub-Techniques in Threat Intelligence

When analyzing threat groups, research often specifies sub-techniques:

A report might state: "APT28 frequently uses T1547.001 (Boot or Logon Autostart Execution: Registry Run Keys) for persistence."

This specificity is more useful than "APT28 uses persistence techniques." It tells you exactly which persistence method to hunt for and defend against.

When reviewing threat intelligence, note the sub-techniques used by adversaries targeting your organization. Prioritize defenses against those specific sub-techniques.

Mapping Your Infrastructure to Sub-Techniques

Systematically assess which sub-techniques are relevant to your environment:

Windows-heavy environments are vulnerable to sub-techniques specific to Windows:

  • T1547.001 (Registry Run Keys)
  • T1059.003 (Windows Command Shell)
  • T1112 (Modify Registry)

Linux environments are vulnerable to different sub-techniques:

  • T1547.004 (Systemd Timer)
  • T1059.004 (Unix Shell)
  • T1053 (Scheduled Task/Job)

Cloud environments involve sub-techniques specific to cloud platforms:

  • T1199 (Trusted Relationship): Cloud provider relationships
  • T1538 (Cloud Service Dashboard): Accessing cloud dashboards

Document which sub-techniques are relevant to your infrastructure. This targeted assessment is more valuable than assessing all sub-techniques.

Sub-Techniques in Detection

Build detection rules for specific sub-techniques rather than parent techniques.

Too generic: "Detect Command and Scripting Interpreter usage" (T1059)

Appropriate: "Detect PowerShell with suspicious command line" (T1059.001)

Specific detections:

  • Reduce false positives
  • Improve alert actionability
  • Enable accurate coverage assessment
  • Support precise incident response

When mapping detections to ATT&CK, map to sub-techniques when possible. If you detect "PowerShell execution," map to T1059.001, not just T1059.
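The ID structure described under "The Sub-Technique Structure" and the mapping rule above (map to T1059.001, not just T1059) can both be checked mechanically. The following is an added example, not code from the original post or from MITRE: it parses ATT&CK IDs into parent and sub-technique, rolls a detection catalogue up to parent techniques, flags rules that are mapped only to a parent that has sub-techniques, lists uncovered sub-techniques, and emits a minimal ATT&CK Navigator layer. The rule names in `DETECTIONS` are hypothetical, `KNOWN_SUBTECHNIQUES` is limited to the IDs this page lists rather than the full ATT&CK catalogue, and the Navigator layer uses only the `techniqueID`/`score`/`comment` entry fields, which is an assumption to check against the layer format version your Navigator expects.

```python
import re
from collections import defaultdict

# Constructed detection catalogue: hypothetical rule names tagged with ATT&CK IDs.
DETECTIONS = {
    "ps_suspicious_cmdline": ["T1059.001"],
    "cmd_shell_from_office_app": ["T1059.003"],
    "generic_interpreter_spawn": ["T1059"],       # mapped only to the parent technique
    "default_account_logon": ["T1078.001"],
    "run_key_value_set": ["T1547.001"],
}

# Sub-techniques per parent, limited to the IDs this page lists (not the full ATT&CK catalogue).
KNOWN_SUBTECHNIQUES = {
    "T1059": {f"T1059.{n:03d}" for n in range(1, 9)},
    "T1110": {f"T1110.{n:03d}" for n in range(1, 5)},
    "T1078": {"T1078.001"},
    "T1547": {"T1547.001", "T1547.004", "T1547.006"},
    "T1087": {"T1087.001", "T1087.002"},
}

# Txxxx for a technique, Txxxx.yyy for a sub-technique.
ATTACK_ID = re.compile(r"^(T\d{4})(?:\.(\d{3}))?$")


def is_attack_id(value):
    """True when the string has the shape of an ATT&CK technique or sub-technique ID."""
    return ATTACK_ID.match(value) is not None


def parse_attack_id(attack_id):
    """Split an ATT&CK ID into (parent technique, sub-technique or None)."""
    m = ATTACK_ID.match(attack_id)
    if not m:
        raise ValueError(f"not an ATT&CK technique ID: {attack_id!r}")
    parent, suffix = m.group(1), m.group(2)
    return parent, (attack_id if suffix else None)


def coverage_by_parent(detections):
    """Roll every mapping up to its parent: {parent: set of covered sub-techniques}."""
    covered = defaultdict(set)
    for ids in detections.values():
        for attack_id in ids:
            parent, sub = parse_attack_id(attack_id)
            bucket = covered[parent]          # a parent-only mapping still registers the parent
            if sub:
                bucket.add(sub)
    return dict(covered)


def parent_only_mappings(detections, known=KNOWN_SUBTECHNIQUES):
    """Flag rules mapped only to a parent that has sub-techniques; those should be made specific."""
    return sorted(
        (rule, attack_id)
        for rule, ids in detections.items()
        for attack_id in ids
        if parse_attack_id(attack_id)[1] is None and known.get(attack_id)
    )


def uncovered_subtechniques(detections, known=KNOWN_SUBTECHNIQUES):
    """List, per parent, the known sub-techniques that no rule covers."""
    covered = coverage_by_parent(detections)
    return {parent: sorted(subs - covered.get(parent, set())) for parent, subs in known.items()}


def navigator_layer(detections, name="detection coverage"):
    """Build a minimal ATT&CK Navigator layer: one entry per mapped ID, score = number of rules.
    Only the techniqueID/score/comment entry fields are used (assumed minimal layer shape)."""
    rules_per_id = defaultdict(list)
    for rule, ids in detections.items():
        for attack_id in ids:
            parse_attack_id(attack_id)       # reject malformed IDs before they reach the layer
            rules_per_id[attack_id].append(rule)
    return {
        "name": name,
        "domain": "enterprise-attack",
        "techniques": [
            {"techniqueID": tid, "score": len(rules), "comment": ", ".join(sorted(rules))}
            for tid, rules in sorted(rules_per_id.items())
        ],
    }


if __name__ == "__main__":
    print("parent-only mappings:", parent_only_mappings(DETECTIONS))
    for parent, missing in uncovered_subtechniques(DETECTIONS).items():
        print(parent, "uncovered:", missing)
```

Running it reports `generic_interpreter_spawn` as the one rule that should be re-mapped to a specific T1059 sub-technique, and shows that six of the eight listed T1059 sub-techniques and all four listed T1110 sub-techniques have no detection at all, which is the coverage gap a parent-level mapping would have hidden.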

Sub-Techniques in Threat Hunting

Threat hunting benefits from sub-technique specificity. Rather than hunting for "Credential Access" generally, hunt for specific sub-techniques:

  • Hunt for T1087.001 (Account Discovery: Local Account) - search for "net user" commands
  • Hunt for T1110.001 (Brute Force: Password Guessing) - search for repeated failed logons
  • Hunt for T1110.002 (Brute Force: Password Spraying) - search for distributed failed logons across many accounts

These specific hunts are more feasible than hunting "Credential Access" as a whole.
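The password guessing and password spraying hunts listed above differ only in how failed logons are distributed: many failures against one account, or one or two failures against many accounts, from the same source in a short window. The following is an added example, not code from the original post: it slides a time window over constructed failed-logon records (reduced to the timestamp, target account and source address fields a Windows 4625-style event carries; the data is made up) and classifies each source by which pattern it shows. The window and thresholds are assumptions to tune against your own logon volume.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed failed-logon records: (timestamp, target account, source address). Not real data.
FAILED_LOGONS = [
    # one account hit repeatedly from one source (password guessing pattern)
    ("2024-05-01T08:00:00", "svc_backup", "10.0.0.5"),
    ("2024-05-01T08:00:05", "svc_backup", "10.0.0.5"),
    ("2024-05-01T08:00:10", "svc_backup", "10.0.0.5"),
    ("2024-05-01T08:00:15", "svc_backup", "10.0.0.5"),
    ("2024-05-01T08:00:20", "svc_backup", "10.0.0.5"),
    ("2024-05-01T08:00:25", "svc_backup", "10.0.0.5"),
    # many accounts, one failure each, from one source (password spraying pattern)
    ("2024-05-01T09:00:00", "alice", "10.0.0.9"),
    ("2024-05-01T09:00:10", "bob", "10.0.0.9"),
    ("2024-05-01T09:00:20", "dave", "10.0.0.9"),
    ("2024-05-01T09:00:30", "erin", "10.0.0.9"),
    ("2024-05-01T09:00:40", "frank", "10.0.0.9"),
    ("2024-05-01T09:00:50", "grace", "10.0.0.9"),
    # a user mistyping a password twice (benign noise that must not alert)
    ("2024-05-01T10:00:00", "carol", "10.0.0.20"),
    ("2024-05-01T10:00:30", "carol", "10.0.0.20"),
]


def window_peaks(events, window):
    """Slide a time window over one source's (timestamp, account) events and return
    (max failures against a single account, max distinct accounts) seen in any window."""
    events = sorted(events)
    max_single = max_distinct = 0
    start = 0
    for end in range(len(events)):
        # drop events that fell out of the window ending at events[end]
        while events[end][0] - events[start][0] > window:
            start += 1
        per_account = Counter(acct for _, acct in events[start:end + 1])
        max_single = max(max_single, max(per_account.values()))
        max_distinct = max(max_distinct, len(per_account))
    return max_single, max_distinct


def hunt_failed_logons(records, window_minutes=10, guess_threshold=5, spray_accounts=5):
    """Classify each source address: 'password guessing' when one account fails at least
    guess_threshold times in the window, 'password spraying' when at least spray_accounts
    distinct accounts fail from that source in the window. Returns {source: (finding, count)}."""
    by_source = defaultdict(list)
    for ts, account, source in records:
        by_source[source].append((datetime.fromisoformat(ts), account))
    window = timedelta(minutes=window_minutes)
    findings = {}
    for source, events in by_source.items():
        max_single, max_distinct = window_peaks(events, window)
        if max_single >= guess_threshold:
            findings[source] = ("password guessing", max_single)
        elif max_distinct >= spray_accounts:
            findings[source] = ("password spraying", max_distinct)
    return findings


if __name__ == "__main__":
    for source, (finding, count) in sorted(hunt_failed_logons(FAILED_LOGONS).items()):
        print(f"{source}: {finding} ({count} in window)")
```

The spraying branch is evaluated only when the guessing branch does not fire, so a source that both hammers one account and touches many others is reported once under the more severe pattern. Keying on the source address is what makes spraying visible; a per-account view, which is what account lockout policies see, shows one or two failures per account and nothing else.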

Sub-Techniques in Security Controls

When implementing security controls, consider sub-technique-specific controls:

For T1078.001 (Valid Accounts: Default Accounts):

  • Control: Disable or rename default accounts
  • Control: Change default passwords immediately
  • Detection: Alert on default account usage

For T1547.001 (Boot or Logon Autostart Execution: Registry Run Keys):

  • Control: Monitor Registry Run keys for modifications
  • Control: Restrict write access to Run keys
  • Detection: Alert on suspicious Run key modifications

Sub-technique specificity enables targeted control implementation.
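The Run key controls listed for T1547.001 include a detection, "alert on suspicious Run key modifications". The following is an added example, not code from the original post: it runs that detection over constructed records shaped like Sysmon Event ID 13 (RegistryEvent: value set), matching values written directly under a Run or RunOnce key in any hive and suppressing writers on an allow-list. The image paths, SID and value names are made up, and the allow-list is an assumption standing in for whatever your change process permits to write autostart entries.

```python
import re

# A value directly under a Run or RunOnce key, under any hive (HKLM\..., HKU\<SID>\...).
RUN_KEY_VALUE = re.compile(
    r"\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\[^\\]+$", re.IGNORECASE
)

# Constructed allow-list (lower-cased image paths permitted to write Run keys; hypothetical path).
ALLOWED_WRITERS = {r"c:\program files\corp installer\setup.exe"}

# Constructed records shaped like Sysmon Event ID 13 (value set) plus one Event ID 12
# (key created) record. All paths, SIDs and names are made up.
EVENTS = [
    {"EventID": 13, "Image": r"C:\Program Files\Corp Installer\setup.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CorpAgent",
     "Details": r"C:\Program Files\Corp Agent\agent.exe"},
    {"EventID": 13, "Image": r"C:\Users\jdoe\AppData\Local\Temp\update.exe",
     "TargetObject": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Users\jdoe\AppData\Local\Temp\update.exe"},
    {"EventID": 13, "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 12, "Image": r"C:\Windows\regedit.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
     "Details": ""},   # key create event: no value written, so nothing to alert on by itself
]


def is_run_key_value(target_object):
    """True when the registry path is a value directly under a Run or RunOnce key."""
    return RUN_KEY_VALUE.search(target_object) is not None


def alert_on_run_key_writes(events, allowed_writers=ALLOWED_WRITERS):
    """Return one alert per Run/RunOnce value set by an image that is not on the allow-list."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 13:            # only value-set events carry the written command
            continue
        if not is_run_key_value(ev.get("TargetObject", "")):
            continue
        if ev.get("Image", "").lower() in allowed_writers:
            continue
        alerts.append({
            "technique": "T1547.001",
            "writer": ev["Image"],
            "value": ev["TargetObject"],
            "autostart_command": ev.get("Details", ""),
        })
    return alerts


if __name__ == "__main__":
    for alert in alert_on_run_key_writes(EVENTS):
        print(f"[{alert['technique']}] {alert['writer']} set {alert['value']} -> {alert['autostart_command']}")
```

The alert carries the written `Details` value because that is the command that will run at the next logon; responders need it far more than the key path. Matching the hive-relative tail of the path rather than a fixed `HKLM\...` prefix is what lets the same rule cover per-user `HKU\<SID>` Run keys, which is where a non-administrative process can still persist.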

Sub-Technique Hierarchy and Coverage

Sometimes multiple sub-techniques cover related areas. For example, multiple persistence sub-techniques:

  • T1547 (Boot or Logon Autostart Execution) has many platform-specific sub-techniques
  • T1053 (Scheduled Task/Job) has platform-specific sub-techniques
  • T1547.001, T1547.004, T1547.006 cover different operating systems

Comprehensive defense requires addressing multiple sub-techniques under the same parent technique.

Research and Sub-Techniques

Academic research and vendor reports often document sub-techniques in detail:

A vulnerability disclosure might describe how "an attacker could exploit this to achieve privilege escalation via exploitation of unquoted service paths" (T1547.010).

These detailed disclosures map to sub-techniques naturally. Use sub-techniques to organize and reference security research.

Sub-Techniques in Compliance

Increasingly, compliance frameworks and standards reference ATT&CK sub-techniques:

  • NIST has mapped its framework to ATT&CK sub-techniques
  • CIS Controls reference sub-techniques
  • Security audits assess sub-technique coverage

Organizations subject to compliance requirements should assess compliance at the sub-technique level.

Tools and Sub-Technique Support

Most modern security tools support sub-technique mapping:

  • SIEM platforms can tag alerts with sub-technique identifiers
  • EDR tools map detected behaviors to sub-techniques
  • Threat intelligence platforms organize data by sub-technique
  • ATT&CK Navigator displays sub-techniques alongside techniques

Verify your tools support sub-technique granularity.

Sub-Technique Gaps and Overlaps

Some sub-techniques overlap slightly. For example:

  • T1110.001 (Password Guessing) vs. T1110.002 (Password Spraying) both involve trying passwords, but with different targeting strategies
  • T1087.001 (Local Account Discovery) vs. T1087.002 (Domain Account Discovery) describe account discovery in different contexts

When mapping activities, choose the most specific sub-technique that accurately describes the behavior.

Conclusion

Sub-techniques add crucial granularity to MITRE ATT&CK, enabling precise threat analysis, detection engineering, and defensive prioritization. Rather than discussing generic techniques, use sub-techniques to specify exactly which attack method you're analyzing. Map your infrastructure vulnerabilities to relevant sub-techniques. Build detections for specific sub-techniques. Hunt for evidence of particular sub-techniques. This granularity transforms ATT&CK from a reference framework into a practical operational tool for modern cybersecurity teams.
