**By technique ID (for validation)**:

 
 
### Resource Files
 
**ATT&CK Technique Keyword Index**: Index file for quick keyword searching to identify suitable ATT&CK IDs for further research. Sorted alphabetically and fomatted as keyword:technique_ids (comma seperated when multiple). See -> [resources/attack_keywords.idx](resources/attack_keywords.idx)
 
**ATT&CK Technique List**: Markdown table containing ATT&CK ID, name, keywords, description and platforms. Sorted by ID. Use when researching techniques, valdiating IDs, searching for up-to-date descriptions or filtering by platform. See -> [resources/attack_techniques.md](resources/attack_techniques.md)
 
**ATT&CK Version Changelog**: Reference for v15->v18.1 changes including deprecated techniques, renamed platforms, and the v18 detection model overhaul. Use when analysing older reports or understanding structural changes. See -> [resources/attack_version_changelog.md](resources/attack_version_changelog.md)
 
## Best Practice
 
Use your judgment alongside these guidelines to generate high-quality ATT&CK analysis.
 
- Do not assume your knowledge is 100% complete or up to date. Use the resources provided
- Carefully read any supplied information, perform deep analysis line by line if needed
- Search broadly for keywords, you may need to iterate multiple times to find every correct technique
- Think about the specific procedure being performed and consider the attacker (or defender) intent before determining appropriate tactic, technique or sub-technique
- Some techniques are part of multiple tactics (for ex. T1078 Valid Accounts) and may appear different for each tactic
- Other techniques are similar but distinct depending on tactic (for ex. T1213.003 and T1593.003 are both Code Respositories)
- Map to the most specific sub-technique when possible
 
### When Analysing CTI Reports
 
- IMPORTANT: Read the whole report fully, including tables of IOCs, appendixes or linked STIX files
- Screenshots contain valuable intelligence, ensure they are processed
- Break down the report into granular procedures when mapping to techniques
- Think about attacker objectives. What did they take that action? What did they hope to achieve?
- Avoid infering techniques that are not contained in the report
- Once initial analysis is complete, perform a second analysis to valdiate your findings and idenitify any missed techniques
 
### When Analysing Detections
 
- Detection logic may detect multiple techniques, map all that are applicable
- Analyse detection log sources and fields, these can help determine distinct tactics or techniques
- Consider the intent (hypothesis) of the detection, what was the engineers objective?
 
## Commonly Missed Techniques
 
### Command-Line Indicators
`-windowstyle hidden`|`-w hidden` -> T1564.003 Hidden Window
`-encodedcommand`|`-enc`|`base64` -> T1027.010 Command Obfuscation
`-noprofile`|`-ep bypass` -> T1059.001 PowerShell
 
### Encoding
Encoded payload delivered -> T1027.013 Encrypted/Encoded File
Decoded at runtime -> T1140 Deobfuscate/Decode
 
### RDP-Related
RDP connection|`.rdp` file -> T1021.001 Remote Desktop Protocol
Clipboard redirect -> T1115 Clipboard Data
Drive mapping|attached drives -> T1039 Data from Network Shared Drive
Auth redirect|intercept -> T1557 Adversary-in-the-Middle
 
### Infrastructure
DDNS|dynamic DNS|No-IP|FreeDNS -> T1568.002 Domain Generation + T1583.006 Web Services
Typosquat|lookalike domain -> T1583.001 Domains
Compromised server -> T1584.004 Server
 
### Network
SSH tunnel|port forward -> T1572 Protocol Tunneling
Downloaded|fetched payload -> T1105 Ingress Tool Transfer
Over port 80/443 -> T1071.001 Web Protocols
 
### Social Engineering
Masqueraded|posed as|impersonated -> T1656 Impersonation
Spoofed|mimicked|fake page -> T1036.005 Match Legitimate Name
Credential harvest|fake login -> T1598.003 Spearphishing Link (Recon)
 
### Technique Pairs
T1566 Spearphishing -> check T1204 User Execution
T1027 Obfuscation -> check T1140 Deobfuscation
T1053 Scheduled Task -> check T1059 Interpreter
T1021.001 RDP -> check T1115, T1039, T1557
T1059.001 PowerShell -> check T1564.003 Hidden Window
 
### Red Flag Phrases
"downloads and executes" -> T1105 + T1059
"persistence via task" -> T1053 + T1059
"C2 over HTTPS" -> T1071.001 + T1573.002
"compromised infrastructure" -> T1584.004
"redirects traffic" -> T1572 or T1090
"harvests credentials via fake page" -> T1598.003 (Recon tactic)