MITRE ATT&CK Top techniques & sub-techniques 2023

Sina Mohebi
4 min readApr 24, 2024


MITRE ATT&CK provides a framework for classifying attacker tactics, techniques, and procedures (TTPs). Each year, security researchers analyze real-world attacks to identify the most prevalent techniques and sub-techniques used by adversaries. By understanding these top techniques and sub-techniques, security professionals can prioritize their defenses and focus on the areas most likely to be targeted by attackers.

Top 10 Most Frequently Seen Techniques 2023

|                                                  |
| 1 |
| T1059: Command and Scripting Interpreter |
| 2 |
| T1027: Obfuscated Files or Information |
| 3 |
| T1083: File and Directory Discovery |
| 4 |
| T1021: Remote Services |
| 5 |
| T1082: System Information Discovery |
| 6 |
| T1070: Indicator Removal |
| 7 |
| T1071: Application Layer Protocol |
| 8 |
| T1033: System Owner/User Discovery |
| 9 |
| T1140: Deobfuscate / Decode Files or Information |
| 10 |
| T1190: Exploit Public-Facing Application |
  • T1059: Command and Scripting Interpreter | Executes malicious code through a command shell or scripting language, allowing attackers to automate tasks, deploy malware, or steal data.
  • T1027: Obfuscated Files or Information | Hides malicious content, such as malware or exploit code, by employing techniques like encryption, packing, or encoding to evade detection by security scanners and analysts.
  • T1083: File and Directory Discovery | Identifies and locates files and folders on a system, which can be used by attackers to find sensitive data, configuration files, or potential hiding places for malware.
  • T1021: Remote Services | Interacts with remote systems to manage or exploit them. Attackers can use remote services to establish persistent access, launch denial-of-service attacks, or steal data from remote machines.
  • T1082: System Information Discovery | Gathers information about a system's configuration, software, and hardware. This information can be used to identify vulnerabilities, plan attacks, or tailor exploits to specific systems.
  • T1070: Indicator Removal | Attempts to erase traces of malicious activity, such as logs, files, or registry entries, to impede forensic investigations and make it difficult to detect the attack.
  • T1071: Application Layer Protocol | Uses legitimate application protocols, such as HTTP or SMB, for malicious purposes. This technique can help attackers bypass security controls that are designed to detect suspicious network traffic.
  • T1033: System Owner/User Discovery | Identifies the users or administrators on a system. This information can be used by attackers to target specific individuals for spear phishing attacks or privilege escalation attempts.
  • T1140: Deobfuscate/Decode Files or Information | Reverses obfuscation techniques to reveal hidden malicious content. Deobfuscation can be a complex process, but it is essential for security analysts to understand the true nature of a threat.
  • T1190: Exploit Public-Facing Application | Targets vulnerabilities in publicly accessible applications, such as web servers or remote desktop services. These vulnerabilities can allow attackers to gain unauthorized access to a system, steal data, or deploy malware.

Top 5 Most Frequently Seen MITRE ATT&CK Sub-Techniques 2023

| 1 | T1059.001: PowerShell |
| 2 | T1071.001: Web Protocols |
| 3 | T1021.001: Remote Desktop Protocol |
| 4 | T1569.002: Service Execution |
| 5 | T1070.004: File Deletion |
  • T1059.001: PowerShell | Executes commands using the PowerShell scripting language, a powerful tool for automating tasks and interacting with the Windows operating system. Attackers can leverage PowerShell to download malware, steal data, or manipulate system settings.
  • T1071.001: Web Protocols | Uses protocols like HTTP, HTTPS, FTP, or SMB to communicate with a remote system. These protocols are commonly used for legitimate web browsing and file transfer, but attackers can abuse them to exfiltrate data, deliver malware, or establish remote connections.
  • T1021.001: Remote Desktop Protocol | Leverages the Remote Desktop Protocol (RDP) to establish a remote connection to a system. RDP allows legitimate users to access their desktops remotely, but attackers can exploit vulnerabilities in RDP to gain unauthorized access to a system.
  • T1569.002: Service Execution | Executes commands through a service running on the target system. Services are programs that run in the background on a system and perform specific tasks. Attackers can exploit vulnerabilities in services or abuse legitimate functionalities to execute malicious commands.
  • T1070.004: File Deletion | Permanently removes files from the system. Attackers may delete files to destroy evidence of their activity, remove critical system files to disable security software, or free up disk space for malware.