MITRE ATT&CK Framework & TTPs | Red Teaming

Overview

MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) is the de facto standard for describing adversary behavior in cybersecurity. For red teamers, it serves a dual purpose: it provides a structured vocabulary for planning operations and a post-engagement framework for communicating exactly what was tested, what succeeded, and what the defending organization should prioritize. Understanding ATT&CK at depth is not optional — it is foundational to every serious red team engagement.

This page covers the framework’s history, structure, and practical application to red team operations, including all 14 Enterprise tactics, technique hierarchies, the ATT&CK Navigator, threat-informed emulation planning, and how to map engagements back to ATT&CK for maximum defensive value.

1. ATT&CK History and Purpose

The Fort Meade Experiment (2013)

ATT&CK originated in 2013 from a MITRE research project conducted at Fort Meade, Maryland. The goal was to systematically document the post-compromise behavior of adversaries operating inside enterprise Windows networks. The researchers needed a way to describe what attackers do after they gain initial access — not the vulnerabilities they exploit, but the behaviors they exhibit once inside.

The initial dataset was built by analyzing real-world intrusions and mapping attacker actions to a structured matrix. This differed fundamentally from vulnerability-centric frameworks like CVE or CWE. ATT&CK answers the question “what do adversaries do?” rather than “what flaws do they exploit?”

Evolution and Scope

2015: ATT&CK was made publicly available, initially covering Windows-only post-compromise techniques
2017: The framework expanded to include Linux and macOS coverage
2018: PRE-ATT&CK (pre-compromise activities) was introduced, later merged into the main Enterprise matrix as Reconnaissance and Resource Development tactics
2019: The Mobile matrix was published, covering Android and iOS adversary behaviors
2020: The ICS (Industrial Control Systems) matrix was released for operational technology environments
2022: ATT&CK reached version 12 with the introduction of Campaigns as a first-class object
2023-2024: Continued refinement with sub-technique expansion, improved data source objects, and deeper detection guidance

Three Matrices

ATT&CK is organized into three technology domain matrices:

Matrix	Scope	Tactics	Primary Audience
Enterprise	Windows, Linux, macOS, Cloud (Azure AD, Office 365, Google Workspace, SaaS, IaaS), Network, Containers	14	SOC analysts, red teams, threat intel
Mobile	Android, iOS	14	Mobile security teams, app developers
ICS	Industrial control systems, SCADA, PLCs	12	OT security teams, critical infrastructure

Community-Driven Development

ATT&CK is maintained by MITRE but developed with extensive community input. Anyone can submit technique proposals, corrections, or new threat intelligence through the ATT&CK GitHub repository. Each version release undergoes public comment periods before finalization. This open model has been critical to ATT&CK’s adoption — defenders, vendors, and red teams all contribute to the knowledge base, creating a shared language that spans organizational boundaries.

2. ATT&CK Structure: Tactics, Techniques, and Procedures

ATT&CK uses a hierarchical model to categorize adversary behavior at three levels of abstraction.

Tactics (The “Why”)

Tactics represent the adversary’s objective — the reason they perform an action. Tactics answer the question “why is the attacker doing this?” There are 14 tactics in the Enterprise matrix, arranged roughly in the order an adversary might use them during an operation (though real-world attacks are rarely linear).

Techniques (The “How”)

Techniques describe the specific method an adversary uses to achieve a tactical objective. Each technique belongs to one or more tactics. Techniques answer the question “how does the attacker accomplish their goal?”

Techniques are identified by a four-digit ID prefixed with T (e.g., T1059 — Command and Scripting Interpreter).

Sub-Techniques (The “Specific How”)

Sub-techniques provide additional granularity within a technique. They describe specific implementations or variations of a parent technique. Sub-technique IDs append a three-digit suffix to the parent ID (e.g., T1059.001 — PowerShell, T1059.003 — Windows Command Shell).

As of the current version, ATT&CK Enterprise contains approximately 200 techniques and 400+ sub-techniques. This number grows with each release as the community identifies new adversary behaviors.

Procedures (The “Instance”)

Procedures are the specific implementations observed in the wild — how a particular threat group or malware sample executes a technique. Procedures are not assigned IDs; they are documented as examples within technique pages. For example, APT29 has been observed using PowerShell (T1059.001) to execute encoded commands for C2 communication — that specific observation is a procedure.

Technique Tree Example

T1059 - Command and Scripting Interpreter (Technique)
├── T1059.001 - PowerShell
├── T1059.002 - AppleScript
├── T1059.003 - Windows Command Shell
├── T1059.004 - Unix Shell
├── T1059.005 - Visual Basic
├── T1059.006 - Python
├── T1059.007 - JavaScript
├── T1059.008 - Network Device CLI
└── T1059.009 - Cloud API

T1053 - Scheduled Task/Job (Technique)
├── T1053.002 - At
├── T1053.003 - Cron
├── T1053.005 - Scheduled Task
├── T1053.006 - Systemd Timers
└── T1053.007 - Container Orchestration Job

3. The 14 Enterprise Tactics — Deep Dive

The following diagram shows how ATT&CK tactics map to the attack lifecycle. Note that real operations are non-linear — adversaries frequently loop back to earlier tactics as they expand access.

graph LR
    A[Reconnaissance] --> B[Resource Development]
    B --> C[Initial Access]
    C --> D[Execution]
    D --> E[Persistence]
    E --> F[Privilege Escalation]
    F --> G[Defense Evasion]
    G --> H[Credential Access]
    H --> I[Discovery]
    I --> J[Lateral Movement]
    J --> K[Collection]
    K --> L[Command & Control]
    L --> M[Exfiltration]
    M --> N[Impact]

    J -->|Expand Access| E
    I -->|New Targets| J
    H -->|Elevated Creds| F
    G -->|Maintain Stealth| D

    style A fill:#e74c3c,color:#fff
    style B fill:#e67e22,color:#fff
    style C fill:#f39c12,color:#fff
    style D fill:#27ae60,color:#fff
    style E fill:#2ecc71,color:#fff
    style F fill:#1abc9c,color:#fff
    style G fill:#3498db,color:#fff
    style H fill:#2980b9,color:#fff
    style I fill:#9b59b6,color:#fff
    style J fill:#8e44ad,color:#fff
    style K fill:#e74c3c,color:#fff
    style L fill:#c0392b,color:#fff
    style M fill:#d35400,color:#fff
    style N fill:#7f8c8d,color:#fff

Complete Tactic Reference

ID	Tactic	Description	Example Techniques	Red Team Application
TA0043	Reconnaissance	Gathering information to plan an operation	T1595 Active Scanning, T1592 Gather Victim Host Info, T1589 Gather Victim Identity Info	OSINT collection, target profiling, attack surface mapping
TA0042	Resource Development	Establishing resources to support operations	T1583 Acquire Infrastructure, T1587 Develop Capabilities, T1585 Establish Accounts	C2 infrastructure setup, phishing domain registration, payload development
TA0001	Initial Access	Gaining a foothold in the target environment	T1566 Phishing, T1190 Exploit Public-Facing Application, T1199 Trusted Relationship	Phishing campaigns, web app exploitation, supply chain compromise
TA0002	Execution	Running adversary-controlled code	T1059 Command and Scripting Interpreter, T1204 User Execution, T1047 WMI	Payload execution, script-based post-exploitation
TA0003	Persistence	Maintaining access across restarts	T1053 Scheduled Task/Job, T1547 Boot/Logon Autostart, T1136 Create Account	Implant persistence, backdoor accounts, service installation
TA0004	Privilege Escalation	Gaining higher-level permissions	T1068 Exploitation for Privilege Escalation, T1548 Abuse Elevation Control, T1134 Access Token Manipulation	Local privesc, token impersonation, UAC bypass
TA0005	Defense Evasion	Avoiding detection	T1027 Obfuscated Files, T1055 Process Injection, T1070 Indicator Removal	AV/EDR bypass, log tampering, AMSI bypass
TA0006	Credential Access	Stealing credentials	T1003 OS Credential Dumping, T1558 Steal or Forge Kerberos Tickets, T1110 Brute Force	Credential harvesting, Kerberoasting, LSASS dumping
TA0007	Discovery	Understanding the target environment	T1087 Account Discovery, T1082 System Information Discovery, T1018 Remote System Discovery	Network enumeration, AD reconnaissance, trust mapping
TA0008	Lateral Movement	Moving through the environment	T1021 Remote Services, T1550 Use Alternate Authentication Material, T1570 Lateral Tool Transfer	RDP pivoting, pass-the-hash, WinRM lateral movement
TA0009	Collection	Gathering data of interest	T1005 Data from Local System, T1039 Data from Network Shared Drive, T1114 Email Collection	Data staging, email scraping, screenshot capture
TA0011	Command & Control	Communicating with compromised systems	T1071 Application Layer Protocol, T1573 Encrypted Channel, T1090 Proxy	C2 channel establishment, domain fronting, DNS tunneling
TA0010	Exfiltration	Stealing data from the target	T1041 Exfiltration Over C2, T1048 Exfiltration Over Alternative Protocol, T1567 Exfiltration Over Web Service	Data theft simulation, DLP testing
TA0040	Impact	Disrupting or destroying systems and data	T1486 Data Encrypted for Impact, T1489 Service Stop, T1529 System Shutdown/Reboot	Ransomware simulation, destructive action demonstration

TA0043 — Reconnaissance

Reconnaissance encompasses all activities where adversaries gather information to plan future operations. This tactic was added to the Enterprise matrix in ATT&CK v8, absorbing content previously in the separate PRE-ATT&CK matrix.

Key Techniques:

T1595 — Active Scanning: Port scanning, vulnerability scanning, and wordlist-based directory brute-forcing against target infrastructure. Includes sub-techniques for scanning IP blocks (T1595.001) and vulnerability scanning (T1595.002).
T1589 — Gather Victim Identity Information: Collecting employee names, email addresses, credentials from breach databases, and organizational role information. Critical for spearphishing target selection.
T1593 — Search Open Websites/Domains: Mining social media, job postings, code repositories, and paste sites for intelligence. Red teams routinely find cloud API keys, internal hostnames, and technology stack details in public GitHub repos.
T1592 — Gather Victim Host Information: Identifying operating systems, software versions, and security tooling through various methods including analyzing HTTP headers and JavaScript fingerprinting.

Red Team Relevance: Reconnaissance quality directly determines operation success. A red team that spends adequate time on OSINT will identify phishing targets, technology stacks, and potential entry points that make every subsequent phase more efficient. Document every reconnaissance technique used for ATT&CK mapping.

Detection Opportunities: External reconnaissance is inherently difficult to detect. Active scanning may generate alerts in perimeter IDS/IPS, and monitoring for credential stuffing attempts can catch breach-data-based targeting.

TA0042 — Resource Development

Resource Development covers the adversary’s preparation activities — acquiring infrastructure, developing tools, and establishing accounts that will be used during the operation.

Key Techniques:

T1583 — Acquire Infrastructure: Purchasing domains, renting VPS instances, and provisioning cloud resources for C2, phishing, and staging. Includes sub-techniques for domains (T1583.001), DNS servers (T1583.002), virtual private servers (T1583.003), and serverless infrastructure (T1583.006).
T1587 — Develop Capabilities: Building custom malware, exploits, and tools. Red teams developing bespoke payloads to bypass specific EDR products fall under this technique.
T1585 — Establish Accounts: Creating social media personas, email accounts, and cloud service accounts to support social engineering and infrastructure operations.
T1588 — Obtain Capabilities: Acquiring tools, exploits, and certificates from third parties rather than developing them in-house. Using open-source offensive tools, purchasing code-signing certificates, and obtaining stolen credentials all map here.

Red Team Relevance: Planning C2 infrastructure, registering look-alike domains, and preparing payloads are resource development activities. This phase directly feeds into C2 Frameworks selection and deployment.

Detection Opportunities: Certificate transparency logs, domain registration monitoring, and threat intelligence feeds that track newly observed infrastructure.

TA0001 — Initial Access

Initial Access techniques describe how adversaries gain their first foothold inside the target environment.

Key Techniques:

T1566 — Phishing: The most common initial access vector for both real adversaries and red teams. Sub-techniques cover spearphishing attachments (T1566.001), links (T1566.002), and via service (T1566.003, e.g., through Teams or Slack messages).
T1190 — Exploit Public-Facing Application: Exploiting vulnerabilities in internet-facing services — web applications, VPNs, mail servers, and edge devices. Red teams frequently target VPN concentrators and web applications for initial access.
T1199 — Trusted Relationship: Abusing access granted through third-party relationships — MSP connections, vendor VPN tunnels, and supply chain integrations.
T1078 — Valid Accounts: Using legitimate credentials (from breach databases, credential stuffing, or purchase) to authenticate directly. Increasingly common as organizations expose cloud services and VPNs to the internet.
T1195 — Supply Chain Compromise: Compromising software updates, development tools, or hardware components before they reach the target. Red teams may simulate this by targeting CI/CD pipelines or package repositories.

Red Team Relevance: Initial access is the highest-risk phase of any red team operation. The technique chosen must balance realism with operational security. Phishing remains the most commonly used approach, but exploiting public-facing applications provides a more covert entry point.

Detection Opportunities: Email security gateways, web application firewalls, impossible-travel alerts on authentication, and monitoring for anomalous VPN connections.

TA0002 — Execution

Execution encompasses techniques that result in adversary-controlled code running on a target system.

Key Techniques:

T1059 — Command and Scripting Interpreter: The workhorse of post-exploitation. PowerShell (T1059.001), Windows Command Shell (T1059.003), and Python (T1059.006) are the most frequently used by red teams. PowerShell remains the most versatile option on Windows targets despite increased scrutiny.
T1204 — User Execution: Relying on a user to execute a malicious payload — opening a document, clicking a link, or running a program. This pairs directly with phishing for initial access.
T1047 — Windows Management Instrumentation (WMI): Using WMI for both local and remote code execution. wmic process call create is a classic lateral movement execution technique.
T1053 — Scheduled Task/Job: Creating scheduled tasks or cron jobs to execute payloads. Serves both execution and persistence objectives.

Red Team Relevance: Execution technique selection is heavily influenced by the target’s defensive tooling. An environment running a mature EDR product may require in-memory execution via .NET reflection or direct syscalls to avoid detection, while a less mature environment may allow straightforward PowerShell.

Detection Opportunities: Script block logging, module logging, process creation events (Sysmon Event ID 1), WMI event subscriptions, and command-line argument monitoring.

TA0003 — Persistence

Persistence techniques allow adversaries to maintain access to a system across restarts, credential changes, and other interruptions.

Key Techniques:

T1547 — Boot or Logon Autostart Execution: Registry Run keys (T1547.001), startup folder items, and authentication packages. The most straightforward persistence mechanisms on Windows.
T1053 — Scheduled Task/Job: Scheduled tasks (T1053.005) and cron jobs (T1053.003) provide reliable persistence that survives reboots and can execute at specified intervals.
T1136 — Create Account: Creating local or domain accounts for persistent access. Domain admin creation is noisy but effective; local accounts on rarely audited systems are more subtle.
T1098 — Account Manipulation: Modifying existing accounts — adding credentials to service principals, granting additional permissions, or adding SSH authorized keys.
T1505 — Server Software Component: Web shells (T1505.003) remain extremely popular for persistence on internet-facing servers. They are lightweight, blend with legitimate web content, and survive most incident response actions short of full server rebuilds.

Red Team Relevance: Red teams should deploy multiple persistence mechanisms at different levels (user-level, admin-level, domain-level) to test the defender’s ability to find and eradicate all footholds. Document each mechanism for the post-engagement report.

Detection Opportunities: Registry monitoring, scheduled task creation events, new account creation alerts, file integrity monitoring on web directories, and autoruns analysis.

TA0004 — Privilege Escalation

Privilege Escalation techniques allow adversaries to obtain higher-level permissions on a system or within a network.

Key Techniques:

T1068 — Exploitation for Privilege Escalation: Exploiting local kernel or software vulnerabilities to gain SYSTEM or root privileges. Print Spooler (PrintNightmare), various kernel exploits, and service-specific vulnerabilities are commonly used.
T1548 — Abuse Elevation Control Mechanism: Bypassing User Account Control (T1548.002) on Windows, using sudo misconfigurations (T1548.003) on Linux, and abusing setuid/setgid binaries.
T1134 — Access Token Manipulation: Token impersonation and theft. Tools like Incognito and built-in Windows APIs allow impersonation of tokens from other logged-in users.
T1078 — Valid Accounts: Domain admin credentials obtained through credential access techniques provide the most comprehensive privilege escalation in Active Directory environments.
T1484 — Domain Policy Modification: Modifying Group Policy Objects or domain trust settings to escalate privileges across the domain. GPO abuse can grant local admin rights on targeted systems.

Red Team Relevance: Privilege escalation is often the critical juncture in an operation. Moving from a standard user to local administrator, and from local administrator to domain administrator, are the two most important escalation milestones. The path taken should be documented with ATT&CK technique IDs.

Detection Opportunities: Sysmon driver/image load events, UAC bypass monitoring, token manipulation detection, GPO modification alerts, and anomalous process elevation chains.

TA0005 — Defense Evasion

Defense Evasion is the largest tactic in ATT&CK, reflecting the arms race between attackers and defenders. Techniques here focus on avoiding detection by security tools and analysts.

Key Techniques:

T1055 — Process Injection: Injecting code into legitimate processes to execute in their context. Classic DLL injection (T1055.001), process hollowing (T1055.012), and thread execution hijacking (T1055.003) are staples of offensive tooling.
T1027 — Obfuscated Files or Information: Encoding, encrypting, or packing payloads to evade signature-based detection. Sub-techniques include software packing (T1027.002), steganography (T1027.003), and stripped payloads (T1027.008).
T1070 — Indicator Removal: Clearing event logs (T1070.001), deleting files (T1070.004), and timestomping (T1070.006) to remove evidence of adversary activity.
T1562 — Impair Defenses: Disabling or modifying security tools — killing EDR processes, disabling Windows Defender, or modifying firewall rules. T1562.001 (Disable or Modify Tools) is the most direct approach.
T1036 — Masquerading: Renaming tools to match legitimate system binaries, matching binary metadata, and using legitimate paths to blend in. Naming a payload svchost.exe and placing it in a system directory is a basic but effective example.

Red Team Relevance: Defense evasion is where red team skill is most visibly demonstrated. The ability to operate undetected in an environment with modern EDR, SIEM, and a skilled SOC separates competent red teams from merely adequate ones. Every evasion technique used should be mapped so the blue team can improve detection.

Detection Opportunities: Behavioral detection (process injection patterns), AMSI for script-based attacks, ETW telemetry for .NET execution, Sysmon for process creation and file operations, and integrity monitoring for security tool configurations.

TA0006 — Credential Access

Credential Access techniques focus on stealing account names, passwords, hashes, and tokens.

Key Techniques:

T1003 — OS Credential Dumping: The most critical credential access technique family. LSASS memory dumping (T1003.001), SAM database extraction (T1003.002), NTDS.dit extraction (T1003.003), and DCSync (T1003.006) provide different levels of credential access depending on current privileges.
T1558 — Steal or Forge Kerberos Tickets: Kerberoasting (T1558.003), AS-REP Roasting (T1558.004), Golden Ticket (T1558.001), and Silver Ticket (T1558.002) attacks. Kerberoasting is one of the highest-value techniques available to red teams in Active Directory environments.
T1110 — Brute Force: Password spraying (T1110.003) against online services is frequently the first credential access technique attempted. It targets the weakest link in any organization — password reuse and weak passwords.
T1557 — Adversary-in-the-Middle: LLMNR/NBT-NS poisoning (T1557.001) and ARP spoofing to intercept authentication traffic and capture hashes. Responder and mitm6 are the standard tools.

Red Team Relevance: Credential access is the engine that drives lateral movement. A single domain administrator hash or a Kerberos golden ticket can compromise an entire Active Directory forest. Red teams should demonstrate the full credential access chain — from initial password spray to domain compromise — to illustrate the cascading impact of weak credential hygiene.

Detection Opportunities: LSASS access monitoring (Sysmon Event ID 10), Kerberos ticket request anomalies, honey tokens and honey credentials, password spray detection through failed authentication correlation, and network traffic analysis for poisoning attacks.

TA0007 — Discovery

Discovery techniques allow adversaries to learn about the target environment — what systems exist, what permissions are available, and where valuable data resides.

Key Techniques:

T1087 — Account Discovery: Enumerating local accounts (T1087.001), domain accounts (T1087.002), email accounts (T1087.003), and cloud accounts (T1087.004). net user /domain and BloodHound are the starting points for AD enumeration.
T1082 — System Information Discovery: Gathering OS version, hostname, architecture, and installed patches. Fundamental for identifying privilege escalation opportunities.
T1018 — Remote System Discovery: Identifying other hosts on the network through ARP scans, DNS enumeration, net group queries, and LDAP queries. Feeds directly into lateral movement planning.
T1069 — Permission Groups Discovery: Enumerating local groups, domain groups, and cloud groups to identify high-value accounts and understand the privilege hierarchy.
T1046 — Network Service Discovery: Port scanning internal systems to identify running services and potential lateral movement targets.

Red Team Relevance: Discovery informs every subsequent phase of the operation. Thorough discovery — particularly AD enumeration via tools like BloodHound and SharpHound — reveals the shortest path to domain dominance. Excessive or careless discovery activity can trigger alerts, so red teams must balance thoroughness with stealth.

Detection Opportunities: LDAP query monitoring, anomalous SMB enumeration patterns, internal port scan detection, and correlation of discovery commands from a single source.

TA0008 — Lateral Movement

Lateral Movement techniques enable adversaries to move between systems in the target environment.

Key Techniques:

T1021 — Remote Services: Using legitimate remote access protocols — RDP (T1021.001), SMB/Windows Admin Shares (T1021.002), SSH (T1021.004), WinRM (T1021.006), and VNC (T1021.005) — to move between systems.
T1550 — Use Alternate Authentication Material: Pass-the-Hash (T1550.002), Pass-the-Ticket (T1550.003), and web session cookies (T1550.004) enable authentication without knowing the plaintext password.
T1570 — Lateral Tool Transfer: Moving tools and payloads between compromised systems using SMB shares, SCP, or other file transfer mechanisms.
T1563 — Remote Service Session Hijacking: Taking over existing RDP sessions (T1563.002) or SSH sessions without needing credentials for the target service.

Red Team Relevance: Lateral movement is where operations succeed or fail at scale. The ability to move from the initial foothold to the objective — whether that is a domain controller, a database server, or a specific user’s workstation — determines whether the engagement achieves its goals. Using legitimate administration protocols (RDP, WinRM) makes detection more difficult.

Detection Opportunities: Anomalous logon events (Event ID 4624 Type 3 and Type 10), lateral movement tool signatures, unusual SMB traffic patterns, and network segmentation violations.

TA0009 — Collection

Collection techniques are used to gather information relevant to the adversary’s objectives.

Key Techniques:

T1005 — Data from Local System: Searching local filesystems for sensitive documents, configuration files, and credentials stored in plaintext.
T1039 — Data from Network Shared Drive: Accessing network shares to find sensitive data. Many organizations store critical documents on shared drives with overly permissive access controls.
T1114 — Email Collection: Accessing email through local Outlook data files (T1114.001), remote Exchange servers (T1114.002), or mail forwarding rules (T1114.003).
T1113 — Screen Capture: Capturing screenshots to demonstrate access to sensitive applications or data without exfiltrating the actual files.
T1560 — Archive Collected Data: Compressing and optionally encrypting collected data before exfiltration. Using standard tools like 7-Zip or WinRAR with password protection.

Red Team Relevance: Collection demonstrates the real-world impact of a compromise. For red team engagements, collecting (and documenting) access to crown jewel assets — financial data, PII, intellectual property, executive communications — makes the engagement report tangible and actionable for leadership.

Detection Opportunities: Anomalous file access patterns, large archive creation events, email forwarding rule creation, and DLP policy triggers.

TA0011 — Command and Control

Command and Control (C2) techniques describe how adversaries communicate with systems under their control within the target network.

Key Techniques:

T1071 — Application Layer Protocol: Using HTTP/HTTPS (T1071.001), DNS (T1071.004), or mail protocols (T1071.003) for C2 communication. HTTPS is the most common because it blends with normal traffic and is encrypted.
T1573 — Encrypted Channel: Encrypting C2 traffic with symmetric (T1573.001) or asymmetric (T1573.002) cryptography to prevent content inspection.
T1090 — Proxy: Using external proxies, multi-hop proxies (T1090.003), or domain fronting (T1090.004) to obscure C2 infrastructure.
T1572 — Protocol Tunneling: Encapsulating C2 traffic within other protocols — DNS tunneling, ICMP tunneling, or SSH tunneling.
T1102 — Web Service: Using legitimate web services (GitHub, Slack, Google Docs, social media APIs) as C2 channels to blend with normal traffic.

Red Team Relevance: C2 channel selection is a critical operational decision. See C2 Frameworks for detailed guidance on selecting and deploying C2 infrastructure. The C2 technique used should be documented and mapped to ATT&CK for the engagement report.

Detection Opportunities: JA3/JA3S fingerprinting, DNS query volume and entropy analysis, HTTP beaconing pattern detection, SNI inspection, and unusual process-to-network-connection mappings.

TA0010 — Exfiltration

Exfiltration techniques describe how adversaries steal data from the target environment.

Key Techniques:

T1041 — Exfiltration Over C2 Channel: The simplest approach — sending collected data out through the existing C2 channel. Convenient but may be constrained by bandwidth and detection risk.
T1048 — Exfiltration Over Alternative Protocol: Using a different protocol than the C2 channel — DNS exfiltration, FTP, or custom protocols over unusual ports.
T1567 — Exfiltration Over Web Service: Uploading data to cloud storage (T1567.002), code repositories, or other legitimate web services. Extremely difficult to distinguish from normal business usage.
T1029 — Scheduled Transfer: Exfiltrating data at specific times to blend with normal traffic patterns or avoid detection during high-monitoring periods.

Red Team Relevance: Data exfiltration demonstrates the ultimate impact of a breach. Red teams should test DLP controls by attempting exfiltration through multiple channels — C2, cloud storage, email, and physical media where in-scope. Document the volume, method, and content type of exfiltrated data.

Detection Opportunities: DLP solutions, network flow analysis for unusual outbound data volumes, cloud service upload monitoring, and DNS exfiltration detection (query length and frequency analysis).

TA0040 — Impact

Impact techniques are used to disrupt availability or compromise integrity by manipulating business and operational processes.

Key Techniques:

T1486 — Data Encrypted for Impact: Ransomware — encrypting files and demanding payment. Red teams may simulate this by encrypting test files in isolated directories rather than performing actual encryption at scale.
T1489 — Service Stop: Stopping critical services to cause operational disruption. Often precedes ransomware deployment to disable backup agents and security tools.
T1485 — Data Destruction: Wiping data from disk, deleting databases, or corrupting files. Red teams typically demonstrate capability rather than executing destruction.
T1529 — System Shutdown/Reboot: Forcing system shutdowns after deploying ransomware or as a denial-of-service technique.
T1531 — Account Access Removal: Deleting accounts, changing passwords, or disabling accounts to lock out legitimate users during an attack.

Red Team Relevance: Impact techniques must be handled with extreme care during engagements. Red teams should clearly define impact simulation boundaries in the Rules of Engagement. Typically, red teams demonstrate the ability to execute impact actions (e.g., showing they could deploy ransomware) without actually performing them on production systems.

Detection Opportunities: Ransomware canary files, volume shadow copy deletion monitoring, mass file modification alerts, and critical service stop event monitoring.

4. ATT&CK Navigator

The ATT&CK Navigator is a web-based tool for visualizing, annotating, and exploring the ATT&CK matrix. For red teams, it is the primary tool for planning operations, documenting coverage, and communicating results to stakeholders.

Core Capabilities

Technique Selection and Scoring: Assign numeric scores and colors to techniques to represent coverage, priority, or detection capability
Layer Creation: Build multiple layers representing different views — planned techniques, executed techniques, detection coverage, or threat group profiles
Layer Operations: Combine layers using set operations (union, intersection, difference) to identify coverage gaps or compare planned versus actual technique usage
Threat Group Overlays: Load ATT&CK’s built-in threat group technique sets as layers
JSON Export/Import: Layers are stored as JSON files that can be versioned, shared, and programmatically generated
SVG/Excel Export: Generate visual outputs for reports and presentations

Creating a Threat Profile Layer

Red teams use the Navigator to build engagement-specific layers:

Start with threat intelligence: Identify the most relevant threat groups for the target’s sector
Load group layers: Import technique sets for those groups from ATT&CK
Score by relevance: Assign scores based on technique applicability to the target environment
Intersect with scope: Remove techniques that are out of scope for the engagement
Export the plan: Save the JSON layer as the operation plan baseline
Post-engagement update: Mark techniques as successfully executed, blocked, or detected

Example ATT&CK Navigator Layer JSON

{
  "name": "Red Team Op - Financial Sector Q1 2026",
  "versions": {
    "attack": "15",
    "navigator": "5.1.0",
    "layer": "4.5"
  },
  "domain": "enterprise-attack",
  "description": "Planned techniques for financial sector red team engagement based on FIN7 and Carbanak TTPs",
  "filters": {
    "platforms": ["Windows", "Linux", "Azure AD", "Office 365"]
  },
  "sorting": 3,
  "layout": {
    "layout": "side",
    "aggregateFunction": "average",
    "showID": true,
    "showName": true,
    "showAggregateScores": true,
    "countUnscored": false
  },
  "hideDisabled": false,
  "techniques": [
    {
      "techniqueID": "T1566.001",
      "tactic": "initial-access",
      "color": "#e60d0d",
      "comment": "Spearphishing with macro-enabled document targeting finance department",
      "score": 100,
      "enabled": true
    },
    {
      "techniqueID": "T1059.001",
      "tactic": "execution",
      "color": "#e60d0d",
      "comment": "PowerShell for initial payload execution and C2 stager",
      "score": 100,
      "enabled": true
    },
    {
      "techniqueID": "T1003.001",
      "tactic": "credential-access",
      "color": "#e60d0d",
      "comment": "LSASS dump via custom MiniDumpWriteDump implementation",
      "score": 90,
      "enabled": true
    },
    {
      "techniqueID": "T1021.002",
      "tactic": "lateral-movement",
      "color": "#ff6600",
      "comment": "SMB lateral movement using harvested credentials",
      "score": 80,
      "enabled": true
    },
    {
      "techniqueID": "T1071.001",
      "tactic": "command-and-control",
      "color": "#e60d0d",
      "comment": "HTTPS C2 with malleable profiles mimicking CDN traffic",
      "score": 100,
      "enabled": true
    },
    {
      "techniqueID": "T1567.002",
      "tactic": "exfiltration",
      "color": "#ff6600",
      "comment": "Exfiltration to attacker-controlled cloud storage bucket",
      "score": 75,
      "enabled": true
    }
  ],
  "gradient": {
    "colors": ["#ffffff", "#ff6600", "#e60d0d"],
    "minValue": 0,
    "maxValue": 100
  },
  "legendItems": [
    { "label": "Planned - High Priority", "color": "#e60d0d" },
    { "label": "Planned - Medium Priority", "color": "#ff6600" },
    { "label": "Planned - Low Priority", "color": "#ffcc00" },
    { "label": "Executed Successfully", "color": "#00cc00" },
    { "label": "Blocked/Detected", "color": "#0066cc" }
  ],
  "metadata": [
    { "name": "engagement_id", "value": "RT-2026-001" },
    { "name": "target_sector", "value": "Financial Services" },
    { "name": "threat_profile", "value": "FIN7 / Carbanak" }
  ],
  "showTacticRowBackground": true,
  "tacticRowBackground": "#205b8f",
  "selectTechniquesAcrossTactics": false,
  "selectSubtechniquesWithParent": false,
  "selectVisibleTechniques": false
}

One of the most valuable uses of the Navigator is bridging the gap between red and blue teams. After an engagement, red teams can:

Create a “red layer” showing all techniques executed during the operation, with comments documenting specific procedures
Request a “blue layer” from the SOC showing their detection coverage and confidence levels
Overlay the layers to identify gaps — techniques the red team used that the blue team cannot detect
Generate a joint remediation layer prioritized by risk and detection feasibility

This collaborative approach is the foundation of Purple Teaming exercises.

5. Data Sources and Detections

ATT&CK v10 introduced Data Source objects — structured representations of the telemetry needed to detect specific techniques. This addition transformed ATT&CK from a purely offensive framework into a detection engineering resource.

Data Source Structure

Each data source has:

Name: The observable category (e.g., Process, File, Network Traffic)
ID: A unique identifier (DS####)
Description: What the data source represents
Data Components: Specific observable events within the data source (e.g., Process Creation, File Modification)
Collection Layers: Where the data can be collected (host, network, cloud)

Key Data Sources for Red Team Awareness

Red teams must understand data sources because they reveal what telemetry defenders can use to detect specific techniques:

Data Source	Data Components	Relevant Techniques	Red Team Implication
Process (DS0009)	Creation, Termination, Access, Modification	T1055, T1059, T1047	Process injection and execution are heavily monitored
File (DS0022)	Creation, Modification, Deletion, Access	T1027, T1070, T1005	File-based operations leave artifacts
Network Traffic (DS0029)	Flow, Content, Connection Creation	T1071, T1573, T1048	C2 and exfiltration traffic is analyzed
Command (DS0017)	Command Execution	T1059, T1047, T1053	Command-line logging captures execution details
Windows Registry (DS0024)	Key Creation, Modification, Deletion	T1547, T1112, T1562	Registry persistence is well-monitored
Logon Session (DS0028)	Creation, Metadata	T1078, T1021, T1550	Authentication events are a primary detection source
Active Directory (DS0026)	Object Creation, Modification, Access	T1087, T1069, T1484	AD changes generate security events

Detection Engineering Connection

The relationship between ATT&CK techniques and data sources creates a direct pipeline from adversary behavior to detection rules:

Technique identification: Red team identifies a technique to use (e.g., T1003.001 — LSASS Memory)
Data source lookup: ATT&CK maps this to Process Access (DS0009) data component
Telemetry requirement: Defenders need Sysmon Event ID 10 or equivalent EDR telemetry for LSASS access monitoring
Detection rule: A detection can be built looking for non-standard processes accessing lsass.exe
Red team adaptation: Knowing this detection exists, the red team chooses an LSASS dumping technique that avoids the standard access patterns (e.g., using a direct syscall to NtReadVirtualMemory instead of OpenProcess + MiniDumpWriteDump)

This iterative cycle is what makes ATT&CK valuable to both offense and defense.

6. ATT&CK Evaluations

MITRE Engenuity conducts annual ATT&CK Evaluations — structured assessments of commercial security products against emulated adversary behaviors. These evaluations are uniquely valuable because they test real products against real adversary tradecraft, with results mapped directly to ATT&CK techniques.

Evaluation Rounds

Round	Year	Emulated Adversaries	Focus Area
Round 1	2018	APT3	Initial evaluation methodology development
Round 2	2020	APT29 (Cozy Bear)	Sophisticated nation-state tradecraft
Round 3	2021	Carbanak + FIN7	Financially motivated adversaries targeting hospitality and finance
Round 4	2022	Wizard Spider + Sandworm	Ransomware operators and destructive attacks
Round 5	2023	Turla	Advanced persistent threat with complex multi-stage operations
Round 6	2024	menuPass (APT10) + OilRig (APT34)	Multi-platform espionage operations

How to Interpret Results

ATT&CK Evaluations do not rank or score vendors. Results are presented as detection categories:

Not Applicable (N/A): The test step was not evaluated for this vendor
None: No detection of the adversary behavior
Telemetry: Raw data was recorded but no detection logic fired
General: A general detection alert with no specific technique identification
Tactic: Detection correctly identified the tactical goal
Technique: Detection correctly identified the specific ATT&CK technique

Key principles for interpreting results:

No scores or rankings: MITRE intentionally avoids ranking vendors. Any “scorecard” is a third-party interpretation.
Configuration matters: Vendors choose their configuration for the test. Default configs may differ from what customers deploy.
Delayed detections count differently: Some vendors detect behaviors in real-time; others require analyst investigation of telemetry.
Protection vs. detection: Some rounds test both detection (visibility) and protection (blocking). A product that blocks an action prevents later steps from being tested.

What Evaluations Mean for Red Teams

ATT&CK Evaluations give red teams intelligence about the defensive tools they will face:

Detection gaps: Techniques with low detection rates across vendors indicate areas where red team operations are less likely to be caught
Common detection patterns: Techniques detected by most vendors indicate well-understood adversary behaviors that require more sophisticated evasion
Telemetry vs. detection: A vendor recording telemetry but not alerting means the data exists for retrospective analysis, even if the SOC did not receive a real-time alert
Product-specific blindspots: If the target organization’s EDR vendor performed poorly on a specific technique in evaluations, that technique may be a viable operational approach

7. ICS ATT&CK Matrix

The ICS ATT&CK matrix addresses adversary behavior in industrial control system and operational technology (OT) environments. It was released in 2020 and contains techniques specific to SCADA systems, PLCs, RTUs, HMIs, and engineering workstations.

Key Differences from Enterprise ATT&CK

Unique tactics: ICS ATT&CK includes tactics not found in Enterprise, such as Inhibit Response Function and Impair Process Control, which directly target physical processes
Physical impact: Techniques in the ICS matrix can result in physical consequences — equipment damage, safety system compromise, and environmental harm
Convergence zone: Many ICS attacks begin in the IT network (Enterprise ATT&CK) and pivot into the OT network (ICS ATT&CK), requiring both matrices
Fewer techniques: The ICS matrix is smaller (~80 techniques) reflecting the more constrained adversary behavior space in OT environments

ICS-Specific Tactics

Tactic	Description	Example Techniques
Initial Access	Gaining access to ICS networks	Engineering workstation compromise, Rogue master device
Execution	Running code on ICS systems	Change program, Modify controller tasking
Persistence	Maintaining access in OT	Module firmware, Project file infection
Evasion	Avoiding detection in OT	Rootkit, Spoof reporting message
Discovery	Mapping OT environment	Network connection enumeration, Remote system information discovery
Lateral Movement	Moving through OT	Default credentials, Remote file copy
Collection	Gathering OT data	Automated collection, Point and tag identification
Command and Control	Communicating with OT implants	Commonly used port, Connection proxy
Inhibit Response Function	Preventing safety/response	Block command message, Modify alarm settings
Impair Process Control	Disrupting physical process	Brute force I/O, Modify parameter
Impact	Causing physical/operational damage	Damage to property, Loss of safety, Denial of control

Red Team Relevance for Critical Infrastructure

Red teaming in ICS environments requires:

Dual-matrix planning: Map the IT portion of the operation to Enterprise ATT&CK and the OT portion to ICS ATT&CK
Safety-first approach: ICS red team engagements must operate within strict safety boundaries — simulating impact rather than causing it
Protocol-specific knowledge: Understanding MODBUS, DNP3, OPC UA, EtherNet/IP, and other industrial protocols is essential
IT/OT convergence testing: Testing the boundary between IT and OT networks is often the most valuable aspect of ICS red team engagements

8. Mapping Engagements to ATT&CK

Mapping red team operations to ATT&CK transforms engagement results from narrative war stories into structured, actionable intelligence. This is the bridge between offensive operations and defensive improvement.

Pre-Engagement Mapping

Before the operation begins:

Define threat profile: Select the adversary groups most relevant to the target (see Section 9 below)
Build technique shortlist: Use the Navigator to create a layer of planned techniques
Identify scope boundaries: Mark techniques that are out of scope per the Rules of Engagement
Establish success criteria: Define which technique chains constitute “mission success” per the engagement objectives
Coordinate with Frameworks to align ATT&CK mapping with the overarching engagement methodology

During the Operation — Building the ATT&CK Log

Maintain a real-time operation log that maps every significant action to an ATT&CK technique:

[2026-03-15 09:23:00] TA0043/T1595.002 - Vulnerability scan against external perimeter (Nessus)
[2026-03-15 14:15:00] TA0042/T1583.001 - Registered domain financ1al-portal.com for phishing
[2026-03-15 16:30:00] TA0042/T1587.001 - Developed macro-enabled phishing document with custom loader
[2026-03-16 08:00:00] TA0001/T1566.001 - Sent spearphishing emails to 5 finance department targets
[2026-03-16 10:42:00] TA0002/T1204.002 - User JSMITH opened phishing document and enabled macros
[2026-03-16 10:42:30] TA0002/T1059.001 - PowerShell stager executed, C2 beacon established
[2026-03-16 10:43:00] TA0011/T1071.001 - HTTPS C2 channel active to teamserver via CDN
[2026-03-16 11:15:00] TA0007/T1082 - System enumeration on JSMITH workstation
[2026-03-16 11:20:00] TA0007/T1087.002 - Active Directory user and group enumeration
[2026-03-16 13:00:00] TA0004/T1548.002 - UAC bypass via fodhelper.exe for local admin
[2026-03-16 13:05:00] TA0006/T1003.001 - LSASS credential dump (obtained 3 domain accounts)
[2026-03-16 14:30:00] TA0008/T1021.002 - Lateral movement to FILESRV01 via SMB
[2026-03-16 15:00:00] TA0009/T1039 - Accessed financial reports on \\FILESRV01\finance$
[2026-03-16 15:30:00] TA0010/T1567.002 - Exfiltrated sample data to cloud storage

Post-Engagement Mapping

After the operation:

Update the Navigator layer: Change technique colors from “planned” to “executed successfully,” “blocked,” or “detected”
Add procedure details: Document exactly how each technique was implemented (the specific tools, commands, and configurations used)
Correlate with detection: Work with the SOC to determine which techniques triggered alerts and which went undetected
Gap analysis: Identify the techniques that succeeded without detection — these represent the organization’s highest-priority defensive improvements
Generate a Purple Teaming remediation plan based on detected gaps

9. Building Threat Profiles

Threat-informed red teaming means basing operations on real adversary behavior rather than generic penetration testing. ATT&CK provides the data to build accurate threat profiles that make engagements realistic and relevant.

Using Cyber Threat Intelligence (CTI)

The process for building a threat profile:

Identify relevant threat actors: Based on the target’s industry, geography, and asset value, determine which APT groups or cybercriminal organizations are most likely to target them
Extract technique sets: Pull the documented ATT&CK techniques for each relevant group from the ATT&CK knowledge base
Weight by recency: Prioritize techniques observed in recent campaigns over historical ones
Account for tool evolution: Threat actors change tooling — a group that used Mimikatz in 2020 may use a custom LSASS dumping tool in 2026
Layer in sector-specific intelligence: Use ISAC reports, vendor threat intelligence, and government advisories to supplement ATT&CK data

APT Groups Commonly Emulated

APT Group	Also Known As	Primary Targets	Key ATT&CK Techniques	Emulation Value
APT29	Cozy Bear, Nobelium, Midnight Blizzard	Government, technology, think tanks	T1195.002 (Supply Chain), T1059.001 (PowerShell), T1071.001 (HTTPS C2), T1550.001 (Application Access Token)	Nation-state sophistication, supply chain attacks
APT28	Fancy Bear, Forest Blizzard	Government, military, media	T1566.001 (Spearphishing Attachment), T1203 (Exploitation for Client Execution), T1003 (Credential Dumping), T1041 (Exfil Over C2)	Aggressive credential harvesting, zero-day usage
FIN7	Carbanak, Carbon Spider	Finance, hospitality, retail	T1566.001 (Spearphishing), T1059.001 (PowerShell), T1055 (Process Injection), T1071.001 (HTTPS C2)	Financially motivated, point-of-sale targeting
Lazarus Group	HIDDEN COBRA, Diamond Sleet	Finance, cryptocurrency, defense	T1566.002 (Spearphishing Link), T1059.007 (JavaScript), T1486 (Ransomware), T1496 (Resource Hijacking)	Destructive operations, cryptocurrency theft
Wizard Spider	GOLD ULRICK, Grim Spider	Healthcare, manufacturing, government	T1566.001 (Spearphishing), T1486 (Ransomware), T1489 (Service Stop), T1021.002 (SMB Shares)	Ransomware operations (Ryuk/Conti)
Turla	Venomous Bear, Secret Blizzard	Government, diplomatic, military	T1071.004 (DNS C2), T1090.003 (Multi-hop Proxy), T1055 (Process Injection), T1027 (Obfuscation)	Advanced C2, satellite-based infrastructure
APT41	Winnti, Barium, Wicked Panda	Technology, gaming, healthcare, telecom	T1195.002 (Supply Chain), T1059.001 (PowerShell), T1078 (Valid Accounts), T1190 (Exploit Public Apps)	Dual espionage/financial motivation, supply chain
menuPass	APT10, Stone Panda	MSPs, technology, government	T1199 (Trusted Relationship), T1078 (Valid Accounts), T1005 (Data from Local System), T1048 (Exfil Alt Protocol)	MSP-based supply chain compromise

Sector-Specific Threat Modeling

Different sectors face different adversary profiles. Effective threat modeling for red team planning requires matching the emulated adversary to the target’s reality:

Financial Services: FIN7, Carbanak, Lazarus Group. Focus on payment card data, SWIFT transaction systems, and cryptocurrency infrastructure. Techniques emphasize credential access, lateral movement to payment processing systems, and data exfiltration.

Healthcare: Wizard Spider (Ryuk/Conti ransomware), APT41. Focus on ransomware impact, PHI data theft, and medical device compromise. Engagements should test ransomware resilience and data exfiltration controls.

Government and Defense: APT29, APT28, Turla. Focus on long-dwell-time operations, advanced C2, and intelligence collection. Engagements should emphasize stealth, persistence, and access to classified or sensitive information systems.

Energy and Critical Infrastructure: Sandworm, XENOTIME, KAMACITE. Focus on IT/OT convergence, safety system targeting, and operational disruption. Engagements require ICS ATT&CK mapping and strict safety controls.

Technology and SaaS: APT41, APT10, APT29. Focus on supply chain compromise, source code theft, and cloud infrastructure abuse. Engagements should include cloud-specific techniques and CI/CD pipeline attacks.

From Threat Profile to Operation Plan

The final step is converting a threat profile into an executable operation plan:

Select 15-30 techniques from the threat profile that are in-scope and achievable
Build technique chains: Group techniques into logical attack paths — initial access chain, privilege escalation chain, lateral movement chain, objective chain
Assign operator responsibilities: Map techniques to team members based on expertise
Create contingency techniques: For each primary technique, identify 1-2 fallback techniques in case the primary approach is blocked
Build the Navigator layer: Visualize the plan and share it with engagement leadership for approval
Define detection checkpoints: At key milestones, coordinate with the blue team (if purple) or note observations about detection for post-engagement analysis

Key Takeaways

ATT&CK provides the shared language between red teams, blue teams, threat intelligence, and leadership. Every red team operation should be planned, executed, and reported using ATT&CK technique IDs.
The 14 Enterprise tactics follow the attack lifecycle from Reconnaissance through Impact, but real operations are non-linear — adversaries loop back through Discovery, Credential Access, and Lateral Movement repeatedly.
Sub-techniques provide the granularity needed for accurate mapping. “Credential Dumping” (T1003) is too broad — specifying LSASS Memory (T1003.001) versus DCSync (T1003.006) communicates exactly what was done.
The ATT&CK Navigator is the essential tool for planning, visualizing, and communicating red team operations. Layer operations enable powerful gap analysis when combined with blue team detection layers.
Data sources reveal the telemetry that defenders use to detect techniques. Red teams who understand data sources can predict detection likelihood and choose evasion strategies accordingly.
ATT&CK Evaluations provide objective data about commercial security product capabilities against specific adversary behaviors. Red teams should study evaluation results for the products deployed in their target environments.
Threat-informed operations — building engagement plans from real APT group technique sets — produce more realistic and valuable red team engagements than generic penetration testing.

Overview

1. ATT&CK History and Purpose

The Fort Meade Experiment (2013)

Evolution and Scope

Three Matrices

Community-Driven Development

2. ATT&CK Structure: Tactics, Techniques, and Procedures

Tactics (The “Why”)

Techniques (The “How”)

Sub-Techniques (The “Specific How”)

Procedures (The “Instance”)

Technique Tree Example

3. The 14 Enterprise Tactics — Deep Dive

Complete Tactic Reference

TA0043 — Reconnaissance

TA0042 — Resource Development

TA0001 — Initial Access

TA0002 — Execution

TA0003 — Persistence

TA0004 — Privilege Escalation

TA0005 — Defense Evasion

TA0006 — Credential Access

TA0007 — Discovery

TA0008 — Lateral Movement

TA0009 — Collection

TA0011 — Command and Control

TA0010 — Exfiltration

TA0040 — Impact

4. ATT&CK Navigator

Core Capabilities

Creating a Threat Profile Layer

Example ATT&CK Navigator Layer JSON

Sharing with the Blue Team

5. Data Sources and Detections

Data Source Structure

Key Data Sources for Red Team Awareness

Detection Engineering Connection

6. ATT&CK Evaluations

Evaluation Rounds

How to Interpret Results

What Evaluations Mean for Red Teams

7. ICS ATT&CK Matrix

Key Differences from Enterprise ATT&CK

ICS-Specific Tactics

Red Team Relevance for Critical Infrastructure

8. Mapping Engagements to ATT&CK

Pre-Engagement Mapping

During the Operation — Building the ATT&CK Log

Post-Engagement Mapping

9. Building Threat Profiles

Using Cyber Threat Intelligence (CTI)

APT Groups Commonly Emulated

Sector-Specific Threat Modeling

From Threat Profile to Operation Plan

Key Takeaways

Further Reading