Open this lesson in your favourite AI. It'll walk you through the why, explain the demo, and quiz you on the try-it list.
ATT&CK's Enterprise matrix organises adversary behaviour into 14 tactics, from Reconnaissance and Initial Access through the post-initial-access stages this lesson focuses on: Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact. Each technique has a stable ID (with sub-techniques such as T1059.004), detection guidance with the data sources it needs, and procedure examples from real intrusions. Mapping your EDR rules and audit logs to those technique IDs is how you measure detection coverage objectively: for any attack chain you can state which steps would fire a rule, which would not, and where a rule only catches one variant of a technique.
A typical Linux post-exploitation chain in ATT&CK IDs: T1078 (Valid Accounts), T1059.004 (Unix Shell), T1003.008 (OS Credential Dumping: /etc/passwd and /etc/shadow), T1543.002 (Systemd Service persistence), T1071 (Application Layer Protocol, here C2 over HTTPS, sub-technique T1071.001), T1567 (Exfiltration Over Web Service).
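As an added example (not part of the original lesson), here is a small Python script that scores the chain above against a handful of detection rules tagged the way Sigma rules tag ATT&CK (`attack.<tactic>`, `attack.t<id>`). The rule titles and tags are constructed for illustration, not taken from any real ruleset. A step counts as covered when a rule tags its exact technique, partial when a rule only tags the parent of a sub-technique (or one sub-technique of a parent the chain names), and a gap otherwise.

```python
"""Score detection coverage of an ATT&CK-mapped post-exploitation chain.

Added example for this lesson: rules are tagged Sigma-style with ATT&CK IDs;
each chain step is reported as covered, partial or gap, and a per-tactic
summary is produced for a coverage heat-map.
"""
from collections import Counter

# The chain from the lesson, with the tactic each step serves here.
# (T1078 sits under several tactics in ATT&CK; it is scored as Persistence.)
CHAIN = [
    ("T1078",     "Valid Accounts",                "Persistence"),
    ("T1059.004", "Unix Shell",                    "Execution"),
    ("T1003.008", "/etc/passwd and /etc/shadow",   "Credential Access"),
    ("T1543.002", "Systemd Service",               "Persistence"),
    ("T1071",     "Application Layer Protocol",    "Command and Control"),
    ("T1567",     "Exfiltration Over Web Service", "Exfiltration"),
]

# Constructed, hypothetical rules. Note the two deliberate mismatches:
# a rule for the parent T1003 only, and a rule for sub-technique T1071.001 only.
RULES = [
    {"title": "Shell spawned from web server process",
     "tags": ["attack.execution", "attack.t1059.004"]},
    {"title": "New systemd unit written outside the package manager",
     "tags": ["attack.persistence", "attack.t1543.002"]},
    {"title": "Read of /etc/shadow by a non-root-owned process",
     "tags": ["attack.credential_access", "attack.t1003"]},
    {"title": "Periodic HTTPS beacon to an uncategorised domain",
     "tags": ["attack.command_and_control", "attack.t1071.001"]},
]


def technique_ids(rule):
    """Extract ATT&CK technique IDs such as 'T1059.004' from a rule's tags."""
    ids = set()
    for tag in rule.get("tags", []):
        tag = tag.lower()
        # "attack.t" is 8 characters; what follows must be digits and dots.
        if tag.startswith("attack.t") and tag[8:].replace(".", "").isdigit():
            ids.add(tag[7:].upper())
    return ids


def parent(tid):
    """'T1059.004' -> 'T1059'; a parent technique is its own parent."""
    return tid.split(".")[0]


def score_step(tid, detected):
    """Classify one chain step against the set of technique IDs rules detect."""
    if tid in detected:
        return "covered"
    # Rule tags only the parent of the chain's sub-technique: it may or may
    # not fire on this variant, so count it as partial, not covered.
    if "." in tid and parent(tid) in detected:
        return "partial"
    # Chain names a parent technique and a rule covers one of its
    # sub-techniques: only that variant is detected.
    if "." not in tid and any("." in d and parent(d) == tid for d in detected):
        return "partial"
    return "gap"


def score_chain(chain, rules):
    """Return (rows, score): per-step statuses and a 0..1 score (partial = 0.5)."""
    detected = set().union(*(technique_ids(r) for r in rules))
    rows = [(tid, name, tactic, score_step(tid, detected))
            for tid, name, tactic in chain]
    weight = {"covered": 1.0, "partial": 0.5, "gap": 0.0}
    score = sum(weight[status] for *_, status in rows) / len(rows)
    return rows, score


def tactic_summary(rows):
    """Count covered/partial/gap per tactic, the usual heat-map axis."""
    summary = {}
    for _, _, tactic, status in rows:
        summary.setdefault(tactic, Counter())[status] += 1
    return summary


if __name__ == "__main__":
    rows, score = score_chain(CHAIN, RULES)
    for tid, name, tactic, status in rows:
        print(f"{status:8} {tid:10} {name:32} [{tactic}]")
    print(f"chain coverage: {score:.0%}")
    for tactic, counts in tactic_summary(rows).items():
        print(f"  {tactic}: {dict(counts)}")
```

With the constructed rules, two steps are covered, two are partial and two (T1078 and T1567) are gaps, giving 50% for the chain. The point of distinguishing partial from covered is that a rule written for `/etc/shadow` reads does not prove you would see every credential-dumping variant, and a rule for HTTPS beacons says nothing about C2 over DNS or other application protocols; treating parent and sub-technique tags as equivalent inflates the score.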
Use these three in order. Each builds on the one before.
In one paragraph, explain how ATT&CK structures post-exploitation knowledge.
Walk me through using ATT&CK to score detection coverage.
What does ATT&CK miss as a framework, and what complements it?