
MITRE ATT&CK and CVE Correlation: Threat Hunting at the TTP Layer

Lead Summary

The weakness itself is not enough. Defenders need to know which attacker behavior the weakness enables.

Tags: MITRE ATT&CK, TTP mapping, CVE correlation, threat hunting

[Illustration: a hunting matrix connecting public CVEs to attacker techniques, detections, and likely follow-on activity.]

Why IOC-Only Defense Keeps Aging Poorly

Indicators of compromise still matter, but they age quickly. Hashes rotate, infrastructure shifts, and malware families mutate. What endures is attacker behavior. That is precisely why MITRE ATT&CK mapping is operationally valuable: it lets defenders reason about what a vulnerability enables, not just which artifact last month's campaign left behind.

How the MITRE ATT&CK Matrix Is Structured

Before mapping CVEs to the framework, it helps to understand the three-level hierarchy:

| Level | Description | Example |
| --- | --- | --- |
| Tactic (TA####) | The adversary's tactical goal: the *why* | TA0001 Initial Access |
| Technique (T####) | The *how*: the method used to achieve the tactic | T1190 Exploit Public-Facing Application |
| Sub-technique (T####.###) | A more specific variant of the technique | T1059.001 PowerShell |

This hierarchy means a single CVE rarely maps to exactly one cell of the matrix. The exploitation itself usually sits under one tactic and technique, but the same flaw can be chained into several further techniques, often under a different tactic, depending on how it is exploited. The mapping is therefore not a lookup table: it requires analyst judgment about the likely exploitation path.

A CVE Is Not a Detection Strategy

Many programs store CVEs as inventory facts. Necessary, but operationally incomplete. A CVE becomes meaningful when it is connected to a tactic and technique. An internet-facing remote code execution flaw typically aligns with:

- TA0001 Initial Access.
- T1190 Exploit Public-Facing Application.

A local privilege escalation flaw usually matters later in the intrusion chain, once the attacker already has a foothold, under:

- TA0004 Privilege Escalation (T1068 Exploitation for Privilege Escalation).
- TA0005 Defense Evasion, once the elevated access is used to tamper with logging or security tooling.

That distinction matters because it changes what the SOC should be monitoring before and after exploitation actually occurs.

Concrete Mapping Example: CVE-2021-44228 (Log4Shell)

Given a specific CVE, here is how the ATT&CK mapping translates to detection priorities:

| ATT&CK Layer | Identifier | Description |
| --- | --- | --- |
| Tactic | TA0001 | Initial Access: the attacker triggers exploitation by getting a crafted string into a field the application logs |
| Technique | T1190 | Exploit Public-Facing Application |
| Sub-technique | none | T1190 has no sub-techniques; exploitation occurs via a JNDI lookup on logged input |
| Follow-on Tactic | TA0002 | Execution: a remote class file is fetched and executed inside the application's JVM |
| Follow-on Technique | T1059 | Command and Scripting Interpreter |

The detection opportunity is not at the CVE level — it is at the behavior level: unexpected outbound LDAP/DNS from Java processes, or child processes spawned by application servers. A team that only knows "Log4Shell exists" cannot write that detection rule. A team that knows the ATT&CK technique chain can.

Example: WinRAR and User Execution

When threat actors abused CVE-2023-38831 in WinRAR, the vulnerability was not merely a file parsing defect. It mapped directly to user execution (T1204.002 User Execution: Malicious File) and masquerading (T1036) behavior. The operationally interesting part for a hunting team was not the CVE identifier in isolation, but the observable exploitation sequence:

- delivery of a crafted, weaponized archive.
- user interaction with a file that appeared harmless.
- an unexpected child process spawned by the archive handler.
- follow-on persistence establishment or credential harvesting activity.
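The hierarchy and mapping rules from the earlier sections, applied to the two CVEs discussed above, expressed as a small data model. This is an added example written for this post, not MyVuln code: the identifier format checks follow the TA####, T#### and T####.### shapes from the structure table, the "initial" / "follow-on" stage vocabulary is an assumption of the example rather than ATT&CK terminology, and the WinRAR record assigns T1204.002, T1036 and T1059.003 as one reasonable reading of the sequence listed above, not an official mapping.

```python
"""CVE-to-ATT&CK mapping records that enforce the three-level ID hierarchy.

Added example, not MyVuln code. The "initial" / "follow-on" stage labels are an
assumption of this example; ATT&CK itself has no such field.
"""
import re
from dataclasses import dataclass

CVE_ID = re.compile(r"^CVE-\d{4}-\d{4,}$")
TACTIC_ID = re.compile(r"^TA\d{4}$")                 # the why
TECHNIQUE_ID = re.compile(r"^T\d{4}(?:\.\d{3})?$")   # the how, optionally a sub-technique


@dataclass(frozen=True)
class TechniqueRef:
    tactic: str      # TA####
    technique: str   # T#### or T####.###
    stage: str       # "initial" = the exploit itself, "follow-on" = post-exploitation

    def __post_init__(self) -> None:
        if not TACTIC_ID.match(self.tactic):
            raise ValueError(f"bad tactic id: {self.tactic}")
        if not TECHNIQUE_ID.match(self.technique):
            raise ValueError(f"bad technique id: {self.technique}")
        if self.stage not in ("initial", "follow-on"):
            raise ValueError(f"bad stage: {self.stage}")

    @property
    def parent_technique(self) -> str:
        """T1059.001 -> T1059; a plain technique is its own parent."""
        return self.technique.split(".", 1)[0]


@dataclass(frozen=True)
class CveMapping:
    cve: str
    refs: tuple   # TechniqueRef objects, in likely exploitation order

    def __post_init__(self) -> None:
        if not CVE_ID.match(self.cve):
            raise ValueError(f"bad CVE id: {self.cve}")
        if not self.refs:
            raise ValueError("a mapping needs at least one technique")

    def techniques_by_tactic(self) -> dict:
        """One CVE, several techniques: group them under their tactics."""
        out: dict = {}
        for r in self.refs:
            out.setdefault(r.tactic, []).append(r.technique)
        return out

    def monitoring_plan(self) -> dict:
        """What the SOC watches at exploitation time versus afterwards, rolled up
        to the parent technique, which is where most detection content lives."""
        plan = {"initial": [], "follow-on": []}
        for r in self.refs:
            if r.parent_technique not in plan[r.stage]:
                plan[r.stage].append(r.parent_technique)
        return plan


# The article's Log4Shell table as a record.
LOG4SHELL = CveMapping("CVE-2021-44228", (
    TechniqueRef("TA0001", "T1190", "initial"),
    TechniqueRef("TA0002", "T1059", "follow-on"),
))

# The WinRAR sequence; technique choice is this example's assumption.
WINRAR = CveMapping("CVE-2023-38831", (
    TechniqueRef("TA0002", "T1204.002", "initial"),    # user opens the lure
    TechniqueRef("TA0005", "T1036", "initial"),        # file looks harmless
    TechniqueRef("TA0002", "T1059.003", "follow-on"),  # archive handler spawns cmd.exe
))

if __name__ == "__main__":
    for m in (LOG4SHELL, WINRAR):
        print(m.cve, m.techniques_by_tactic(), m.monitoring_plan())
```

The point of the validation is that a malformed or half-remembered identifier fails at record creation rather than silently producing a detection plan that references a technique nobody can look up.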

Detecting Behavior, Not Just a Product Name

For public-facing exploitation scenarios, analysts typically extract more detection value from post-exploitation process behavior than from banner matching or product-name signatures alone.

```yaml
title: Suspicious Web Server Child Process
status: experimental
description: Web server worker process spawning a shell or LOLBin, typical post-exploitation behavior after T1190
tags:
  - attack.initial_access
  - attack.t1190
  - attack.execution
  - attack.t1059
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    ParentImage|endswith:
      - '\w3wp.exe'
      - '\httpd.exe'
      - '\nginx.exe'
    Image|endswith:
      - '\cmd.exe'
      - '\powershell.exe'
      - '\certutil.exe'
  condition: selection
falsepositives:
  - Administrative scripts legitimately launched by the web server process
level: high
```

This rule does not prove a specific CVE is being exploited, but it surfaces process behavior that is consistently characteristic of web application exploitation chains defenders actually care about.
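To show the rule above, the Log4Shell follow-on behaviors (Java reaching out over LDAP) and the WinRAR child-process behavior actually firing on telemetry, here is a minimal Sigma-style matcher run over constructed events. This is an added example, not MyVuln code and not a Sigma reference implementation: it supports only the Sigma subset these rules need, the second and third rules are the editor's own illustrative rules rather than published ones, the `10.0.5.` internal directory range in the filter is an assumption, and the sample events are constructed to look like Sysmon process-creation and network-connection fields.

```python
"""Tiny Sigma-style matcher run over constructed endpoint telemetry.

Added example, not MyVuln code and not a Sigma reference implementation.
Supported Sigma subset: fields inside a selection are ANDed, a list of values
for one field is ORed, modifiers |endswith |startswith |contains plus plain
equality, and a condition of terms joined by ' and ', optionally 'not '-prefixed.
Rules are plain dicts so the script has no YAML dependency.
"""
from typing import Any

# Rule 1: the article's Sigma rule, transcribed as a dict.
WEB_SERVER_CHILD = {
    "title": "Suspicious Web Server Child Process",
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {"selection": {
        "ParentImage|endswith": ["\\w3wp.exe", "\\httpd.exe", "\\nginx.exe"],
        "Image|endswith": ["\\cmd.exe", "\\powershell.exe", "\\certutil.exe"]},
        "condition": "selection"}}

# Rule 2 (assumed): Log4Shell follow-on, a Java process connecting out to LDAP.
# The filter carries the practitioner caveat: applications that legitimately
# bind to an internal directory (assumed range 10.0.5.0/24) must be excluded.
JAVA_OUTBOUND_LDAP = {
    "title": "Java Process Outbound LDAP",
    "logsource": {"category": "network_connection", "product": "windows"},
    "detection": {"selection": {
        "Image|endswith": ["\\java.exe", "\\javaw.exe"],
        "DestinationPort": [389, 636], "Initiated": "true"},
        "filter_internal_dirs": {"DestinationIp|startswith": "10.0.5."},
        "condition": "selection and not filter_internal_dirs"}}

# Rule 3 (assumed): archive handler spawning a script host (the WinRAR chain).
ARCHIVE_HANDLER_CHILD = {
    "title": "Archive Handler Spawning Script Interpreter",
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {"selection": {
        "ParentImage|endswith": ["\\WinRAR.exe"],
        "Image|endswith": ["\\cmd.exe", "\\powershell.exe", "\\wscript.exe"]},
        "condition": "selection"}}

RULES = [WEB_SERVER_CHILD, JAVA_OUTBOUND_LDAP, ARCHIVE_HANDLER_CHILD]


def _value_matches(actual: Any, modifier: str, expected: Any) -> bool:
    a, e = str(actual).lower(), str(expected).lower()  # Sigma matching is case-insensitive
    if modifier == "endswith":
        return a.endswith(e)
    if modifier == "startswith":
        return a.startswith(e)
    if modifier == "contains":
        return e in a
    return a == e


def _selection_matches(selection: dict, event: dict) -> bool:
    for key, expected in selection.items():
        field, _, modifier = key.partition("|")
        if field not in event:                      # a missing field never matches
            return False
        values = expected if isinstance(expected, list) else [expected]
        if not any(_value_matches(event[field], modifier, v) for v in values):
            return False
    return True


def rule_matches(rule: dict, event: dict) -> bool:
    if rule["logsource"]["category"] != event.get("category"):
        return False
    det = rule["detection"]
    for term in det["condition"].split(" and "):
        negate = term.startswith("not ")
        hit = _selection_matches(det[term[4:] if negate else term], event)
        if hit == negate:      # a required selection missed, or a filter fired
            return False
    return True


def run_rules(events: list, rules: list = RULES) -> list:
    """Return (rule title, event id) for every rule that fires on an event."""
    return [(r["title"], ev["id"]) for ev in events for r in rules if rule_matches(r, ev)]


# Constructed telemetry shaped like Sysmon process-create / network-connect fields.
SAMPLE_EVENTS = [
    {"id": 1, "category": "process_creation", "ParentImage": "C:\\Windows\\System32\\inetsrv\\w3wp.exe",
     "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c whoami"},
    {"id": 2, "category": "process_creation", "ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe"},
    {"id": 3, "category": "network_connection", "Image": "C:\\Program Files\\Java\\jdk-11\\bin\\java.exe",
     "DestinationIp": "203.0.113.7", "DestinationPort": 389, "Initiated": "true"},
    {"id": 4, "category": "network_connection", "Image": "C:\\Program Files\\Java\\jdk-11\\bin\\java.exe",
     "DestinationIp": "10.0.5.20", "DestinationPort": 636, "Initiated": "true"},
    {"id": 5, "category": "process_creation", "ParentImage": "C:\\Program Files\\WinRAR\\WinRAR.exe",
     "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c C:\\Users\\a\\AppData\\Local\\Temp\\invoice.cmd"},
    {"id": 6, "category": "process_creation", "ParentImage": "C:\\Program Files\\WinRAR\\WinRAR.exe",
     "Image": "C:\\Windows\\notepad.exe", "CommandLine": "notepad.exe readme.txt"},
]

if __name__ == "__main__":
    for title, event_id in run_rules(SAMPLE_EVENTS):
        print(f"{title}: event {event_id}")
```

Events 1, 3 and 5 fire; event 4 is the Java application talking to its own directory server and is suppressed by the filter, and event 6 shows that WinRAR spawning a viewer is not interesting, which is exactly the tuning decision a team has to make per technique rather than per CVE.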

MyVuln Perspective

MyVuln becomes significantly more useful when vulnerability inventory and ATT&CK mapping operate within the same workflow. That integration enables three concrete outcomes:

- building virtual patching and compensating control logic grounded in likely TTPs.
- tuning SIEM or EDR detections around the exploitation behaviors a given weakness enables.
- explaining to operations leadership why an unpatched issue is dangerous in concrete behavioral terms, not abstract score terms.


MyVuln Research Team

Cybersecurity intelligence and vulnerability research.


2026 MyVuln. All rights reserved.
