TLCTC
ⓘ Example data in this tool is AI-generated based on real-world threat reports. Quality improves with evolving AI capabilities. These examples illustrate the practical application of the TLCTC framework.

Summary

Total Techniques: 698 (222 parent + 476 sub-techniques)
In-Scope (Mapped): 609, mapped to TLCTC clusters
Out-of-Scope (N/A): 89, Resource Development and passive Reconnaissance / OSINT
Mapping Coverage: 100%, all techniques have mapping arguments

Key Mapping Decisions Applied

Tactic: Reconnaissance
  Primary cluster(s): #1, #9, mostly N/A
  Rationale: Active scanning (#1) and phishing for information (#9) cross the @Org boundary; OSINT stays N/A. The bucket split was applied in Phase 1 of the v2.1 revalidation.

Tactic: Resource Development
  Primary cluster(s): N/A
  Rationale: These techniques act on @AttackerInfra (T1583/T1585/T1587/T1588/T1608/T1650) or on @OtherVictims (T1584/T1586), both outside the @Org threat scope.

Tactic: Initial Access
  Primary cluster(s): #2, #3 → #7, #4, #8 → #7, #9 → #7, #10 → #7
  Rationale: Boundary crossing into @Org. The cluster depends on the entry vector: server-side flaw (#2), client-side flaw (#3 → #7), valid credentials (#4), physical access (#8), social engineering (#9), supply chain (#10).

Tactic: Execution
  Primary cluster(s): #1 → #7, #9 → #7, #3 → #7
  Rationale: The LOLBAS pattern (#1 → #7) dominates. T1203 client-side exploitation chains #3 → #7 per R-EXEC. T1204* user execution is #9 → #7.

Tactic: Persistence
  Primary cluster(s): #1 → #7, #1, #4
  Rationale: The autostart pattern (#1 → #7) dominates. Account and permission persistence is #1 (no FEC). T1078* uses valid accounts, so #4.

Tactic: Privilege Escalation
  Primary cluster(s): #1 → #7, (#2 | #3) → #7, #1 → #4
  Rationale: Process injection is #1 → #7 across the intra-system boundary |[process]|. T1611 container escape crosses |[hypervisor]|. T1068/T1211 exploits chain to #7.

Tactic: Defense Evasion
  Primary cluster(s): #1, #1 → #7, #7
  Rationale: Designed admin abuse (#1) for impair/hide/clear. LOLBAS proxies are #1 → #7. FEC-feature framing (#7) covers malware-internal evasion (T1497, T1622, T1480, polymorphism, etc.).

Tactic: Credential Access
  Primary cluster(s): #1 | #7, #1 → #4, #4
  Rationale: Acquisition maps to the enabling cluster (#1 dump, #7 malware, #5 MitM). Application of the credential is always #4 per R-CRED / Axiom X. T1110* brute force is #4.

Tactic: Discovery
  Primary cluster(s): #1
  Rationale: Post-foothold enumeration via designed APIs. Single rule: Discovery = #1 (T1040 sniffing is the exception: #1 | #5).

Tactic: Lateral Movement
  Primary cluster(s): #4 → #1, #4, #1 → #7
  Rationale: Auth-then-abuse (#4 → #1) for T1021* remote services. T1550* alternate authentication material is #4 per R-CRED. Plant-then-execute (#1 → #7) for T1072 software deployment tools and T1080 taint shared content.

Tactic: Collection
  Primary cluster(s): #1, #4 → #1, #1 → #4
  Rationale: Direct read with existing access (#1) carries [DRE: C]. Auth-then-read (#4 → #1) for T1114 email collection and T1530 cloud storage. T1185 browser session hijacking is #1 → #4.

Tactic: Command and Control
  Primary cluster(s): #7, #1, #1 | #7
  Rationale: FEC capabilities (#7) for malware-internal C2 logic. Third-party services as transit (#1 with ⇒) for T1102. Mixed (#1 | #7) for proxies and tunneling.

Tactic: Exfiltration
  Primary cluster(s): #1, #1 | #7
  Rationale: All carry [DRE: C]. Egress channel abuse (#1) or malware-driven (#7). The transit operator ⇒ marks SaaS carriers (T1567* web services, T1537 transfer to cloud account).

Tactic: Impact
  Primary cluster(s): #7 + DRE, #1 + DRE, #6 + DRE
  Rationale: DRE annotations distinguish data states: [DRE: Av] for wipers, [DRE: Ac] for ransomware (Axiom III), [DRE: I] for defacement/manipulation, [DRE: A] for service disruption.
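The cluster column above uses a small notation: "#N" for a cluster, "→" for a chain from the enabling cluster to the realized one, "|" for alternatives, parentheses for grouping, "N/A" for out-of-scope, and a "[DRE: X]" data-state annotation. The following is an added example, written for this page and not code from the TLCTC project, that parses that notation and resolves each chain to its entry and final clusters. The sample mapping table (SAMPLE_MAPPINGS) is constructed from the technique IDs named in the rows above; treating "#7 [DRE: Ac]" as a single chain string with a trailing annotation is an assumed convention, and the "⇒" transit operator and "|[boundary]|" markers from the rationale column are deliberately not parsed.

```python
"""Parser for the TLCTC cluster-chain notation in the mapping table above.
Constructed example for this page, not code from the TLCTC project.
Handles '#N' clusters, '→' (or '->') sequencing, '|' alternatives,
parentheses, 'N/A', and a trailing '[DRE: X]' annotation (assumed format)."""
import re
from typing import Dict, List, Optional, Set, Tuple

_TOKEN = re.compile(r"\s*(#\d+|→|->|\||\(|\)|N/A|\[DRE:\s*[A-Za-z]+\])")


def tokenize(expr: str) -> List[str]:
    """Split a chain expression into tokens, normalising '->' to '→'."""
    expr, tokens, pos = expr.strip(), [], 0
    while pos < len(expr):
        m = _TOKEN.match(expr, pos)
        if not m:
            raise ValueError(f"unexpected text at {pos}: {expr[pos:]!r}")
        tokens.append("→" if m.group(1) == "->" else m.group(1))
        pos = m.end()
    return tokens


class _Parser:
    """seq := alt ('→' alt)* ; alt := atom ('|' atom)* ; atom := #N | (seq) | N/A"""
    def __init__(self, tokens: List[str]):
        self.toks, self.i = tokens, 0

    def peek(self) -> Optional[str]:
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self, expected: Optional[str] = None) -> str:
        tok = self.peek()
        if tok is None or (expected is not None and tok != expected):
            raise ValueError(f"expected {expected or 'a token'}, got {tok!r}")
        self.i += 1
        return tok

    def parse_seq(self) -> tuple:
        parts = [self.parse_alt()]
        while self.peek() == "→":
            self.take()
            parts.append(self.parse_alt())
        return parts[0] if len(parts) == 1 else ("seq", parts)

    def parse_alt(self) -> tuple:
        parts = [self.parse_atom()]
        while self.peek() == "|":
            self.take()
            parts.append(self.parse_atom())
        return parts[0] if len(parts) == 1 else ("alt", parts)

    def parse_atom(self) -> tuple:
        tok = self.take()
        if tok == "(":
            node = self.parse_seq()
            self.take(")")
            return node
        if tok == "N/A":
            return ("na",)
        if tok.startswith("#") and 1 <= int(tok[1:]) <= 10:  # TLCTC defines #1..#10
            return ("cluster", int(tok[1:]))
        raise ValueError(f"unexpected token {tok!r}")


def parse_chain(expr: str) -> Tuple[tuple, Optional[str]]:
    """Return (tree, dre): the parsed chain and its data-state annotation."""
    tokens = tokenize(expr)
    dre = tokens.pop()[5:-1].strip() if tokens and tokens[-1].startswith("[DRE:") else None
    parser = _Parser(tokens)
    tree = parser.parse_seq()
    if parser.peek() is not None:
        raise ValueError(f"trailing tokens: {tokens[parser.i:]}")
    return tree, dre


def _ends(tree: tuple, index: int) -> Set[int]:
    """Clusters at one end of a chain: index 0 = entry cluster, -1 = final."""
    if tree[0] == "cluster":
        return {tree[1]}
    if tree[0] == "na":
        return set()
    if tree[0] == "seq":
        return _ends(tree[1][index], index)
    return set().union(*(_ends(t, index) for t in tree[1]))  # "alt" node


def entry_clusters(tree: tuple) -> Set[int]:
    return _ends(tree, 0)


def final_clusters(tree: tuple) -> Set[int]:
    return _ends(tree, -1)


# Constructed sample rows, each taken from the tactic table on this page.
SAMPLE_MAPPINGS: Dict[str, str] = {
    "T1203": "#3 → #7",         # Execution: client exploit chains per R-EXEC
    "T1078": "#4",              # Persistence: valid accounts
    "T1068": "(#2 | #3) → #7",  # Privilege Escalation: exploit chains to #7
    "T1040": "#1 | #5",         # Discovery: the sniffing exception
    "T1021": "#4 → #1",         # Lateral Movement: auth-then-abuse
    "T1185": "#1 → #4",         # Collection: browser session hijacking
    "T1583": "N/A",             # Resource Development: @AttackerInfra
}


def summarize(mappings: Dict[str, str] = SAMPLE_MAPPINGS) -> Dict[str, dict]:
    """Resolve each technique's chain to entry/final clusters and a scope flag."""
    out = {}
    for tid, expr in mappings.items():
        tree, dre = parse_chain(expr)
        out[tid] = {"entry": entry_clusters(tree), "final": final_clusters(tree),
                    "dre": dre, "in_scope": tree[0] != "na"}
    return out
```

The entry/final split is the useful part for detection work: "(#2 | #3) → #7" resolves to entry {2, 3} and final {7}, so a hunt for that technique looks for the exploit at the boundary but for foreign executable code as the realized state. Rejecting cluster numbers outside #1..#10 and trailing tokens catches typos in hand-edited mapping tables before they reach a dashboard.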