Daniel Mathiot - danymat - My BlogHello WorldZola2026-04-23T00:00:00+00:00https://danymat.dev/blog/atom.xmlCreate your own TTPs2025-01-02T00:00:00+00:002026-04-23T00:00:00+00:00
Unknown
https://danymat.dev/blog/create-your-ttp/<p>When studying new cybersecurity content, it's essential to find effective ways to retain information and easily access it when needed.</p>
<p>To address this, I've created my "Personal TTP Framework" on <a rel="nofollow noreferrer external" href="https://obsidian.md/">Obsidian</a> during my preparation for the CPTS (Certified Penetration Tester Specialist) certification, establishing a layered structure similar to the <a rel="nofollow noreferrer external" href="https://attack.mitre.org%3E">MITRE ATT&CK framework</a>.</p>
<p>The information is categorized into different layers: Tactics, Techniques, and Procedures.</p>
<h2 id="1-tactics">1. Tactics<a class="zola-anchor" href="#1-tactics" aria-label="Anchor link for: 1-tactics" style="visibility: hidden;"></a>
</h2>
<p>Tactics refer to a set of general goals during an attack. Mine are primarily based on the <a rel="nofollow noreferrer external" href="https://attack.mitre.org/tactics/enterprise/">MITRE Enterprise tactics</a>, which include:</p>
<ul>
<li>Infrastructure Preparation</li>
<li>Discovery</li>
<li>Execution</li>
<li>Defense Evasion</li>
<li>Credential Access</li>
<li>Privilege Escalation</li>
<li>Lateral Movement</li>
<li>Collection</li>
<li>Exfiltration
These layers remain relevant today.</li>
</ul>
<h2 id="2-techniques">2. Techniques<a class="zola-anchor" href="#2-techniques" aria-label="Anchor link for: 2-techniques" style="visibility: hidden;"></a>
</h2>
<p>A technique is the "how" to achieve the related tactic. My techniques are ever expanding or re-grouped as I learn new material. Start by creating your first technique based on the content you are studying.</p>
<h2 id="3-procedures">3. Procedures<a class="zola-anchor" href="#3-procedures" aria-label="Anchor link for: 3-procedures" style="visibility: hidden;"></a>
</h2>
<p>Procedures are specific implementations of a related technique. The difference between Mitre framework and mine relies on the Procedures definition. On Mitre, here is what they say:</p>
<blockquote>
<p>"The two important aspects to note about procedures in ATT&CK are that it is how an adversary uses techniques and sub-techniques and that a procedure can span multiple techniques and sub-techniques."</p>
</blockquote>
<p>On my end, I create one procedure for each specific workflow needed to perform my technique. The common denominator between Mitre's framework and mine is that "Procedures may also include use of specific tools in how they’re performed".</p>
<p>I now use this TTP framework daily (on HTB boxes and during internal assessments), and as I continue learning in the field, I expand my personal framework accordingly.</p>