Ambiguous Techniques: Determine Malice through Context

By Antonia Feffer • May 13, 2025

MITRE ATT&CK® describes the tactics and techniques that have been used by cyber adversaries. Some techniques, such as System Network Configuration Discovery (T1016), are used during campaigns but are not intrinsically malicious. An ambiguous technique is an ATT&CK technique whose observable characteristics are insufficient to determine intent. In such cases, observable data does not allow us to confidently ascertain whether the intent behind the activity is malicious or benign. These ambiguous techniques are not typically used by defenders to detect adversary behavior because they do not provide enough information on their own to determine malicious intent. Ambiguous techniques may also have multiple procedural implementations which are difficult to distinguish from benign user activity until after a forensic investigation has been completed.

Adversaries know this and use living-off-the-land (LOTL) techniques to achieve malicious outcomes. Identifying adversarial use of LOTL techniques requires deliberate and conclusive detection methods that minimize false positives. In the end, detection engineers need to infer motive from security logs.

In partnership with Citigroup, Crowdstrike, Fujitsu, Fortinet, HCA Healthcare, Lloyds Banking Group, and The Microsoft Corporation, the Center for Threat-Informed Defense expanded Summiting the Pyramid to create Ambiguous Techniques, a methodology for determining the context required to discern between malicious and benign behavior while maintaining a robust detection that has high accuracy and is resistant to adversary evasion.

Context is King!

We classify three types of context that a defender can use to discern an actor’s intent: peripheral-level, chain-level, and technique-level. Each of these contexts adds information to the usage of a technique, which is necessary to determine intent.

Peripheral-level Context

Figure: Peripheral-level Context Inputs

Peripheral-level context includes external information that is most valuable for defending against potential attacks targeting your network. This is an “outside-looking-in” perspective.

We apply peripheral-level context to techniques associated with pre-compromise activities, such as those in the Reconnaissance tactic. As a result, the detections generated in this category are proactive in nature. Peripheral-level context derives from cyber threat intelligence on threats to your network, industry, or sector.

Chain-level Context

Chain-level context comes from observed co-occurring techniques - those that occur before, after, or concurrently with the specific technique of interest - in order to establish intent. We examined chain-level context techniques by leveraging data from our repository of Attack Flows and our Adversary Emulation Library.

Technique-level Context

Figure: Technique-level Context Examples

Technique-level context identifies artifacts related to the detection of a single technique. To determine technique-level context, we break down the detection criteria into four categories: Who, What, When, and Where.

  • Who: Authentication and privileges, examining who is operating within the network, the privileges they are using, and how they are attempting to access resources. It provides insight into user behavior and access patterns.
  • What: Traditional event artifacts, such as flags, commands, specific registry keys, API calls, and other concrete artifacts that can be extracted from event codes or event IDs.
  • When: Analyzes access patterns, including the frequency of activity and whether operations are occurring outside of typical or expected hours. It helps identify anomalies in the timing of activity that may indicate malicious intent.
  • Where: Examines the key terrain within a network. This includes monitoring critical files, locations, or systems, as well as examining network connections. By establishing a baseline, organizations can detect abnormal connections or flows, such as new connections being initiated or unexpected destinations being accessed.

By organizing detection criteria into these categories, we provide a structured approach to developing detection analytics and identifying technique-level differentiators. This framework enables defenders to focus on key aspects of network activity - authentication, artifacts, timing, and terrain - while leveraging baseline data and behavioral analysis to detect anomalies and differentiate between benign and malicious behavior.
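The following is an added example, not code from the Center for Threat-Informed Defense project, showing how the four technique-level categories can be applied to a single ambiguous event. The same System Network Configuration Discovery command is scored twice against a constructed baseline; the event schema, the baseline values, the account and host names and the scoring weights are all assumptions made for illustration.

```python
"""Technique-level context applied to one ambiguous event.

Added example, not code from the Center for Threat-Informed Defense project.
The event schema, the BASELINE values, the account and host names and the
scoring weights are all constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, time
from typing import List


# Constructed baseline describing what "normal" looks like in a hypothetical
# environment. A real baseline would be learned from the organisation's own data.
BASELINE = {
    "business_hours": (time(8, 0), time(18, 0)),                              # When
    "admin_accounts": {"svc_netmon", "jdoe-adm"},                             # Who
    "key_terrain": {"DC01", "FILESRV01"},                                     # Where
    "routine_commands": {"ipconfig /all", "netsh interface show interface"},  # What
    "office_parents": {"winword.exe", "excel.exe", "outlook.exe"},           # What
}


@dataclass
class Event:
    """One process-creation style record for a network-configuration discovery command."""
    host: str
    user: str
    elevated: bool
    command: str
    parent_process: str
    timestamp: datetime


@dataclass
class Assessment:
    score: int = 0
    reasons: List[str] = field(default_factory=list)

    def add(self, points: int, reason: str) -> None:
        self.score += points
        self.reasons.append(reason)


def assess(event: Event, baseline=BASELINE) -> Assessment:
    """Score one event against the four technique-level context categories.
    A score of 0 means nothing deviated from the baseline; a higher score lists
    which Who/What/When/Where differentiators fired."""
    a = Assessment()

    # Who: is this an account expected to run network discovery, and how privileged is it?
    if event.user not in baseline["admin_accounts"]:
        a.add(2, f"who: {event.user} is not an expected network-admin account")
    if event.elevated:
        a.add(1, "who: command ran with elevated privileges")

    # What: the concrete artifact, here the command line and its parent process.
    if event.command.lower().strip() not in baseline["routine_commands"]:
        a.add(1, f"what: command line {event.command!r} is not a routine one")
    if event.parent_process.lower() in baseline["office_parents"]:
        a.add(3, f"what: spawned by office application {event.parent_process}")

    # When: timing relative to the expected working window.
    start, end = baseline["business_hours"]
    if not start <= event.timestamp.time() <= end:
        a.add(1, f"when: ran at {event.timestamp:%H:%M}, outside business hours")

    # Where: does the activity touch key terrain?
    if event.host in baseline["key_terrain"]:
        a.add(2, f"where: ran on key-terrain host {event.host}")

    return a


# Two constructed events: the same command with very different surrounding context.
ROUTINE = Event("WS042", "svc_netmon", False, "ipconfig /all", "cmd.exe",
                datetime(2025, 5, 13, 10, 0))
SUSPECT = Event("DC01", "asmith", True, "ipconfig /all", "WINWORD.EXE",
                datetime(2025, 5, 13, 2, 15))

if __name__ == "__main__":
    for ev in (ROUTINE, SUSPECT):
        result = assess(ev)
        print(ev.host, ev.user, "score", result.score)
        for r in result.reasons:
            print("  -", r)
```

The command line alone ("What") is identical in both events and scores nothing, which is exactly why the technique is ambiguous; the Who, When and Where differentiators are what separate the routine run from the one worth an analyst's attention.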

How to Use Context to Determine Intent

Figure: Context Flow Chart

The above flowchart represents the progression of activities during an incident and which type of context a defender should use at each stage. The flow starts from the onset of the attack behavior and moves toward behavioral specifics. The legend at the bottom-left highlights the different contexts, with gray representing not enough information to make a determination. For a deeper dive into how to use the context flow charts, head on over to our project website.

Once we have determined which context to use, we combine analytics to improve the fidelity of our detections. We identified two distinct approaches when chaining analytics together: direct correlation and loose correlation. These methods are designed for different scenarios and are generally not interchangeable. Each serves a specific purpose depending on the level of certainty and the nature of the adversary’s actions.

  • Direct Correlation: Use direct correlation to detect a specific campaign, adversary, or tool. The most effective direct correlation analytics involve actions that are dependent on one another. For example, an adversary performs an initial action, and a subsequent action relies on the success of the first. These dependent actions may originate from different data sources or occur in different parts of the network, but their interdependence is key to establishing a direct correlation. This method is straightforward, as the analytics are chained together in a sequence where all actions must occur for the correlation to be valid.
  • Loose Correlation: Apply loose correlation when there is only a general idea of the adversary’s behavior, rather than precise knowledge of the specific actions they will take. A good example of this is discovery activity, which occurs frequently on networks and can be difficult to distinguish as either normal behavior or adversary activity. For instance, system information discovery may be observed across multiple systems, while remote file share discovery may occur on a different set of systems. Individually, these actions may appear benign, but when multiple techniques converge on a single system or user, they begin to form a pattern that suggests adversary activity.

While some implementations of analytic chaining attempt to enforce strict sequencing, we have found that the complexity and cost of such implementations often outweigh the benefits. Thus, adoption of strictly sequenced analytic chains is limited. Loose correlation allows organizations to adapt thresholds and analytics to their specific environments while maintaining a balance between detection accuracy and operational feasibility.
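To make the two chaining approaches concrete, here is an added example (not code from the Center for Threat-Informed Defense project) that runs both over the same constructed telemetry. Direct correlation requires every step of a chain to fire in order from one session; loose correlation only asks how many distinct discovery techniques converge on one host or user within a window. The `session` link field, the window sizes, the threshold and the sample events are assumptions; the technique ids are the ATT&CK ids for System Network Configuration Discovery (T1016), System Information Discovery (T1082), Account Discovery (T1087) and Network Share Discovery (T1135).

```python
"""Chaining analytics: direct correlation versus loose correlation.

Added example, not code from the Center for Threat-Informed Defense project.
The event records are constructed; the technique ids are the ATT&CK ids for
System Network Configuration Discovery (T1016), System Information Discovery
(T1082), Account Discovery (T1087) and Network Share Discovery (T1135). The
`session` link field, the window sizes and the threshold are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple, Set


class Event(NamedTuple):
    ts: datetime
    host: str
    user: str
    technique: str
    session: str  # assumed field tying dependent actions together (e.g. a logon session id)


def direct_correlation(events: List[Event], chain: List[str], window: timedelta) -> List[str]:
    """Direct correlation: every technique in `chain` must fire, in order, from the
    same session, each within `window` of the previous step. The shared session id
    stands in for the dependency between steps; a missing step means no match."""
    by_session: Dict[str, List[Event]] = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_session[e.session].append(e)

    matches = []
    for session, evs in by_session.items():
        step, last_ts = 0, None
        for e in evs:
            if last_ts is not None and e.ts - last_ts > window:
                step, last_ts = 0, None  # the partial chain went stale; start over
            if e.technique == chain[step]:
                step, last_ts = step + 1, e.ts
                if step == len(chain):
                    matches.append(session)
                    break
    return matches


def loose_correlation(events: List[Event], techniques: Set[str], window: timedelta,
                      threshold: int, key: str = "host") -> Dict[str, List[str]]:
    """Loose correlation: at least `threshold` distinct techniques from `techniques`
    seen for the same host (or user, via `key`) inside a sliding `window`. Order and
    dependency between the techniques do not matter; convergence on one entity does."""
    groups: Dict[str, List[Event]] = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        if e.technique in techniques:
            groups[getattr(e, key)].append(e)

    hits: Dict[str, List[str]] = {}
    for entity, evs in groups.items():
        start = 0
        for end in range(len(evs)):
            while evs[end].ts - evs[start].ts > window:
                start += 1  # slide the window forward
            seen = {e.technique for e in evs[start:end + 1]}
            if len(seen) >= threshold:
                hits[entity] = sorted(seen)
    return hits


# Constructed sample telemetry for one morning.
T0 = datetime(2025, 5, 13, 9, 0)
EVENTS = [
    # WS042: two discovery techniques hours apart, a single user doing routine work.
    Event(T0, "WS042", "jdoe", "T1016", "s-1"),
    Event(T0 + timedelta(hours=3), "WS042", "jdoe", "T1082", "s-2"),
    # FILESRV01: four discovery techniques converge on one host within four minutes.
    Event(T0 + timedelta(hours=1), "FILESRV01", "asmith", "T1082", "s-7"),
    Event(T0 + timedelta(hours=1, minutes=1), "FILESRV01", "asmith", "T1016", "s-7"),
    Event(T0 + timedelta(hours=1, minutes=2), "FILESRV01", "asmith", "T1087", "s-8"),
    Event(T0 + timedelta(hours=1, minutes=4), "FILESRV01", "asmith", "T1135", "s-7"),
    # DC01: the same two techniques as the chain below, but from unrelated sessions.
    Event(T0 + timedelta(hours=2), "DC01", "svc_backup", "T1082", "s-20"),
    Event(T0 + timedelta(hours=2, minutes=1), "DC01", "svc_backup", "T1135", "s-21"),
]

CHAIN = ["T1082", "T1135"]                      # constructed dependent sequence
DISCOVERY = {"T1016", "T1082", "T1087", "T1135"}


def run_direct() -> List[str]:
    return direct_correlation(EVENTS, CHAIN, timedelta(minutes=10))


def run_loose(key: str = "host") -> Dict[str, List[str]]:
    return loose_correlation(EVENTS, DISCOVERY, timedelta(minutes=15), threshold=3, key=key)


if __name__ == "__main__":
    print("direct correlation hits (sessions):", run_direct())
    print("loose correlation hits by host:", run_loose())
    print("loose correlation hits by user:", run_loose("user"))
```

Note how DC01 shows the same two techniques as the chain but from different sessions, so direct correlation does not fire there; the strict dependency is what keeps that analytic precise. FILESRV01 trips loose correlation without any ordering at all, which is the trade-off the text describes: the threshold and window are the knobs an organization tunes to its own environment rather than a fixed sequence.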

It Is Your Turn to Detect the Malice in an Ambiguous Technique

The Ambiguous Techniques framework determines the intent behind a technique through context. It offers a way to develop analytics for these techniques, enhancing efficiency by reducing resource burden and increasing visibility. We have included several example analytics that demonstrate how to improve your current detections. Defenders can apply these insights by integrating our guidance into their own development processes, using the documentation to create robust detections.

Please take our work, adapt and extend it, and contribute back to the Ambiguous Techniques (AT) knowledge base by identifying attack chains and refining technique observables.

Future Summiting detection engineering work will focus on how compound and layered detections can be used to build robust detections, as well as how we can effectively measure multi-faceted detection coverage.

Get Involved

Tell us how you are using our work! If you have any feedback, technical questions, concerns, or contributions you’d like to make to the project, email us at ctid@mitre.org

© 2025 MITRE. Approved for Public Release. Document number 25-1550.
