AttackTrace connects attacker behavior to network traffic, endpoint events, detection logic, investigation steps, and mitigation—in one operational reference.
Search by technique, ATT&CK ID, event ID, tool, or telemetry source.
Example trace
Execution: NTLM hash reused against a remote service
Network traffic: SMB / RPC authentication from an unusual source
Windows events: Network logon using NTLM with elevated privileges
Detection: Correlate lateral host hops and remote service creation
Investigation: Trace the credential source and complete lateral path
Mitigation: Rotate exposed credentials and remove admin reuse
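The detection step of the trace above, as an added example that is not AttackTrace's own logic: it pairs an elevated NTLM network logon (Windows event 4624, logon type 3) from a source outside an assumed admin allow-list with a new-service install (event 7045) on the same host shortly afterwards. The event records, the allow-list and the ten-minute window are constructed for this example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Minimal view of the two Windows event types the trace correlates:
# 4624 (logon) and 7045 (new service installed). Field names follow the
# Windows event schema; the values below are constructed for this example.
@dataclass
class Event:
    ts: datetime
    host: str
    event_id: int
    user: str
    src_ip: str = ""        # 4624 only: IpAddress of the logon source
    logon_type: int = 0     # 4624 only: 3 = network logon (SMB/RPC)
    auth_pkg: str = ""      # 4624 only: NTLM vs Kerberos
    elevated: bool = False  # 4624 only: ElevatedToken == %%1842

# Assumed allow-list of hosts that legitimately originate admin SMB/RPC sessions.
KNOWN_ADMIN_SOURCES = {"10.0.0.5"}
WINDOW = timedelta(minutes=10)  # assumed correlation window

def suspicious_ntlm_logons(events):
    """Elevated NTLM network logons from a source outside the admin allow-list."""
    return [e for e in events
            if e.event_id == 4624 and e.logon_type == 3
            and e.auth_pkg.upper() == "NTLM" and e.elevated
            and e.src_ip not in KNOWN_ADMIN_SOURCES]

def correlate_service_creation(events):
    """Pair each suspicious logon with a 7045 on the same host within WINDOW.

    Returns (host, user, src_ip, service_ts) tuples: hash reuse followed by
    remote service creation is the lateral-movement hop the trace describes."""
    hits = []
    for logon in suspicious_ntlm_logons(events):
        for e in events:
            if (e.event_id == 7045 and e.host == logon.host
                    and logon.ts <= e.ts <= logon.ts + WINDOW):
                hits.append((logon.host, logon.user, logon.src_ip, e.ts))
    return hits

# Constructed sample telemetry: a benign admin logon plus service install,
# one hop from an unusual source followed by a service install, and one
# unusual NTLM logon with no follow-up service creation.
T0 = datetime(2024, 1, 1, 9, 0)
SAMPLE = [
    Event(T0, "SRV01", 4624, "admin", "10.0.0.5", 3, "NTLM", True),
    Event(T0 + timedelta(minutes=1), "SRV01", 7045, "SYSTEM"),
    Event(T0 + timedelta(minutes=5), "SRV02", 4624, "admin", "10.0.0.77", 3, "NTLM", True),
    Event(T0 + timedelta(minutes=7), "SRV02", 7045, "SYSTEM"),
    Event(T0 + timedelta(minutes=30), "SRV03", 4624, "admin", "10.0.0.77", 3, "NTLM", True),
]

if __name__ == "__main__":
    for hit in correlate_service_creation(SAMPLE):
        print("lateral movement candidate:", hit)
```

Only SRV02 is reported: the SRV01 logon comes from the allow-listed source, and the SRV03 logon has no service creation within the window.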
MITRE tells you what. AttackTrace shows how it unfolds.
Vendor docs explain a signal. AttackTrace connects the signals.
Labs teach execution. AttackTrace teaches investigation.
Search gives you fragments. AttackTrace gives you one trace.
Technique library
An attacker reuses an NTLM password hash to authenticate to remote systems without knowing the plaintext password.
An attacker requests Kerberos service tickets for service accounts and cracks them offline to recover privileged credentials.
Attackers attempt to extract credentials from LSASS memory to obtain reusable secrets, tokens, and cleartext material.
The same attack, presented with the context each role needs—without flattening it into a beginner course.
Move from an alert to the right evidence, scope, and containment questions.
Map behaviors to observable telemetry and practical correlation logic.
Connect controlled execution to expected defensive visibility and validation.
Open the technique library and follow the evidence from execution through mitigation.