A more specific variant of an ATT&CK technique, identified by a decimal suffix.
MITRE ATT&CK techniques are identified by a T-prefixed integer (e.g., T1078 Valid Accounts). When the same technique has materially different platform or method variants, MITRE adds sub-techniques with a decimal suffix: T1078.001 Default Accounts, T1078.004 Cloud Accounts, T1078.002 Domain Accounts, T1078.003 Local Accounts.
Sub-techniques matter for coverage analysis: a SIEM rule that detects only Cloud Accounts abuse (T1078.004) does not cover Domain Accounts (T1078.002), even though both roll up to T1078.