Interactive Demo (sample data only)

Detection Engineering

MITRE ATT&CK alignment, Sigma rules, and detection coverage analysis

Coverage Score: 91.2%
Techniques Covered: 156
Detection Gaps: 15
Total Techniques: 245

Kill Chain Coverage

Reconnaissance: 12
Weaponization: 8
Delivery: 23
Exploitation: 18
Installation: 15
Command and Control: 31
Actions on Objectives: 9

MITRE ATT&CK Matrix

Initial Access
    T1566       Phishing
    T1190       Exploit Public-Facing Application
    T1078       Valid Accounts
    T1133       External Remote Services
Execution
    T1059.001   PowerShell
    T1059.003   Windows Command Shell
    T1204       User Execution
    T1047       Windows Management Instrumentation
Persistence
    T1547.001   Registry Run Keys / Startup Folder
    T1053.005   Scheduled Task
    T1505.003   Web Shell
    T1136       Create Account
Defense Evasion
    T1027       Obfuscated Files or Information
    T1036       Masquerading
    T1562       Impair Defenses
    T1218       System Binary Proxy Execution
Credential Access
    T1003       OS Credential Dumping
    T1110       Brute Force
    T1558       Steal or Forge Kerberos Tickets
Lateral Movement
    T1021.001   Remote Desktop Protocol
    T1021.002   SMB/Windows Admin Shares
    T1570       Lateral Tool Transfer

Auto-Generated Sigma Rule

title: "IOC Detection: C2 IP 185.220.101.42"
id: cyntel-ioc-185-220-101-42
status: experimental
description: "Detects an outbound network connection from the monitored network to 185.220.101.42, an address reported as Cobalt Strike C2 infrastructure"
logsource:
    category: firewall
detection:
    selection:
        dst_ip: 185.220.101.42
    condition: selection
level: high
tags:
    - attack.command_and_control
    - attack.t1071.001
falsepositives:
    - Legitimate traffic to this address if the infrastructure is shared, or has been reassigned since the IOC was reported

Export formats: Sigma YAML, Splunk SPL, Elastic EQL, Microsoft KQL

Notes on the rule. An IP address IOC is matched exactly (dst_ip: 185.220.101.42) rather than with the "contains" modifier: a substring match adds nothing for a complete address, and backends such as Splunk render it as a leading-wildcard search that cannot be resolved efficiently against the index. The rule only fires on outbound connections, where the IOC is the destination; a connection from that address to an internal host carries the IOC in src_ip and is not matched unless a second selection on src_ip is added. A single-address IOC ages quickly, so the experimental status should be revisited and the rule retired once the infrastructure is reassigned.
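The evaluation and export steps the dashboard applies to the rule above, as an added Python example (not the product's code and not the Sigma project's tooling): a minimal evaluator for single-selection Sigma rules run over constructed firewall events, plus rendering of the selection as Splunk SPL and Microsoft KQL fragments. The events, the truncated-IOC variant and the field names (dst_ip and src_ip, following Sigma's firewall category) are constructed; the translation handles only the contains/startswith/endswith modifiers and is not a substitute for a full backend such as pySigma.

```python
"""Evaluate a single-selection Sigma rule against firewall events and render
it as Splunk SPL and Microsoft KQL fragments.

Added example; implements only the subset of the Sigma detection grammar
the IOC rule needs: one `selection` map, the contains/startswith/endswith
modifiers, list values as OR, and `condition: selection`.
"""

# The rule from the page, as PyYAML would load it; kept inline so the
# example runs without a YAML dependency.
IOC_RULE = {
    "title": "IOC Detection: C2 IP 185.220.101.42",
    "logsource": {"category": "firewall"},
    "detection": {
        "selection": {"dst_ip": "185.220.101.42"},
        "condition": "selection",
    },
}

# Constructed: a truncated IOC with the `contains` modifier, to show how
# substring matching over-matches on IP fields.
TRUNCATED_RULE = {
    "title": "constructed: truncated IOC with contains",
    "logsource": {"category": "firewall"},
    "detection": {
        "selection": {"dst_ip|contains": "185.220.101.4"},
        "condition": "selection",
    },
}

# Constructed firewall events using Sigma's firewall-category field names.
EVENTS = [
    {"src_ip": "10.0.0.15", "dst_ip": "185.220.101.42", "dst_port": 443},
    {"src_ip": "10.0.0.22", "dst_ip": "185.220.101.43", "dst_port": 443},
    {"src_ip": "10.0.0.15", "dst_ip": "203.0.113.10", "dst_port": 80},
    # Inbound from the IOC: dst_ip is internal, so the rule must not fire.
    {"src_ip": "185.220.101.42", "dst_ip": "10.0.0.5", "dst_port": 22},
]


def parse_field(key):
    """Split 'dst_ip|contains' into ('dst_ip', ['contains'])."""
    name, *mods = key.split("|")
    return name, mods


def value_matches(actual, expected, mods):
    """Sigma string comparison: case-insensitive, exact unless modified."""
    a, e = str(actual).lower(), str(expected).lower()
    if "contains" in mods:
        return e in a
    if "startswith" in mods:
        return a.startswith(e)
    if "endswith" in mods:
        return a.endswith(e)
    return a == e


def selection_matches(selection, event):
    """All keys must match (AND); a list of values matches if any does (OR).
    A field missing from the event never matches."""
    for key, expected in selection.items():
        name, mods = parse_field(key)
        if name not in event:
            return False
        values = expected if isinstance(expected, list) else [expected]
        if not any(value_matches(event[name], v, mods) for v in values):
            return False
    return True


def evaluate(rule, events):
    """Return the events the rule fires on."""
    det = rule["detection"]
    if det.get("condition") != "selection":
        raise NotImplementedError("only `condition: selection` is handled here")
    return [ev for ev in events if selection_matches(det["selection"], ev)]


def _spl_term(name, value, mods):
    # Splunk expresses substring matches as wildcards; a leading '*' cannot
    # be resolved efficiently against the index.
    v = str(value)
    if "contains" in mods:
        v = f"*{v}*"
    elif "startswith" in mods:
        v = f"{v}*"
    elif "endswith" in mods:
        v = f"*{v}"
    return f'{name}="{v}"'


def _kql_term(name, value, mods):
    op = next((m for m in ("contains", "startswith", "endswith") if m in mods), "==")
    return f'{name} {op} "{value}"'


def _translate(rule, term, and_kw, or_kw):
    """Alternatives ORed, fields ANDed. Quote escaping is omitted."""
    clauses = []
    for key, expected in rule["detection"]["selection"].items():
        name, mods = parse_field(key)
        values = expected if isinstance(expected, list) else [expected]
        alts = [term(name, v, mods) for v in values]
        clauses.append(alts[0] if len(alts) == 1 else "(" + or_kw.join(alts) + ")")
    return and_kw.join(clauses)


def to_spl(rule):
    return _translate(rule, _spl_term, " AND ", " OR ")


def to_kql(rule):
    return _translate(rule, _kql_term, " and ", " or ")


if __name__ == "__main__":
    for rule in (IOC_RULE, TRUNCATED_RULE):
        hits = evaluate(rule, EVENTS)
        print(f"{rule['title']}: {len(hits)} hit(s)")
        for ev in hits:
            print("   ", ev["src_ip"], "->", ev["dst_ip"])
        print("    SPL:", to_spl(rule))
        print("    KQL:", to_kql(rule))
```

Running it shows the exact rule firing once, on the outbound connection, while the inbound connection from the same address goes unmatched; the truncated contains variant fires on both .42 and .43, and its SPL rendering picks up the leading wildcard.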

Top Detection Gaps

T1003.006   OS Credential Dumping: DCSync             5 actors
T1047       Windows Management Instrumentation        4 actors
T1484.001   Group Policy Modification                 3 actors
T1611       Escape to Host                            2 actors
T1525       Implant Internal Image                    2 actors
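The gap list above ranks uncovered techniques by the number of tracked actors that use them. The following Python is an added example, not the dashboard's own code: it derives covered techniques from the ATT&CK tags of a Sigma rule set, computes a coverage score and ranks the gaps the same way. The rule tags and actor counts are constructed, and the roll-up policy (a sub-technique detection credits its parent, a parent-level rule credits each sub-technique, siblings never credit each other) is an assumption shown beside strict matching.

```python
"""Detection coverage analysis over MITRE ATT&CK technique IDs.

Added example. Credits each tracked technique as covered when some rule in
the set tags it, computes a coverage score, and ranks the remaining gaps by
how many tracked actors use them. All inputs below are constructed.
"""
import re

# Sigma ATT&CK tags look like 'attack.t1059.001' (technique or sub-technique).
TECHNIQUE_TAG = re.compile(r"^attack\.(t\d{4}(?:\.\d{3})?)$", re.IGNORECASE)

# Constructed: the `tags:` lists of a hypothetical Sigma rule set.
RULE_TAGS = {
    "proc_creation_win_powershell_encoded": ["attack.execution", "attack.t1059.001"],
    "proc_creation_win_cmd_suspicious": ["attack.execution", "attack.t1059.003"],
    "net_firewall_ioc_c2": ["attack.command_and_control", "attack.t1071.001"],
    "win_security_dcsync": ["attack.credential_access", "attack.t1003.006"],
    "registry_run_key_persistence": ["attack.persistence", "attack.t1547.001"],
}

# Constructed: tracked techniques -> number of tracked actors using each one.
TRACKED = {
    "T1059": 5, "T1059.001": 6, "T1059.003": 4, "T1071.001": 7,
    "T1003.001": 3, "T1003.006": 5, "T1047": 4, "T1484.001": 3,
    "T1611": 2, "T1525": 2, "T1547.001": 3,
}


def techniques_from_tags(tags):
    """Return the set of normalised technique IDs ('T1059.001') in a tag list."""
    found = set()
    for tag in tags:
        m = TECHNIQUE_TAG.match(tag)
        if m:
            found.add(m.group(1).upper())
    return found


def covered_techniques(rule_tags):
    """Union of technique IDs tagged by any rule in the set."""
    covered = set()
    for tags in rule_tags.values():
        covered |= techniques_from_tags(tags)
    return covered


def parent(tid):
    return tid.split(".")[0]


def is_covered(tid, covered, roll_up=True):
    """Strict mode: a rule must tag tid exactly. Roll-up mode (an assumed
    crediting policy): a rule for any sub-technique also counts toward its
    parent, and a rule tagged with a parent counts toward each of its
    sub-techniques. Sibling sub-techniques never credit each other."""
    if tid in covered:
        return True
    if not roll_up:
        return False
    if "." in tid and parent(tid) in covered:
        return True
    return "." not in tid and any(parent(c) == tid for c in covered)


def coverage_report(tracked, rule_tags, roll_up=True):
    covered = covered_techniques(rule_tags)
    hit = sorted(t for t in tracked if is_covered(t, covered, roll_up))
    gaps = [(t, tracked[t]) for t in tracked if not is_covered(t, covered, roll_up)]
    gaps.sort(key=lambda g: (-g[1], g[0]))  # most actors first, then by ID
    score = round(100.0 * len(hit) / len(tracked), 1) if tracked else 0.0
    return {"score": score, "covered": hit, "gaps": gaps, "total": len(tracked)}


if __name__ == "__main__":
    for mode in (True, False):
        r = coverage_report(TRACKED, RULE_TAGS, roll_up=mode)
        print(f"roll_up={mode}: {r['score']}% ({len(r['covered'])}/{r['total']} covered)")
        for tid, actors in r["gaps"]:
            print(f"    gap {tid:<10} {actors} actors")
```

With these inputs the two modes disagree only on T1059: a PowerShell rule credits the parent technique under roll-up but leaves it a gap under strict matching, which is why a dashboard should state which policy its coverage score uses.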