docs/coverage.md · detection-as-code

31 lines · markdown

# ATT&CK Coverage
 
Every rule compiles to Splunk SPL, Elastic ES|QL, and Microsoft Sentinel KQL.
 
| Tactic | Technique | Rule | Platform | Level |
|--------|-----------|------|----------|-------|
| Initial Access | T1566 Phishing | Office spawns scripting host / LOLBin | Windows | high |
| Execution | T1059.001 PowerShell | PowerShell EncodedCommand | Windows | medium |
| Execution | T1059.004 Unix Shell | Reverse shell one-liner | Linux | high |
| Execution | T1047 / via parent | Office spawns scripting host / LOLBin | Windows | high |
| Persistence | T1543.003 Windows Service | New service installed | Windows | high |
| Persistence | T1053.005 Scheduled Task | Scheduled task created | Windows | medium |
| Persistence | T1543.002 Systemd Service | Systemd persistence | Linux | medium |
| Defense Evasion | T1218.011 Rundll32 | Suspicious rundll32 | Windows | high |
| Credential Access | T1003.001 LSASS Memory | Suspicious LSASS access | Windows | high |
| Credential Access | T1110 Brute Force | SSH brute force (correlation) | Linux | high |
 
## Telemetry assumptions
 
- **Windows process/file events:** Sysmon (config aligned to SwiftOnSecurity baseline) - the
  Sysmon processing pipeline maps fields on conversion.
- **Windows service/task events:** Security and System channels (4698, 7045) - Windows-audit
  pipeline.
- **Linux:** auth logs (sshd) and process/file telemetry (auditd or Sysmon-for-Linux).
 
## Coverage notes
 
This is a focused starter set covering the techniques that show up most in the alerts I
triage day to day - credential dumping, phishing-to-execution, persistence, and brute force.
It is deliberately small and high-signal rather than a dump of every public rule. New
detections are added after they're validated against Atomic Red Team in the purple-team lab.

1	# ATT&CK Coverage
2
3	Every rule compiles to Splunk SPL, Elastic ES\|QL, and Microsoft Sentinel KQL.
4
5	\| Tactic \| Technique \| Rule \| Platform \| Level \|
6	\|--------\|-----------\|------\|----------\|-------\|
7	\| Initial Access \| T1566 Phishing \| Office spawns scripting host / LOLBin \| Windows \| high \|
8	\| Execution \| T1059.001 PowerShell \| PowerShell EncodedCommand \| Windows \| medium \|
9	\| Execution \| T1059.004 Unix Shell \| Reverse shell one-liner \| Linux \| high \|
10	\| Execution \| T1047 / via parent \| Office spawns scripting host / LOLBin \| Windows \| high \|
11	\| Persistence \| T1543.003 Windows Service \| New service installed \| Windows \| high \|
12	\| Persistence \| T1053.005 Scheduled Task \| Scheduled task created \| Windows \| medium \|
13	\| Persistence \| T1543.002 Systemd Service \| Systemd persistence \| Linux \| medium \|
14	\| Defense Evasion \| T1218.011 Rundll32 \| Suspicious rundll32 \| Windows \| high \|
15	\| Credential Access \| T1003.001 LSASS Memory \| Suspicious LSASS access \| Windows \| high \|
16	\| Credential Access \| T1110 Brute Force \| SSH brute force (correlation) \| Linux \| high \|
17
18	## Telemetry assumptions
19
20	- Windows process/file events: Sysmon (config aligned to SwiftOnSecurity baseline) - the
21	Sysmon processing pipeline maps fields on conversion.
22	- Windows service/task events: Security and System channels (4698, 7045) - Windows-audit
23	pipeline.
24	- Linux: auth logs (sshd) and process/file telemetry (auditd or Sysmon-for-Linux).
25
26	## Coverage notes
27
28	This is a focused starter set covering the techniques that show up most in the alerts I
29	triage day to day - credential dumping, phishing-to-execution, persistence, and brute force.
30	It is deliberately small and high-signal rather than a dump of every public rule. New
31	detections are added after they're validated against Atomic Red Team in the purple-team lab.