Detection-Tactics.md

WORK IN PROGRESS

ATT&CK Abbreviations Used

Initial Access (IA), Execution (Exe), Persistence (P), Privilege Escalation (PE), Defense Evasion (DE), Credential Access (CA), Discovery (D), Lateral Movement (LM), Collection (C), Exfiltration (Exf), Command and Control (CC)

Detect | ATT&CK Tactics Cross Mapping

Detection Tactic	IA	Exe	P	PE	DE	CA	D	LM	C	Exf	CC
Account Creation	X		X	X	X
Account Logon	X	X	X	X	X			X
Account Modification	X	X	X	X	X	X
API Usage		X	X	X	X		X		X
Commandline Activity	X	X	X	X	X	X	X		X	X
Configuration Change			X		X	X	X			X
DLL Load		X	X	X	X		X			X
Domain Replication Request						X
Email Traffic	X	X			X
File Access	X	X	X	X	X	X		X	X	X
File Contents	X	X	X		X
File Creation	X	X	X	X	X			X		X
File Deletion	X		X	X	X			X
File Modification	X		X	X	X			X
File Rename		X	X	X	X			X
Firmware Modification			X		X
Log Clearing
MBR VBR Modification			X		X
Named Pipe Connection				X	X
Named Pipe Creation				X	X
Network Activity by Process		X				X	X	X		X	X
Network Activity by IP		X				X	X	X		X
Network File Carving										X
Network Port Opening			X	X				X
Network Full Packet Capture	X
Process Access
Process Execution		X	X	X	X	X	X	X	X	X
Process Hooking			X	X		X
Process Termination		X			X
Registry Entry Access						X	X
Registry Entry Creation		X	X	X	X		X
Registry Entry Deletion		X	X	X	X
Registry Entry Modification		X	X	X	X		X
Scheduled Task		X	X	X
Service Creation		X	X	X	X			X
Service Modification			X	X
SQL Command	X
Web Request	X
USB Device Attached	X
WMI Activity		X	X	X			X		X
DNS Request
DHCP Request

Resources

• SANS FOR508
• https://attack.mitre.org/
• https://threathunterplaybook.com/introduction.html
• https://www.elastic.co/guide/en/siem/guide/current/prebuilt-rules.html
• https://github.com/Neo23x0/sigma
• https://github.com/splunk/security_content/tree/develop/detections
• https://lolbas-project.github.io/
• https://docs.rapid7.com/insightidr/windows-suspicious-process/