MITRE ATT&CK Coverage Gap Analysis
Analysis Date: March 2026 | ATT&CK Version: Enterprise v14 | Nexus SecOps Coverage Baseline: 50 Chapters, 16 Sigma Rules, 48 Detection Queries, 15 YARA Rules, 50 Purple Team Exercises
Executive Summary
Nexus SecOps currently covers 97 unique ATT&CK techniques across the 14 Enterprise tactics, out of approximately 201 top-level techniques in MITRE ATT&CK Enterprise v14. This yields an overall technique coverage rate of approximately 48%.
Coverage is strongest in the Execution (TA0002), Credential Access (TA0006), Persistence (TA0003), and Impact (TA0040) tactics, where detection rules, hunt hypotheses, and lab exercises provide layered coverage. Coverage is weakest in Reconnaissance (TA0043), Resource Development (TA0042), Collection (TA0009), and Exfiltration (TA0010), where many techniques lack production detection rules.
How Coverage Is Measured
Coverage is assessed across five layers, each adding depth:
| Level | Description | Score |
|---|---|---|
| None | Technique not referenced in any content | 0 |
| Low | IOC/Sigma rule reference only | 1 |
| Medium | Production detection query (KQL/SPL) or chapter reference | 2 |
| High | Detection query + threat hunt hypothesis | 3 |
| Full | Detection + hunt + lab/simulation/purple team exercise | 4 |
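The scoring table above, implemented as a small model (added example, not part of the original analysis or its tooling). The level rules follow the table literally, the artifact prefixes (Ch, Sigma, Detection, Hunt, PT, Lab) are assumed to mirror the "Covered By" column, and the rows are constructed so that one technique appears under several tactics, which shows how per-tactic and unique counts differ:

```python
"""Coverage scoring model for the 'How Coverage Is Measured' table.

Added example; not the report's own code. Level rules: None 0, Low 1
(IOC/Sigma/YARA rule only), Medium 2 (detection query or chapter), High 3
(detection + hunt), Full 4 (detection + hunt + lab/purple team exercise).
"""
from collections import defaultdict
from dataclasses import dataclass

LEVEL_NAMES = {0: "None", 1: "Low", 2: "Medium", 3: "High", 4: "Full"}


@dataclass(frozen=True)
class Row:
    """One line of a per-tactic coverage table."""
    tactic: str
    tid: str
    name: str
    artifacts: frozenset  # "Covered By" entries


def artifact_kind(artifact: str) -> str:
    """Classify a 'Covered By' entry by its prefix (assumed naming scheme)."""
    a = artifact.lower()
    if a.startswith("ch"):
        return "chapter"
    if a.startswith(("sigma", "yara", "ioc")):
        return "rule"        # rule reference only -> Low
    if a.startswith("detection"):
        return "detection"   # production KQL/SPL query
    if a.startswith("hunt"):
        return "hunt"        # threat hunt hypothesis
    if a.startswith(("pt-", "lab", "microsim")):
        return "lab"         # lab, simulation or purple team exercise
    return "other"


def coverage_level(artifacts) -> int:
    """Map a technique's artifacts to the 0-4 score defined in the table."""
    kinds = {artifact_kind(a) for a in artifacts}
    if {"detection", "hunt", "lab"} <= kinds:
        return 4
    if {"detection", "hunt"} <= kinds:
        return 3
    if "detection" in kinds or "chapter" in kinds:
        return 2
    if "rule" in kinds:
        return 1
    return 0  # a lab exercise alone scores None, matching "GAP (PT-004 only)"


def tactic_coverage(rows):
    """Per tactic: (covered, total). 'Covered' is any level above None, and a
    technique listed under several tactics counts once in each of them."""
    covered, total = defaultdict(int), defaultdict(int)
    for r in rows:
        total[r.tactic] += 1
        if coverage_level(r.artifacts) > 0:
            covered[r.tactic] += 1
    return {k: (covered[k], total[k]) for k in sorted(total)}


def unique_coverage(rows):
    """Overall (covered, total) with each technique ID counted once; artifacts
    from all of its tactic rows are merged before scoring."""
    merged = defaultdict(set)
    for r in rows:
        merged[r.tid] |= set(r.artifacts)
    covered = sum(1 for arts in merged.values() if coverage_level(arts) > 0)
    return covered, len(merged)


# Constructed rows, not the report's real inventory.
SAMPLE_ROWS = [
    Row("TA0001", "T1566", "Phishing",
        frozenset({"Ch25", "Sigma-001", "Detection-001", "Hunt-001", "PT-001"})),
    Row("TA0001", "T1078", "Valid Accounts",
        frozenset({"Ch33", "Detection-002", "Hunt-002"})),
    Row("TA0001", "T1199", "Trusted Relationship", frozenset({"PT-004"})),
    Row("TA0003", "T1078", "Valid Accounts", frozenset({"Ch33", "Detection-002"})),
    Row("TA0003", "T1197", "BITS Jobs", frozenset()),
    Row("TA0005", "T1197", "BITS Jobs", frozenset()),
    Row("TA0043", "T1596", "Search Open Technical Databases",
        frozenset({"Sigma-020"})),
]

if __name__ == "__main__":
    for r in SAMPLE_ROWS:
        print(r.tactic, r.tid, LEVEL_NAMES[coverage_level(r.artifacts)])
    print(tactic_coverage(SAMPLE_ROWS))   # TA0001 -> (2, 3)
    print(unique_coverage(SAMPLE_ROWS))   # (3, 5): T1078 and T1197 counted once
```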
Key Strengths
- Credential Access: 7/7 tracked techniques have detection rules; Kerberoasting, LSASS dump, password spray all have full lab + hunt coverage
- Impact: Ransomware kill chain fully mapped with Sigma, YARA, detection queries, and MicroSim
- Execution: PowerShell, WMI, LOLBAS, and scheduled tasks covered at all layers
- Purple Team: 50 exercises mapped 1:1 to ATT&CK techniques with red + blue procedures
Key Gaps
- Reconnaissance & Resource Development: Limited detection surface by nature, but several techniques (T1592, T1593, T1594, T1597) lack even theoretical coverage
- Defense Evasion: Only 8 of 42+ techniques covered; rootkits, trusted developer utilities, BITS Jobs missing
- Collection: No coverage for clipboard data (T1115), audio/video capture (T1123/T1125), or automated collection (T1119)
- Cloud-specific techniques: Container-specific techniques (T1610, T1611, T1613) referenced in Ch46 but lack detection rules
Coverage by Tactic
TA0043 — Reconnaissance
Coverage: 6 / 10 techniques (~60%)
| Technique ID | Technique Name | Coverage Level | Covered By |
|---|---|---|---|
| T1595 | Active Scanning | Medium | Ch19, Heatmap |
| T1596 | Search Open Technical Databases | Low | Ch19 |
| T1590 | Gather Victim Network Information | Low | Ch19 |
| T1598 | Phishing for Information | Medium | Ch25 |
| T1589 | Gather Victim Identity Information | None (referenced) | Ch19 |
| T1591 | Gather Victim Org Information | None (referenced) | Ch25 |
| T1592 | Gather Victim Host Information | GAP | — |
| T1593 | Search Open Websites/Domains | GAP | — |
| T1594 | Search Victim-Owned Websites | GAP | — |
| T1597 | Search Closed Sources | GAP | — |
Priority: Low. Reconnaissance techniques occur before the organization's detection boundary. Ch19 and Ch42 cover OSINT methodology. Remaining gaps are pre-attack techniques with minimal detection surface.
TA0042 — Resource Development
Coverage: 6 / 8 techniques (~75%)
| Technique ID | Technique Name | Coverage Level | Covered By |
|---|---|---|---|
| T1583 | Acquire Infrastructure | Low | Ch07 |
| T1584 | Compromise Infrastructure | Low | Ch07 |
| T1586 | Compromise Accounts | Medium | Ch33 |
| T1588 | Obtain Capabilities | Low | Ch18 |
| T1585 | Establish Accounts | None (referenced) | Ch25 |
| T1587 | Develop Capabilities | None (referenced) | Ch18 |
| T1608 | Stage Capabilities | GAP | — |
| T1650 | Acquire Access | GAP | — |
Priority: Low-Medium. Resource Development occurs in adversary infrastructure. T1608 (Stage Capabilities) is relevant for CTI teams analyzing phishing infrastructure. T1650 (Acquire Access via IABs) is highly relevant to the ransomware chapter and should be added to Ch23.
TA0001 — Initial Access
Coverage: 8 / 9 techniques (~89%)
| Technique ID | Technique Name | Coverage Level | Covered By |
|---|---|---|---|
| T1566 | Phishing | Full | Ch25, Sigma-001, Detection-001, PT-001, PT-002 |
| T1190 | Exploit Public-Facing Application | High | Ch29, Ch30, Detection, PT-008 |
| T1133 | External Remote Services | High | Ch33, Sigma-002, PT-006 |
| T1078 | Valid Accounts | High | Ch33, Detection-002/003, PT-005 |
| T1195 | Supply Chain Compromise | Medium | Ch24, PT-007 |
| T1189 | Drive-by Compromise | Medium | Ch30, Hunt Hypothesis, PT-003 |
| T1200 | Hardware Additions | Medium | Ch34 |
| T1091 | Replication Through Removable Media | Medium | Ch26 |
| T1199 | Trusted Relationship | GAP (PT-004 only) | PT-004 references it, but no chapter or detection coverage |
Priority: Medium. T1199 (Trusted Relationship) is used by APT groups (Cloud Hopper) and MSP compromises. Recommend adding detection content to Ch24 or Ch33.
TA0002 — Execution
Coverage: 7 / 13 techniques (~54%)
| Technique ID | Technique Name | Coverage Level | Covered By |
|---|---|---|---|
| T1059 | Command and Scripting Interpreter | Full | Ch05, Sigma-003, Detection, YARA, PT-009 |
| T1053 | Scheduled Task/Job | Full | Ch05, Sigma-006, Detection, PT-013 |
| T1047 | Windows Management Instrumentation | High | Sigma-004, Detection, PT-010 |
| T1204 | User Execution | Medium | Ch25, PT-012 |
| T1203 | Exploitation for Client Execution | Medium | Ch18, Ch30 |
| T1106 | Native API | Medium | Ch18 |
| T1072 | Software Deployment Tools | Low | Ch35 |
| T1559 | Inter-Process Communication | Partial | PT-014 (DDE) only |
| T1129 | Shared Modules | GAP | — |
| T1569 | System Services | Partial | Detection for T1569.002 exists, no dedicated chapter section |
| T1610 | Deploy Container | GAP (Ch46 reference) | Ch46 mentions but no detection |
| T1609 | Container Administration Command | GAP (Ch46 reference) | Ch46 mentions but no detection |
| T1651 | Cloud Administration Command | GAP | — |
Priority: Medium. Container execution techniques (T1609, T1610) are increasingly relevant as organizations adopt Kubernetes. T1559 (IPC/DDE) has a purple team exercise but needs detection rules. T1651 (Cloud Admin Command, e.g., AWS SSM RunCommand) is a growing attack vector.
TA0003 — Persistence
Coverage: 7 / 19 techniques (~37%)
| Technique ID | Technique Name | Coverage Level | Covered By |
|---|---|---|---|
| T1547 | Boot or Logon Autostart Execution | High | Sigma-007, Detection, PT-015, PT-017 |
| T1543 | Create or Modify System Process | High | Detection, PT-016 |
| T1546 | Event Triggered Execution | Medium | Ch05, PT-020 |
| T1136 | Create Account | High | Ch33, Detection, PT-019 |
| T1078 | Valid Accounts | High | Ch33, Detection, PT-005 |
| T1505 | Server Software Component | Medium | Ch30 |
| T1133 | External Remote Services | High | Ch33, Sigma-002 |
| T1176 | Browser Extensions | Partial | PT-018 only |
| T1098 | Account Manipulation | Partial | Ch46 references T1098.001 |
| T1574 | Hijack Execution Flow | Partial | Detection for DLL hijacking, PT-023 |
| T1556 | Modify Authentication Process | GAP | — |
| T1542 | Pre-OS Boot | Partial | Hunt hypothesis for bootkit |
| T1037 | Boot or Logon Initialization Scripts | GAP | — |
| T1554 | Compromise Client Software Binary | GAP | — |
| T1525 | Implant Internal Image | Partial | Detection query exists |
| T1205 | Traffic Signaling | GAP | — |
| T1137 | Office Application Startup | GAP | — |
| T1053 | Scheduled Task/Job | Full (duplicate with TA0002) | Sigma-006, Detection, PT-013 |
| T1197 | BITS Jobs | GAP | — |
Priority: High. T1556 (Modify Authentication Process) covers Skeleton Key, SSP injection, and hybrid identity attacks — critical for AD and cloud environments. T1197 (BITS Jobs) is a common persistence and download mechanism. T1037 (Logon Scripts) is frequently abused in AD environments.
Recommendation: Add T1556 content to Ch33 or Ch45. Add T1197 (BITS Jobs) detection to Ch05 and Sigma Rule Library.
TA0004 — Privilege Escalation
Coverage: 5 / 13 techniques (~38%)
| Technique ID | Technique Name | Coverage Level | Covered By |
|---|---|---|---|
| T1055 | Process Injection | Full | Ch18, YARA, Sigma, PT-030 |
| T1548 | Abuse Elevation Control Mechanism | High | Ch05, PT-022, PT-024 |
| T1134 | Access Token Manipulation | Medium | Ch18, Detection, PT-021, PT-027 |
| T1068 | Exploitation for Privilege Escalation | Medium | Ch29, PT-026 |
| T1484 | Domain Policy Modification | Medium | Ch33, PT-025 |
| T1611 | Escape to Host | GAP (Ch46 reference) | Ch46 conceptual only |
| T1078 | Valid Accounts | High (shared with TA0001) | Already covered |
| T1547 | Boot or Logon Autostart | High (shared with TA0003) | Already covered |
| T1546 | Event Triggered Execution | Medium (shared with TA0003) | Already covered |
| T1574 | Hijack Execution Flow | Partial | Detection for DLL hijacking exists |
| T1543 | Create or Modify System Process | High (shared with TA0003) | Already covered |
| T1053 | Scheduled Task/Job | Full (shared with TA0002) | Already covered |
| T1098 | Account Manipulation | Partial | Cloud credentials only |
Priority: Medium. T1611 (Escape to Host / container escape) is the most critical gap — container escapes are a top cloud security concern. Recommend adding detection content for container escape indicators (e.g., nsenter, chroot, /proc/1/root access) to Ch46 and detection query library.
TA0005 — Defense Evasion
Coverage: 8 / 42 techniques (~19%)
This is the largest tactic in ATT&CK and has the lowest coverage percentage. Defense Evasion contains 42 top-level techniques; Nexus SecOps covers only 8.
| Technique ID | Technique Name | Coverage Level | Covered By |
|---|---|---|---|
| T1055 | Process Injection | Full | Ch18, YARA, PT-030 |
| T1027 | Obfuscated Files or Information | High | Ch05, YARA, PT-034 |
| T1562 | Impair Defenses | High | Sigma-012, Detection, PT-033 |
| T1070 | Indicator Removal | High | Sigma-011, Detection, PT-028, PT-029, PT-032 |
| T1036 | Masquerading | High | Ch18, Sigma, PT-031 |
| T1218 | System Binary Proxy Execution | Full | Sigma-005, Detection, Ch05 |
| T1497 | Virtualization/Sandbox Evasion | Medium | Ch18 |
| T1140 | Deobfuscate/Decode Files | Medium | YARA, Ch18 |
| T1222 | File and Directory Permissions Modification | Partial | Ch45 reference only |
| T1574 | Hijack Execution Flow | Partial | Detection for DLL hijacking, PT-023 |
| T1112 | Modify Registry | GAP | — |
| T1564 | Hide Artifacts | GAP | — |
| T1202 | Indirect Command Execution | GAP | — |
| T1006 | Direct Volume Access | GAP | — |
| T1480 | Execution Guardrails | GAP | — |
| T1553 | Subvert Trust Controls | GAP | — |
| T1197 | BITS Jobs | GAP | — |
| T1207 | Rogue Domain Controller | GAP | — |
| T1556 | Modify Authentication Process | GAP | — |
| T1600 | Weaken Encryption | GAP | — |
| T1578 | Modify Cloud Compute Infrastructure | GAP | — |
| T1550 | Use Alternate Authentication Material | High (shared with TA0008) | — |
| T1220 | XSL Script Processing | GAP | — |
| T1216 | System Script Proxy Execution | GAP | — |
| T1221 | Template Injection | GAP | — |
| T1014 | Rootkit | GAP | — |
| T1127 | Trusted Developer Utilities | GAP | — |
| T1535 | Unused/Unsupported Cloud Regions | GAP | — |
| T1601 | Modify System Image | GAP | — |
| T1599 | Network Boundary Bridging | GAP | — |
| T1205 | Traffic Signaling | GAP | — |
Priority: HIGH. Defense Evasion is the largest tactic and represents the most significant coverage gap. Top priorities:
- T1112 (Modify Registry) — foundational Windows persistence/evasion, pairs with existing registry monitoring
- T1564 (Hide Artifacts) — hidden files, hidden windows, NTFS ADS, hidden users
- T1553 (Subvert Trust Controls) — code signing abuse, SIP/Trust Provider hijacking
- T1207 (Rogue Domain Controller / DCShadow) — critical AD attack, complements Ch45
- T1578 (Modify Cloud Compute Infrastructure) — snapshot, image, and instance modification for evasion
TA0006 — Credential Access
Coverage: 7 / 17 techniques (~41%)
| Technique ID | Technique Name | Coverage Level | Covered By |
|---|---|---|---|
| T1003 | OS Credential Dumping | Full | Sigma-009, Detection, YARA, Lab, PT-035 |
| T1558 | Steal or Forge Kerberos Tickets | Full | Sigma-008, Detection, Lab, PT-036 |
| T1110 | Brute Force | Full | Sigma-010, Detection, PT-037 |
| T1555 | Credentials from Password Stores | High | Detection, YARA, PT-038 |
| T1056 | Input Capture | High | YARA, Ch26 |
| T1557 | Adversary-in-the-Middle | Medium | Ch31, Detection |
| T1606 | Forge Web Credentials | Medium | Ch33 |
| T1552 | Unsecured Credentials | Partial | PT-039, Ch46 (T1552.005 IMDS) |
| T1649 | Steal or Forge Authentication Certificates | Partial | Ch45 ATT&CK table reference |
| T1528 | Steal Application Access Token | GAP | — |
| T1539 | Steal Web Session Cookie | GAP | — |
| T1621 | Multi-Factor Authentication Request Generation | GAP | — |
| T1556 | Modify Authentication Process | GAP | — |
| T1111 | Multi-Factor Authentication Interception | GAP | — |
| T1187 | Forced Authentication | GAP | — |
| T1212 | Exploitation for Credential Access | GAP | — |
| T1040 | Network Sniffing | GAP | — |
Priority: High. T1621 (MFA Fatigue/Bombing) is a critical modern technique used in Uber, Cisco, and Microsoft breaches. T1539 (Steal Web Session Cookie) is increasingly used in AiTM phishing attacks. T1649 (ADCS abuse) is referenced in Ch45 but needs dedicated detection content.
Recommendation: Add T1621 (MFA Fatigue) content to Ch33. Add T1539 and T1528 to Ch33 or a new identity attack detection section.
TA0007 — Discovery
Coverage: 7 / 31 techniques (~23%)
| Technique ID | Technique Name | Coverage Level | Covered By |
|---|---|---|---|
| T1087 | Account Discovery | High | Ch33, Detection, Ch45 |
| T1082 | System Information Discovery | High | Ch05 |
| T1046 | Network Service Discovery | High | Ch31, Ch43 |
| T1135 | Network Share Discovery | High | Ch38 |
| T1018 | Remote System Discovery | High | Ch31, Ch43 |
| T1083 | File and Directory Discovery | Medium | Ch05 |
| T1069 | Permission Groups Discovery | Medium | Ch33, Ch45 |
| T1580 | Cloud Infrastructure Discovery | Partial | Detection query exists, Ch46 |
| T1613 | Container and Resource Discovery | GAP (Ch46 reference) | — |
| T1016 | System Network Configuration Discovery | GAP | — |
| T1049 | System Network Connections Discovery | GAP | — |
| T1057 | Process Discovery | GAP | — |
| T1010 | Application Window Discovery | GAP | — |
| T1033 | System Owner/User Discovery | GAP | — |
| T1007 | System Service Discovery | GAP | — |
| T1012 | Query Registry | GAP | — |
| T1518 | Software Discovery | GAP | — |
| T1124 | System Time Discovery | GAP | — |
| T1201 | Password Policy Discovery | GAP | — |
| T1120 | Peripheral Device Discovery | GAP | — |
| T1538 | Cloud Service Dashboard | GAP | — |
| T1526 | Cloud Service Discovery | GAP | — |
| T1619 | Cloud Storage Object Discovery | GAP | — |
| T1622 | Debugger Evasion | GAP | — |
Priority: Medium. Many Discovery techniques are high-volume/low-fidelity (process listing, registry queries). Prioritize T1016 (System Network Configuration) and T1049 (Network Connections) as these are commonly seen in early-stage post-exploitation and can be correlated with other suspicious activity. Cloud discovery gaps (T1526, T1619) should be addressed in Ch46.
TA0008 — Lateral Movement
Coverage: 5 / 9 techniques (~56%)
| Technique ID | Technique Name | Coverage Level | Covered By |
|---|---|---|---|
| T1021 | Remote Services | Full | Sigma-013/014, Detection, PT-040, PT-041 |
| T1550 | Use Alternate Authentication Material | High | Ch38, PT-044 |
| T1570 | Lateral Tool Transfer | Medium | Ch31, PT-043 |
| T1210 | Exploitation of Remote Services | Medium | Ch29 |
| T1080 | Taint Shared Content | Low | Ch26 |
| T1563 | Remote Service Session Hijacking | Partial | PT-042 only |
| T1534 | Internal Spearphishing | GAP | — |
| T1072 | Software Deployment Tools | Low (shared with TA0002) | — |
| T1091 | Replication Through Removable Media | Medium (shared with TA0001) | — |
Priority: Medium. T1534 (Internal Spearphishing) is used by sophisticated actors post-compromise to move laterally via email within the organization. T1563 (Session Hijacking) has a purple team exercise but needs detection rules for RDP hijacking indicators.
TA0009 — Collection
Coverage: 6 / 17 techniques (~35%)
| Technique ID | Technique Name | Coverage Level | Covered By |
|---|---|---|---|
| T1005 | Data from Local System | Medium | Ch26 |
| T1039 | Data from Network Shared Drive | Medium | Ch26 |
| T1074 | Data Staged | Medium | Ch26, Detection |
| T1213 | Data from Information Repositories | Medium | Ch26 |
| T1056 | Input Capture | High | YARA, Ch26 |
| T1114 | Email Collection | Medium | Detection (email forwarding rule) |
| T1113 | Screen Capture | Partial | Detection query exists |
| T1115 | Clipboard Data | GAP | — |
| T1119 | Automated Collection | GAP | — |
| T1123 | Audio Capture | GAP | — |
| T1125 | Video Capture | GAP | — |
| T1185 | Browser Session Hijacking | GAP | — |
| T1530 | Data from Cloud Storage Object | Partial | Detection query exists |
| T1557 | Adversary-in-the-Middle | Medium (shared with TA0006) | — |
| T1602 | Data from Configuration Repository | GAP | — |
| T1560 | Archive Collected Data | GAP | — |
| T1025 | Data from Removable Media | GAP | — |
Priority: Medium. T1560 (Archive Collected Data) is a near-universal pre-exfiltration step (rar, 7z, zip of staged data) and is highly detectable. T1115 (Clipboard Data) is used by info stealers. T1185 (Browser Session Hijacking) is relevant to modern AiTM attacks.
Recommendation: Add T1560 detection (archive creation in unusual directories) to Detection Query Library. Add T1115 and T1185 content to Ch26 or Ch33.
TA0010 — Exfiltration
Coverage: 5 / 9 techniques (~56%)
| Technique ID | Technique Name | Coverage Level | Covered By |
|---|---|---|---|
| T1041 | Exfiltration Over C2 Channel | High | Ch38, PT-045 |
| T1048 | Exfiltration Over Alternative Protocol | High | Detection, PT-046 |
| T1567 | Exfiltration Over Web Service | High | Detection, PT-047 |
| T1029 | Scheduled Transfer | Medium | Ch38 |
| T1537 | Transfer Data to Cloud Account | Medium | Ch20 |
| T1052 | Exfiltration Over Physical Medium | Partial | Detection queries exist, PT-050 |
| T1020 | Automated Exfiltration | Partial | PT-048 only |
| T1030 | Data Transfer Size Limits | Partial | PT-049 only |
| T1011 | Exfiltration Over Other Network Medium | Partial | PT-050 (Bluetooth) only |
Priority: Low-Medium. Most critical exfiltration vectors (C2, DNS, cloud) are well covered. Physical medium and automated exfiltration have purple team exercises but lack production detection rules.
TA0011 — Command and Control
Coverage: 6 / 16 techniques (~38%)
| Technique ID | Technique Name | Coverage Level | Covered By |
|---|---|---|---|
| T1071 | Application Layer Protocol | Full | Detection, Ch38, Lab |
| T1572 | Protocol Tunneling | High | Detection, Ch38 |
| T1095 | Non-Application Layer Protocol | Medium | Detection, Ch31 |
| T1090 | Proxy | Medium | Ch38 |
| T1102 | Web Service | Medium | Ch07, Ch38 |
| T1573 | Encrypted Channel | Medium | Ch32, Ch38 |
| T1105 | Ingress Tool Transfer | Partial | YARA reference, LOLBAS detection covers this implicitly |
| T1132 | Data Encoding | GAP | — |
| T1001 | Data Obfuscation | GAP | — |
| T1568 | Dynamic Resolution | GAP | — |
| T1008 | Fallback Channels | GAP | — |
| T1104 | Multi-Stage Channels | GAP | — |
| T1219 | Remote Access Software | Partial | YARA rule exists |
| T1205 | Traffic Signaling | GAP | — |
| T1571 | Non-Standard Port | GAP | — |
| T1659 | Content Injection | GAP | — |
Priority: Medium. T1105 (Ingress Tool Transfer) is extremely common — nearly every intrusion involves downloading tools. T1568 (Dynamic Resolution / DGA) is critical for botnet and advanced malware detection. T1219 (Remote Access Software like AnyDesk, TeamViewer) is increasingly abused by ransomware operators and has a YARA rule but needs detection queries.
Recommendation: Add T1568 (DGA detection) and T1219 (unauthorized remote access tools) to Detection Query Library. Add T1105 as a standalone detection (large downloads from suspicious sources).
TA0040 — Impact
Coverage: 6 / 14 techniques (~43%)
| Technique ID | Technique Name | Coverage Level | Covered By |
|---|---|---|---|
| T1486 | Data Encrypted for Impact | Full | Sigma-016, YARA, Detection, MicroSim, Ch23 |
| T1490 | Inhibit System Recovery | Full | Sigma-015, YARA, Detection, Ch23 |
| T1485 | Data Destruction | High | YARA, Ch23 |
| T1561 | Disk Wipe | High | YARA, Detection, Ch23 |
| T1491 | Defacement | Medium | Ch30 |
| T1498 | Network Denial of Service | Medium | Ch31 |
| T1499 | Endpoint Denial of Service | GAP | — |
| T1496 | Resource Hijacking | GAP | — |
| T1565 | Data Manipulation | GAP | — |
| T1531 | Account Access Removal | GAP | — |
| T1489 | Service Stop | GAP | — |
| T1529 | System Shutdown/Reboot | GAP | — |
| T1495 | Firmware Corruption | GAP | — |
| T1657 | Financial Theft | GAP | — |
Priority: Medium-High. T1496 (Resource Hijacking / cryptojacking) already has an IR playbook (the Cryptojacking Playbook) but lacks detection rules. T1489 (Service Stop) is a ransomware precursor (stopping databases, security tools before encryption). T1531 (Account Access Removal) is common in destructive attacks. T1565 (Data Manipulation / integrity attacks) is increasingly relevant for financial and healthcare sectors.
Top 20 Missing Techniques
The following 20 techniques represent the highest-priority coverage gaps, ranked by real-world prevalence, relevance to the Nexus SecOps audience, and feasibility of adding content.
| Rank | Technique ID | Technique Name | Tactic | Why Critical | Recommended Chapter |
|---|---|---|---|---|---|
| 1 | T1621 | MFA Request Generation | Credential Access | Used in Uber, Cisco, Microsoft breaches; MFA fatigue is a top 2024-2025 vector | Ch33 |
| 2 | T1219 | Remote Access Software | C2 | AnyDesk, TeamViewer, ConnectWise abused in 70%+ ransomware incidents | Ch38 |
| 3 | T1105 | Ingress Tool Transfer | C2 | Present in virtually every intrusion; certutil/curl/wget/PowerShell downloads | Ch05 |
| 4 | T1489 | Service Stop | Impact | Pre-encryption step in ransomware (stop SQL, Exchange, backup services) | Ch23 |
| 5 | T1556 | Modify Authentication Process | Persistence, Defense Evasion | Skeleton Key, SSP injection, hybrid identity compromise | Ch45 |
| 6 | T1568 | Dynamic Resolution | C2 | DGA detection is foundational for botnet/malware hunting | Ch38 |
| 7 | T1560 | Archive Collected Data | Collection | Near-universal pre-exfiltration step (rar/7z staging) | Ch26 |
| 8 | T1539 | Steal Web Session Cookie | Credential Access | AiTM phishing and session hijacking; Evilginx-style attacks | Ch33 |
| 9 | T1496 | Resource Hijacking | Impact | Cryptojacking — playbook exists but no detection rules | Ch20 |
| 10 | T1197 | BITS Jobs | Persistence, Defense Evasion | Common download/persistence mechanism, used by APT groups | Ch05 |
| 11 | T1611 | Escape to Host | Privilege Escalation | Container escapes are top cloud security concern | Ch46 |
| 12 | T1112 | Modify Registry | Defense Evasion | Foundational Windows technique, pairs with existing registry monitoring | Ch05 |
| 13 | T1564 | Hide Artifacts | Defense Evasion | Hidden files, NTFS ADS, hidden windows — common in malware | Ch18 |
| 14 | T1207 | Rogue Domain Controller | Defense Evasion | DCShadow — critical AD attack, complements Ch45 | Ch45 |
| 15 | T1531 | Account Access Removal | Impact | Locking out defenders during destructive attacks | Ch28 |
| 16 | T1553 | Subvert Trust Controls | Defense Evasion | Code signing abuse, SIP hijacking, Mark-of-the-Web bypass | Ch18 |
| 17 | T1534 | Internal Spearphishing | Lateral Movement | Post-compromise lateral phishing from trusted mailbox | Ch25 |
| 18 | T1199 | Trusted Relationship | Initial Access | MSP/vendor compromise (Cloud Hopper, Kaseya) | Ch24 |
| 19 | T1528 | Steal Application Access Token | Credential Access | OAuth token theft, consent phishing, app impersonation | Ch33 |
| 20 | T1651 | Cloud Administration Command | Execution | AWS SSM RunCommand, Azure RunCommand for remote execution | Ch46 |
Recommendations
Immediate Actions (Next 1-2 Sessions)
Quick Wins
- Add T1621 (MFA Fatigue) detection to Detection Query Library and Sigma Rule Library — monitor for >5 MFA push requests within 10 minutes per user
- Add T1219 (Remote Access Tools) detection — query for unauthorized AnyDesk, TeamViewer, ConnectWise, Splashtop, Atera, ScreenConnect processes
- Add T1489 (Service Stop) detection — monitor for bulk service stop commands targeting SQL, Exchange, backup, and security services (ransomware precursor)
- Add T1560 (Archive Collected Data) detection — detect rar.exe, 7z.exe, zip creating archives in temp/staging directories
- Add T1197 (BITS Jobs) Sigma rule — detect bitsadmin transfers and PowerShell Start-BitsTransfer for persistence
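The first quick win as working detection logic (added example, not a query from the Detection Query Library or Sigma Rule Library): a per-user sliding window that fires once a user receives more than 5 MFA push requests within 10 minutes, the threshold stated above, and additionally flags the higher-fidelity case where the user approves a push after the burst. The event tuple layout, the result values "approved"/"denied" and the sample events are all constructed assumptions.

```python
"""Sliding-window detection for T1621 (MFA request generation / MFA fatigue).

Added example; not the report's production KQL/SPL. Rule: more than THRESHOLD
push requests for one user inside a WINDOW-long window raises an alert, and a
later approval by that user marks the alert as a likely successful fatigue.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)
THRESHOLD = 5  # alert once a user's pushes inside the window exceed this

# Constructed sample telemetry: (UTC timestamp, user, push result). Not real logs.
SAMPLE_EVENTS = [
    ("2026-03-01T08:00:05Z", "alice", "denied"),
    ("2026-03-01T08:00:00Z", "bob", "approved"),
    ("2026-03-01T08:01:10Z", "alice", "denied"),
    ("2026-03-01T08:02:15Z", "alice", "denied"),
    ("2026-03-01T08:03:20Z", "alice", "denied"),
    ("2026-03-01T08:04:25Z", "alice", "denied"),
    ("2026-03-01T08:05:30Z", "alice", "denied"),    # 6th push in about 5.5 minutes
    ("2026-03-01T08:06:35Z", "alice", "denied"),
    ("2026-03-01T08:07:40Z", "alice", "approved"),  # user gave in after the burst
    ("2026-03-01T08:12:00Z", "bob", "approved"),
    ("2026-03-01T08:25:00Z", "bob", "approved"),
    # carol: six pushes spread over 2.5 hours, never six inside one window
    ("2026-03-01T09:00:00Z", "carol", "denied"),
    ("2026-03-01T09:30:00Z", "carol", "denied"),
    ("2026-03-01T10:00:00Z", "carol", "denied"),
    ("2026-03-01T10:30:00Z", "carol", "denied"),
    ("2026-03-01T11:00:00Z", "carol", "denied"),
    ("2026-03-01T11:30:00Z", "carol", "denied"),
]


def parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def detect_mfa_fatigue(events, window=WINDOW, threshold=THRESHOLD):
    """Return one alert per user, raised the first time the number of pushes
    inside `window` exceeds `threshold`; later approvals enrich that alert."""
    recent = defaultdict(deque)  # user -> push timestamps still inside the window
    alerts = {}
    for ts_str, user, result in sorted(events, key=lambda e: parse_ts(e[0])):
        ts = parse_ts(ts_str)
        q = recent[user]
        q.append(ts)
        while ts - q[0] > window:  # evict pushes that fell out of the window
            q.popleft()
        if user in alerts:
            if result == "approved":  # approval after the burst: likely success
                alerts[user]["approved_after_burst"] = True
            continue
        if len(q) > threshold:
            alerts[user] = {
                "user": user,
                "technique": "T1621",
                "push_count": len(q),
                "window_start": q[0].isoformat(),
                "window_end": ts.isoformat(),
                "approved_after_burst": False,
            }
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_mfa_fatigue(SAMPLE_EVENTS):
        print(alert)  # one alert, for alice, push_count 6, approved_after_burst True
```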
Medium-Term Actions (Next 3-5 Sessions)
Content Expansion
- Expand Ch33 with modern identity attack techniques: MFA fatigue (T1621), AiTM session hijacking (T1539), OAuth consent phishing (T1528), and token theft
- Expand Ch45 with DCShadow (T1207), Skeleton Key (T1556), and golden/silver certificate attacks (T1649 expanded)
- Create container security detection section in Ch46 covering T1610, T1611, T1609, T1613 with Kubernetes audit log queries
- Add Defense Evasion chapter section or expand Ch18 to cover hidden artifacts (T1564), MOTW bypass (T1553), and indirect command execution (T1202)
- Add 5 new purple team exercises for the top-5 gaps: PT-051 (MFA Fatigue), PT-052 (Remote Access Tool Abuse), PT-053 (Service Stop Pre-Ransomware), PT-054 (Container Escape), PT-055 (DCShadow)
Long-Term Vision
Full ATT&CK Coverage Roadmap
- Target: 75% technique coverage (150/201 techniques) by end of 2026
- Strategy: Prioritize techniques by MITRE's "Top Techniques" list, Red Canary Threat Detection Report, and Mandiant M-Trends annual report
- Metrics: Track coverage delta after each content session using the ATT&CK Coverage Heatmap
- Integration: Link every new detection rule to the corresponding heatmap entry, ensuring the heatmap stays current
Coverage Heatmap Summary Table
| Tactic | ID | Techniques Covered | Total Techniques | Coverage % | Priority |
|---|---|---|---|---|---|
| Reconnaissance | TA0043 | 6 | 10 | 60% | Low |
| Resource Development | TA0042 | 6 | 8 | 75% | Low |
| Initial Access | TA0001 | 8 | 9 | 89% | Low |
| Execution | TA0002 | 7 | 13 | 54% | Medium |
| Persistence | TA0003 | 7 | 19 | 37% | High |
| Privilege Escalation | TA0004 | 5 | 13 | 38% | Medium |
| Defense Evasion | TA0005 | 8 | 42 | 19% | Critical |
| Credential Access | TA0006 | 7 | 17 | 41% | High |
| Discovery | TA0007 | 7 | 31 | 23% | Medium |
| Lateral Movement | TA0008 | 5 | 9 | 56% | Medium |
| Collection | TA0009 | 6 | 17 | 35% | Medium |
| Exfiltration | TA0010 | 5 | 9 | 56% | Low |
| Command and Control | TA0011 | 6 | 16 | 38% | Medium |
| Impact | TA0040 | 6 | 14 | 43% | Medium |
| TOTAL | — | ~97 | ~201 | ~48% | — |
Interpretation Notes
- Several techniques appear under multiple tactics (e.g., T1078 Valid Accounts appears under Initial Access, Persistence, Privilege Escalation, and Defense Evasion). The unique technique count avoids double-counting.
- "Covered" means any coverage level above None — even a chapter reference counts. The heatmap distinguishes between Low, Medium, High, and Full coverage.
- Discovery (TA0007) has low percentage coverage because it contains many benign-seeming techniques (process listing, registry queries) that are difficult to alert on without behavioral baselining.
- Defense Evasion (TA0005) has the lowest percentage because it is the largest tactic with 42 techniques, many of which are niche or platform-specific.
Related Resources
- ATT&CK Coverage Heatmap — Interactive visual coverage map
- Detection Query Library — Production KQL and SPL queries
- Sigma Rule Library — SIEM-agnostic detection rules
- YARA Rule Library — File and memory scanning rules
- Threat Hunt Hypotheses — Hypothesis-driven hunting library
- Purple Team Exercise Library — 50 adversary emulation exercises
- ATT&CK Cheat Sheet — Quick reference for ATT&CK framework
97 techniques covered across 14 tactics | 104 techniques identified as gaps | Analysis based on ATT&CK Enterprise v14 | Last updated: March 2026