Complete MITRE ATT&CK Detection Coverage: 704 KQL and SPL Queries
Most security teams know they should be building detections mapped to MITRE ATT&CK. Fewer have actually done it at scale. Writing a single production-quality detection rule — with proper KQL or SPL queries, false positive documentation, severity tuning, and response playbooks — takes hours of research and testing. Multiply that by the 200+ techniques in the ATT&CK framework, and you’re looking at a multi-year effort for even a well-staffed detection engineering team.
That’s why we built df00tech. Our library contains 704 production-ready detection rules covering MITRE ATT&CK techniques and sub-techniques, each with both KQL (Microsoft Sentinel / Defender for Endpoint) and SPL (Splunk) queries ready to deploy.
Why Detection Coverage Matters
The MITRE ATT&CK framework documents how adversaries actually operate — from initial access through exfiltration. Each technique represents a real capability used by threat actors in the wild. The problem is that most organizations have significant gaps in their detection coverage.
According to multiple red team reports, the average enterprise SOC detects fewer than 30% of ATT&CK techniques used against them. That means 70% of adversary behavior goes undetected. The gap isn’t a tooling problem — most teams have Sentinel or Splunk deployed. It’s a detection content problem.
Every technique without a detection rule is a blind spot an attacker can exploit. And attackers know this. Techniques like T1105 — Ingress Tool Transfer and T1003.001 — LSASS Memory are used by virtually every sophisticated threat actor because they work, and because many organizations lack specific detections for them.
How df00tech Detections Are Structured
Each detection in our library is purpose-built for production deployment. Here’s what you get for every technique:
Free tier (every detection):
- KQL query for Microsoft Sentinel / Defender for Endpoint with required tables, data sources, and false positive documentation
- SPL query for Splunk with required sourcetypes and equivalent coverage
- Severity and confidence ratings based on real-world signal-to-noise analysis
- MITRE ATT&CK mapping with tactic and technique identifiers
Pro tier (paid):
- Response playbooks with triage steps, containment actions, evidence collection checklists, and escalation criteria
- Investigation guides with forensic artifacts and analysis procedures
- Atomic Red Team tests for validating detection efficacy
- Tuning guidance for reducing false positives in your environment
Real Detection Examples
Let’s look at two detections from the library to show what production-quality looks like.
Credential Dumping: LSASS Memory (T1003.001)
LSASS credential dumping is one of the most critical techniques to detect. Every major threat actor — from APT groups to ransomware operators — dumps LSASS memory to harvest credentials for lateral movement. Our T1003.001 detection uses a three-branch approach in KQL:
```kql
let SuspiciousLsassAccess = DeviceEvents
| where ActionType == "ProcessAccessed"
| where FileName =~ "lsass.exe"
| where InitiatingProcessFileName !in~ (
    "MsMpEng.exe", "csrss.exe", "services.exe", ...
)
| where InitiatingProcessGrantedAccessMask in (
    "0x1fffff", "0x1f3fff", "0x143a", "0x1410"
);
```
This first branch catches Mimikatz-style injection by monitoring which processes open handles to LSASS with high-privilege access masks. The detection then unions two additional branches: one for comsvcs.dll MiniDump via rundll32 (a favourite LOLBin approach), and another for ProcDump targeting LSASS. Three vectors, one detection — covering the major credential dumping tradecraft.
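To make the three-branch logic concrete, here is an added Python model of the same classification run over constructed endpoint events (this is illustrative code written for this post, not df00tech's detection or Microsoft's schema). Field names mirror the DeviceEvents / DeviceProcessEvents columns, the access-mask values are the ones the KQL above lists, and the benign-process allowlist and the sample events are assumptions chosen for the example.

```python
from dataclasses import dataclass

# High-privilege access masks a credential dumper requests on an LSASS handle
# (the same values the page's KQL matches on).
SUSPICIOUS_ACCESS_MASKS = {"0x1fffff", "0x1f3fff", "0x143a", "0x1410"}

# Processes that legitimately open LSASS with broad access. The page's list is
# truncated, so this three-entry allowlist is an assumption for the example.
BENIGN_LSASS_ACCESSORS = {"msmpeng.exe", "csrss.exe", "services.exe"}


@dataclass
class Event:
    action_type: str            # "ProcessAccessed" or "ProcessCreated"
    file_name: str              # target process (access) or new process (create)
    initiating_process: str     # parent / accessing process image name
    command_line: str = ""      # ProcessCommandLine for ProcessCreated events
    granted_access_mask: str = ""  # InitiatingProcessGrantedAccessMask, hex string


def branch_handle_access(e: Event) -> bool:
    """Branch 1: a non-allowlisted process opens LSASS with a high-privilege mask."""
    return (e.action_type == "ProcessAccessed"
            and e.file_name.lower() == "lsass.exe"
            and e.initiating_process.lower() not in BENIGN_LSASS_ACCESSORS
            and e.granted_access_mask.lower() in SUSPICIOUS_ACCESS_MASKS)


def branch_comsvcs_minidump(e: Event) -> bool:
    """Branch 2: rundll32 invoking the comsvcs.dll MiniDump export."""
    cl = e.command_line.lower()
    return (e.action_type == "ProcessCreated"
            and e.file_name.lower() == "rundll32.exe"
            and "comsvcs" in cl and "minidump" in cl)


def branch_procdump(e: Event) -> bool:
    """Branch 3: ProcDump (any variant of the image name) pointed at lsass."""
    cl = e.command_line.lower()
    return (e.action_type == "ProcessCreated"
            and e.file_name.lower().startswith("procdump")
            and "lsass" in cl)


# Evaluated in order; the first matching branch labels the event, mirroring the
# union of three sub-queries in the KQL detection.
BRANCHES = {
    "lsass_handle_access": branch_handle_access,
    "comsvcs_minidump": branch_comsvcs_minidump,
    "procdump_lsass": branch_procdump,
}


def classify(events):
    """Return (branch_name, event) for every event that trips one of the branches."""
    hits = []
    for e in events:
        for name, predicate in BRANCHES.items():
            if predicate(e):
                hits.append((name, e))
                break
    return hits


# Constructed sample events for the example (not real telemetry).
SAMPLE_EVENTS = [
    # benign: Defender's engine reading LSASS is allowlisted
    Event("ProcessAccessed", "lsass.exe", "MsMpEng.exe", granted_access_mask="0x1fffff"),
    # benign: an unknown process with a narrow, read-only mask is not flagged
    Event("ProcessAccessed", "lsass.exe", "monitor.exe", granted_access_mask="0x1000"),
    # branch 1: unknown process, full-access mask
    Event("ProcessAccessed", "lsass.exe", "dumper.exe", granted_access_mask="0x1FFFFF"),
    # branch 2: constructed rundll32 + comsvcs MiniDump command line
    Event("ProcessCreated", "rundll32.exe", "cmd.exe",
          command_line=r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 1234 C:\temp\out.dmp full"),
    # branch 3: constructed ProcDump command line targeting lsass
    Event("ProcessCreated", "procdump64.exe", "powershell.exe",
          command_line=r"procdump64.exe -ma lsass.exe C:\temp\out.dmp"),
    # benign: rundll32 loading an unrelated DLL
    Event("ProcessCreated", "rundll32.exe", "explorer.exe",
          command_line=r"rundll32.exe shell32.dll,Control_RunDLL"),
]


def sample_branch_names():
    """Branch labels fired by SAMPLE_EVENTS, in event order."""
    return [name for name, _ in classify(SAMPLE_EVENTS)]


if __name__ == "__main__":
    for name, e in classify(SAMPLE_EVENTS):
        print(f"{name:22s} {e.initiating_process} -> {e.file_name} {e.command_line}")
```

Running the file prints one line per firing branch; the two allowlisted/narrow-mask access events and the unrelated rundll32 launch stay silent, which is the behaviour the exclusion list and the access-mask filter exist to produce.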
Password Spraying (T1110.003)
Password spraying is a go-to technique for APT28, APT29, HAFNIUM, and others targeting cloud environments. Our T1110.003 detection covers both Azure AD / Entra ID and on-premises Active Directory:
```kql
let AzureADSpray = SigninLogs
| where ResultType in ("50126", "50053", "50057", ...)
| summarize
    DistinctAccounts = dcount(UserPrincipalName),
    FailureCount = count()
    by IPAddress, bin(TimeGenerated, 30m)
// Derive the per-account average from the two aggregates before filtering on it
| extend AvgFailuresPerAccount = todouble(FailureCount) / DistinctAccounts
| where DistinctAccounts >= 10
| where AvgFailuresPerAccount <= 5;
```
The key heuristic: spraying hits many accounts with few attempts each (to avoid lockout), while brute force concentrates on fewer accounts. The detection uses AvgFailuresPerAccount <= 5 to distinguish the two patterns — a detail that many generic “failed login” alerts miss entirely.
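The spray-versus-brute-force heuristic is easy to get wrong at the threshold edges, so here is an added Python model of the same 30-minute binning and aggregation, run over constructed sign-in records, that you can use to sanity-check the thresholds offline before deploying the KQL (example code written for this post, not df00tech's rule). The three ResultType codes are the ones the query above shows; the page's full list is truncated, so only that subset is used, and the IP addresses, account names and timestamps are made up.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Failure result codes carried over from the page's query (subset; the original list is truncated).
FAILURE_RESULT_TYPES = {"50126", "50053", "50057"}
WINDOW = timedelta(minutes=30)          # bin(TimeGenerated, 30m)
MIN_DISTINCT_ACCOUNTS = 10              # DistinctAccounts >= 10
MAX_AVG_FAILURES_PER_ACCOUNT = 5        # AvgFailuresPerAccount <= 5

EPOCH = datetime(1970, 1, 1)


def bin_start(ts: datetime, window: timedelta = WINDOW) -> datetime:
    """Floor a timestamp to a window boundary, like KQL's bin()."""
    return EPOCH + ((ts - EPOCH) // window) * window


def summarize(signin_logs):
    """Aggregate failed sign-ins per (IPAddress, 30m bin): the KQL summarize step."""
    per_bin = defaultdict(lambda: {"accounts": set(), "failures": 0})
    for rec in signin_logs:
        if rec["ResultType"] not in FAILURE_RESULT_TYPES:
            continue                                  # successes and other codes are ignored
        key = (rec["IPAddress"], bin_start(rec["TimeGenerated"]))
        per_bin[key]["accounts"].add(rec["UserPrincipalName"].lower())
        per_bin[key]["failures"] += 1
    rows = []
    for (ip, start), agg in per_bin.items():
        distinct, failures = len(agg["accounts"]), agg["failures"]
        rows.append({
            "IPAddress": ip,
            "BinStart": start,
            "DistinctAccounts": distinct,
            "FailureCount": failures,
            "AvgFailuresPerAccount": failures / distinct,
        })
    return rows


def detect_spray(signin_logs):
    """Rows that match the spray shape: many accounts, few attempts each."""
    return [r for r in summarize(signin_logs)
            if r["DistinctAccounts"] >= MIN_DISTINCT_ACCOUNTS
            and r["AvgFailuresPerAccount"] <= MAX_AVG_FAILURES_PER_ACCOUNT]


def build_sample_logs():
    """Constructed SigninLogs-style records: one spray, one brute force, some benign traffic."""
    base = datetime(2024, 1, 15, 9, 0)          # on a 30-minute boundary
    logs = []
    # Spray: 12 accounts, 2 attempts each, from one source, all within ~12 minutes.
    for i in range(12):
        for j in range(2):
            logs.append({"TimeGenerated": base + timedelta(seconds=30 * (2 * i + j)),
                         "IPAddress": "203.0.113.10",
                         "UserPrincipalName": f"user{i:02d}@example.com",
                         "ResultType": "50126"})
    # Brute force: a single account hammered 40 times from another source.
    for k in range(40):
        logs.append({"TimeGenerated": base + timedelta(seconds=10 * k),
                     "IPAddress": "198.51.100.7",
                     "UserPrincipalName": "user05@example.com",
                     "ResultType": "50126"})
    # Benign: successful sign-ins (ResultType "0") that never enter the aggregation.
    for k in range(5):
        logs.append({"TimeGenerated": base + timedelta(minutes=k),
                     "IPAddress": "192.0.2.5",
                     "UserPrincipalName": f"staff{k}@example.com",
                     "ResultType": "0"})
    return logs


if __name__ == "__main__":
    for row in summarize(build_sample_logs()):
        print(row)
    print("spray hits:", [r["IPAddress"] for r in detect_spray(build_sample_logs())])
```

On the constructed data the brute-force source aggregates to one account with 40 failures and is correctly left to a separate brute-force rule, while the spray source (12 accounts, 2 failures each) is the only row that passes both filters. Swapping the threshold constants at the top is the quickest way to see how many legitimate multi-user NAT egress points in your own environment would land inside the spray shape.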
Coverage Across the Kill Chain
Our 704 detections span all 14 MITRE ATT&CK tactics:
- Reconnaissance — Scanning, phishing for information, search techniques
- Initial Access — Phishing, exploitation, trusted relationships
- Execution — PowerShell, scripting, scheduled tasks, WMI
- Persistence — Registry run keys, scheduled tasks, account creation
- Privilege Escalation — UAC bypass, access token manipulation
- Defense Evasion — Log clearing, obfuscation, signed binary proxy execution
- Credential Access — LSASS dumping, password spraying, Kerberoasting
- Discovery — Network scanning, system enumeration, AD discovery
- Lateral Movement — RDP, SMB, WinRM, DCOM
- Collection — Clipboard, email, browser data
- Command and Control — Encrypted channels, proxy, DNS tunneling
- Exfiltration — Exfil over C2, web services, alternative protocols
- Impact — Ransomware, data destruction, defacement
You can explore the full coverage on our ATT&CK Matrix view, which visualises exactly which techniques have detections and which are coming next.
Getting Started
Every detection in the df00tech library is available on our free tier — you can browse, copy, and deploy all KQL and SPL queries immediately. No signup required to view detection rules.
For teams that want the full package — response playbooks, atomic tests, investigation guides, and tuning guidance — our Pro tier provides everything a detection engineering team needs to go from alert to resolution.
Browse the full library at df00tech.com/detections and start closing your detection gaps today.