← Blog · · df00tech

Top 20 Most Important MITRE ATT&CK Techniques for SOC Analysts to Detect

MITRE ATT&CK SOC detection engineering prioritization top techniques

MITRE ATT&CK has ~700 sub-techniques. A small subset account for ~80% of what SOC analysts actually see. Covering those 20 well beats covering 200 badly.

That’s the central truth of detection engineering prioritization. If you’re building a detection program from scratch, or auditing whether your existing coverage is aimed at the right threats, this list is where to start. Every technique below appears repeatedly across ransomware post-mortems, APT reporting from Mandiant and CrowdStrike, and CISA advisories. They are the important ATT&CK techniques — not because MITRE says so, but because attackers keep using them and defenders keep missing them.

Each entry links to a full detection page at df00tech with KQL and SPL queries, playbooks, and atomic tests. Cover these 20 with high-fidelity detection and you will catch the majority of real intrusions.

The 20 Techniques That Actually Matter

1. T1566.001 Spearphishing Attachment

The front door for 80% of ransomware and APT intrusions. A user receives an email with a weaponized document, archive, or OneNote file and opens it. Why it matters: initial access is the earliest detection opportunity in the kill chain — catching it here prevents everything downstream. Scattered Spider, BlackCat, and APT29 all rely heavily on attachment-based phishing.

2. T1204.002 User Execution: Malicious File

Phishing only works if the user runs the payload. This technique covers the moment a user double-clicks the .lnk, .iso, or .docm. Why it matters: process lineage from Outlook.exe or WinRAR.exe to office suites, scripting engines, or LOLBins is one of the cleanest signals in your telemetry. Qakbot, IcedID, and Bumblebee all rely on this user interaction step.

3. T1059.001 PowerShell

PowerShell is the Swiss Army knife of post-exploitation. Encoded commands, download cradles, AMSI bypasses — every offensive framework from Cobalt Strike to Sliver leans on it. Why it matters: a single well-tuned PowerShell detection catches activity from initial execution through lateral movement. Here’s a slice of the df00tech detection looking for the key indicators:

DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName =~ "powershell.exe" or FileName =~ "pwsh.exe"
| extend EncodedCmd = ProcessCommandLine has_any ("-EncodedCommand", "-enc ")
| extend DownloadCradle = ProcessCommandLine has_any ("Invoke-WebRequest", "Net.WebClient", "DownloadString")
| extend AmsiBypass = ProcessCommandLine has_any ("AmsiUtils", "amsiInitFailed")
| where EncodedCmd or DownloadCradle or AmsiBypass
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName

4. T1059.003 Windows Command Shell

cmd.exe is older than PowerShell and just as abused — often as the glue between phishing payloads, LOLBin chains, and final malware. Why it matters: cmd.exe spawned by Office applications, Adobe Reader, or browsers is almost always malicious. LockBit, Clop, and Conti all use cmd for early-stage recon and payload staging.

5. T1027 Obfuscated Files or Information

Base64-encoded PowerShell, XOR’d payloads, compressed archives inside ISO containers — obfuscation is how attackers defeat signature-based detection. Why it matters: detecting the obfuscation itself (high-entropy strings, oversized Base64 blobs, nested archive layers) catches attacks regardless of the final payload. Used universally by APT29, FIN7, and every ransomware operator since 2020.

6. T1055 Process Injection

Injecting code into a legitimate process (explorer.exe, svchost.exe, notepad.exe) hides attacker activity behind trusted binaries. Why it matters: process injection is the defining behavior of Cobalt Strike beacons, Meterpreter sessions, and post-exploitation frameworks — detecting it catches sophisticated operators that bypass signature tools. APT41, Lazarus, and every red team use this constantly.

7. T1003.001 LSASS Memory Dumping

The single most impactful credential theft technique. LSASS memory holds NTLM hashes, Kerberos tickets, and sometimes cleartext passwords for every logged-on user. Why it matters: one successful LSASS dump on a jump server can yield domain admin. Used by Mimikatz, Cobalt Strike sekurlsa, ProcDump, comsvcs.dll MiniDump, Volt Typhoon, and virtually every ransomware crew. Core of the df00tech detection:

DeviceEvents
| where Timestamp > ago(24h)
| where ActionType == "ProcessAccessed"
| where FileName =~ "lsass.exe"
| where InitiatingProcessFileName !in~ (
    "MsMpEng.exe", "csrss.exe", "services.exe", "svchost.exe",
    "winlogon.exe", "wininit.exe", "SecurityHealthService.exe")
| where InitiatingProcessGrantedAccessMask in (
    "0x1fffff", "0x1f3fff", "0x143a", "0x1410", "0x1010", "0x40")
| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessGrantedAccessMask

8. T1003.002 Security Account Manager

The SAM hive stores local account password hashes. Attackers dump it via reg save, volume shadow copy, or direct registry read — often as a fallback when LSASS is protected. Why it matters: SAM dumping yields local admin credentials that attackers reuse across the environment via pass-the-hash. Common in Emotet, Trickbot, and ransomware affiliates targeting workgroup machines.

9. T1021.001 Remote Desktop Protocol

RDP is the most common lateral movement method in ransomware intrusions — partly because it’s often already whitelisted internally. Why it matters: RDP connections from non-admin workstations, from external IPs, or to domain controllers are red flags. LockBit, BlackCat, Akira, and Play all use RDP extensively once inside.

10. T1021.002 SMB / Admin Shares

Using admin$, C$, and IPC$ shares to copy tools and execute remotely is the classic “spread like a worm” pattern — the core of PsExec, WMIC, and Cobalt Strike’s jump smb_psexec. Why it matters: SMB lateral movement from a single compromised workstation can touch dozens of hosts in minutes. Ryuk, Conti, and the NotPetya destructor all weaponized this.

11. T1053.005 Scheduled Task

schtasks.exe /create is the simplest persistence mechanism on Windows and one of the most abused. Why it matters: a malicious scheduled task survives reboots, runs as SYSTEM on demand, and blends in with thousands of legitimate tasks. APT28, Turla, and most commodity malware families drop scheduled tasks for persistence.

12. T1547.001 Registry Run Keys / Startup Folder

The oldest persistence trick in Windows — write to HKCU\Software\Microsoft\Windows\CurrentVersion\Run and the payload launches at every logon. Why it matters: still used by Emotet, Qakbot, AgentTesla, and countless stealers because it’s cheap and works. Detection is simple if you’re monitoring registry writes, which many shops still are not.

13. T1543.003 Windows Service (persistence)

Creating a new Windows service — via sc create, New-Service, or registry manipulation — gives attackers SYSTEM-level persistence that runs at boot. Why it matters: SYSTEM-level service persistence is extremely resilient and hard to clean up once established. Used by every major APT group (APT29, Turla, Sandworm) and by ransomware affiliates for dwell time.

14. T1078 Valid Accounts

Attackers love stolen credentials because they bypass most malware-focused detection. A legitimate VPN login from a compromised account looks identical to a real user — until you correlate with impossible travel, new device, or off-hours access. Why it matters: valid account abuse is the top initial access vector in breach reports. Scattered Spider and SilverTerrier specialize in it.

15. T1110 Brute Force

Password spraying, credential stuffing, and traditional brute force against cloud and on-prem identity. Why it matters: these attacks are cheap and constant — the question is whether your detection fires before the attacker finds a weak password. Every Okta, Microsoft 365, and VPN endpoint is being sprayed right now. APT29 and Midnight Blizzard have made password spraying a signature technique.

16. T1071.001 Web Protocols (C2)

HTTP and HTTPS are the dominant command-and-control channels because they traverse almost every firewall. Beacons from Cobalt Strike, Sliver, Havoc, and Mythic all default to web C2. Why it matters: detecting C2 beaconing via periodic request patterns, unusual user agents, or rare destination domains catches active intrusions mid-operation. Foundational to Volt Typhoon, APT41, and every modern adversary.

17. T1572 Protocol Tunneling

Wrapping C2 traffic inside DNS, ICMP, or SSH tunnels to bypass egress controls. Why it matters: when web C2 is blocked, attackers tunnel — and many networks have no visibility into DNS or ICMP payload content. APT32 (OceanLotus), Lazarus, and ransomware affiliates increasingly use DNS tunneling for exfiltration and C2.

18. T1105 Ingress Tool Transfer

The download step — bringing second-stage tools into the victim environment using certutil, bitsadmin, PowerShell, curl, or LOLBin downloaders. Why it matters: initial access delivers a small stager; the full toolkit arrives via T1105. Catching the download catches the escalation. Used universally — from commodity loaders to APT29 and Volt Typhoon.

19. T1486 Data Encrypted for Impact (ransomware)

The moment ransomware encrypts files is too late to stop the incident, but detection here is still critical — every minute of containment reduces blast radius. Why it matters: rapid mass file writes, shadow copy deletion (vssadmin delete shadows), and boot configuration tampering are detectable pre-encryption and during encryption. LockBit, BlackCat, Royal, Akira, and Play all exhibit the same detectable patterns.

20. T1562.001 Disable or Modify Tools (EDR evasion)

Before detonating ransomware or dumping credentials, sophisticated attackers disable EDR. Service stops, driver unloads, tampering with Defender exclusions, and BYOVD (bring-your-own-vulnerable-driver) attacks all fall here. Why it matters: if your EDR goes silent, your detection goes with it — monitoring EDR health itself is non-negotiable. Scattered Spider, BlackCat, and LockBit operators are aggressive EDR killers.

How to Use This List

Treat these 20 as a baseline coverage audit. For each one, ask:

  • Do we have a detection? If no, that’s a gap. Start there.
  • Is it tested? Run the atomic test. If it doesn’t fire, your detection is broken.
  • Is it tuned? A detection that alerts 200 times a day is a detection that analysts ignore. Tune the false positives until signal-to-noise is usable.
  • Is it scheduled? Hunting queries that run once never catch anything. Convert proven queries into scheduled analytics.

The mistake most SOC teams make is chasing coverage breadth — trying to hit every MITRE technique — before nailing the important ones. A detection program that catches T1003.001, T1059.001, T1021.001, T1486, and T1562.001 reliably will catch more real intrusions than a program covering 400 techniques poorly.

Going Deeper

Each of the 20 detections linked above includes full KQL and SPL queries, SPL/Elastic/Chronicle/Sumo translations, response playbooks, and atomic red team tests. Every query is production-tested and free to use.

Browse the full df00tech detection library — 700+ KQL and SPL queries mapped to MITRE ATT&CK, free forever.