← Back to Blog
SOC Intermediate 10 min

Practical MITRE ATT&CK Framework for SOC Analysts

A hands-on guide to using MITRE ATT&CK in a real SOC: mapping alerts to techniques, writing detections, and finding coverage gaps with ATT&CK Navigator.

MITRE ATT&CKSOCThreat DetectionBlue TeamDetection Engineering
Practical MITRE ATT&CK Framework for SOC Analysts

MITRE ATT&CK gets name dropped in almost every security job description, yet a lot of analysts only ever see it as a wall of colorful tiles. In a working SOC, ATT&CK is far more than a poster. It is a shared language for describing how adversaries behave, and it quietly drives detection engineering, threat hunting, and coverage reporting. This guide shows how I actually use it.

What ATT&CK Really Is

ATT&CK is a knowledge base of real adversary behavior, organized into tactics and techniques.

  • A tactic is the attacker’s goal at a moment in time. Examples: Initial Access, Persistence, Privilege Escalation, Exfiltration.
  • A technique is how they reach that goal. Under Persistence you will find “Scheduled Task/Job” (T1053) and “Create Account” (T1136).
  • Sub-techniques add detail. T1053.005 is specifically the Windows Scheduled Task variant.

The power is that every technique has a stable ID. When I say T1059.001, any analyst anywhere knows I mean PowerShell command execution. That precision is what makes ATT&CK useful for automation.

Mapping an Alert to ATT&CK

Theory is cheap, so here is the workflow I run on a live alert. Suppose the SIEM fires on a suspicious process chain: Microsoft Word spawns cmd.exe, which then launches an encoded PowerShell command.

  1. Word spawning a shell points to Initial Access through a malicious document, T1566.001 (Spearphishing Attachment), paired with Execution via T1204.002 (Malicious File).
  2. The shell launching PowerShell is Execution, T1059.001.
  3. The encoded command is a Defense Evasion signal, T1027 (Obfuscated Files or Information).

In two minutes the messy alert becomes a clean story: phishing document, user execution, obfuscated PowerShell. Now I know which host artifacts to pull and which follow on techniques to hunt for, such as persistence or credential access.

Detection Engineering with ATT&CK

Once you think in techniques, writing detections becomes systematic. Take T1059.001. A simple Sigma rule that flags encoded PowerShell looks like this:

title: Encoded PowerShell Command
logsource:
  product: windows
  category: process_creation
detection:
  selection:
    Image|endswith: '\powershell.exe'
    CommandLine|contains:
      - ' -enc '
      - ' -EncodedCommand '
  condition: selection
tags:
  - attack.execution
  - attack.t1059.001
level: high

Tagging the rule with the technique ID is the important part. Later, when a lead asks “are we covered for PowerShell abuse,” I answer with data instead of a guess.

Finding Gaps with ATT&CK Navigator

ATT&CK Navigator is a free tool that renders the matrix as an interactive heat map. I keep two layers:

  • A coverage layer that scores each technique by how well our detections see it.
  • A threat layer built from techniques used by groups that target our sector.

Overlaying the two instantly shows the dangerous gaps: techniques our adversaries love that we cannot currently detect. That overlap, not raw rule count, is where the next detection should go. This is the core idea behind threat informed defense.

Turning ATT&CK into Threat Hunts

ATT&CK is also a hunt backlog. Pick a technique that is hard to alert on reliably, form a hypothesis, and go looking. For T1053.005 (Scheduled Task), the hypothesis might be “an attacker created a task for persistence.” The hunt becomes a query for task creation events outside maintenance windows, by non administrative users, pointing at scripts in temporary directories. Every hunt either finds something or becomes a new detection idea.

Key Takeaways

  • ATT&CK is a shared vocabulary, not a checklist. Use the technique IDs everywhere.
  • Map alerts to tactics and techniques to turn noise into a clear attacker narrative.
  • Tag every detection rule with its technique so coverage becomes measurable.
  • Overlay your coverage against real threat intelligence in Navigator to prioritize work.
  • Treat unmapped techniques as a ready made threat hunting backlog.

Start small. Pick five techniques relevant to your environment, write or verify detections for each, and tag them. Within a week you will see the SOC differently.

// Discussion

Enjoyed this? Let us work together.

I am open to security internships and junior roles.