SCENARIO
The MITRE ATT&CK framework catalogs 14 tactics and 200+ techniques used by adversaries. Security teams need to proactively hunt for these techniques in their environment rather than waiting for signature-based detections. Traditional threat hunting requires manually writing queries for each technique, which is time-consuming and requires deep ATT&CK knowledge.
Use this guide when you need to:
- Hunt for specific MITRE ATT&CK techniques in your environment
- Validate security controls against ATT&CK techniques
- Investigate if specific APT groups' TTPs exist in your environment
- Create detection coverage maps showing which techniques you can detect
- Implement threat-informed defense based on ATT&CK framework
Business Impact:
- Proactive threat hunting: Identify threats before they cause damage
- Coverage validation: Verify detection capabilities against ATT&CK matrix
- Threat-informed defense: Prioritize defenses based on relevant TTPs
- APT hunting: Search for specific adversary group behaviors
SentinelOne MITRE ATT&CK integration enables technique-based threat hunting via Deep Visibility with pre-built ATT&CK queries.
REQUIREMENTS & ASSUMPTIONS
Prerequisites:
- SentinelOne Singularity Complete license
- Deep Visibility data: Minimum 90 days retention recommended
- MITRE ATT&CK knowledge: Familiarity with tactics and techniques
PROCESS
Step 1: Access MITRE ATT&CK hunting interface
- Navigate to Console → Visibility → MITRE ATT&CK
- ATT&CK Matrix displays:
- 14 Tactics (columns): Initial Access, Execution, Persistence, etc.
- 200+ Techniques (rows): T1055 Process Injection, T1059 Command and Scripting Interpreter, etc., each expandable into its sub-techniques (e.g., T1059.001 PowerShell)
- Coverage Indicators: Green = detected in environment, Red = no coverage, Yellow = partial
Step 2: Hunt for specific ATT&CK technique
Example: Hunt for T1055 - Process Injection
- Click technique T1055 (Process Injection)
- Technique details display:
  - Description: Adversaries inject code into the address space of a live process to evade process-based defenses and possibly elevate privileges
  - Sub-techniques: T1055.001 DLL Injection, T1055.002 Portable Executable Injection, T1055.003 Thread Execution Hijacking, and others
  - Detection Logic: Pre-built Deep Visibility query
- Click "Hunt for This Technique"
- Deep Visibility query executes:
EventType = "Cross Process" AND (CrossProcAction CONTAINS "CreateRemoteThread" OR CrossProcAction CONTAINS "WriteProcessMemory" OR CrossProcAction CONTAINS "SetWindowsHookEx")
- Review results (example figures):
  - Total Events: 23 process injection events detected
  - Endpoints: 5 unique endpoints
  - Time Range: Last 30 days
- Investigate findings:
  - Click event to view Storyline
  - Determine if malicious (attack) or benign: security agents, debuggers, accessibility and input-automation tools legitimately use these same APIs, so expect benign hits and record the source processes for exclusion
Result: Proactive detection of process injection techniques across the environment.
Step 3: Hunt for APT group TTPs
Example: Hunt for APT29 (Cozy Bear) techniques
- Research APT29 TTPs:
  - Navigate to https://attack.mitre.org/groups/G0016/
  - APT29 commonly uses:
    - T1566.001: Phishing: Spearphishing Attachment
    - T1059.001: Command and Scripting Interpreter: PowerShell
    - T1003.001: OS Credential Dumping: LSASS Memory
    - T1071.001: Application Layer Protocol: Web Protocols
- Hunt for T1003.001 (LSASS Memory):
EventType = "Cross Process" AND TgtProcName CONTAINS "lsass.exe" AND CrossProcAction CONTAINS "OpenProcess"
- Hunt for T1059.001 (PowerShell Execution):
EventType = "Process Creation" AND SrcProcName CONTAINS "powershell.exe" AND SrcProcCmdLine CONTAINS ("-encodedcommand", "-enc", "iex", "Invoke-Expression")
- Hunt for T1071.001 (C2 Web Protocols):
EventType = "Network Connection" AND DstPort IN (443, 8443) AND NetTxBytes > 10000000
  - The threshold (10 MB sent to one destination) is only a starting point: backup, file-sync and update clients routinely exceed it, so filter known destinations and pivot on the sending process before treating a hit as C2 or exfiltration
- Correlate findings:
  - Do multiple APT29 techniques appear on the same endpoint?
  - Are they within the same timeframe? Several techniques on one host within hours indicates a coordinated intrusion rather than unrelated admin activity
Result: Targeted hunt for specific threat actor behaviors.
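The correlation step above (several techniques on one endpoint inside one timeframe) is easy to do by hand for three hits and tedious for three hundred. The following script is an added example, not code from this guide or from SentinelOne: it takes hunt results in the shape of an exported result table (the column names endpoint, technique and time are assumed), and reports every endpoint on which at least two distinct techniques fall inside a sliding time window. The rows are constructed sample data.

```python
"""Correlate hunt hits per endpoint inside a time window (the Step 3 question:
do several APT29 techniques land on one host within the same timeframe?).

Added example, not code from the guide or from SentinelOne. Each row imitates
one exported Deep Visibility hunt result tagged with the technique whose
query returned it; the column names (endpoint, technique, time) are assumed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample hits (not real telemetry).
SAMPLE_HITS = [
    {"endpoint": "WS-042", "technique": "T1059.001", "time": "2025-11-20T09:14:02Z"},
    {"endpoint": "WS-042", "technique": "T1003.001", "time": "2025-11-20T09:21:45Z"},
    {"endpoint": "WS-042", "technique": "T1071.001", "time": "2025-11-20T09:40:10Z"},
    {"endpoint": "WS-017", "technique": "T1059.001", "time": "2025-11-18T14:02:00Z"},
    {"endpoint": "WS-017", "technique": "T1071.001", "time": "2025-11-23T08:00:00Z"},
    {"endpoint": "SRV-DB1", "technique": "T1003.001", "time": "2025-11-21T03:00:00Z"},
]

TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamp used in the sample rows."""
    return datetime.strptime(value, TS_FORMAT)


def correlate(hits, window=timedelta(hours=1), min_techniques=2):
    """Return {endpoint: (techniques, first_seen, last_seen)} for every endpoint
    on which at least `min_techniques` distinct techniques occur within `window`.

    Per host, hits are sorted by time; each hit opens a window of length
    `window`, and the window holding the most distinct techniques is kept.
    """
    by_host = defaultdict(list)
    for hit in hits:
        by_host[hit["endpoint"]].append((parse_ts(hit["time"]), hit["technique"]))

    clusters = {}
    for host, events in by_host.items():
        events.sort()
        best_techniques, best_span = set(), None
        for i, (start, _) in enumerate(events):
            in_window = [(t, tech) for t, tech in events[i:] if t - start <= window]
            techniques = {tech for _, tech in in_window}
            if len(techniques) > len(best_techniques):
                best_techniques = techniques
                best_span = (start, in_window[-1][0])  # sorted, so last = latest
        if len(best_techniques) >= min_techniques:
            clusters[host] = (
                sorted(best_techniques),
                best_span[0].strftime(TS_FORMAT),
                best_span[1].strftime(TS_FORMAT),
            )
    return clusters


if __name__ == "__main__":
    for host, (techs, first, last) in correlate(SAMPLE_HITS).items():
        print(f"{host}: {len(techs)} techniques {techs} between {first} and {last}")
```

With the default one-hour window only WS-042 is reported (three techniques in 26 minutes); WS-017 shows two APT29 techniques five days apart and is reported only if the window is widened to a week, which is the trade-off to make consciously: a wide window catches slow intrusions but also starts pairing unrelated admin activity.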
Step 4: Generate ATT&CK coverage report
- Navigate to Console → Reports → ATT&CK Coverage
- Configure report:
  - Time Range: Last 90 days
  - Scope: All sites
  - Output: PDF
- Report includes:
  - Coverage Heatmap: Visual matrix showing detection coverage
    - Green: Technique detected in environment (you have visibility)
    - Yellow: Partial coverage (some sub-techniques detected)
    - Red: No coverage (blind spot)
  - Top Detected Techniques: Most common TTPs in your environment
  - Blind Spots: Techniques with zero coverage (prioritize adding detection)
- Use report for:
  - Security roadmap: Prioritize adding detection for red/yellow techniques
  - Executive briefings: Show security posture against ATT&CK framework
  - Compliance: Demonstrate defense-in-depth coverage
  - Caveat: a red cell means no matching events in the report window, which can be a visibility gap or simply a technique nobody has used yet; confirm a true blind spot by executing the technique on a test endpoint and checking whether the hunt query returns it
Result: Data-driven understanding of detection capabilities mapped to ATT&CK.
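The green/yellow/red rule above is simple enough to reproduce outside the console, which is useful when hunt results need to land in an ATT&CK Navigator layer next to coverage from other tools. The script below is an added example, not part of this guide or of SentinelOne's report: it applies the rule (all sub-techniques observed = green, some = yellow, none = red) to a constructed subset of the matrix and emits a Navigator layer. The `versions` values in the layer are assumptions to be set to match your Navigator instance.

```python
"""Turn hunt outcomes into the Step 4 green/yellow/red coverage map and export
it as an ATT&CK Navigator layer for the heatmap.

Added example, not part of the guide or of SentinelOne's report. The technique
list is a constructed subset of Enterprise ATT&CK; the "versions" values in the
layer are assumptions to be set for your Navigator instance.
"""
import json

# Constructed subset: parent technique -> its sub-techniques (empty = none).
TECHNIQUES = {
    "T1055": ["T1055.001", "T1055.002", "T1055.003"],
    "T1003": ["T1003.001", "T1003.002", "T1003.003"],
    "T1059": ["T1059.001", "T1059.003"],
    "T1547": ["T1547.001"],
    "T1105": [],
}

# Constructed hunt outcome: IDs whose hunt query returned at least one event.
OBSERVED = {"T1055.001", "T1055.003", "T1003.001", "T1003.002", "T1003.003",
            "T1059.001", "T1059.003"}

COLORS = {"green": "#31a354", "yellow": "#fdd835", "red": "#e53935"}


def classify(parent, subs, observed):
    """Guide's rule: all sub-techniques seen -> green, some -> yellow, none ->
    red. A technique without sub-techniques is green iff it was seen itself."""
    if not subs:
        return "green" if parent in observed else "red"
    seen = sum(1 for s in subs if s in observed)
    if seen == len(subs):
        return "green"
    return "yellow" if seen else "red"


def coverage(techniques=TECHNIQUES, observed=OBSERVED):
    """Map every parent technique to its coverage colour."""
    return {t: classify(t, subs, observed) for t, subs in techniques.items()}


def navigator_layer(techniques=TECHNIQUES, observed=OBSERVED,
                    name="Deep Visibility hunt coverage"):
    """Build a Navigator layer dict: one entry per parent technique plus one per
    sub-technique, so the expanded matrix shows which children were seen."""
    cov = coverage(techniques, observed)
    entries = []
    for parent, subs in techniques.items():
        seen = sum(1 for s in subs if s in observed)
        if subs:
            comment = f"{cov[parent]}: {seen}/{len(subs)} sub-techniques observed"
        else:
            comment = f"{cov[parent]}: technique {'observed' if parent in observed else 'not observed'}"
        entries.append({"techniqueID": parent, "color": COLORS[cov[parent]],
                        "comment": comment, "enabled": True, "showSubtechniques": True})
        for sub in subs:
            colour = "green" if sub in observed else "red"
            entries.append({"techniqueID": sub, "color": COLORS[colour],
                            "comment": colour, "enabled": True})
    return {
        "name": name,
        # Assumed version strings; set them to what your Navigator reports.
        "versions": {"attack": "16", "navigator": "5.1.0", "layer": "4.5"},
        "domain": "enterprise-attack",
        "description": "Green = all sub-techniques observed, yellow = some, red = none (hunt window)",
        "techniques": entries,
        "legendItems": [{"label": k, "color": v} for k, v in COLORS.items()],
    }


if __name__ == "__main__":
    print(json.dumps(navigator_layer(), indent=2))
```

On the constructed data T1055 comes out yellow (two of three sub-techniques seen), T1003 and T1059 green, T1547 and T1105 red. Colouring the sub-technique rows as well as the parent is what makes the yellow cells actionable: the layer shows which child is missing rather than only that something is.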
Step 5: Create custom STAR rules for ATT&CK techniques
Example: Auto-detect and block T1003.001 (LSASS Dumping)
- Navigate to Sentinels → STAR Custom Rules
- Click + Create Rule
- Configure rule:
  - Rule Name: Detect_T1003.001_LSASS_Dumping (MITRE ATT&CK: T1003.001, OS Credential Dumping: LSASS Memory)
  - Query:
EventType = "Cross Process" AND TgtProcName CONTAINS "lsass.exe" AND CrossProcAction CONTAINS "OpenProcess"
  - Response: Kill Process + Network Quarantine + Alert (Critical)
- Save and enable rule
- Tune before enabling the automated response: many legitimate processes (security agents, Task Manager, monitoring and backup tools) open handles to lsass.exe, and Kill Process and Network Quarantine act on the endpoint that tripped the rule. Run the rule with an alert-only response first, add the confirmed-benign source processes to the query as exclusions on SrcProcName (the NOT IN pattern used for the Run-key query in Step 6), and switch on Kill/Quarantine only once the alert volume is clean.
Result: Automated detection and response for specific ATT&CK technique.
Step 6: Pre-built ATT&CK hunt queries
Common Techniques and Queries:
T1059.003 - Windows Command Shell
EventType = "Process Creation" AND
SrcProcName CONTAINS "cmd.exe" AND
SrcProcCmdLine CONTAINS ("whoami", "net user", "ipconfig", "netstat")
T1547.001 - Registry Run Keys (Persistence)
EventType = "Registry Value Set" AND
RegistryKeyPath CONTAINS ("\Run", "\RunOnce", "\RunServices") AND
RegistryValueName NOT IN ("Microsoft OneDrive", "Windows Defender")
T1105 - Ingress Tool Transfer
EventType = "File Creation" AND
FilePath CONTAINS ("\Downloads\", "\Temp\") AND
(FileExtension = ".exe" OR FileExtension = ".dll") AND
NetSrcIP NOT IN CIDR ("10.0.0.0/8", "172.16.0.0/12")
T1046 - Network Service Discovery (formerly Network Service Scanning)
EventType = "Network Connection" AND
DstPort IN (22, 135, 139, 445, 3389) AND
COUNT(DISTINCT DstIP) > 10 # Scanning multiple IPs
Note: the first two lines are the event filter; the distinct-destination count is an aggregation over the returned connections, grouped by source endpoint, so apply it to the result set rather than expecting a single event to satisfy it.
T1087.002 - Account Discovery: Domain Account (T1087.001 is Local Account; the commands below enumerate the domain)
EventType = "Process Creation" AND
SrcProcCmdLine CONTAINS ("net user /domain", "net group", "nltest")
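To see what the Step 6 queries (and the Step 5 LSASS rule) actually match, it helps to run the same logic over a handful of events outside the console. The script below is an added example, not code from this guide or from SentinelOne: each query becomes a Python predicate over event dicts whose keys follow the guide's field names (EventType, SrcProcName, SrcProcCmdLine, RegistryKeyPath, ...), run over constructed sample events. It makes two things explicit that the one-line queries hide: the T1046 count of distinct destinations is an aggregation done in a second pass per endpoint, and the T1003.001 rule needs an allowlist of benign source processes before any kill or quarantine response is enabled. The domain discovery commands are tagged T1087.002 (Domain Account), which is the sub-technique they enumerate. The allowlist names and all events are constructed placeholders.

```python
"""Run the Step 5/6 hunt logic over sample endpoint events.

Added example, not from the guide or from SentinelOne. Deep Visibility evaluates
these filters server-side; here each query is a predicate over event dicts keyed
by the guide's field names. T1046 is an aggregation (distinct destinations per
endpoint) and is computed in a second pass; T1003.001 carries a source-process
allowlist, the tuning Step 5 needs before automated response is switched on.
"""
from collections import defaultdict
import ipaddress

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("172.16.0.0/12")]
# Placeholder names: build this allowlist from your own baseline of lsass.exe access.
LSASS_ALLOWLIST = {"approved_av_engine.exe", "approved_backup.exe"}
RECON_CMDS = ("whoami", "net user", "ipconfig", "netstat")
DOMAIN_DISCOVERY = ("net user /domain", "net group", "nltest")
RUN_KEYS = ("\\Run", "\\RunOnce", "\\RunServices")
RUN_KEY_ALLOW = ("Microsoft OneDrive", "Windows Defender")
SCAN_PORTS = {22, 135, 139, 445, 3389}


def is_internal(ip):
    return any(ipaddress.ip_address(ip) in net for net in INTERNAL_NETS)

def t1059_003(e):  # Windows Command Shell running recon commands
    return (e["EventType"] == "Process Creation"
            and "cmd.exe" in e.get("SrcProcName", "").lower()
            and any(c in e.get("SrcProcCmdLine", "").lower() for c in RECON_CMDS))

def t1547_001(e):  # Run-key persistence, minus known-good value names
    return (e["EventType"] == "Registry Value Set"
            and any(k in e.get("RegistryKeyPath", "") for k in RUN_KEYS)
            and e.get("RegistryValueName") not in RUN_KEY_ALLOW)

def t1105(e):  # executable dropped in Downloads/Temp from a non-internal source
    return (e["EventType"] == "File Creation"
            and any(p in e.get("FilePath", "") for p in ("\\Downloads\\", "\\Temp\\"))
            and e.get("FileExtension") in (".exe", ".dll")
            and not is_internal(e["NetSrcIP"]))

def t1087_002(e):  # domain account discovery commands
    return (e["EventType"] == "Process Creation"
            and any(c in e.get("SrcProcCmdLine", "").lower() for c in DOMAIN_DISCOVERY))

def t1003_001(e):  # handle opened to lsass.exe by a non-allowlisted process
    return (e["EventType"] == "Cross Process"
            and "lsass.exe" in e.get("TgtProcName", "").lower()
            and "OpenProcess" in e.get("CrossProcAction", "")
            and e.get("SrcProcName", "").lower() not in LSASS_ALLOWLIST)

PER_EVENT = {"T1059.003": t1059_003, "T1547.001": t1547_001, "T1105": t1105,
             "T1087.002": t1087_002, "T1003.001": t1003_001}


def hunt(events, scan_threshold=10):
    """Return {technique_id: [endpoint, ...]} for every rule that fired."""
    hits = defaultdict(list)
    destinations = defaultdict(set)  # endpoint -> distinct DstIP on scan ports
    for e in events:
        for tid, rule in PER_EVENT.items():
            if rule(e):
                hits[tid].append(e["EndpointName"])
        if e["EventType"] == "Network Connection" and e.get("DstPort") in SCAN_PORTS:
            destinations[e["EndpointName"]].add(e["DstIP"])
    for host, ips in destinations.items():  # T1046: aggregation, not a per-event test
        if len(ips) > scan_threshold:
            hits["T1046"].append(host)
    return dict(hits)


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"EndpointName": "WS-042", "EventType": "Process Creation", "SrcProcName": "cmd.exe",
     "SrcProcCmdLine": "cmd.exe /c whoami /all"},
    {"EndpointName": "WS-042", "EventType": "Process Creation", "SrcProcName": "powershell.exe",
     "SrcProcCmdLine": 'powershell -c net group "Domain Admins" /domain'},
    {"EndpointName": "WS-017", "EventType": "Registry Value Set", "RegistryValueName": "Updater",
     "RegistryKeyPath": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"},
    {"EndpointName": "WS-017", "EventType": "Registry Value Set", "RegistryValueName": "Microsoft OneDrive",
     "RegistryKeyPath": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"},
    {"EndpointName": "WS-017", "EventType": "File Creation", "FileExtension": ".exe",
     "FilePath": "C:\\Users\\a\\Downloads\\stage.exe", "NetSrcIP": "203.0.113.10"},
    {"EndpointName": "WS-017", "EventType": "File Creation", "FileExtension": ".exe",
     "FilePath": "C:\\Users\\a\\Downloads\\tool.exe", "NetSrcIP": "10.1.2.3"},
    {"EndpointName": "WS-042", "EventType": "Cross Process", "SrcProcName": "approved_av_engine.exe",
     "TgtProcName": "lsass.exe", "CrossProcAction": "OpenProcess"},
    {"EndpointName": "WS-042", "EventType": "Cross Process", "SrcProcName": "dump.exe",
     "TgtProcName": "lsass.exe", "CrossProcAction": "OpenProcess"},
] + [{"EndpointName": "SRV-APP1", "EventType": "Network Connection", "DstPort": 445,
      "DstIP": f"10.0.5.{i}"} for i in range(1, 13)]

if __name__ == "__main__":
    for tid, hosts in sorted(hunt(SAMPLE_EVENTS).items()):
        print(tid, hosts)
```

Each rule fires exactly once on the sample: the OneDrive Run-key write, the download from 10.1.2.3 and the allowlisted lsass.exe access are all suppressed by the exclusions, and SRV-APP1 is flagged for T1046 only because the twelve connections are counted per endpoint after filtering. Raising `scan_threshold` above twelve makes that hit disappear, which is the knob to calibrate against your own vulnerability scanners and management servers.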
VERIFICATION
Verify ATT&CK hunting is operational:
- Access ATT&CK matrix: Console → Visibility → MITRE ATT&CK
- Test hunt: Click any technique → "Hunt for This Technique" → Query executes
- Verify results: Events returned (may be zero if technique not present)
TROUBLESHOOTING
Issue: ATT&CK query returns no results
Solutions:
- Expand time range: Some techniques are rare; increase to 90-365 days, within your retention
- Verify data retention: Ensure Deep Visibility data exists for the time range
- Check query logic: Field names, casing and exclusions may need tuning for your environment
- Confirm visibility: Execute the technique in a controlled way on a test endpoint; if the hunt query still returns nothing, the gap is in telemetry or query logic, not in the absence of attackers
REFERENCES
Document Version: 1.0 Last Updated: 2025-11-26