coverage-gap: weekly ATT&CK coverage holes — 2026-07-15
I have everything I need. Verification notes from live MITRE (ATT&CK v16/17): T1558.001 = Golden Ticket, .002 = Silver Ticket confirmed (and note T1558 gained a .005 Ccache Files since this repo's layer was cut). T1557.001 was renamed from "LLMNR/NBT-NS Poisoning and SMB Relay" to "Name Resolution Poisoning and SMB Relay" — an ID-label move worth flagging. TA0011 = Command and Control confirmed.
/coverage-gap — the whole matrix
Baseline (from the drift-gated artifacts): 65 rules · 41 techniques · 9 of 14 ATT&CK tactics in COVERAGE.md. The two network detections (network/suricata/coercion.rules → T1187, network/zeek/kerberoast-rc4.zeek → T1558.003) are not counted by the sigma-only roll-up, but both map to tactics already covered — so they add depth, not a new tactic. Net tactic count stands at 9/14.
1. Zero-coverage tactics (5 of 14) — intended vs. out of scope
| Tactic (ID) |
In methodology? |
Verdict |
| Command and Control (TA0011) |
Yes — "Exfil / C2" row (Suricata, Zeek conn/dns) |
Intended hole — the marquee gap |
| Reconnaissance (TA0043) |
Yes — "Recon / Discovery" row (Zeek, 4688/4769) |
Intended hole (thin, see §2) |
| Resource Development (TA0042) |
No |
Legitimately out of scope |
| Initial Access (TA0001) |
No |
Legitimately out of scope |
| Impact (TA0040) |
No |
Legitimately out of scope |
Three of the five zero tactics are correctly out of scope for a detection-engineering repo. Only two — C2 and Recon — are holes against the repo's own stated intent.
2. Thin tactics (present but fragile / below intent)
- Discovery (TA0007) — 2 techniques but one rule (
sharphound_ldap_sweep_4662 carries both T1069.002 and T1087.002). A single fragile rule for a tactic the methodology pairs at the top of its map. LDAP recon (4648 fan-out) from Kali's PURPLE-TEAM is uncovered.
- Exfiltration (TA0010) — 2 rules, but both SaaS (
slack_external_shared_channel, snowflake_data_unload). The methodology's intended exfil data source is network (Suricata, Zeek conn/dns) — T1048/T1041 are unmet. Present-but-wrong-logsource vs. intent.
- Lateral Movement (TA0008) — 5 rules, but the classic on-prem
4624 type-3 fan-out (pass-the-hash / cred reuse) is missing.
- Collection (TA0009) — 1 technique / 1 rule; not named in the methodology, so this is a bonus, not a measured gap.
3 & 4. Ranked holes — intended techniques with no detection (most central first)
| # |
Tactic / technique (verified ID) |
Coverage |
Why it matters for this repo |
Logsource a rule would use |
| 1 |
C2 — Application Layer / DNS / Tunneling (T1071, T1071.004, T1572, T1573) |
0 |
Whole intended tactic empty despite stood-up-but-empty network/{zeek,suricata} dirs. The "Exfil / C2" methodology row has no C2 half. |
Zeek dns.log/conn.log, Suricata |
| 2 |
NTLM relay (T1557.001 — renamed "Name Resolution Poisoning and SMB Relay") |
0 Sigma; coercion bind caught by coercion.rules (T1187) |
The flagship "coercion → relay → DC compromise" chain is half-blind: the bind fires, the relayed logon (4624 workstation/source mismatch) does not. Kali has ntlm-relay-4624. |
Windows 4624 |
| 3 |
Golden / Silver Ticket (T1558.001, T1558.002) |
0 |
Credential Access is the repo's deepest AD area (roasting, DCSync, ADCS all covered) yet the two Kerberos forgery sub-techniques are absent. Kali ships both (golden-ticket-4769, silver-ticket-4769). |
4769/4768 correlation |
| 4 |
Reconnaissance / LDAP recon (T1087, T1046; 4648 fan-out) |
0 (Recon), thin (Discovery) |
Intended "Recon/Discovery" row carried by one SharpHound rule; no explicit-cred/host recon. |
4648, 4662, Zeek |
| 5 |
Network exfil (T1048, T1041) |
0 on network (SaaS-only present) |
Methodology intends network exfil; only SaaS covered. |
Zeek conn.log, Suricata |
| 6 |
Lateral 4624 type-3 fan-out / Pass-the-Hash (T1550.002, T1021) |
0 |
Classic on-prem lateral movement; Kali has lateral-4624-fanout. |
Windows 4624 type 3 |
| 7 |
Unconstrained delegation abuse; DPAPI domain backup-key (T1187-adjacent; DPAPI ID uncertain — MS-BKRP maps loosely to T1555 / T1552.004, verify before tagging) |
0 |
Soft/narrow AD tail from Kali companion (unconstrained-deleg-4624, dpapi-backupkey-5145). |
4624, 5145 |
Red↔blue (Kali sibling present). Of the 20 companion-generated PURPLE-TEAM entries, 14 have a blue mirror here; the 6 without detection are rows #2, #3 (×2), #6, #7 (×2) above — plus hand-authored Kali items (LDAP recon 4648, remote secretsdump 5145, LOLBAS/obfuscation 4688, rogue account 4720) that have no blue counterpart. The split is otherwise clean — attacker-authored detections stayed in Kali.
Headline
9 of 14 tactics covered; 3 of the 5 gaps are legitimately out of scope, so the real score against intent is 9 of 11 intended tactics. The highest-value hole is Command and Control (TA0011) — an entire intended tactic sitting at zero while its data-source path (network/zeek, network/suricata) is already scaffolded but empty. The single highest-leverage technique to close is NTLM relay detection (T1557.001, 4624 mismatch), which would complete the repo's flagship coercion→relay→DC chain that is currently only half-instrumented.
Report only — no rules authored, red↔blue split intact. If you want to close any of these, a rule lands under detections/sigma/ (or network/ for the C2/exfil holes) and must regenerate gen-coverage.sh, gen-navigator.sh, gen-siem.sh. Say which hole and I'll draft it.
Filed by the claude-routines workflow. Report-first: review and act — nothing was changed.
coverage-gap: weekly ATT&CK coverage holes — 2026-07-15
I have everything I need. Verification notes from live MITRE (ATT&CK v16/17): T1558.001 = Golden Ticket, .002 = Silver Ticket confirmed (and note T1558 gained a .005 Ccache Files since this repo's layer was cut). T1557.001 was renamed from "LLMNR/NBT-NS Poisoning and SMB Relay" to "Name Resolution Poisoning and SMB Relay" — an ID-label move worth flagging. TA0011 = Command and Control confirmed.
/coverage-gap — the whole matrix
Baseline (from the drift-gated artifacts): 65 rules · 41 techniques · 9 of 14 ATT&CK tactics in
COVERAGE.md. The two network detections (network/suricata/coercion.rules→ T1187,network/zeek/kerberoast-rc4.zeek→ T1558.003) are not counted by the sigma-only roll-up, but both map to tactics already covered — so they add depth, not a new tactic. Net tactic count stands at 9/14.1. Zero-coverage tactics (5 of 14) — intended vs. out of scope
Three of the five zero tactics are correctly out of scope for a detection-engineering repo. Only two — C2 and Recon — are holes against the repo's own stated intent.
2. Thin tactics (present but fragile / below intent)
sharphound_ldap_sweep_4662carries both T1069.002 and T1087.002). A single fragile rule for a tactic the methodology pairs at the top of its map. LDAP recon (4648fan-out) from Kali's PURPLE-TEAM is uncovered.slack_external_shared_channel,snowflake_data_unload). The methodology's intended exfil data source is network (Suricata, Zeek conn/dns) — T1048/T1041 are unmet. Present-but-wrong-logsource vs. intent.4624type-3 fan-out (pass-the-hash / cred reuse) is missing.3 & 4. Ranked holes — intended techniques with no detection (most central first)
network/{zeek,suricata}dirs. The "Exfil / C2" methodology row has no C2 half.dns.log/conn.log, Suricatacoercion.rules(T1187)4624workstation/source mismatch) does not. Kali hasntlm-relay-4624.4624golden-ticket-4769,silver-ticket-4769).4769/4768correlation4648fan-out)4648,4662, Zeekconn.log, Suricatalateral-4624-fanout.4624type 3unconstrained-deleg-4624,dpapi-backupkey-5145).4624,5145Red↔blue (Kali sibling present). Of the 20 companion-generated PURPLE-TEAM entries, 14 have a blue mirror here; the 6 without detection are rows #2, #3 (×2), #6, #7 (×2) above — plus hand-authored Kali items (LDAP recon
4648, remote secretsdump5145, LOLBAS/obfuscation4688, rogue account4720) that have no blue counterpart. The split is otherwise clean — attacker-authored detections stayed in Kali.Headline
9 of 14 tactics covered; 3 of the 5 gaps are legitimately out of scope, so the real score against intent is 9 of 11 intended tactics. The highest-value hole is Command and Control (TA0011) — an entire intended tactic sitting at zero while its data-source path (
network/zeek,network/suricata) is already scaffolded but empty. The single highest-leverage technique to close is NTLM relay detection (T1557.001,4624mismatch), which would complete the repo's flagship coercion→relay→DC chain that is currently only half-instrumented.Report only — no rules authored, red↔blue split intact. If you want to close any of these, a rule lands under
detections/sigma/(ornetwork/for the C2/exfil holes) and must regenerategen-coverage.sh,gen-navigator.sh,gen-siem.sh. Say which hole and I'll draft it.Filed by the claude-routines workflow. Report-first: review and act — nothing was changed.