Skip to content

coverage-gap: weekly ATT&CK coverage holes #64

Description

@github-actions

coverage-gap: weekly ATT&CK coverage holes — 2026-07-15

I have everything I need. Verification notes from live MITRE (ATT&CK v16/17): T1558.001 = Golden Ticket, .002 = Silver Ticket confirmed (and note T1558 gained a .005 Ccache Files since this repo's layer was cut). T1557.001 was renamed from "LLMNR/NBT-NS Poisoning and SMB Relay" to "Name Resolution Poisoning and SMB Relay" — an ID-label move worth flagging. TA0011 = Command and Control confirmed.


/coverage-gap — the whole matrix

Baseline (from the drift-gated artifacts): 65 rules · 41 techniques · 9 of 14 ATT&CK tactics in COVERAGE.md. The two network detections (network/suricata/coercion.rules → T1187, network/zeek/kerberoast-rc4.zeek → T1558.003) are not counted by the sigma-only roll-up, but both map to tactics already covered — so they add depth, not a new tactic. Net tactic count stands at 9/14.

1. Zero-coverage tactics (5 of 14) — intended vs. out of scope

Tactic (ID) In methodology? Verdict
Command and Control (TA0011) Yes — "Exfil / C2" row (Suricata, Zeek conn/dns) Intended hole — the marquee gap
Reconnaissance (TA0043) Yes — "Recon / Discovery" row (Zeek, 4688/4769) Intended hole (thin, see §2)
Resource Development (TA0042) No Legitimately out of scope
Initial Access (TA0001) No Legitimately out of scope
Impact (TA0040) No Legitimately out of scope

Three of the five zero tactics are correctly out of scope for a detection-engineering repo. Only two — C2 and Recon — are holes against the repo's own stated intent.

2. Thin tactics (present but fragile / below intent)

  • Discovery (TA0007) — 2 techniques but one rule (sharphound_ldap_sweep_4662 carries both T1069.002 and T1087.002). A single fragile rule for a tactic the methodology pairs at the top of its map. LDAP recon (4648 fan-out) from Kali's PURPLE-TEAM is uncovered.
  • Exfiltration (TA0010) — 2 rules, but both SaaS (slack_external_shared_channel, snowflake_data_unload). The methodology's intended exfil data source is network (Suricata, Zeek conn/dns) — T1048/T1041 are unmet. Present-but-wrong-logsource vs. intent.
  • Lateral Movement (TA0008) — 5 rules, but the classic on-prem 4624 type-3 fan-out (pass-the-hash / cred reuse) is missing.
  • Collection (TA0009) — 1 technique / 1 rule; not named in the methodology, so this is a bonus, not a measured gap.

3 & 4. Ranked holes — intended techniques with no detection (most central first)

# Tactic / technique (verified ID) Coverage Why it matters for this repo Logsource a rule would use
1 C2 — Application Layer / DNS / Tunneling (T1071, T1071.004, T1572, T1573) 0 Whole intended tactic empty despite stood-up-but-empty network/{zeek,suricata} dirs. The "Exfil / C2" methodology row has no C2 half. Zeek dns.log/conn.log, Suricata
2 NTLM relay (T1557.001 — renamed "Name Resolution Poisoning and SMB Relay") 0 Sigma; coercion bind caught by coercion.rules (T1187) The flagship "coercion → relay → DC compromise" chain is half-blind: the bind fires, the relayed logon (4624 workstation/source mismatch) does not. Kali has ntlm-relay-4624. Windows 4624
3 Golden / Silver Ticket (T1558.001, T1558.002) 0 Credential Access is the repo's deepest AD area (roasting, DCSync, ADCS all covered) yet the two Kerberos forgery sub-techniques are absent. Kali ships both (golden-ticket-4769, silver-ticket-4769). 4769/4768 correlation
4 Reconnaissance / LDAP recon (T1087, T1046; 4648 fan-out) 0 (Recon), thin (Discovery) Intended "Recon/Discovery" row carried by one SharpHound rule; no explicit-cred/host recon. 4648, 4662, Zeek
5 Network exfil (T1048, T1041) 0 on network (SaaS-only present) Methodology intends network exfil; only SaaS covered. Zeek conn.log, Suricata
6 Lateral 4624 type-3 fan-out / Pass-the-Hash (T1550.002, T1021) 0 Classic on-prem lateral movement; Kali has lateral-4624-fanout. Windows 4624 type 3
7 Unconstrained delegation abuse; DPAPI domain backup-key (T1187-adjacent; DPAPI ID uncertain — MS-BKRP maps loosely to T1555 / T1552.004, verify before tagging) 0 Soft/narrow AD tail from Kali companion (unconstrained-deleg-4624, dpapi-backupkey-5145). 4624, 5145

Red↔blue (Kali sibling present). Of the 20 companion-generated PURPLE-TEAM entries, 14 have a blue mirror here; the 6 without detection are rows #2, #3 (×2), #6, #7 (×2) above — plus hand-authored Kali items (LDAP recon 4648, remote secretsdump 5145, LOLBAS/obfuscation 4688, rogue account 4720) that have no blue counterpart. The split is otherwise clean — attacker-authored detections stayed in Kali.

Headline

9 of 14 tactics covered; 3 of the 5 gaps are legitimately out of scope, so the real score against intent is 9 of 11 intended tactics. The highest-value hole is Command and Control (TA0011) — an entire intended tactic sitting at zero while its data-source path (network/zeek, network/suricata) is already scaffolded but empty. The single highest-leverage technique to close is NTLM relay detection (T1557.001, 4624 mismatch), which would complete the repo's flagship coercion→relay→DC chain that is currently only half-instrumented.


Report only — no rules authored, red↔blue split intact. If you want to close any of these, a rule lands under detections/sigma/ (or network/ for the C2/exfil holes) and must regenerate gen-coverage.sh, gen-navigator.sh, gen-siem.sh. Say which hole and I'll draft it.

Filed by the claude-routines workflow. Report-first: review and act — nothing was changed.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions