Skip to content

Detection Coverage Matrix

shaddy43 edited this page Jul 16, 2026 · 2 revisions

Detection Coverage Matrix

Maps each observable behavior to the detections that cover it, the telemetry required, the ATT&CK technique, and a confidence rating.

Behavior ATT&CK Detection(s) Telemetry required Confidence
Tool executed by name T1555.003 Sigma 9.1, Hunt 1 Process creation (Sysmon 1 / 4688 / EDR) High
Tool executed by flag T1555.003 Sigma 9.1, Hunt 1 Process creation w/ command line Med–High*
Non-browser reads credential store T1555.003 / T1552.001 Sigma 9.2, Hunt 2 File access (Sysmon 11/23, 4663, EDR file events) Med–High
Session cookie theft T1539 Sigma 9.2, IOCs File access to Cookies store Med
Stealer DB / copied store in odd path T1074.001 Sigma 9.3, Hunt 3 File create (Sysmon 11) Med
C:\Users\Public\NTUSER.dat drop T1074.001 Sigma 9.4, Hunt 4 File create (Sysmon 11) Very High
Masquerade as browser binary T1036.005 Sigma 9.5, Hunt 5 Process creation w/ signature fields Very High
Scheduled-task persistence (shaddy43) T1053.005 Sigma 9.6, Hunt 6 Security 4698/4699, TaskScheduler 106/141 Very High
Binary on disk / in memory T1555.003 YARA File or memory scanning High
DPAPI / AES-GCM decryption T1140 Behavioral API telemetry / EDR Low–Med
Exfiltration of stealer DB T1041 IOCs — Network Network (Sysmon 3, proxy, NetFlow) Low (variant-dependent)

* Confidence depends on tuning, see the flag tuning note.


Telemetry prerequisites

To get full coverage, ensure the following are enabled:

  • Process creation with command line — Sysmon Event ID 1, or Windows Security 4688 with command-line auditing enabled (Include command line in process creation events GPO), or EDR process telemetry.
  • File create / file access — Sysmon Event ID 11 (create) and 23/26 (delete); Windows 4663 requires SACLs on the target files.
  • Process image signature fields — Sysmon config with <HashAlgorithms> and signature capture, or EDR that records signer/signature status (paired with 9.5, high confidence).
  • Scheduled task auditing — Windows Security 4698/4699 (enable "Audit Other Object Access Events"), plus the TaskScheduler Operational log (106/141).
  • Network connection — Sysmon Event ID 3 and/or proxy/DNS logs for the exfil hunts.

Deployment priority

If you can only deploy a few detections first, start with the Very High confidence items, they have near-zero false positives:

  1. Sigma 9.4 — Public NTUSER.dat
  2. Sigma 9.6 — Scheduled task author shaddy43
  3. Sigma 9.5 — Browser masquerade
  4. YARA rule + Sigma 9.1 execution

Continue to → Validation & Lab Testing

Clone this wiki locally