E8-01 Application Control
4 techniques mapped

Maturity Levels
  ML1: Application control on workstations and internet-facing servers
  ML2: Application control on all servers; logging of allowed and blocked events
  ML3: Application control on all systems; validated against a golden image

Mitigated ATT&CK Techniques
  Malicious File (User Execution): Prevents execution of untrusted binaries dropped via phishing
  Match Legitimate Name or Location: Controls catch binaries even when they are renamed to legitimate names
  System Binary Proxy Execution (LOLBAS): ML2 and above, with script rule enforcement, catch LOLBAS bypasses
  Process Injection: Blocks injection of unsigned code into trusted processes

Detection Rules in This Repo
  rules/e8-01-application-control/e8_01_execution_from_user_writable_path.yml
  rules/e8-01-application-control/e8_01_lolbas_application_control_bypass.yml

E8-02 Patch Applications
3 techniques mapped

Maturity Levels
  ML1: Patches for internet-facing services within 2 weeks; critical within 48h
  ML2: Patches within 2 weeks for all applications; critical within 48h; removal of unsupported applications
  ML3: Patches within 1 week; automated scanning; no unsupported software

Mitigated ATT&CK Techniques
  Exploitation for Client Execution: Patched browsers and office apps cannot be exploited via known CVEs
  Exploit Public-Facing Application: Patched internet-facing applications close known attack surface
  Exploitation for Defense Evasion: Security product vulnerabilities are closed by patching

Detection Rules in This Repo
  rules/e8-02-patch-applications/e8_02_browser_spawns_shell.yml

E8-03 Configure Microsoft Office Macro Settings
3 techniques mapped

Maturity Levels
  ML1: Macros disabled for users who don't need them; macros from the internet blocked
  ML2: Macros only from trusted locations; digitally signed
  ML3: Macros disabled, or only from trusted publishers with antivirus scanning

Mitigated ATT&CK Techniques
  Spearphishing Attachment: Macro-based phishing documents cannot execute without a policy bypass
  Visual Basic (VBA): Macro execution policy directly controls VBA runtime access
  Ingress Tool Transfer: Macros often act as first-stage downloaders

Detection Rules in This Repo
  rules/e8-03-office-macros/e8_03_office_spawns_shell_process.yml
  rules/e8-03-office-macros/e8_03_office_writes_executable_to_disk.yml

E8-04 User Application Hardening
3 techniques mapped

Maturity Levels
  ML1: Block ads and Flash; disable Java in browsers
  ML2: Disable PowerShell v2; enable Script Block Logging; disable WSH
  ML3: PowerShell Constrained Language Mode (CLM) for non-admins; block all unnecessary scripting

Mitigated ATT&CK Techniques
  PowerShell: CLM and logging degrade PowerShell as an attacker tool
  Visual Basic (WSH): Disabling WSH prevents wscript/cscript execution
  Obfuscated Files or Information: Script Block Logging captures decoded/deobfuscated content

Detection Rules in This Repo
  rules/e8-04-user-app-hardening/e8_04_powershell_encoded_command.yml
  rules/e8-04-user-app-hardening/e8_04_wscript_cscript_execution.yml

E8-05 Restrict Administrative Privileges
3 techniques mapped

Maturity Levels
  ML1: Admin accounts used only for admin tasks; no internet access from admin accounts
  ML2: Privileged Access Workstations; just-in-time admin; regular review
  ML3: Admin activities logged and audited; break-glass accounts controlled

Mitigated ATT&CK Techniques
  Create Local Account: Admin account creation requires admin rights, which limits the blast radius
  Pass the Hash: Credential Guard and Restricted Admin mode reduce PtH effectiveness
  Domain Policy Modification: Restricting admin rights limits policy tampering

Detection Rules in This Repo
  rules/e8-05-restrict-admin/e8_05_new_local_admin_account.yml
  rules/e8-05-restrict-admin/e8_05_pass_the_hash_ntlm_lateral_movement.yml

E8-06 Patch Operating Systems
3 techniques mapped

Maturity Levels
  ML1: Patches within 1 month; critical within 48h for internet-facing systems
  ML2: Patches within 2 weeks; critical within 48h on all systems; no unsupported OS
  ML3: Patches within 1 week; automated; all systems current

Mitigated ATT&CK Techniques
  Exploitation for Privilege Escalation: Patched OS closes local privilege escalation CVEs
  Access Token Manipulation: Many token abuse techniques depend on unpatched kernel features
  Exploitation of Remote Services: Network-reachable OS vulnerabilities are closed by patching

Detection Rules in This Repo
  rules/e8-06-patch-os/e8_06_privilege_escalation_token_impersonation.yml

E8-07 Multi-Factor Authentication
3 techniques mapped

Maturity Levels
  ML1: MFA for remote access and privileged accounts
  ML2: MFA for all internet-facing services and privileged accounts
  ML3: Phishing-resistant MFA (FIDO2/CBA) for all; no SMS

Mitigated ATT&CK Techniques
  Multi-Factor Authentication Request Generation: MFA fatigue attacks exploit push-based MFA weaknesses
  Steal Web Session Cookie: AiTM phishing proxies bypass MFA via token theft
  Valid Accounts: Stolen credentials alone cannot authenticate without MFA

Detection Rules in This Repo
  rules/e8-07-mfa/e8_07_mfa_fatigue_multiple_push_denied.yml

E8-08 Regular Backups
3 techniques mapped

Maturity Levels
  ML1: Backups performed and stored; restoration tested
  ML2: Backups not accessible from production; tested quarterly
  ML3: Backups offline or immutable; tested every 12 months with incident response

Mitigated ATT&CK Techniques
  Inhibit System Recovery: Immutable/offline backups survive VSS deletion attempts
  Data Encrypted for Impact (Ransomware): Recent backups enable recovery without paying a ransom
  Data Destruction: Backups provide a recovery path for destructive attacks

Detection Rules in This Repo
  rules/e8-08-backups/e8_08_shadow_copy_deletion.yml