// mitre att&ck mapping

Coverage matrix

Every lab maps to a primary ATT&CK technique, the data sources it relies on, the tactic phase it interrupts, and an assessment of detection difficulty and signal value.

Lab	ATT&CK	Tactic	Data Sources	Difficulty	Signal
Detecting PowerShell EncodedCommand Abuse Phase 1	T1059.001	Execution	Windows Security, Sysmon, PowerShell	Easy	High
Detecting Invoke-Expression (IEX) Misuse Phase 1	T1059.001	Execution	PowerShell, Sysmon	Easy	High
Detecting DownloadString / Invoke-WebRequest Staging Phase 1	T1059.001	Execution	PowerShell, Sysmon	Easy	High
Detecting Hidden-Window PowerShell Phase 1	T1059.001	Execution	Sysmon	Easy	Medium
Detecting -ExecutionPolicy Bypass Phase 1	T1059.001	Execution	Sysmon	Easy	Medium
Detecting Office Applications Spawning PowerShell Phase 1	T1059.001	Execution	Sysmon	Easy	High
PowerShell + Outbound Network Correlation Phase 2	T1059.001	Execution	Sysmon	Moderate	High
PowerShell + Persistence Indicator Correlation Phase 2	T1059.001	Execution	Sysmon, Windows Security	Moderate	High
Suspicious Parent/Child Process Relationships Phase 2	T1059.001	Execution	Sysmon	Moderate	Medium
Office → Script Interpreter Execution Chains Phase 2	T1059.001	Execution	Sysmon	Moderate	High
Detecting AMSI Bypass Attempts Phase 3	T1562.001	Defense Evasion	PowerShell	Advanced	High
Detecting .NET Reflection Loading in PowerShell Phase 3	T1620	Defense Evasion	PowerShell	Advanced	High
Memory-Only PowerShell Execution Phase 3	T1059.001	Execution	PowerShell	Advanced	High
Obfuscation Scoring of PowerShell Script Blocks Phase 3	T1027	Defense Evasion	PowerShell	Advanced	Medium
Entropy Analysis on Decoded PowerShell Payloads Phase 3	T1027	Defense Evasion	PowerShell	Advanced	Medium
End-to-End ATT&CK Chain Correlation Phase 3	TA0002+TA0005+TA0003	Multi	Wazuh	Advanced	High

Primary technique

T1059.001 — Command and Scripting Interpreter: PowerShell

Related techniques

T1027, T1562.001, T1620, T1547, T1053

Tactics interrupted

Execution, Defense Evasion, Persistence, Privilege Escalation