Phase 3·TA0002+TA0005+TA0003·Advanced

End-to-End ATT&CK Chain Correlation

Stitch multiple weak signals into one high-confidence chain alert.

#Wazuh #Correlation #ATT&CK

Detection Objective

Correlate Initial Access → Execution → Defense Evasion → Persistence on the same agent within one time window (600 s in the rule concept below), so that the parent alert fires only when all links of the chain have been observed on one host.

Real-World Attack Scenario

Phish → Office spawns PowerShell → AMSI bypass → Run key persistence — all within 10 minutes.

Why This Detection Matters

Each signal on its own is noisy: Office spawning PowerShell, an encoded command and a Run-key write all occur in legitimate admin work. The same three on one host within ten minutes are rarely benign, so chaining turns three low-confidence alerts into one high-confidence alert.

ATT&CK Mapping

TA0002 Execution + TA0005 Defense Evasion + TA0003 Persistence · Multi
Tactic: Multi (the phishing step itself is Initial Access, TA0001; the correlation starts at its first on-host effect, Office spawning PowerShell)

Required Telemetry

  • Wazuh rule correlation across decoders
Windows Event IDs
4104 (PowerShell script block logging), 4698 (scheduled task created)
Sysmon Event IDs
1 (process creation), 3 (network connection), 11 (file created), 13 (registry value set; the Run-key write is the persistence signal)
Wazuh Log Source
All

Setup Steps

  1. Define Wazuh correlation rules with frequency/timeframe: one parent rule that fires only when the child rules (Office spawns PowerShell, encoded command, persistence write) have all matched on the same agent inside the timeframe. Keep the child rules' own levels low so that only the parent alert pages anyone.

Safe Validation Command

Run the Phase 1 + 2 lab validators sequentially on the same agent, inside the 600 s window: encodedcommand-abuse → office-spawns-powershell → powershell-persistence. Running them on different hosts or more than ten minutes apart must not produce the parent alert.
⚠ lab use only · this project does not execute real malware

Expected Log Output

Wazuh emits a parent correlated alert (rule 100723 in the evidence below) referencing the child rule IDs that satisfied the chain.

Detection Logic (Wazuh rule concept)

If the set of child rule IDs matched on the same agent within 600s ⊇ {office_powershell, encoded_command, persistence_write} → parent alert at level 13. The test is set-based: the children may arrive in any order, and a child older than 600s relative to the newest one no longer counts.
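The rule concept above in runnable form, as an added example (not Wazuh's rule engine and not this project's code): a small Python correlator that replays constructed child alerts, keeps a per-agent sliding window and emits a parent alert once all three child rule IDs land on the same agent within 600 s. The symbolic child rule names, the parent rule ID 100723 and level 13 come from this page; the sample alerts, their field names and the change-window allowlist (the tuning recommendation on this page, applied here as "report but mark suppressed") are assumptions. In a Wazuh deployment the equivalent is expressed with `if_matched_sid`, `frequency` and `timeframe` on a parent rule; the code models the logic, not that syntax.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Chain definition taken from the rule concept on this page.
CHAIN = frozenset({"office_powershell", "encoded_command", "persistence_write"})
WINDOW = timedelta(seconds=600)
PARENT_RULE_ID = 100723   # parent rule id shown in the log-evidence section
PARENT_LEVEL = 13         # level the parent alert carries

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_ts(text):
    """Parse the ISO-8601 'Z' timestamps used on this page into aware UTC datetimes."""
    return datetime.strptime(text, TS_FMT).replace(tzinfo=timezone.utc)


def correlate(alerts, change_windows=(), chain=CHAIN, window=WINDOW):
    """Stitch child alerts into parent chain alerts.

    alerts: dicts with at least rule_id, agent and timestamp. Children whose
    rule_id is not part of the chain are ignored. Before the set test, evidence
    older than `window` relative to the newest event on that agent is expired,
    so the whole chain has to fit inside one 600 s span. Children may arrive in
    any order (the page's logic is set based).
    change_windows: (start, end) aware-datetime pairs; a chain completing inside
    one is reported with status "suppressed" instead of "fired" (assumed way of
    applying the allowlist-window tuning; the evidence is still returned).
    """
    buffers = defaultdict(deque)   # agent -> deque of (ts, alert), oldest first
    parents = []
    for alert in sorted(alerts, key=lambda a: parse_ts(a["timestamp"])):
        if alert["rule_id"] not in chain:
            continue
        ts = parse_ts(alert["timestamp"])
        buf = buffers[alert["agent"]]
        buf.append((ts, alert))
        while buf and ts - buf[0][0] > window:   # drop evidence outside the window
            buf.popleft()
        seen = {a["rule_id"] for _, a in buf}
        if not chain <= seen:
            continue
        in_change_window = any(start <= ts <= end for start, end in change_windows)
        parents.append({
            "rule_id": PARENT_RULE_ID,
            "level": PARENT_LEVEL,
            "status": "suppressed" if in_change_window else "fired",
            "agent": alert["agent"],
            "first_seen": buf[0][0].strftime(TS_FMT),
            "last_seen": ts.strftime(TS_FMT),
            "child_rule_ids": sorted(seen),
            "child_evidence": [a for _, a in buf],   # what the analyst opens in triage
        })
        buf.clear()   # evidence consumed; a later stray child must build a new chain
    return parents


# Constructed sample child alerts (not real Wazuh output), modelled on the lab
# host WIN10-LAB-01 and user CORP\j.doe from the evidence section of this page.
def _child(rule_id, agent, ts, eid):
    return {"rule_id": rule_id, "agent": agent, "timestamp": ts,
            "user": "CORP\\j.doe", "event_id": eid}


SAMPLE_ALERTS = [
    # 1. full chain on one host inside 10 minutes -> fires
    _child("office_powershell", "WIN10-LAB-01", "2026-05-26T14:32:11Z", "Sysmon 1"),
    _child("encoded_command",   "WIN10-LAB-01", "2026-05-26T14:33:05Z", "4104"),
    _child("network_connect",   "WIN10-LAB-01", "2026-05-26T14:33:40Z", "Sysmon 3"),  # not in chain
    _child("persistence_write", "WIN10-LAB-01", "2026-05-26T14:39:50Z", "Sysmon 13"),
    # 2. same three rules split across two agents -> no chain
    _child("office_powershell", "WIN10-LAB-02", "2026-05-26T15:00:00Z", "Sysmon 1"),
    _child("encoded_command",   "WIN10-LAB-02", "2026-05-26T15:01:00Z", "4104"),
    _child("persistence_write", "WIN10-LAB-03", "2026-05-26T15:02:00Z", "Sysmon 13"),
    # 3. chain whose first link is 660 s before the last -> first link expired, no chain
    _child("office_powershell", "WIN10-LAB-04", "2026-05-26T16:00:00Z", "Sysmon 1"),
    _child("encoded_command",   "WIN10-LAB-04", "2026-05-26T16:05:00Z", "4104"),
    _child("persistence_write", "WIN10-LAB-04", "2026-05-26T16:11:00Z", "Sysmon 13"),
    # 4. full chain during an approved change window -> reported as suppressed
    _child("office_powershell", "WIN10-LAB-05", "2026-05-26T22:10:00Z", "Sysmon 1"),
    _child("encoded_command",   "WIN10-LAB-05", "2026-05-26T22:12:00Z", "4104"),
    _child("persistence_write", "WIN10-LAB-05", "2026-05-26T22:15:00Z", "Sysmon 13"),
]

# Constructed allowlist: one approved change window on the lab day.
CHANGE_WINDOWS = [(parse_ts("2026-05-26T22:00:00Z"), parse_ts("2026-05-26T23:00:00Z"))]

if __name__ == "__main__":
    for p in correlate(SAMPLE_ALERTS, CHANGE_WINDOWS):
        print(f'{p["status"]:10} rule {p["rule_id"]} level {p["level"]} on {p["agent"]} '
              f'{p["first_seen"]} -> {p["last_seen"]} children={p["child_rule_ids"]}')
```

Of the four constructed cases only the first produces a fired parent; the split-agent and expired-window cases produce nothing, which is the property the safe-validation step asks you to confirm, and the change-window case is returned but marked suppressed so the child evidence is not lost.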

False Positives

  • Major IT change windows (mass deployments that legitimately chain scripted installs with Run-key writes on many hosts at once)

Tuning Recommendations

  • Schedule allowlist windows: suppress or downgrade the parent alert during approved change windows, but keep the child alerts so the evidence survives for later review.

Analyst Triage Notes

  • Open the correlated alert; review child evidence (each child alert's process lineage, command line, user and timestamp) and confirm all three occurred on the same agent inside the window.

Detection Improvement Ideas

  • Auto-isolate host via Wazuh active response, triggered only by the level 13 parent alert, never by a single child alert.

log analysis layer

Detection is not complete until the logs prove what happened. The sections below show the telemetry produced by the validation above, how to read it like an analyst, and why this pattern matters.

siem · log evidence
rule: 100723
name: End-to-End ATT&CK Chain Correlation
log source: All
Event ID: Sysmon EID 1
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent: C:\Windows\explorer.exe
CommandLine: Run encodedcommand-abuse → office-spawns-powershell → powershell-persistence validators.
User: CORP\j.doe
Agent: WIN10-LAB-01
Timestamp: 2026-05-26T14:32:11Z
analyst note: Open the correlated alert; review child evidence.

Parent → Child Analysis

explorer.exe → powershell.exe: review whether this lineage is expected for WIN10-LAB-01 and user CORP\j.doe. In this lab record the parent is explorer.exe because the validators were launched interactively by the user, so the lineage is expected here. In the real chain the parent of interest is the Office process, which the office-spawns-powershell child rule records; check that child alert for the Office → PowerShell lineage rather than this one.

Command-Line Flags Observed

  • (no high-risk flags in this test)
    Signal value comes from context (parent, network, persistence) rather than flags.

Parsed Fields the Analyst Reads

  • Image: process binary that executed — confirms PowerShell.
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  • ParentImage: who launched it — context for legitimacy.
    C:\Windows\explorer.exe
  • CommandLine: arguments — where attacker intent shows up.
    Run encodedcommand-abuse → office-spawns-powershell → powershell-persistence validators.
  • User: account context — service vs interactive vs SYSTEM.
    CORP\j.doe
  • EventID: telemetry channel and event type.
    Sysmon EID 1
  • Wazuh Rule ID: rule that matched and produced this alert.
    100723
  • Agent: endpoint that produced the telemetry.
    WIN10-LAB-01
  • Timestamp: when it happened — anchor for correlation.
    2026-05-26T14:32:11Z

Malicious Pattern

pattern
End-to-End ATT&CK Chain Correlation
description
Phish → Office spawns PowerShell → AMSI bypass → Run key persistence — all within 10 minutes.
analyst takeaway
Single noisy signals become precise when chained. Treat this signal as higher-risk when combined with suspicious parents, hidden windows, download cradles, or unusual user context.

proof the detection worked

test command
Run encodedcommand-abuse → office-spawns-powershell → powershell-persistence validators.
expected event
Sysmon EID 1 on WIN10-LAB-01 with Image=powershell.exe and the validation command above in CommandLine.
expected wazuh alert
Wazuh rule 100723 — "End-to-End ATT&CK Chain Correlation" fires at level 13, the severity given in the detection logic, and references the three child rule IDs.
confirming log fields
Image, ParentImage, CommandLine, User, EventID
analyst interpretation
The Sysmon EID 1 record above is one child of the chain; its parent process, user context and command-line arguments prove that child was observed. The parent alert 100723 proves the chain only when the child rule IDs it references (office_powershell, encoded_command, persistence_write) all carry the same agent and fall inside the 600 s window, so confirm those three before calling the detection validated.
conclusion
Detection succeeded: telemetry was captured, the rule matched, and the alert reached the analyst with enough context to triage.