What You'll Learn
- Open and navigate the MITRE ATT&CK Navigator
- Analyze an APT29 attack report and extract 15 TTPs
- Map techniques to the ATT&CK Enterprise matrix
- Color-code techniques by detection capability (green / yellow / red)
- Export a Navigator layer and write a 1-page gap analysis
Lab Overview
| Detail | Value |
|---|---|
| Lab Profile | Browser-Only |
| Tool | MITRE ATT&CK Navigator |
| Estimated Time | 45–60 minutes |
| Difficulty | Beginner |
| Browser Access | Opens external tool in a new tab |
| Pre-Loaded Data | APT29 attack report provided below |
| Deliverable | Exported Navigator JSON layer + gap analysis |
No Cloud Lab Required. This is a browser-only exercise — you'll work entirely in the free MITRE ATT&CK Navigator web app. There's nothing to start or wait for. Click the link in Part 1 and you're in.
Part 1: Open the ATT&CK Navigator
The ATT&CK Navigator is a free web tool from MITRE that lets you visualize, annotate, and color-code the ATT&CK matrix. SOC teams use it to map threat intelligence to their detection coverage.
Step 1: Launch the Navigator
Open the MITRE ATT&CK Navigator in a new tab:
https://mitre-attack.github.io/attack-navigator/
Once it loads, click "Create New Layer" and select "Enterprise". This gives you the full ATT&CK Enterprise matrix — the same matrix used by SOC teams, red teams, and threat intel analysts worldwide.
Step 2: Name Your Layer
At the top of the Navigator, find the layer tab (it will say something like "layer"). Click it and rename it to:
APT29 Detection Coverage
Take a moment to orient yourself. Each column is a tactic (Initial Access, Execution, Persistence, etc.) and each cell is a technique. You can scroll horizontally to see all 14 tactics. Sub-techniques are hidden by default — click the small arrow on a technique to expand them.
Navigator Shortcuts. Use the search bar (magnifying glass icon) to jump directly to a technique by ID or name. Use Ctrl+click to select multiple techniques. The color palette and scoring features are in the toolbar at the top.
Part 2: Read the Attack Report
Below is a simplified but realistic intelligence report describing an APT29 campaign. APT29 (also known as Cozy Bear) is a Russian state-sponsored threat group attributed to the SVR. They are known for sophisticated, long-duration intrusions targeting government, healthcare, and technology sectors.
Read the entire report carefully. Your goal is to identify every technique used, find its ATT&CK ID, and add it to your tracking table.
Intelligence Report — "Operation Midnight Eclipse"
Classification: TLP:GREEN — May be shared within the cybersecurity community
Date: January 2026
Attribution: APT29 / Cozy Bear (High Confidence)
Target: European government ministry responsible for energy policy
Executive Summary. In late January 2026, APT29 conducted a targeted intrusion against a European government ministry. The campaign began with spearphishing emails sent to three senior policy advisors. The emails contained Word documents with embedded macros that, when enabled, executed a PowerShell downloader. The operation progressed through credential theft, lateral movement, and ultimately data exfiltration over a 72-hour window before detection.
Initial Compromise. The attack began with spearphishing emails containing malicious attachments (T1566.001). The Word documents were themed as "EU Energy Policy Draft — Urgent Review Required." When recipients enabled macros, the embedded VBA code launched a PowerShell (T1059.001) script that downloaded a second-stage payload from a compromised WordPress site.
Establishing Foothold. The PowerShell script also used Windows Management Instrumentation (WMI) (T1047) to execute commands remotely on the infected host, querying system information and establishing persistence. Two persistence mechanisms were deployed: a scheduled task (T1053.005) configured to run the payload every 4 hours, and a Registry Run Key (T1547.001) to survive reboots.
Evading Detection. The second-stage payload was heavily obfuscated (T1027) — variable names were randomized, strings were Base64-encoded, and control flow was flattened. To execute in-memory without touching disk, the attacker used DLL injection (T1055.001) to inject their code into a legitimate svchost.exe process.
Credential Theft. Once established, the attacker used a modified version of Mimikatz to dump credentials from LSASS memory (T1003.001). This yielded domain administrator credentials, which opened access to the entire internal network.
Reconnaissance and Lateral Movement. Using the stolen credentials, the attacker performed domain account discovery (T1087.002) to identify high-value targets and system network configuration discovery (T1016) to map the internal network topology. They moved laterally using SMB/Windows Admin Shares (T1021.002), accessing file servers containing classified energy policy documents.
Data Collection and Exfiltration. The attacker archived collected data (T1560.001) into password-protected ZIP files. Command and control was maintained over HTTPS web protocols (T1071.001), blending with normal web traffic. Additional tools were brought in via ingress tool transfer (T1105). Finally, the archived data was exfiltrated over the existing C2 channel (T1041), totaling approximately 4.7 GB of documents over 48 hours.
Detection Timeline. The intrusion was detected 72 hours after initial access when the ministry's EDR flagged an anomalous svchost.exe process making outbound HTTPS connections to a known-bad IP address.
This Report Is Fictional. "Operation Midnight Eclipse" is a training scenario designed for this lab. However, every technique used is a real APT29 TTP documented by MITRE, Mandiant, and CrowdStrike in public threat intelligence reports.
Step 3: Build Your TTP Tracking Table
As you read the report, extract each technique into this table. You should find 15 techniques across 8 tactics:
| # | Tactic | Technique | ATT&CK ID | Report Section |
|---|---|---|---|---|
| 1 | Initial Access | Spearphishing Attachment | T1566.001 | Initial Compromise |
| 2 | Execution | PowerShell | T1059.001 | Initial Compromise |
| 3 | Execution | Windows Management Instrumentation | T1047 | Establishing Foothold |
| 4 | Persistence | Scheduled Task | T1053.005 | Establishing Foothold |
| 5 | Persistence | Registry Run Keys | T1547.001 | Establishing Foothold |
| 6 | Defense Evasion | Obfuscated Files or Information | T1027 | Evading Detection |
| 7 | Defense Evasion | Process Injection: DLL Injection | T1055.001 | Evading Detection |
| 8 | Credential Access | OS Credential Dumping: LSASS Memory | T1003.001 | Credential Theft |
| 9 | Discovery | Domain Account Discovery | T1087.002 | Recon & Lateral Movement |
| 10 | Discovery | System Network Config Discovery | T1016 | Recon & Lateral Movement |
| 11 | Lateral Movement | SMB/Windows Admin Shares | T1021.002 | Recon & Lateral Movement |
| 12 | Collection | Archive Collected Data | T1560.001 | Data Collection & Exfil |
| 13 | Command and Control | Web Protocols | T1071.001 | Data Collection & Exfil |
| 14 | Command and Control | Ingress Tool Transfer | T1105 | Data Collection & Exfil |
| 15 | Exfiltration | Exfiltration Over C2 Channel | T1041 | Data Collection & Exfil |
Why 15? Real threat intelligence reports often contain dozens of techniques, but for your first mapping exercise we're keeping it focused. Once you're comfortable mapping 15, scaling to 50+ is just more of the same process.
Part 3: Map and Color-Code in the Navigator
Now comes the core skill: translating written intelligence into a visual ATT&CK layer. This is exactly what threat intelligence analysts do when a new campaign report drops.
Step 4: Select Each Technique
For each of the 15 techniques in your tracking table:
- Use the search bar (magnifying glass) in the Navigator toolbar
- Type the technique ID (e.g., T1566.001)
- Click the technique in the search results to highlight it
- The technique cell will become selected (highlighted with a border)
Repeat for all 15 techniques. When done, you should see 15 cells highlighted across the matrix.
Step 5: Apply Detection-Based Color Coding
This is where you connect Lab 1.1 to Lab 1.2. Based on what you learned about Wazuh's capabilities, color-code each technique using this scheme:
| Color | Score | Meaning | Criteria |
|---|---|---|---|
| Green (#00ff00) | 3 | Detected — Wazuh has a rule that fires for this | You saw this alert type in Lab 1.1 |
| Yellow (#ffff00) | 2 | Partial — Wazuh can detect if properly configured | Requires specific log sources or custom rules |
| Red (#ff0000) | 1 | Gap — Wazuh cannot detect this without additional tools | Needs EDR, network monitoring, or other tooling |
To apply colors in the Navigator:
- Click a technique to select it
- In the right-side panel, find the "score" field
- Enter the score (1, 2, or 3)
- In the technique controls, set the background color to match the scheme above
Step 6: Complete the Detection Assessment Table
For each technique, assess detection capability and fill in this table:
| # | Technique (ID) | Color | Detection Rationale | Evidence from Lab 1.1 |
|---|---|---|---|---|
| 1 | Spearphishing Attachment (T1566.001) | Yellow | Wazuh can detect if email logs are forwarded | Not seen in Lab 1.1 alerts |
| 2 | PowerShell (T1059.001) | Yellow | Requires PowerShell script block logging (Event ID 4104) | Partial — depends on agent config |
| 3 | WMI (T1047) | Yellow | Detectable with Sysmon + Wazuh rules | Not default detection |
| 4 | Scheduled Task (T1053.005) | Green | Wazuh detects new scheduled tasks | Similar to "new service" alerts in Lab 1.1 |
| 5 | Registry Run Keys (T1547.001) | Green | Wazuh FIM monitors registry changes | File integrity alerts in Lab 1.1 |
| 6 | Obfuscated Files (T1027) | Red | Requires YARA or deep content inspection | Beyond Wazuh default rules |
| 7 | DLL Injection (T1055.001) | Red | Requires EDR with memory analysis | No Wazuh coverage |
| 8 | LSASS Dump (T1003.001) | Red | Requires EDR (Credential Guard, Sysmon Event ID 10 process-access logging) | No Wazuh coverage |
| 9 | Domain Account Discovery (T1087.002) | Green | Wazuh logs Windows Security events (4661, 4662) | Auth events in Lab 1.1 |
| 10 | Network Config Discovery (T1016) | Yellow | Requires command-line audit logging | Not default detection |
| 11 | SMB Admin Shares (T1021.002) | Yellow | Detectable via Windows logon events (4624 type 3) | Related to auth alerts in Lab 1.1 |
| 12 | Archive Data (T1560.001) | Red | Requires endpoint monitoring for compression tools | No Wazuh coverage |
| 13 | Web Protocols C2 (T1071.001) | Red | Requires network monitoring (Suricata/Zeek) | No Wazuh network capability |
| 14 | Ingress Tool Transfer (T1105) | Red | Requires network monitoring or EDR | No Wazuh coverage |
| 15 | Exfil Over C2 (T1041) | Red | Requires network traffic analysis | No Wazuh coverage |
Summary: 3 Green, 5 Yellow, 7 Red — Wazuh alone covers only 20% of this APT29 campaign with high confidence.
This Is Normal. No single tool covers every technique. The purpose of ATT&CK mapping isn't to achieve 100% green — it's to identify the gaps so you know what to build next. In the coming modules, you'll add Suricata (network), YARA (file analysis), and Velociraptor (endpoint forensics) to close these exact gaps.
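The following script is an added example, not part of this lab or of the MITRE Navigator project. It turns the Detection Assessment Table above into a Navigator layer programmatically (the same shape Step 7 exports by hand), applying the score-to-color scheme from Step 5, and then computes the 3 / 5 / 7 summary and a per-tactic breakdown that feeds the gap analysis. The layer field names (techniqueID, tactic, score, color, comment) follow the Navigator layer format; the version strings in VERSIONS are assumptions and should be set to whatever your Navigator instance reports.

```python
"""Build an ATT&CK Navigator layer for the APT29 assessment and summarize coverage.

Added example, not part of the lab or the Navigator project. Field names follow
the Navigator layer JSON format; the values in VERSIONS are assumptions and
should match the Navigator build you export from.
"""
import json
from collections import Counter, defaultdict

# Score -> hex color, from the lab's detection scheme (green / yellow / red).
SCORE_COLOR = {3: "#00ff00", 2: "#ffff00", 1: "#ff0000"}
SCORE_LABEL = {3: "Detected", 2: "Partial", 1: "Gap"}

# Assumed version strings; adjust to the Navigator instance you use.
VERSIONS = {"attack": "16", "navigator": "5.1.0", "layer": "4.5"}

# (technique ID, tactic shortname, score, rationale) from the assessment table.
ASSESSMENTS = [
    ("T1566.001", "initial-access", 2, "Needs forwarded email logs"),
    ("T1059.001", "execution", 2, "Needs script block logging (4104)"),
    ("T1047", "execution", 2, "Needs Sysmon + custom rules"),
    ("T1053.005", "persistence", 3, "New scheduled task alerts"),
    ("T1547.001", "persistence", 3, "FIM on Run keys"),
    ("T1027", "defense-evasion", 1, "Needs YARA / content inspection"),
    ("T1055.001", "defense-evasion", 1, "Needs EDR memory analysis"),
    ("T1003.001", "credential-access", 1, "Needs EDR / Sysmon event 10"),
    ("T1087.002", "discovery", 3, "Security events 4661/4662"),
    ("T1016", "discovery", 2, "Needs command-line auditing"),
    ("T1021.002", "lateral-movement", 2, "Logon type 3 events (4624)"),
    ("T1560.001", "collection", 1, "Needs compression-tool monitoring"),
    ("T1071.001", "command-and-control", 1, "Needs Suricata/Zeek"),
    ("T1105", "command-and-control", 1, "Needs network monitoring or EDR"),
    ("T1041", "exfiltration", 1, "Needs network traffic analysis"),
]


def build_layer(name, assessments, versions=VERSIONS):
    """Return a Navigator layer dict with one colored, scored entry per technique."""
    techniques = [
        {
            "techniqueID": tid,
            "tactic": tactic,
            "score": score,
            "color": SCORE_COLOR[score],
            "comment": f"{SCORE_LABEL[score]}: {why}",
            "enabled": True,
        }
        for tid, tactic, score, why in assessments
    ]
    return {
        "name": name,
        "versions": versions,
        "domain": "enterprise-attack",
        "description": "Wazuh detection coverage for the Operation Midnight Eclipse TTPs",
        "techniques": techniques,
        # Legend entries so the exported layer explains its own colors.
        "legendItems": [
            {"label": f"{SCORE_LABEL[s]} (score {s})", "color": c}
            for s, c in sorted(SCORE_COLOR.items(), reverse=True)
        ],
    }


def coverage_summary(assessments):
    """Count techniques per color and the high-confidence (green) share in percent."""
    counts = Counter(score for _, _, score, _ in assessments)
    total = len(assessments)
    return {
        "green": counts[3],
        "yellow": counts[2],
        "red": counts[1],
        "total": total,
        "high_confidence_pct": round(100 * counts[3] / total),
    }


def coverage_by_tactic(assessments):
    """Map each tactic to the scores of its techniques, so per-stage gaps are visible."""
    by_tactic = defaultdict(list)
    for _, tactic, score, _ in assessments:
        by_tactic[tactic].append(score)
    return dict(by_tactic)


def write_layer(path, layer):
    """Write the layer as JSON, ready to load with Navigator's 'Open Existing Layer'."""
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(layer, fh, indent=2)


if __name__ == "__main__":
    layer = build_layer("APT29 Detection Coverage", ASSESSMENTS)
    write_layer("apt29-detection-coverage.json", layer)
    print(coverage_summary(ASSESSMENTS))
    for tactic, scores in coverage_by_tactic(ASSESSMENTS).items():
        print(f"{tactic:22s} {scores}")
```

Run it and load the resulting file into Navigator; the cells should match the layer you built by hand in Steps 4 and 5. The per-tactic output is a quick way to answer Questions 1 and 2 of the gap analysis: tactics whose score lists contain only 1s are the stages Wazuh alone cannot see.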
Part 4: Export and Analyze
Step 7: Export Your Navigator Layer
- In the Navigator toolbar, click the download icon (or go to the layer tab menu)
- Select "Download Layer as JSON"
- Save the file as apt29-detection-coverage.json
This JSON file is your deliverable — it contains every technique you mapped, your color-coding, and scores. In a real SOC, these layers get shared across the team and updated as detection coverage improves.
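Before sharing the exported file, it is worth checking it mechanically. The script below is an added example, not part of this lab or of the Navigator project: it loads a layer JSON and reports anything that would make the deliverable wrong, such as a malformed technique ID, a score outside 1 to 3, or a cell color that disagrees with the score-to-color scheme from Step 5. The embedded SAMPLE_LAYER is constructed for this example, with two deliberate defects, so the checker has something to find; the layer field names it reads are the ones Navigator exports.

```python
"""Sanity-check an exported ATT&CK Navigator layer before submitting it.

Added example, not part of the lab or the Navigator project. The sample layer
at the bottom is constructed, with deliberate defects, to exercise the checks.
"""
import json
import re

EXPECTED_COUNT = 15  # distinct technique IDs the lab expects in the layer
SCORE_COLOR = {3: "#00ff00", 2: "#ffff00", 1: "#ff0000"}
TECHNIQUE_ID = re.compile(r"^T\d{4}(\.\d{3})?$")


def check_layer(layer, expected_ids=None):
    """Return a list of findings; an empty list means the layer passes."""
    findings = []
    if layer.get("domain") != "enterprise-attack":
        findings.append(f"domain is {layer.get('domain')!r}, expected 'enterprise-attack'")

    distinct = set()   # technique IDs seen (a technique may appear once per tactic)
    placed = set()     # (technique ID, tactic) pairs, which must not repeat
    for entry in layer.get("techniques", []):
        tid = entry.get("techniqueID", "")
        if not TECHNIQUE_ID.match(tid):
            findings.append(f"{tid!r} is not a valid ATT&CK technique ID")
            continue
        key = (tid, entry.get("tactic"))
        if key in placed:
            findings.append(f"{tid} listed twice under tactic {key[1]!r}")
        placed.add(key)
        distinct.add(tid)

        score = entry.get("score")
        if score not in SCORE_COLOR:
            findings.append(f"{tid}: score {score!r} not in 1-3")
            continue
        color = (entry.get("color") or "").lower()
        if color != SCORE_COLOR[score]:
            findings.append(
                f"{tid}: color {color!r} does not match score {score} ({SCORE_COLOR[score]})"
            )

    if len(distinct) != EXPECTED_COUNT:
        findings.append(f"{len(distinct)} distinct techniques present, expected {EXPECTED_COUNT}")
    if expected_ids is not None:
        missing = sorted(set(expected_ids) - distinct)
        if missing:
            findings.append("missing techniques: " + ", ".join(missing))
    return findings


def check_layer_file(path, expected_ids=None):
    """Load a layer exported from Navigator and check it."""
    with open(path, encoding="utf-8") as fh:
        return check_layer(json.load(fh), expected_ids)


# Constructed sample: three entries, one mis-colored, one with a bad ID, and
# far fewer than the 15 techniques the lab requires.
SAMPLE_LAYER = json.loads("""
{
  "name": "APT29 Detection Coverage",
  "domain": "enterprise-attack",
  "techniques": [
    {"techniqueID": "T1566.001", "tactic": "initial-access", "score": 2, "color": "#ffff00"},
    {"techniqueID": "T1003.001", "tactic": "credential-access", "score": 1, "color": "#00ff00"},
    {"techniqueID": "T10530.005", "tactic": "persistence", "score": 3, "color": "#00ff00"}
  ]
}
""")

if __name__ == "__main__":
    for line in check_layer(SAMPLE_LAYER) or ["layer OK"]:
        print(line)
```

Point check_layer_file at your own apt29-detection-coverage.json, passing the 15 IDs from the tracking table as expected_ids, and fix anything it reports before you hand the file in. Note that Navigator writes one entry per tactic when a technique sits under several tactics, which is why the count is over distinct IDs rather than entries.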
Step 8: Write Your Gap Analysis
Using your Detection Assessment Table, write a brief (1-page) analysis answering these three questions:
Question 1: Which tactics have the strongest detection coverage?
Look at your green and yellow techniques. Which parts of the kill chain does Wazuh handle well? Think about what those tactics have in common.
Question 2: Where are the biggest gaps?
Look at your red techniques. Notice a pattern? Which stages of the attack are hardest to detect with Wazuh alone? What do those stages require that Wazuh doesn't provide?
Question 3: What tools would close the top 3 gaps?
For the three most critical detection gaps, recommend a specific tool or capability:
| Gap | Recommended Tool | Why |
|---|---|---|
| Memory-based attacks (DLL injection, LSASS dump) | EDR (Velociraptor, CrowdStrike, Elastic Agent) | Monitors process behavior, memory access, and API calls |
| Network C2 / Exfiltration | Network IDS (Suricata, Zeek) | Inspects network traffic for malicious patterns and anomalies |
| Obfuscated payloads | File Analysis (YARA rules, sandboxing) | Scans file contents against known malware signatures and behaviors |
Connecting the Roadmap. These three tool recommendations map directly to your upcoming modules: Suricata in Module 3, YARA in Module 4, and Velociraptor in Module 5. You've just created your own learning roadmap based on real detection gaps.
Deliverables Checklist
Before marking this lab complete, verify you have:
- TTP Tracking Table — All 15 techniques identified with ATT&CK IDs and report sections
- Navigator Layer — 15 techniques selected, color-coded (green/yellow/red), and scored
- Detection Assessment Table — Each technique assessed with rationale and Lab 1.1 evidence
- Exported JSON — Navigator layer saved as apt29-detection-coverage.json
- Gap Analysis — 1-page writeup answering the 3 analysis questions with tool recommendations
Key Takeaways
- The ATT&CK Navigator is the standard tool for visualizing threat coverage across the MITRE matrix
- Mapping intelligence reports to ATT&CK turns narrative descriptions into structured, actionable data
- Color-coding by detection capability reveals where your security stack has blind spots
- Wazuh provides strong host-based detection but has gaps in memory analysis, network monitoring, and file content inspection
- A layered defense strategy requires multiple tools — no single SIEM covers every technique
- Gap analysis drives security investment decisions: the biggest red areas should be your next priority
What's Next
In Lab 1.3 — Log Source Identification, you'll shift from "what can we detect?" to "what data do we need?" You'll catalog every log source in a simulated enterprise network, map each source to the ATT&CK techniques it can support, and build a Log Source Matrix that becomes the foundation for your detection engineering work in Module 2.
Lab Challenge: ATT&CK Mapping
10 questions · 70% to pass
How many total ATT&CK techniques did you extract from the APT29 'Operation Midnight Eclipse' report?
In the APT29 report, what ATT&CK technique describes the initial compromise method — malicious Word documents sent via email?
After completing your color-coded detection assessment, how many techniques were marked Red (Gap — Wazuh cannot detect without additional tools)?
How many techniques were marked Green (Detected — Wazuh has a rule that covers this)?
What technique did APT29 use to steal domain administrator credentials from memory?
APT29 injected their payload into a legitimate Windows process to evade detection. Which process did they target, and what technique ID is this?
In your gap analysis, what tool category did you recommend to close the gap for memory-based attacks like DLL injection and LSASS credential dumping?
How long did the APT29 intrusion last before detection, and what triggered the discovery?
APT29 used two different persistence mechanisms. What are they?
How much data did APT29 exfiltrate, and what technique did they use for C2 communication to blend with normal traffic?