This document provides a detailed analysis of current endpoint detection gaps across Windows, macOS, and Linux environments. It outlines missing coverage for critical attack techniques, including lateral movement, defense evasion, credential access, and persistence mechanisms, mapped directly to the MITRE ATT&CK framework.
While our current rule sets provide strong coverage for Active Directory attacks (DCShadow, DCSync, Certificate Services) and baseline Linux kernel security, we currently have zero coverage for LOLBINs, Kerberos attacks, reverse shells, and specific lateral movement frameworks. Immediate remediation is required.
Threat Detection Architecture Gaps
The following diagram illustrates where our current detection gaps align with the standard attack lifecycle:
Windows Detection Gaps
Current Status: 28 Active Rules | Identified Gaps: 25
Our Windows environment lacks critical visibility into native binary abuse (Living off the Land) and advanced credential theft. The gaps are categorized by priority based on real-world exploitation frequency.
Critical Priority
These represent the most frequently exploited attack techniques in enterprise Windows compromises. Deploying detections for these is the highest priority.
High Priority
Medium Priority
macOS & Linux Detection Gaps
Current Status: ~85 Active Rules | Identified Gaps: ~50
While our Linux rules cover auditd events, systemd, and package management well, we have significant blind spots regarding reverse shells, webshell activity, and macOS-specific persistence mechanisms.
macOS environments are increasingly targeted by infostealers and APTs. The lack of coverage for osascript abuse and Keychain dumping leaves developer endpoints highly vulnerable.
macOS-Specific Gaps
Linux Gaps (Highlights)
Capability Escalation (T1548): Missing detection for setcap cap_setuid on binaries, a common privilege escalation vector.
Ngrok Tunnel Communication (T1572, T1090): Lack of network connection monitoring for tunnel.*.ngrok.com, heavily abused for bypassing ingress firewalls.
Malware Callback Ports (T1571): No alerting on outbound connections to known C2 ports (e.g., 4444, 6789, 8531) targeting non-private IPs.
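The three Linux gaps above expressed as one small detector run over constructed network and process events, added here as an example and not taken from the document or from the SigmaHQ rules; the event field names and the cap_setuid+ep flag form are assumptions.

```python
import ipaddress
import re
from fnmatch import fnmatchcase

# Known malware callback ports from the gap analysis (T1571).
CALLBACK_PORTS = {4444, 6789, 8531}
# Ngrok tunnel endpoint pattern from the gap analysis (T1572, T1090).
NGROK_PATTERN = "tunnel.*.ngrok.com"
# setcap granting cap_setuid to a binary (T1548), matched on the command line.
SETCAP_RE = re.compile(r"\bsetcap\b.*\bcap_setuid\b")

def is_public_ip(addr):
    """True when addr is a valid IP outside private/loopback/link-local space."""
    try:
        return not ipaddress.ip_address(addr).is_private
    except ValueError:
        return False  # unparseable value: treat as not public rather than raise

def evaluate(event):
    """Return [(technique, reason), ...] for one normalised event dict.
    Field names (type, dest_host, dest_ip, dest_port, cmdline) are assumed;
    map them from your own Sysmon/auditd schema before calling."""
    hits = []
    if event.get("type") == "network":
        host = (event.get("dest_host") or "").lower()
        if fnmatchcase(host, NGROK_PATTERN):
            hits.append(("T1572", f"ngrok tunnel endpoint {host}"))
        port, dest_ip = event.get("dest_port"), event.get("dest_ip", "")
        if port in CALLBACK_PORTS and is_public_ip(dest_ip):
            hits.append(("T1571", f"callback port {port} to public host {dest_ip}"))
    elif event.get("type") == "process":
        cmdline = event.get("cmdline", "")
        if SETCAP_RE.search(cmdline):
            hits.append(("T1548", f"cap_setuid granted via: {cmdline}"))
    return hits

# Constructed sample telemetry; the IPs and paths are placeholders, not real hosts.
SAMPLE_EVENTS = [
    {"id": 1, "type": "network", "dest_host": "tunnel.eu.ngrok.com", "dest_ip": "11.22.33.44", "dest_port": 443},
    {"id": 2, "type": "network", "dest_host": "", "dest_ip": "11.22.33.44", "dest_port": 4444},
    {"id": 3, "type": "network", "dest_host": "", "dest_ip": "10.0.0.7", "dest_port": 4444},  # internal: no alert
    {"id": 4, "type": "process", "cmdline": "setcap cap_setuid+ep /usr/local/bin/helper"},
    {"id": 5, "type": "process", "cmdline": "getcap -r /usr/bin"},  # benign enumeration
]

def run(events=SAMPLE_EVENTS):
    """Evaluate every event and return (event id, technique, reason) alerts."""
    return [(e["id"], t, r) for e in events for t, r in evaluate(e)]
```

Event 3 shows the non-private IP condition doing its job: the same port 4444 to an internal address produces no alert, which is where most of the false positives from this rule would otherwise come from.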
Remediation Workflow
To close these visibility gaps, follow this deployment pipeline for integrating the missing Sigma rules into your SIEM/EDR:
Pull the latest rules from the SigmaHQ repository corresponding to the gaps identified above. Focus first on the Critical Priority Windows rules.
Use sigma-cli to translate the YAML rules into your specific backend query language (e.g., Splunk SPL, Elastic KQL, CrowdStrike FQL).
sigma convert -t splunk -p sysmon rules/windows/builtin/security/win_security_kerberoasting_activity.yml
Deploy the translated queries in a staging environment. Run Atomic Red Team tests (e.g., Invoke-Kerberoast) to validate that the telemetry is being captured and the alert fires.
Analyze the staging alerts for false positives (especially for LOLBINs like certutil which may have legitimate administrative uses). Apply necessary exclusions before pushing to production.
Frequently Asked Questions
Living off the Land Binaries (LOLBINs) like certutil.exe and mshta.exe are already present on the OS and signed by Microsoft. Attackers use them to bypass application allowlisting (AppLocker) and evade traditional signature-based antivirus, making behavioral detection via SIEM/EDR essential.
Monitoring ProcessAccess (Sysmon Event ID 10) can be noisy and resource-intensive. It is recommended to filter out known good processes (like authorized backup software or EDR agents) at the endpoint level before forwarding the logs to the SIEM.
For Linux/macOS environments where developers legitimately use Ngrok, create an exclusion list based on the parent process (e.g., allowing Ngrok if spawned by a specific development IDE) or restrict Ngrok usage to a dedicated subnet.