How to Read a MITRE ATT&CK Technique Page and Write a Detection Rule From It

Retool's new app builder is where AI-generated code ships safely
Building apps with AI is easy. Getting them to production safely is another story.
MITRE ATT&CK is the most comprehensive publicly available reference for adversary behavior, and most security teams know they should be using it for detection. The gap is that the technique pages are organized for threat intelligence analysts, not detection engineers: the information you need to write a rule is there, but it is not labeled 'use this for your SPL query.'
This guide maps each section of an ATT&CK technique page to its detection engineering equivalent, then applies that map to write a complete detection rule for T1053.005 (Scheduled Task/Job: Scheduled Task), one of the most commonly abused persistence techniques in ransomware and APT campaigns.
The ATT&CK Page Sections That Matter for Detection
An ATT&CK technique page has approximately 8 sections. Four are directly useful for detection rule writing.
Section 1: Description (read for behavior, not for rule logic) The description tells you what the attacker is doing and why. It is written in threat intel language, not detection language. Read it to understand the behavior, then translate: 'what observable event does this create on the endpoint or in a log?'
For T1053.005: 'Adversaries may abuse the Windows Task Scheduler to perform task scheduling for initial or recurring execution of malicious code.' The detection question becomes: what Windows events are generated when a scheduled task is created, modified, or executed?
Section 2: Sub-techniques (choose one to start) ATT&CK breaks broad techniques into sub-techniques for specificity. Detection rules should target sub-techniques, not parent techniques: the parent is too broad to produce useful queries. T1053 (Scheduled Task/Job) has five sub-techniques. T1053.005 (Windows Scheduled Task) is the most relevant for Windows environments.
Section 3: Procedure Examples (your ground truth for what real attacks look like) This is the most valuable detection engineering section. Procedure examples show specific tools, commands, and methods that real threat actors have used for this technique in confirmed campaigns. These are your tuning examples: they tell you what malicious execution looks like versus the benign equivalent.
For T1053.005, procedure examples include:
- APT29 using
schtasks /createwith randomized task names and encoded PowerShell commands - FIN7 creating scheduled tasks via
at.exe(legacy) - Ransomware groups creating tasks in
C:\Windows\System32\Taskswith executable paths pointing to%TEMP%
Section 4: Detection (your rule starting point) The Detection section explicitly recommends data sources and observable behaviors. It does not give you a complete SIEM query, but it identifies: what to collect, what fields to examine, and which values distinguish malicious from benign.
For T1053.005, the detection section recommends:
- Monitor Windows Event ID 4698 (a scheduled task was created)
- Examine the task XML for suspicious executable paths, encoded arguments, and unusual authors
- Monitor
C:\Windows\System32\TasksandC:\Windows\SysWOW64\Tasksfor new file creation
The Three-Question Translation
Once you have read the four relevant sections, translate the technique into detection rule components by answering three questions:
Question 1: What is the observable event? Not 'the attacker creates a scheduled task': the behavior you can detect as a data point. In log terms: what Event ID, what log file, what system call, what file modification?
For T1053.005: Windows Security Event ID 4698 (Scheduled task created), with the task XML in the event data.
Question 2: What data source captures it? Which log source must be enabled and forwarding to your SIEM for this detection to work?
For T1053.005: Windows Security audit log (requires 'Audit Other Object Access Events' policy to be enabled). File system monitoring on C:\Windows\System32\Tasks via Sysmon Event ID 11 (file created) as a supplementary source.
Question 3: What distinguishes malicious from benign? This is the tuning question. Hundreds of legitimate applications create scheduled tasks. Your rule needs to alert on malicious task creation without generating noise from software updaters, backup agents, and Windows itself.
For T1053.005, the distinguishing characteristics from real attacker campaigns:
- Task executable path in
%TEMP%,%APPDATA%,%PUBLIC%, orC:\Usersdirectories (benign tasks almost always run fromC:\Windows,C:\Program Files, orC:\Program Files (x86)) - Encoded base64 in the task command arguments
- Task author is
Noneor a non-standard string - Task created by a user account rather than SYSTEM or a software installer
- Randomized 8-16 character task name (attacker-generated names lack the product branding of legitimate task names)
Briefings like this, every morning before 9am.
Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.
Worked Example: T1053.005 Detection Rule
Splunk SPL:
index=windows EventCode=4698
| rex field=_raw "<Command>(?P<command>[^<]+)</Command>"
| rex field=_raw "<Author>(?P<author>[^<]+)</Author>"
| rex field=_raw "<TaskName>(?P<taskname>[^<]+)</TaskName>"
| where (
match(lower(command), "\\(temp|appdata|public|users\\\\[^\\\\]+\\\\)")
OR match(command, "[A-Za-z0-9+/]{20,}={0,2}")
OR isnull(author) OR author=""
)
| table _time, host, user, taskname, command, author
| sort -_time
This query:
- Filters for Event ID 4698 (scheduled task created)
- Extracts the command, author, and task name from the raw event XML
- Alerts when the command path is in a user-writable directory, contains base64-encoded content, or has no author field
Microsoft Sentinel KQL:
SecurityEvent
| where EventID == 4698
| extend TaskXml = tostring(EventData)
| extend Command = extract(@"<Command>([^<]+)</Command>", 1, TaskXml)
| extend Author = extract(@"<Author>([^<]+)</Author>", 1, TaskXml)
| extend TaskName = extract(@"<TaskName>([^<]+)</TaskName>", 1, TaskXml)
| where Command has_any ("\\Temp\\", "\\AppData\\", "\\Public\\")
or Command matches regex @"[A-Za-z0-9+/]{20,}={0,2}"
or isempty(Author)
| project TimeGenerated, Computer, Account, TaskName, Command, Author
| sort by TimeGenerated desc
Sigma rule (portable across SIEM platforms):
title: Suspicious Scheduled Task Creation - Temp/AppData Path or Encoded Command
id: a8b5f7c2-3d4e-5f6a-7b8c-9d0e1f2a3b4c
status: test
description: Detects scheduled task creation with command paths in user-writable directories or base64-encoded arguments
references:
- https://attack.mitre.org/techniques/T1053/005/
tags:
- attack.persistence
- attack.t1053.005
logsource:
product: windows
service: security
detection:
selection:
EventID: 4698
filter_paths:
CommandPath|contains:
- '\Temp\'
- '\AppData\'
- '\Public\'
filter_encoded:
CommandArgs|re: '[A-Za-z0-9+/]{20,}={0,2}'
condition: selection and (filter_paths or filter_encoded)
falsepositives:
- Legitimate software installers that temporarily place executables in Temp during installation
level: high
Tuning Against False Positives
After deploying the rule, run it against 30 days of historical data before enabling live alerting. Any results that are known-good software create your exclusion list.
Common legitimate false positives for T1053.005:
- Windows Defender definition updates (creates tasks with encoded update paths)
- Adobe Creative Cloud updater (creates tasks in AppData)
- Browser auto-update tasks (Chrome, Firefox)
- Corporate software deployment agents (SCCM, Intune)
Exclude these by hash (most stable), or by executable path AND signing certificate (for software that updates its hash frequently). Never exclude by task name alone: attackers copy legitimate task names to blend in.
The Sigma approach: If you write the rule in Sigma format, it is portable across SIEM platforms: the same rule generates Splunk SPL, Elastic DSL, or KQL through the sigma-cli converter. This is the recommended format for rules you want to maintain across a team or share with the community.
Next steps after this technique: Once T1053.005 is deployed and tuned, repeat the process for the next highest-priority technique in your threat model. Most organizations following this methodology work through ATT&CK's top 20 most commonly exploited techniques before moving to more obscure sub-techniques. The CISA Top Routinely Exploited Techniques advisory is the best starting point for prioritizing which techniques to address first.
The bottom line
A MITRE ATT&CK technique page contains all the information you need to write a detection rule: the Description tells you the behavior, the Procedure Examples show what real attacks look like, and the Detection section identifies the log source and observable fields. Convert these into a detection rule by answering three questions: what is the observable event, what data source captures it, and what distinguishes malicious from benign. Validate with 30 days of historical data before enabling live alerting. Write in Sigma format for portability.
Frequently asked questions
How do I use MITRE ATT&CK to write SIEM detection rules?
Read four sections of the technique page: the Description (to understand the behavior), the Sub-techniques (to narrow scope), the Procedure Examples (to see what real attacker executions look like), and the Detection section (to identify the data source and observable fields). Convert these into rule logic by identifying the observable event, the log source that captures it, and the field values that distinguish malicious from benign execution.
What is the best MITRE ATT&CK technique to start with for detection?
Start with the techniques most commonly exploited against your industry according to CISA advisories. T1059.001 (PowerShell), T1053.005 (Scheduled Task), T1003.001 (LSASS credential dumping), and T1021.001 (Remote Desktop) appear in the majority of ransomware and APT campaigns across all sectors: these four cover a disproportionate share of real-world attacker behavior.
How do I validate that my MITRE ATT&CK detection rules actually work?
Validate detection rules by running the atomic tests from Atomic Red Team (atomicredteam.io) for the specific technique your rule targets. Each ATT&CK technique has one or more atomic tests that execute the technique in a controlled way on a test endpoint. Confirm the expected event was generated in your log source, the rule fired in your SIEM, and the alert reached the analyst queue. Do this before enabling a rule in production, not after. False validation (the rule fires but on different data than expected) is a common problem when testing in isolation rather than end-to-end.
What is the difference between MITRE ATT&CK tactics and techniques?
Tactics are the adversary's goals at each phase of an attack: Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, and Impact. Techniques are specific methods used to achieve a tactic. T1059 (Command and Scripting Interpreter) is a technique under the Execution tactic. Sub-techniques like T1059.001 (PowerShell) are specific implementations. Detection rules are written at the sub-technique level; threat hunt hypotheses are organized at the tactic level.
How do I write a Sigma detection rule from a MITRE ATT&CK technique?
A Sigma rule has four required sections: title, logsource (defines which log type the rule applies to, such as windows security or sysmon), detection (the field-value conditions that trigger the rule), and condition (the logical combination of detection conditions). From an ATT&CK technique page, map the Detection section's recommended log source to the Sigma logsource category, then translate the distinguishing indicators (suspicious paths, encoded arguments, unusual parent processes) into Sigma field conditions. Use the technique's Procedure Examples to write test cases that should match the rule. Validate with sigma-cli against historical logs before deployment.
How do I prioritize which MITRE ATT&CK techniques to build detection rules for first?
Start with the techniques that appear most frequently in real-world attacks against organizations similar to yours, rather than trying to cover all 740 techniques uniformly. Three inputs should guide your prioritization. First, consult CISA advisories and joint cybersecurity advisories for your industry sector: these explicitly name the techniques being used by active threat actors targeting your industry, giving you a threat-informed starting point. Second, review the MITRE ATT&CK Groups pages for threat actor groups known to target your sector. Each group page lists the specific techniques they have been observed using across confirmed campaigns: this translates directly into a prioritized technique list for your detection backlog. Third, assess your current coverage gaps honestly by mapping your existing SIEM rules to ATT&CK technique IDs and building a heatmap of covered versus uncovered techniques. Techniques in the Execution, Persistence, and Credential Access tactic categories appear in nearly every ransomware and APT campaign and should be covered before more specialized techniques. Within those categories, the sub-techniques most commonly observed in 2025 incidents include T1059.001 (PowerShell), T1059.003 (Windows Command Shell), T1053.005 (Scheduled Task), T1003.001 (LSASS memory), T1021.001 (Remote Desktop), and T1078 (Valid Accounts). Building confident coverage across these six sub-techniques provides more practical detection value than shallow coverage across fifty less-frequently-exploited techniques.
Sources & references
Free resources
Critical CVE Reference Card 2025–2026
25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.
Ransomware Incident Response Playbook
Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.
Get threat intel before your inbox does.
50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.
Unsubscribe anytime. We never sell your data.

Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.
Win a $2,495 Black Hat pass.
Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.
