
INTRODUCTION

In this guide, I will walk you through how I built my SOC L3 home lab using Splunk and created 15 enterprise-grade detection dashboards mapped to MITRE ATT&CK.

Each dashboard represents a real-world attack technique used by adversaries and detected using Windows Security logs.

This project helped me:

  • Understand attacker behavior
  • Build detection engineering skills
  • Create executive-level dashboards
  • Prepare for SOC L3 roles in enterprise environments

LAB SETUP

  • SIEM: Splunk Enterprise
  • Dataset: Botsv3
  • Log Source: Windows Event Logs
  • Primary Event Code: 4688 (Process Creation)

EventCode 4688 is the most important event for SOC work because it records every process creation, and, when command-line auditing is enabled in the audit policy, the full command line used to launch it.


CORE CONCEPTS

Before starting:

  • Parent Process = Process that launched another process
  • Child Process = New process created
  • Command Line = Actual command used (most important field)
  • MITRE ATT&CK = Standard framework to map attacker behavior

HOW TO BUILD EACH DASHBOARD

  1. Run SPL query in Splunk
  2. Check results in Statistics tab
  3. Click "Save As → Dashboard Panel"
  4. Choose Dashboard Studio → Grid Layout
  5. Add title + description
  6. Select Table visualization
  7. Save

🚀 DETECTIONS (ALL 15)


1. Suspicious Rundll32 Execution – MITRE T1218.011

SPL Query:

index=botsv3 sourcetype="WinEventLog:Security" EventCode=4688
| eval parent=lower(Parent_Process_Name), child=lower(New_Process_Name)
| where parent LIKE "%svchost.exe" AND child LIKE "%rundll32.exe"

What it detects:

Detects abuse of rundll32.exe, a signed Windows binary that attackers use to load malicious DLLs. Because 4688 records process names as full paths, the where clause matches on the file-name suffix rather than on the bare name.

Why important:

Commonly used in fileless attacks and for defense evasion.


2. PowerShell Abuse – MITRE T1059.001

SPL Query:

index=botsv3 EventCode=4688
| search New_Process_Name="*powershell*"

What it detects:

Suspicious PowerShell execution.

Why important:

PowerShell is used in almost every modern attack.


3. Scheduled Task Persistence – MITRE T1053.005

SPL Query:

index=botsv3 EventCode=4688
| search schtasks

What it detects:

Creation of scheduled tasks for persistence.


4. WMI Execution – MITRE T1047

SPL Query:

index=botsv3 EventCode=4688
| search wmic

What it detects:

Remote execution using WMI.


5. Process Injection Indicators – MITRE T1055

SPL Query:

index=botsv3 EventCode=4688
| search powershell OR rundll32 OR regsvr32

What it detects:

Processes commonly used in injection techniques.


6. Mshta Abuse – MITRE T1218.005

SPL Query:

index=botsv3 EventCode=4688
| search mshta

What it detects:

Execution of scripts using mshta.exe.


7. Command Shell Execution – MITRE T1059.003

SPL Query:

index=botsv3 EventCode=4688
| search cmd.exe

What it detects:

Command shell usage.


8. Registry Run Key Persistence – MITRE T1547.001

SPL Query:

index=botsv3 EventCode=4657
| search run

What it detects:

Persistence via registry run keys.


9. Regsvr32 Abuse – MITRE T1218.010

SPL Query:

index=botsv3 EventCode=4688
| search regsvr32

What it detects:

Script execution using regsvr32.


10. WMI Remote Execution – MITRE T1047

SPL Query:

index=botsv3 EventCode=4688
| search "process call create"

What it detects:

Remote command execution via WMI.


11. Startup Folder Persistence – MITRE T1547.001

SPL Query:

index=botsv3 EventCode=4663
| search startup

What it detects:

Files placed in startup folder for persistence.


12. Disable Security Tools – MITRE T1562.001

SPL Query:

index=botsv3 EventCode=4688
| search sc.exe

What it detects:

Stopping or disabling security services.


13. Lateral Movement – MITRE T1021

SPL Query:

index=botsv3 EventCode=4688
| search "\\"

What it detects:

Remote access and lateral movement.


14. Phishing / Initial Access – MITRE T1566

SPL Query:

index=botsv3 EventCode=4688
| search outlook OR winword OR excel

What it detects:

Office apps spawning suspicious processes.


15. Log Clearing – MITRE T1070

SPL Query:

index=botsv3 EventCode=4688
| search wevtutil

What it detects:

Clearing logs to hide activity.
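The parent/child logic behind detection 1 and the process-name matches behind the other 4688-based panels, reimplemented as a small rule engine run over constructed events. This is an added example, not code from the original post: the events are constructed, the field names follow the page, and the rule table is an assumed subset of the 15 detections (the Office rule is tightened to parent-process matching, which the page's `search outlook OR winword OR excel` query does not do).

```python
import ntpath
from typing import Dict, List, Optional, Set, Tuple

# A rule: MITRE technique, name, allowed parent basenames (None = any), child basenames.
Rule = Tuple[str, str, Optional[Set[str]], Set[str]]

# Assumed subset of the page's detections, expressed on lower-cased file names.
RULES: List[Rule] = [
    ("T1218.011", "Suspicious Rundll32 Execution", {"svchost.exe"}, {"rundll32.exe"}),
    ("T1059.001", "PowerShell Abuse", None, {"powershell.exe", "pwsh.exe"}),
    ("T1218.005", "Mshta Abuse", None, {"mshta.exe"}),
    ("T1070", "Log Clearing", None, {"wevtutil.exe"}),
    ("T1566", "Office app spawning a shell",
     {"outlook.exe", "winword.exe", "excel.exe"}, {"powershell.exe", "cmd.exe"}),
]

# Constructed 4688 events (not BOTSv3 data). As in real Windows logs, the process
# fields hold full paths, which is why the rules compare file names, not whole strings.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"EventCode": "4688",
     "Parent_Process_Name": r"C:\Windows\System32\svchost.exe",
     "New_Process_Name": r"C:\Windows\System32\rundll32.exe"},
    {"EventCode": "4688",
     "Parent_Process_Name": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "New_Process_Name": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"EventCode": "4688",
     "Parent_Process_Name": r"C:\Windows\explorer.exe",
     "New_Process_Name": r"C:\Windows\System32\notepad.exe"},
    {"EventCode": "4624",  # a logon event: must be ignored by 4688 rules
     "Parent_Process_Name": "", "New_Process_Name": ""},
]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path; ntpath handles backslashes on any OS."""
    return ntpath.basename(path).lower()


def match_rules(event: Dict[str, str]) -> List[str]:
    """Return the technique IDs of every rule that fires on one event."""
    if event.get("EventCode") != "4688":
        return []
    parent = basename(event.get("Parent_Process_Name", ""))
    child = basename(event.get("New_Process_Name", ""))
    return [technique for technique, _name, parents, children in RULES
            if child in children and (parents is None or parent in parents)]


def run(events: List[Dict[str, str]]) -> List[List[str]]:
    """Per-event list of matched techniques, in the same order as the input."""
    return [match_rules(e) for e in events]


if __name__ == "__main__":
    for event, hits in zip(SAMPLE_EVENTS, run(SAMPLE_EVENTS)):
        print(basename(event["New_Process_Name"]) or event["EventCode"], hits)
```

The second event fires two rules at once, which is exactly the overlap a dashboard per technique shows as the same process in several panels.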


📊 DASHBOARD STRUCTURE

Dashboard Name:

SOC L3 – Windows Attack Technique Detections

Each panel follows:

<number>. SOC L3 – Windows Attack Technique Detections – MITRE TXXXX

Visualization: Table
Layout: Grid


FINAL CONCLUSION

This lab is not about memorizing SPL queries.

It is about:

  • Understanding attacker behavior
  • Detecting patterns in logs
  • Mapping activity to MITRE ATT&CK
  • Building dashboards for real-world SOC environments

These 15 detections represent core SOC L3 capabilities used in enterprise security teams.
