Analysis of over one million malware samples by Picus Security in 2025 revealed that 93% of all malicious activity maps to just 10 ATT&CK techniques. Adversaries do not invent novel approaches for most operations — they reuse a concentrated set of behaviors. Defenders who understand those techniques at the sub-technique level, map the required telemetry to detect them, and validate detections against adversary execution paths close the gaps that compliance frameworks never surface.

The Concentration Pattern

ATT&CK v18 catalogs over 200 enterprise techniques across 15 tactics. That scale is useful for comprehensive mapping, but it obscures a practical reality: adversary behavior concentrates heavily in a small number of techniques. The Picus Red Report 2025, analyzing 14 million malicious actions across one million samples, quantified this concentration.

Rank | Technique | Name | Prevalence Trend (2024→2025)
1 | T1055 | Process Injection | Stable — remains #1
2 | T1059 | Command and Scripting Interpreter | Stable
3 | T1082 | System Information Discovery | Stable
4 | T1083 | File and Directory Discovery | Rising
5 | T1555 | Credentials from Password Stores | +3X surge (8%→25%)
6 | T1071 | Application Layer Protocol | Rising with C2 diversification
7 | T1566 | Phishing | Stable, but shifting to AI-generated lures
8 | T1078 | Valid Accounts | +35% of cloud incidents
9 | T1105 | Ingress Tool Transfer | Stable
10 | T1053 | Scheduled Task/Job | Rising with LotL persistence

The data makes one structural point clear: breadth across all 200 techniques is less important than depth against these 10. A coverage map that shows 100% on T1055, T1059, T1078, and T1555 prevents more real incidents than one that claims 60% coverage across every technique in the matrix.

Technique Deep-Dives: What Defenders Need to Know

Each of these techniques operates differently. Understanding the mechanics, sub-techniques, and common adversary variations is what separates a checkmark on a coverage spreadsheet from a detection that actually fires in production.

T1055 — Process Injection

Process injection remains the most prevalent technique across all malware families. It allows adversaries to execute code within the address space of another process, evading detection and bypassing security controls. ATT&CK catalogs nine sub-techniques under T1055, and the distribution matters for detection engineering:

  • T1055.001 DLL Injection — Loads a malicious DLL into a target process. Detectable via DLL load events with anomalous paths or unsigned publishers.
  • T1055.003 Thread Execution Hijacking — Suspends a thread, modifies its instruction pointer, and resumes execution. Requires memory access telemetry (e.g., Sysmon Event ID 10, ProcessTampering events).
  • T1055.012 Process Hollowing — Creates a process in suspended state, unmaps its memory, writes malicious code, and resumes. The process image on disk is legitimate; only the in-memory content is malicious. This is the hardest sub-technique to detect reliably.

Detection requires process creation and modification telemetry. The minimum viable log sources are Sysmon Event IDs 1 (process creation), 7 (image loaded), and 10 (process access). Without Sysmon or an equivalent ETW-based process telemetry collector, T1055 coverage is effectively zero regardless of what detection rules exist.
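The Event ID 10 dependency described above, as an added example that is not code from the article, Picus or Sysmon: a small triage over constructed ProcessAccess records that flags sources granted write-plus-execute rights in another process. Field names follow Sysmon's event schema; the sample values and the allowlist of benign source images are assumptions to be tuned per estate.

```python
"""Illustrative T1055 triage over constructed Sysmon Event ID 10 (ProcessAccess) records.
Added example, not from the article, Picus or Sysmon; field names follow the Sysmon
event schema, sample values are constructed, and the allowlist is an assumption."""

# Bits of the Windows PROCESS_* access mask that together let a caller write code into
# another process and start it running there.
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
INJECTION_RIGHTS = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE

# Sources that open other processes with broad rights as part of normal operation.
# Assumption: tune this allowlist per estate; it is not a published baseline.
BENIGN_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\lsass.exe",
}

def is_injection_candidate(event: dict) -> bool:
    """Flag an Event ID 10 record whose granted rights cover write + execute in the target.
    Any other event type returns False: without Event ID 10 this logic can never fire."""
    if event.get("EventID") != 10:
        return False
    granted = int(event["GrantedAccess"], 16)
    if (granted & INJECTION_RIGHTS) != INJECTION_RIGHTS:
        return False
    return event["SourceImage"].lower() not in BENIGN_SOURCES

def triage(events: list) -> list:
    """Return the subset of events worth an analyst's attention."""
    return [e for e in events if is_injection_candidate(e)]

# Constructed sample telemetry, not captured from a real host.
SAMPLE_EVENTS = [
    # Legitimate: csrss routinely holds full access to user processes.
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\explorer.exe", "GrantedAccess": "0x1FFFFF"},
    # Suspicious: a binary in a user-writable Temp path opening notepad with full access.
    {"EventID": 10, "SourceImage": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe", "GrantedAccess": "0x1F0FFF"},
    # Benign: query-only access (PROCESS_QUERY_LIMITED_INFORMATION) carries no write right.
    {"EventID": 10, "SourceImage": r"C:\Program Files\Acme\monitor.exe",
     "TargetImage": r"C:\Windows\System32\svchost.exe", "GrantedAccess": "0x1000"},
    # Process creation only: relevant T1055 context, but not a ProcessAccess record.
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe"},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(f"T1055 candidate: {hit['SourceImage']} -> {hit['TargetImage']} ({hit['GrantedAccess']})")
```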

T1555 — Credentials from Password Stores

This technique saw the largest year-over-year surge in the Picus dataset: from 8% of analyzed samples in 2024 to 25% in 2025. Adversaries are extracting credentials from browser-stored passwords, credential managers, and keychains at unprecedented rates. The shift reflects two converging trends: the proliferation of browser-managed credentials in enterprise environments and the availability of offensive tooling (LaZagne, HackBrowserData, SharpChromium) that automates extraction across all major browsers.

Sub-techniques of note include T1555.003 (Credentials from Web Browsers), which targets Chrome, Firefox, and Edge credential databases, and T1555.001 (Keychain), targeting macOS environments. Detection for T1555.003 centers on anomalous process access to browser credential database files (e.g., Login Data in Chrome profiles) and processes loading browser crypto libraries from non-browser parent processes.
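The first T1555.003 signal above (a non-browser process touching a browser credential database), as an added example that is not the article's own code: a check over constructed file-access records. The record shape, the sample paths and the owning-process table are assumptions; a live feed would be Windows Security 4663 object-access events or an EDR file-read event.

```python
"""Illustrative T1555.003 triage over constructed file-access records.
Added example, not from the article; the record shape and sample values are constructed
(a live feed would be Windows Security 4663 object-access or an EDR file-read event)."""

import ntpath

# Browser credential stores and the executables that legitimately own them.
# Assumption: process names are upstream defaults; tune per estate (e.g. add other Chromium forks).
CREDENTIAL_STORES = {
    "login data": {"chrome.exe", "msedge.exe"},  # Chromium profile password database
    "logins.json": {"firefox.exe"},             # Firefox saved logins
    "key4.db": {"firefox.exe"},                 # Firefox key store that protects logins.json
}

def is_credential_store_access(event: dict) -> bool:
    """True when a process other than the owning browser touches a credential database."""
    filename = ntpath.basename(event["ObjectName"]).lower()
    owners = CREDENTIAL_STORES.get(filename)
    if owners is None:
        return False  # not a known credential store
    process = ntpath.basename(event["ProcessName"]).lower()
    return process not in owners

def triage(events: list) -> list:
    """Return the file-access events that match the T1555.003 pattern."""
    return [e for e in events if is_credential_store_access(e)]

# Constructed sample telemetry, not captured from a real host.
SAMPLE_EVENTS = [
    # Benign: Chrome reading its own profile database.
    {"ProcessName": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "ObjectName": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    # Suspicious: a scripting host reading the Chrome password database.
    {"ProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ObjectName": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    # Benign: a non-credential file in the same profile directory.
    {"ProcessName": r"C:\Windows\explorer.exe",
     "ObjectName": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Bookmarks"},
    # Suspicious: an unrelated system binary reading the Firefox key store.
    {"ProcessName": r"C:\Windows\System32\rundll32.exe",
     "ObjectName": r"C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\abcd.default\key4.db"},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(f"T1555.003 candidate: {hit['ProcessName']} read {hit['ObjectName']}")
```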

T1078 — Valid Accounts

CrowdStrike's 2025 Global Threat Report found that abuse of valid accounts is behind 35% of cloud intrusions, making T1078 the dominant initial access and persistence method in cloud environments. The technique has three sub-techniques with distinct detection logic: T1078.001 (Default Accounts), T1078.002 (Domain Accounts), and T1078.011 (Cloud Accounts). The cloud variant is where the trend is accelerating.

Detecting T1078.011 requires identity analytics rather than endpoint telemetry: impossible-travel detections (logins from two geographies within a timeframe inconsistent with travel), anomalous API call patterns from service principals, and deviations from established session behavior. Traditional EDR-based detection rules do not apply — the account is valid, and the authentication succeeds. The signal is in the behavioral context.
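The impossible-travel detection described above, as an added example that is not the article's own code: consecutive successful sign-ins of one user are compared by great-circle distance and elapsed time, and the pair is flagged when the implied speed is beyond what travel allows. The record shape, coordinates and the 900 km/h threshold are constructed or assumed; a real feed would carry geo-IP derived locations.

```python
"""Impossible-travel check for cloud sign-in telemetry (T1078.011 context).
Added example, not the article's own; the record shape, coordinates and speed threshold
are constructed or assumed, and a real feed would carry geo-IP derived locations."""

from datetime import datetime
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 900.0  # assumption: about airline cruising speed; tune per estate

def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in km between two points given in decimal degrees."""
    p1, p2 = radians(lat1), radians(lat2)
    a = sin((p2 - p1) / 2) ** 2 + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))

def impossible_travel(logins: list, max_kmh: float = MAX_PLAUSIBLE_KMH) -> list:
    """Return (user, earlier_ts, later_ts, implied_kmh) for consecutive successful sign-ins
    of one user whose implied travel speed exceeds max_kmh. Failed attempts are skipped:
    they prove nothing about where the legitimate user is."""
    findings = []
    last_seen = {}
    for e in sorted(logins, key=lambda r: datetime.fromisoformat(r["ts"])):
        if not e["success"]:
            continue
        prev = last_seen.get(e["user"])
        if prev is not None:
            km = haversine_km(prev["lat"], prev["lon"], e["lat"], e["lon"])
            delta = datetime.fromisoformat(e["ts"]) - datetime.fromisoformat(prev["ts"])
            hours = delta.total_seconds() / 3600
            # Same-second sign-ins from different places count as infinite speed.
            kmh = float("inf") if hours == 0 else km / hours
            if km > 0 and kmh > max_kmh:
                findings.append((e["user"], prev["ts"], e["ts"], round(kmh, 1)))
        last_seen[e["user"]] = e
    return findings

# Constructed sign-in records (ISO 8601 UTC timestamps, decimal-degree locations).
SAMPLE_LOGINS = [
    {"user": "alice", "ts": "2025-03-01T09:00:00+00:00", "lat": 50.11, "lon": 8.68, "success": True},    # Frankfurt
    {"user": "alice", "ts": "2025-03-01T10:00:00+00:00", "lat": -33.87, "lon": 151.21, "success": False},  # Sydney, failed
    {"user": "alice", "ts": "2025-03-01T11:00:00+00:00", "lat": 1.35, "lon": 103.82, "success": True},   # Singapore
    {"user": "bob", "ts": "2025-03-01T08:00:00+00:00", "lat": 42.36, "lon": -71.06, "success": True},    # Boston
    {"user": "bob", "ts": "2025-03-01T12:00:00+00:00", "lat": 40.71, "lon": -74.01, "success": True},    # New York
]

if __name__ == "__main__":
    for user, t0, t1, kmh in impossible_travel(SAMPLE_LOGINS):
        print(f"impossible travel: {user} {t0} -> {t1} implies {kmh} km/h")
```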

Threat Group Profiles: Techniques Composed Into Attack Paths

Techniques do not occur in isolation. Adversaries compose them into attack paths — sequences of techniques that chain from initial access through persistence, lateral movement, and objective execution. Understanding which groups use which sequences enables focused coverage mapping.

APT29 (Cozy Bear) — Russian Intelligence

Targets: Government, diplomatic, think-tank, and cloud infrastructure sectors. Primary initial access: T1566.001 (Spearphishing Attachment) and T1078 (Valid Accounts) for cloud environments. Signature techniques include T1059.001 (PowerShell), T1053.005 (Scheduled Task), and T1071.001 (Web Protocols) for C2. APT29 is notable for extensive use of OAuth application registrations (T1136.003) for persistence in Microsoft 365 tenants — a technique that requires Azure AD/Entra ID audit log telemetry to detect.

Lazarus Group (G0032) — North Korean State-Sponsored

Targets: Financial services, cryptocurrency exchanges, defense contractors, and software supply chains. Primary initial access: T1059.001 (PowerShell) via social engineering lures and T1195.002 (Supply Chain Compromise). Signature techniques include T1055.001 (Process Injection via DLL), T1555 (Credential Harvesting), and T1070.004 (File Deletion for anti-forensics). Lazarus Group operates one of the most diverse technique sets among tracked groups, covering 50+ techniques across campaigns.

Volt Typhoon (G1017) — Chinese State-Sponsored

Targets: US critical infrastructure — power grids, water systems, transportation. Volt Typhoon is defined by its living-off-the-land (LotL) approach: it avoids malware entirely and uses only legitimate administrative tools native to the target environment. Primary techniques include T1078 (Valid Accounts), T1059.001 (PowerShell), T1087.001 (Account Discovery), and T1046 (Network Service Discovery). The group's hallmark is stealth — average dwell time exceeds two years. Detecting Volt Typhoon requires baseline behavioral profiling of admin tool usage and alerting on deviations, not signature-based detection.

The Telemetry-to-Detection Mapping

Every ATT&CK technique requires specific log sources to detect it. ATT&CK v18 restructured this mapping, replacing the flat "Data Sources" field with a layered structure of Data Components (106 total), Detection Strategies (691) and Analytics (1,739). A detection rule whose required data component is not collected is undeployable, however correct its logic.

Technique | Required Data Components | Common Telemetry Gap
T1055 (Process Injection) | Process creation, Module load, Process access | Sysmon not deployed or Event ID 10 disabled
T1555 (Credential Stores) | File access, Process-file interaction | No monitoring of browser credential database paths
T1078 (Valid Accounts) | User account auth, Logon session, Cloud API audit | Azure AD/Entra ID audit logs not exported to SIEM
T1059.001 (PowerShell) | Process creation, Command execution, Script block logging | PowerShell ScriptBlock Logging (Event ID 4104) not enabled
T1053 (Scheduled Task) | Scheduled job creation, Process creation | Security Event ID 4698 not collected or forwarded

The most common failure mode in threat-informed defense programs is not missing detection logic — it is missing the telemetry that detection logic requires. A team can write a perfect Sigma rule for T1055.012, but if Sysmon Event ID 10 does not ship to the SIEM, that rule will never fire. Mapping data components first, detection rules second, eliminates this structural gap.
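The "data components first, detection rules second" check above, as an added example that is not the article's or MITRE's tooling: each technique's required data components (taken from the mapping table in this section) are compared against an inventory of what actually reaches the SIEM, so a rule blocked on missing telemetry is identified before it is written. The source-to-component mapping and the inventory itself are assumptions.

```python
"""Telemetry-first coverage check: which planned detections can actually fire.
Added example, not the article's or MITRE's tooling; the technique-to-data-component
mapping is taken from the article's table, the source-to-component mapping and the
inventory of what reaches the SIEM are assumptions."""

# Required data components per technique (from the article's mapping table).
REQUIRED = {
    "T1055": {"Process creation", "Module load", "Process access"},
    "T1555": {"File access", "Process-file interaction"},
    "T1078": {"User account auth", "Logon session", "Cloud API audit"},
    "T1059.001": {"Process creation", "Command execution", "Script block logging"},
    "T1053": {"Scheduled job creation", "Process creation"},
}

# One typical log source per data component. Assumption: an estate may satisfy a
# component from a different source (EDR, ETW collector); adjust accordingly.
PROVIDED_BY = {
    "Process creation": "Sysmon EID 1",
    "Module load": "Sysmon EID 7",
    "Process access": "Sysmon EID 10",
    "File access": "Security EID 4663",
    "Process-file interaction": "Security EID 4663",
    "User account auth": "Security EID 4624",
    "Logon session": "Security EID 4624",
    "Cloud API audit": "Entra ID audit log",
    "Command execution": "Sysmon EID 1",        # command line rides on the process-create event
    "Script block logging": "PowerShell EID 4104",
    "Scheduled job creation": "Security EID 4698",
}

def missing_components(technique: str, shipping: set) -> set:
    """Data components a technique needs whose source is not in the set reaching the SIEM."""
    return {c for c in REQUIRED[technique] if PROVIDED_BY[c] not in shipping}

def coverage_report(shipping: set) -> dict:
    """Map each technique to the components it is blocked on (empty set = deployable)."""
    return {t: missing_components(t, shipping) for t in REQUIRED}

# Constructed inventory: Sysmon deployed without EID 10, no 4663 auditing, no 4104, no cloud logs.
SHIPPING_TO_SIEM = {"Sysmon EID 1", "Sysmon EID 7", "Security EID 4624", "Security EID 4698"}

if __name__ == "__main__":
    for technique, gaps in coverage_report(SHIPPING_TO_SIEM).items():
        status = "deployable" if not gaps else "blocked on " + ", ".join(sorted(gaps))
        print(f"{technique}: {status}")
```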

Exceptions and Limits

The concentration pattern (93% of activity in 10 techniques) does not mean the remaining 190+ techniques can be ignored. Targeted attacks by advanced groups use techniques outside the top 10 deliberately — to slip past defenses optimized for the majority. APT29's use of T1136.003 (OAuth Application Registration) for cloud persistence and Sandworm's T0882 (Footprinting with infrastructure mappings) for pre-operational reconnaissance are examples of high-impact techniques with low overall frequency.

ATT&CK's coverage of cloud-native and AI-augmented attack techniques remains incomplete. The v18 release added Container CLI (T1552.009) and Poisoned Pipeline Execution (T1195.002), but the framework still lags behind the speed of cloud platform feature changes. Organizations with significant cloud attack surface should supplement ATT&CK mapping with vendor-specific cloud security frameworks (AWS, Azure, GCP security pillars).

Finally, the sub-technique level introduces a tradeoff: deeper sub-technique mapping produces more precise detections but requires more engineering investment. For teams with limited detection engineering capacity, starting at the technique level (T1055) and refining to sub-technique level (T1055.012) over successive iterations is more practical than attempting full sub-technique coverage from day one.

Honest Assessment

Dimension | Top-10 Technique Coverage | Full Matrix Coverage
Effort required | 10 technique mappings × 5 data components avg = ~50 telemetry-to-detection pairs | 200+ technique mappings × 3 data components avg = ~600+ pairs
Incident coverage | ~93% of observed malicious activity | ~99% of observed activity (long tail of rare techniques)
False positive density | Higher — common techniques have more legitimate use cases | Lower — rare techniques have fewer legitimate triggers
Time to value | Weeks — focused scope enables rapid iteration | Months to years — broad scope delays prioritization
APT blind spot | Moderate — misses targeted group-specific techniques | Low — comprehensive but resource-intensive

Actionable Takeaways

  • Map the top 10 techniques before anything else. Start with the Picus concentration data — build detections for T1055, T1059, T1082, T1083, T1555, T1071, T1566, T1078, T1105, and T1053. This covers 93% of observed adversary behavior with a focused investment.
  • Audit telemetry before writing detection rules. For each technique you plan to cover, verify the required data component exists and ships to your SIEM. Gaps in telemetry are undetectable in production — and they are the most common reason threat-informed programs fail to produce results.
  • Profile two threat groups relevant to your sector. Use the ATT&CK Groups catalog to find which groups target your industry. Extract their technique lists. Cross-reference with the top-10 data. Techniques at the intersection of both lists are the highest-priority defenses you can build.
  • Iterate from technique to sub-technique level. Do not attempt full sub-technique coverage initially. Build technique-level detections first. Where a technique has sub-techniques with meaningfully different detection logic (e.g., T1055.001 vs. T1055.012), refine in the next cycle.
  • Validate with Atomic Red Team, not assumptions. For each detection you build, execute the corresponding Atomic Red Team test. If the alert does not fire, the gap is real. If it fires on a test but would not fire under adversary conditions (different parent process, legitimate tooling as cover), the gap is still real — tune the rule.

This is part 2 in a series on threat-informed defense. Start with part 1.