Defense Against the Dark Arts: Starting Your Security Journey with Splunk Core & The Magic of MITRE ATT&CK
Security | Vandita Anand
Key takeaways
- Understanding how attackers behave helps security teams prioritize defenses and focus on the threats most likely to impact their organization.
- Combining Splunk with the MITRE ATT&CK framework helps turn security data into actionable insights for detecting, investigating, and responding to threats.
- A strong security program starts with visibility and grows over time, using proven tools, frameworks, and best practices to build more resilient defenses.
Maybe you’re a “muggle” stepping into the wizarding world of Splunk—or perhaps a seasoned sysadmin venturing deeper into the dark arts of cybersecurity. Either way, you’ve worn the Sorting Hat and discovered it can’t quite make up its mind.
As the resident IT and Security lead, you’re expected to be both the strategist and the gatekeeper—equally Ravenclaw and Slytherin.
No matter your house, the challenge is the same: defending your environment against an ever-shifting threat landscape of malware, ransomware, phishing, identity abuse, and the growing influence of agentic AI. You’ve taken the right first steps—deploying Splunk and establishing visibility—and you’re ready to defend the castle. But then comes the big question: now what?
How do you grow your defensive magic when you’re not quite ready to embark on a full-scale threat hunt? Like any wizard preparing for a dangerous quest, you need more than raw power—you need a map. One that shows how adversaries move, which paths they favor, and where defenses tend to fail. That’s where MITRE ATT&CK and Splunk come together: not as flashy spells, but as a structured way to turn visibility into prioritized, behavior-based defense.
The Auror’s Library: Building a Foundation for Modern Defense
Even the most powerful wand requires the right wood and core. In Splunk, that foundation is Data Quality. Before casting your first detection, you must enchant your logs to be CIM-compliant (Common Information Model) using Technology Add-ons (TAs) from Splunkbase. Normalizing logs isn’t just housekeeping; it’s the foundational ritual that makes your "map" work. Data quality equals detection quality: a detection that keys on a CIM field such as parent_process_name is silently blind on every sourcetype that never populates it, so check field coverage before you trust an alert. Your defensive spells are only as strong as the telemetry feeding them.
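One way to verify that coverage before building on it, as an added example that is not part of the original post or of any Splunk app: the search below counts how often each CIM Endpoint.Processes field is actually populated per source over the last day. It assumes Sysmon process-creation events (Event ID 1) and Windows Security 4688 events land in an index called endpoint, with their usual TA sourcetypes; change the index and sourcetypes to match your environment.

```spl
index=endpoint earliest=-24h
    ((sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1)
     OR (sourcetype="XmlWinEventLog" source="XmlWinEventLog:Security" EventCode=4688))
| eval has_process=if(isnotnull(process) AND process!="", 1, 0),
       has_name=if(isnotnull(process_name), 1, 0),
       has_parent=if(isnotnull(parent_process_name), 1, 0),
       has_user=if(isnotnull(user), 1, 0),
       has_dest=if(isnotnull(dest), 1, 0)
| stats count
        sum(has_process) as process_ok
        sum(has_name) as process_name_ok
        sum(has_parent) as parent_process_name_ok
        sum(has_user) as user_ok
        sum(has_dest) as dest_ok
        by source
| foreach *_ok [ eval <<MATCHSTR>>_pct=round(100*'<<FIELD>>'/count, 1) ]
| fields source count *_pct
```

A source showing 100% for process_name but 0% for process or parent_process_name is the classic 4688 gap: the audit policy is not configured to include the command line, or the TA in use does not map the parent field. Fix that before writing lineage-based detections, because they will simply never fire on that data.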
Once your data is ready, these Splunk resources go hand in hand to guide your journey:
- The InfoSec App: Your foundational command center. Designed for immediate visibility, it provides high-fidelity dashboards and alerts to monitor your environment’s security posture right out of the box.
- Splunk Security Essentials (SSE): Your tactical playbook and instructional guide. While other tools show you the what, SSE teaches you the why. It functions as a comprehensive "cookbook" for security fundamentals, mapping its library of searches directly to the MITRE ATT&CK® framework.
- Splunk Security Content: An advanced spellbook for the modern defender. This repository contains nearly 2,000 detections—predefined "spells" crafted by The Splunk Threat Research Team (STRT) to identify sophisticated patterns and anomalies. These detections are versatile; they can be operationalized within Splunk Core or seamlessly integrated into Enterprise Security (ES)—Splunk’s premium SecOps platform—to harden your defenses.
- Splunk AI Toolkit (formerly MLTK): An advanced layer of perception. It moves beyond static rules to identify anomalies—such as unusual user access patterns—that might indicate a compromised account or an insider threat. By baselining "normal" behavior, you can spot the ripples in your environment that traditional detections might miss.
However, even the most advanced tools require a map to make sense of what they find. While the InfoSec App and SSE provide the "spells" and "playbooks," they are all built upon a single, globally recognized curriculum: MITRE ATT&CK®.
Mastering The Curriculum: MITRE ATT&CK
Think of MITRE ATT&CK® as the core Defense Against the Dark Arts curriculum—the globally recognized knowledge base that provides the intelligence behind the tools we use. It is the material every practitioner is expected to study to help them face real-world threats.
Once an organization is breached, adversaries often remain on networks for months before being detected. This raises critical questions: How did they get in, how are they moving around, and what are they doing once they’re inside? The ATT&CK framework helps answer these by outlining the lifecycle of an intrusion.
Detailing how adversaries penetrate networks, move laterally, and evade detection teaches defenders to recognize the entire "duel" from the opponent’s perspective.
At its heart are Tactics (the technical objective or “why”) and Techniques (the specific method used to accomplish the objectives or “how”). Together with Procedures, these TTPs allow us to move beyond reacting to isolated alerts and instead identify intent and patterns of behavior. (Want to go deeper on TTPs? Check out Splunk’s blog.)
The ATT&CK Enterprise matrix defines 14 tactics, representing the major phases of an attack’s lifecycle in order. The table below lists each tactic, the total number of techniques it contains (not including sub-techniques), and how many of those techniques we analyzed for you.
Tactic, Techniques analyzed / Total Techniques
An Author’s Note: The goal isn’t to check every box on the matrix. Instead, focus on building deep, context-aware visibility into the techniques most likely to impact your environment.
Because modern threats rarely stay confined to a single system, ATT&CK spans multiple domains (Enterprise, Mobile, and ICS) and, within Enterprise, multiple platforms including Windows, Linux, macOS, and cloud services. This breadth enables organizations to evaluate their defenses based on observed adversary behavior rather than assumptions or vendor-specific indicators.
Maintained as a public, community‑driven resource by MITRE, it is widely used across industries—from private organizations to government agencies—as the foundation for threat modeling, detection engineering, and defensive strategy.
Top MITRE ATT&CK Techniques Observed in 2025
The dark arts haven’t just grown stronger—they’ve grown smarter. While significant research exists on trending ATT&CK techniques from previous years—including SURGe’s annual analysis—the threat landscape never stands still. New spells are learned and familiar techniques return in unexpected ways. So, what does 2025 look like?
To answer that question, we conducted a focused 2025 ATT&CK trending analysis by combining telemetry from:
- Cisco Talos IR engagements
- The Cybersecurity and Infrastructure Security Agency (CISA)’s cybersecurity alerts
- Red Canary’s annual Threat Detection Report,
- Mandiant’s yearly M-Trends Report
The resulting dataset includes hundreds of observations of ATT&CK techniques and sub-techniques, each recording the technique, how often it appeared in reported incidents, and the reporting source. From that combined dataset, the following techniques emerged as the most frequently observed in 2025.
Top 20 techniques by rank, TID, technique name, and percentage (the average frequency across the sources in which the technique appeared, bucketed as 30–40%, 40–50%, 50–60%, and 60%+)
The list reflects how adversaries operate, not necessarily which techniques are easiest to exploit. These 20 techniques form a practical prioritization baseline for detection engineering, threat hunting, and defensive coverage going into 2026.
Let’s Move Tactfully
Tactics read like a story—one step following another as the adversary advances deeper into the environment, much like footprints appearing one by one on the Marauder’s Map.
The story begins with Reconnaissance, where adversaries use the digital equivalent of a Revelio charm, such as Active Scanning (T1595 – 25%), including Vulnerability Scanning (T1595.002 – 18.4%), to uncover the castle’s hidden weaknesses. Sometimes they don't even approach the walls, instead sending a Spearphishing Link (T1598.003 – 17.5%), a deceptive message designed to harvest intelligence or credentials before the true intrusion begins.
The first official footprint on the map appears during Initial Access, the moment the adversary successfully crosses the threshold. Our data shows that two methods dominate this stage. The first is Exploit Public-Facing Application (T1190 – 47.5%), present in nearly half of all successful entries. Adversaries look for "unlocked windows" in web servers, VPN gateways, or databases: services that must remain open to the internet to function. A single unpatched vulnerability in an edge device can grant an intruder immediate access, allowing them to slip inside without needing a single password.
ATT&CK Techniques (and their frequency) within Initial Access
The second method is Phishing (T1566 – 31.3%), the "Social Engineering" route. Instead of picking a technical lock, the adversary tricks a resident into opening the front door. Whether it’s a malicious attachment, mailbox rules created to hide the adversary’s own messages, a link to a fake Microsoft 365 login page, or a call from someone posing as your IT support (all real-life examples from our Cisco Talos IR quarterly trends reports), phishing remains a top-tier threat. This technique bypasses technical firewalls by targeting the human element, the digital equivalent of a cursed letter that looks like a legitimate invitation. We see the presence of Spearphishing Attachment (T1566.001 – 18.8%), Spearphishing Link (T1566.002 – 18.8%), and Spearphishing Voice (T1598.004 – 10.6%).
Defense Evasion has evolved from a supporting tactic into a core objective of modern intrusions. Its prominence as the most frequently observed tactic reflects a shift in mindset: adversaries now assume some level of detection and design operations to survive it.
Rather than simply avoiding visibility, adversaries actively manipulate it. Common behaviors include Indicator Removal (T1070 – 39%), where forensic artifacts are deleted to hinder investigations, and Impair Defenses (T1562 – 33.2%), which disables logging or security tooling directly. Through Obfuscated Files or Information (T1027 – 32.3%) they ensure that even when they are seen, their true nature remains a mystery.
Top 10 ATT&CK Techniques within Defense Evasion (the top tactic)
The rise in Credential Access and Privilege Escalation techniques reinforces the central role of identity in modern attacks. Techniques such as OS Credential Dumping (T1003 – 45%), Brute Force (T1110 - 33.2%), or using Unsecured Credentials (T1552 – 31.3%) remain highly effective because they target the most reusable and trusted asset in any environment: valid credentials.
Once they secure Valid Accounts (T1078 – 39.8%) or succeed with Exploitation for Privilege Escalation (T1068 – 31.3%), they stop looking like intruders and start looking like administrators. In wizarding terms, this isn’t just hiding under an invisibility cloak; it’s using “Polyjuice Potion” to become the very people authorized to be there.
This access then fuels Persistence, where adversaries ensure they can return even after a "reboot." By using techniques like Create Account (T1136 – 26.9%) or Account Manipulation (T1098 – 26.9%), they carve out permanent residency in the environment.
The story of Execution is perhaps the most striking, dominated by the Command and Scripting Interpreter (T1059), which appears in 66.7% of analyzed incidents. Whether through PowerShell (T1059.001 – 42.2%) or the Windows Command Shell (T1059.003 – 28.2%), adversaries are “living off the land”: leveraging the built-in tools of the system against you.
What’s especially notable is how seamless Lateral Movement is, frequently utilizing Remote Services (T1021 – 54.2%)—often Remote Desktop Protocol (T1021.001 – 33.1%)—to hop between workstations. They communicate through standard Application Layer Protocols (T1071 – 35.3%) and Proxy (T1090 – 31.3%) to blend into the noise of everyday traffic while performing System Network Configuration Discovery (T1016 – 45%) to map their next move.
The final chapters of this story often lead to a dual threat of Financial Theft (T1657 – 37.5%) or Data Encrypted for Impact (T1486 – 38.8%), with stolen data being whisked away via Exfiltration Over Web Service (T1567 – 31.3%), specifically Exfiltration to Cloud Storage (T1567.002 – 31.3%). We didn't forget about cloud techniques; we’ll take a deeper look later.
ATT&CK tactic treemap: percentage of reported techniques within each tactic (percentages sum to more than 100 because one technique can map to multiple tactics)
For newer security practitioners, this shift is both intimidating and empowering. It underscores why understanding behavior, not just individual indicators, is critical. If adversaries chain techniques together deliberately, defenders need to think in sequences and narratives—not one‑off detections. This is where MITRE ATT&CK and Splunk evolve from reference material into a survival guide for the modern age.
The Wand of Choice: T1059, Command and Scripting Interpreter
If cyberattacks were magical, CLIs would be the wands. An interpreter is a neutral tool, expected to be present and capable of performing any "spell" depending on who wields it. In our analysis, Command and Scripting Interpreter (T1059) appeared in 66.7% of cases, more than any other technique. This is a strategic choice: adversaries abuse these built-in environments to interact directly with the system, executing code and automating tasks without traditional malware.
This is the ultimate "Living off the Land" technique. Adversaries "speak" the system's native language—most notably PowerShell (T1059.001 – 42.2%)—to chain actions together while blending into normal administrative noise.
To defend against an adversary wielding your own tools, you must focus on intent and context. SSE is an ideal starting point for tackling these top techniques, allowing you to filter by specific TIDs, platforms, and threat groups.
Splunk Security Essentials App - Content page filtered on T1059
Splunk can assist you in your duel, but it is wise to take precautions that prevent the battle from ever beginning:
Strategic Mitigations (MITRE-Aligned):
- Restrict the "Spellbook": Implement Application Control (like WDAC or AppLocker) and script-signing to ensure only verified, approved scripts can run.
- Limit the Scope: Deploy Just Enough Administration (JEA) to sandbox administrative tasks, ensuring users only have the specific "spells" they need for their role.
- Inventory & Cleanse: Remove or disable unnecessary interpreters (like Python or older Unix shells) on systems where they serve no legitimate purpose.
Detection Strategies:
- Watch for Mumbled Spells: Detect heavily encoded or obfuscated command-line arguments—a common sign of hidden intent.
- Record the Incantations: Enable PowerShell Script Block Logging (Event ID 4104 in the Microsoft-Windows-PowerShell/Operational log). It records script content as PowerShell executes it, so code that arrived obfuscated or base64-encoded on the command line is logged in its decoded form once it runs.
Splunk’s Threat Research Detections Filtered on Event ID “4104”
- Monitor the Lineage: Look for shell interpreters in abnormal process chains, such as a document editor spawning a command prompt.
- Identify Anomalous Invocations: Flag interpreters executed by unusual users, unexpected parent processes (e.g., a web server launching a shell), or outside normal administrative windows.
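The three process-level strategies above (encoded arguments, abnormal lineage, anomalous invocations) can be covered by a single search over the CIM Endpoint.Processes data model. The search below is an added example, not one of the Splunk Threat Research Team’s detections; it assumes your process telemetry is already CIM-mapped, and the parent-process lists, the 07:00–19:00 administrative window, and the scoring weights are illustrative choices to tune for your environment.

```spl
| tstats count min(_time) as firstTime max(_time) as lastTime
    from datamodel=Endpoint.Processes
    where Processes.process_name IN ("powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe")
    by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process
| rename Processes.* as *
| eval encoded=if(match(process, "(?i)(^|\s)-(e|ec|en|enc|encodedcommand)\s+[A-Za-z0-9+/=]{40,}"), 1, 0)
| eval office_parent=if(match(parent_process_name, "(?i)^(winword|excel|powerpnt|outlook|msaccess|onenote)\.exe$"), 1, 0)
| eval web_parent=if(match(parent_process_name, "(?i)^(w3wp|httpd|nginx|tomcat\d*|php-cgi)\.exe$"), 1, 0)
| eval hour=tonumber(strftime(firstTime, "%H"))
| eval off_hours=if(hour<7 OR hour>=19, 1, 0)
| eval score=encoded*3 + office_parent*4 + web_parent*4 + off_hours*1
| where score>=3
| eval reasons=mvappend(
        if(encoded=1, "encoded_command_line", null()),
        if(office_parent=1, "office_app_spawned_interpreter", null()),
        if(web_parent=1, "web_server_spawned_interpreter", null()),
        if(off_hours=1, "outside_admin_hours", null()))
| convert ctime(firstTime) ctime(lastTime)
| table firstTime lastTime dest user parent_process_name process_name score reasons process
| sort - score
```

Off-hours execution alone never reaches the threshold; it only raises the score of a finding that already has a structural reason (an encoded payload or a parent that should not be launching shells), which is the context-over-indicator idea this section argues for. Two practical caveats: the IN list in a tstats where clause is case-sensitive, so match the case your TA emits for process_name, and a rename-based search like this runs on Splunk Core without the macros that Enterprise Security content relies on.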
Hogwarts After Hours: Navigating the Cloud Perimeter
Cloud environments are like Hogwarts after hours: a sprawling landscape of powerful resources and shared access. As organizations shift to identity-driven models, the “Restricted Section” of your infrastructure has become the primary target for adversaries – so let’s dig into the top three cloud techniques from our 2025 analysis.
The Invisible Trunk: Exfiltration to Cloud Storage (T1567.002) Adversaries move stolen data to legitimate services like AWS S3, Google Drive, or Dropbox to blend with normal traffic. These trusted tunnels make malicious uploads resemble routine synchronization.
- The Defense: Enforce egress controls on unmanaged cloud storage and monitor for unusual processes (like PowerShell) suddenly making large HTTPS requests.
Emptying the Library: Data from Cloud Storage (T1530) If exfiltration is sneaking data out, this technique is about quietly emptying the library shelves. Adversaries leverage overly permissive access controls or stolen keys to collect data directly from cloud buckets.
- The Defense: Tighten IAM permissions and enforce encryption at rest. Monitor for spikes in object access from newly created roles or unusual IP addresses.
The Professor’s Keys: Valid Cloud Accounts (T1078.004) Valid credentials remain the most powerful tool in an adversary's kit. By compromising a cloud account, an attacker inherits the trust of a legitimate user—roaming unrestricted through the castle.
- The Defense: Properly configured Multi-Factor Authentication (MFA) is the primary locking spell for the identity perimeter. It must also withstand "MFA Bombing" (push-fatigue attacks), where repeated prompts act like a Howler until a user approves one by mistake, and it should be paired with detection of "Impossible Travel", where one account authenticates from locations too far apart to have been reached in the time between the logins.
Top 10 Techniques associated with Cloud Platforms
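The "spikes in object access from newly created roles or unusual IP addresses" defense for T1530 can be expressed directly over CloudTrail. The search below is an added example, not part of the original post: it assumes CloudTrail is onboarded with the AWS add-on as sourcetype aws:cloudtrail in an index called aws, baselines each principal’s hourly volume of successful S3 read calls over 30 days, and flags the last 24 hours where volume is more than three standard deviations above that principal’s norm, or where a principal first seen in the past week is suddenly reading heavily. The 30-day window, the z-score of 3, and the 100-request floor are illustrative thresholds.

```spl
index=aws sourcetype="aws:cloudtrail" earliest=-30d@d
    eventSource="s3.amazonaws.com"
    eventName IN ("GetObject", "HeadObject", "ListObjects", "ListObjectsV2", "CopyObject")
    NOT errorCode=*
| eval principal=coalesce('userIdentity.sessionContext.sessionIssuer.arn', 'userIdentity.arn')
| bin _time span=1h
| stats count as requests
        dc(requestParameters.bucketName) as buckets
        dc(sourceIPAddress) as src_ip_count
        values(sourceIPAddress) as src_ips
        by _time principal
| eventstats avg(requests) as avg_requests stdev(requests) as sd_requests min(_time) as first_seen by principal
| eval zscore=if(sd_requests>0, round((requests-avg_requests)/sd_requests, 2), 0),
       new_principal=if(first_seen>=relative_time(now(), "-7d@d"), 1, 0)
| where _time>=relative_time(now(), "-24h") AND (zscore>3 OR (new_principal=1 AND requests>100))
| sort - requests
| table _time principal requests buckets src_ip_count src_ips zscore new_principal
```

Using the session issuer ARN collapses every assumed-role session back to the role that granted it, so a stolen key and a legitimate pipeline using the same role are compared against the same baseline. The baseline only includes hours in which the principal was active, which biases the average upward and makes the alert conservative; if you want quiet hours to count, fill the missing bins first. Note that failed calls are excluded here on purpose, since the question is what was actually collected, but a burst of AccessDenied on the same buckets is its own worthwhile hunt for enumeration.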
Expecto Stratos: Defending the Cloud
For Cloud Defense you must move beyond static barriers and focus on Identity Hardening and Behavioral Context. Cisco Talos intelligence reveals that nearly half of security engagements involve MFA issues, often due to misconfiguration or bypass.
- Secure the Gatekeepers: Monitor bypass code abuse, new device registrations, and the creation of accounts exempt from MFA.
- Upgrade Your Spells: While any MFA is better than none, tools like Cisco Duo offer phishing-resistant options (FIDO2/WebAuthn security keys), device trust checks, and adaptive policies.
- Detect "Apparition": Identify Impossible Travel and anomalous login patterns using the InfoSec App’s pre-built Geographic Improbable Access report.
Closing these authentication gaps ensures your "map" reveals intruders before they can reach the Restricted Section.
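If you are on Splunk Core without the InfoSec App, the improbable-access idea can be built by hand over the CIM Authentication data model. The search below is an added example, not the app’s Geographic Improbable Access report: it pairs each successful login with the same user’s previous one, computes the great-circle distance between the two geolocated source addresses with the haversine formula, and flags pairs that would have required faster-than-airliner travel. It assumes your authentication sources (for example Microsoft 365 or Entra ID sign-ins) are CIM-mapped with action, user, src and app populated, and the 500 km and 900 km/h thresholds are assumptions to tune.

```spl
| tstats count
    from datamodel=Authentication.Authentication
    where Authentication.action="success"
    by Authentication.user Authentication.src Authentication.app _time span=5m
| rename Authentication.* as *
| iplocation src
| where isnotnull(lat) AND isnotnull(lon)
| sort 0 user _time
| streamstats current=false last(_time) as prev_time last(src) as prev_src last(City) as prev_city
    last(Country) as prev_country last(lat) as prev_lat last(lon) as prev_lon by user
| where isnotnull(prev_time)
| eval rlat1=prev_lat*pi()/180, rlat2=lat*pi()/180,
       dlat=rlat2-rlat1, dlon=(lon-prev_lon)*pi()/180,
       a=pow(sin(dlat/2), 2) + cos(rlat1)*cos(rlat2)*pow(sin(dlon/2), 2),
       distance_km=round(6371*2*atan2(sqrt(a), sqrt(1-a)), 0),
       hours=max((_time-prev_time)/3600, 1/60),
       speed_kmh=round(distance_km/hours, 0)
| where distance_km>500 AND speed_kmh>900
| convert ctime(prev_time) ctime(_time)
| table user app prev_time prev_src prev_city prev_country _time src City Country distance_km hours speed_kmh
```

The one-minute floor on the elapsed time keeps two logins in the same five-minute bin from dividing by zero and, more usefully, makes simultaneous logins from distant countries the loudest finding rather than a silent miss. The 500 km minimum suppresses GeoIP jitter between neighbouring cities; expect to add an allow-list for corporate VPN egress and known cloud proxy ranges, because those are where most false positives come from.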
Mastering the Duel: Your Path to Security Maturity
The journey from a “muggle” administrator to a seasoned defender doesn't happen overnight. Armed with a well-practiced wand and an understanding of prevalent techniques, including command execution, remote services, exploitation, phishing, and cloud identity misuse, you move beyond reacting to isolated sparks and begin to illuminate the entire battlefield for 2026.
For those ready to become full-fledged Aurors, Splunk’s PEAK Hunting Framework (Prepare, Execute, and Act with Knowledge) and our Beginner's Guide to Threat Hunting are your essential methodologies. They provide the structure to transform one-off detections into a repeatable, master-level security practice.
Splunk’s ecosystem is built to support a "Crawl, Walk, Run" approach:
- Crawl: Use the InfoSec App for immediate, high-fidelity visibility into your environment
- Walk: Leverage SSE and Splunk Security Content to study the adversary’s playbook and deploy pre-defined detections
- Run: Graduate to ES for full-scale SIEM capabilities: risk-based analytics, threat detection, incident response and more
The threat landscape will continue to shift, but the fundamentals remain the same: the magic is always in the data. We encourage you to Splunk it for yourself to see these patterns firsthand.
The key is knowing which techniques to master—before the adversaries cast them first.