
Standard Operating Procedure

Establish a structured way of interacting with systems so that non-standard interactions are more easily detectable.

Standard Operating Procedures (SOPs) establish a structured way of interacting with systems and services. These procedures are in place for all users to ensure they can accomplish their goal in the approved manner. If an adversary attempts to perform any tasks which do not conform to the SOP, that activity will be easier to identify, alert on, and respond to.

ID: DTE0033
Tactics: Detect, Disrupt


Opportunities

DOS0027 There is an opportunity to create a detection with a moderately high probability of success.
DOS0095 There is an opportunity to detect an adversary's activity if they are unable to follow a company's documented standard operating procedures.

Use Cases

DUC0047 A defender can detect user accounts created outside the acceptable process.
DUC0054 A defender can define operating procedures for adding services and alert when they are added outside of this procedure (i.e. by an adversary) to detect abnormal behavior.
DUC0061 A defender can provide a set of operating procedures for modifying GPOs and create an alert to detect unusual behavior when that procedure is not followed.
DUC0095 A defender can implement a standard operating procedure which restricts users from using 2FA or MFA more than once without another process being invoked.


Procedures

DPR0057 Require approvals and waivers for users to make changes to their system that require administrative access. Any changes not made through this process are suspect and immediately investigated as malicious activity.
DPR0058 Create a development library that all users must leverage in order to interact with any hosted databases. This library modifies queries to look difficult to write. Any queries made without the library will now be obvious to detect and are immediately investigated as malicious activity.
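
One way to implement use case DUC0047 on top of the approval process in DPR0057, as an added example that is not MITRE's own code: account-creation events are reconciled against an approval ledger, and any creation without a matching, unused, in-window approval by the approved administrator raises an alert. The ledger and event fields, ticket IDs, account names and the 4-hour window are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed approval ledger exported from a hypothetical SOP ticketing system.
APPROVALS = [
    {"ticket": "CHG-1001", "account": "svc-backup", "admin": "alice",
     "approved_at": "2024-05-01T09:00:00"},
    {"ticket": "CHG-1002", "account": "jdoe", "admin": "bob",
     "approved_at": "2024-05-01T10:00:00"},
]
# Constructed account-creation events, as if normalised from directory audit logs.
EVENTS = [
    {"time": "2024-05-01T09:20:00", "actor": "alice", "new_account": "svc-backup"},
    {"time": "2024-05-01T10:05:00", "actor": "mallory", "new_account": "jdoe"},
    {"time": "2024-05-03T02:14:00", "actor": "bob", "new_account": "jdoe2"},
    {"time": "2024-05-01T09:40:00", "actor": "alice", "new_account": "svc-backup"},
]
WINDOW = timedelta(hours=4)  # assumed: an approval is valid for 4 hours


def check_event(event, approvals, used):
    """Return (verdict, detail) for one creation event; `used` holds spent tickets."""
    when = datetime.fromisoformat(event["time"])
    matches = [a for a in approvals
               if a["account"].lower() == event["new_account"].lower()]
    if not matches:
        return "ALERT", "no approval for this account"
    for a in matches:
        start = datetime.fromisoformat(a["approved_at"])
        if a["admin"] != event["actor"]:
            reason = "actor is not the approved administrator"
        elif not start <= when <= start + WINDOW:
            reason = "outside approval window"
        elif a["ticket"] in used:
            reason = "approval already consumed"
        else:
            used.add(a["ticket"])  # one approval covers exactly one creation
            return "OK", a["ticket"]
    return "ALERT", reason


def triage(events, approvals):
    """Process events in time order so ticket reuse is judged correctly."""
    used = set()
    return [(e["new_account"], e["actor"], *check_event(e, approvals, used))
            for e in sorted(events, key=lambda e: e["time"])]


if __name__ == "__main__":
    for row in triage(EVENTS, APPROVALS):
        print(*row, sep=" | ")
```

Treating each approval as single-use is what surfaces the second `svc-backup` creation, which would otherwise look identical to the legitimate one.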

ATT&CK® Techniques

ID | Name | ATT&CK Tactics
T1111 | Two-Factor Authentication Interception | Credential Access
T1136 | Create Account | Persistence
T1562 | Impair Defenses | Defense Evasion
T1569 | System Services | Execution