One of the reasons detection is challenging is that nearly every action we seek to detect also has a legitimate purpose. In Kerberoasting, for example, requesting a service ticket is a normal part of the Kerberos workflow, so a single request is not distinguishable from benign activity. In practice this means an opportunistic thresholding approach (X requests in Y time) rather than a comprehensive one - see this Sigma example.
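To make the thresholding idea concrete, here is an added example (not from the original post, and not the Sigma rule it links to) of the "X requests in Y time" logic run over constructed events modelled on Windows Security Event ID 4769 (Kerberos service ticket requested). The field names, the RC4 encryption-type filter (`0x17`), the exclusion of computer accounts (`$` suffix), and the threshold and window values are all assumptions chosen for illustration; real tuning depends on the environment.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not real logs). Each one stands in for a
# Windows Security Event ID 4769 record: who requested a service ticket,
# for which service principal, and with which ticket encryption type.
# 0x12 = AES256, 0x17 = RC4-HMAC. Values are made up for this example.
SAMPLE_EVENTS = [
    # alice: two AES requests an hour apart - ordinary workstation traffic.
    {"time": "2024-01-10T09:00:01", "user": "alice", "service": "HTTP/web01", "enc": "0x12"},
    {"time": "2024-01-10T10:00:01", "user": "alice", "service": "cifs/fs01",  "enc": "0x12"},
    # bob: six RC4 requests for distinct services within 30 seconds.
    {"time": "2024-01-10T09:10:00", "user": "bob", "service": "MSSQLSvc/db01", "enc": "0x17"},
    {"time": "2024-01-10T09:10:05", "user": "bob", "service": "HTTP/web02",    "enc": "0x17"},
    {"time": "2024-01-10T09:10:10", "user": "bob", "service": "HTTP/intranet", "enc": "0x17"},
    {"time": "2024-01-10T09:10:15", "user": "bob", "service": "MSSQLSvc/db02", "enc": "0x17"},
    {"time": "2024-01-10T09:10:20", "user": "bob", "service": "ldap/app01",    "enc": "0x17"},
    {"time": "2024-01-10T09:10:25", "user": "bob", "service": "http/reports",  "enc": "0x17"},
    # bob: one RC4 request for a computer account - excluded by the filter.
    {"time": "2024-01-10T09:10:30", "user": "bob", "service": "WS01$", "enc": "0x17"},
    # carol: five RC4 requests, but spread over twenty minutes.
    {"time": "2024-01-10T09:20:00", "user": "carol", "service": "HTTP/legacy1", "enc": "0x17"},
    {"time": "2024-01-10T09:25:00", "user": "carol", "service": "HTTP/legacy2", "enc": "0x17"},
    {"time": "2024-01-10T09:30:00", "user": "carol", "service": "HTTP/legacy3", "enc": "0x17"},
    {"time": "2024-01-10T09:35:00", "user": "carol", "service": "HTTP/legacy4", "enc": "0x17"},
    {"time": "2024-01-10T09:40:00", "user": "carol", "service": "HTTP/legacy5", "enc": "0x17"},
]

# Assumed tuning values: alert when one account makes THRESHOLD qualifying
# requests inside a sliding WINDOW. These are illustrative, not recommended.
THRESHOLD = 5
WINDOW = timedelta(minutes=2)


def is_candidate(event):
    """Static part of the rule: RC4 tickets for non-computer accounts.

    This mirrors the kind of filter a Sigma rule applies per event; on its
    own it still matches legitimate traffic, which is why it is combined
    with the count below.
    """
    return event["enc"] == "0x17" and not event["service"].endswith("$")


def threshold_alerts(events, threshold=THRESHOLD, window=WINDOW):
    """Return one (user, count, time) tuple per account crossing the threshold.

    A per-user deque keeps only the timestamps of candidate events inside
    the sliding window, so memory is bounded by threshold per account.
    """
    recent = defaultdict(deque)
    alerts = []
    already_alerted = set()
    for event in sorted(events, key=lambda e: e["time"]):
        if not is_candidate(event):
            continue
        user = event["user"]
        now = datetime.fromisoformat(event["time"])
        timestamps = recent[user]
        timestamps.append(now)
        # Drop timestamps that have fallen out of the window.
        while timestamps and now - timestamps[0] > window:
            timestamps.popleft()
        if len(timestamps) >= threshold and user not in already_alerted:
            alerts.append((user, len(timestamps), now))
            already_alerted.add(user)
    return alerts


if __name__ == "__main__":
    for user, count, when in threshold_alerts(SAMPLE_EVENTS):
        print(f"ALERT {user}: {count} RC4 service-ticket requests within {WINDOW} (at {when})")
```

Running it flags only bob; alice never matches the static filter, and carol's requests are spread too thinly for the window. The same events would look different under another threshold or window, which is the point: the rule trades coverage for a tolerable false-positive rate, and a slow-paced actor who spaces requests out falls below it. A common refinement is to count distinct service principals per account rather than raw requests, since repeated tickets for one service are what normal clients produce.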
There are some defensive categories that are less often performed for a legitimate purpose:
- Defense Evasion is great to detect, as long as the actor actually attempts these actions (which are ancillary to their objectives)
- Impact actions are rarely legitimate (a file system being encrypted by ransomware, for example), but they occur so late in the attack that they should be prevented, not detected
One final point: remember that any activity likely to be malicious can also be prevented and is therefore less important to detect. As a result, many detection rules focus on the harder cases that are difficult to distinguish from normal (non-malicious) activity.
Credit to Michael for the original idea.