The host-side companion to the network threat hunt reference. Where the network reference covers what adversaries do across the wire, this site covers what they do inside the endpoint: process execution, persistence, privilege escalation, host-side credential theft.
Covers both Windows and Linux endpoints. Each indicator is tagged WIN or LINUX; use the OS filter in any tactic header to narrow to one platform, or leave it off to see both. Windows rows lead with Sysmon / PowerShell / registry; Linux rows lead with Sysmon for Linux / auditd / shell, with file artifacts in place of registry.
Each indicator includes detection telemetry, paste-ready Kibana KQL, hunt scripts, file/registry artifacts, adversary tool attribution, and references to open-source detection projects (Sigma, Velociraptor, Hayabusa, Falco, etc.).
The host schema differs from the network reference's because host telemetry has more dimensions. The same indicator can have evidence in several event types at once: process creation (Sysmon EID 1), registry modifications (EID 12/13), file creation (EID 11), network connections made by a process (EID 3), image loads (EID 7), and process access (EID 10).
PowerShell hunt scripts are designed to run directly against Windows event logs - useful for both proactive hunting and during incident response when you need to triage without a SIEM.
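As an added illustration of both points above (one indicator spread over several Sysmon event types, and triage straight from the event log without a SIEM), the PowerShell below is example code written for this page, not a hunt script from this reference. It assumes Sysmon logs to its default channel, `Microsoft-Windows-Sysmon/Operational`; the seed condition (rundll32.exe spawned by an Office application) and the 24-hour window are constructed placeholders, not indicators from this site. The script pulls the matching EID 1 events, then collects every EID 3/7/10/11/12/13 event sharing the same ProcessGuid so the full host-side footprint of each seed process can be read in one timeline.

```powershell
# Added example (not this site's script): correlate one process's Sysmon evidence across event types.
# Assumes Sysmon writes to its default channel. Seed pattern and window are constructed placeholders.
param(
    [string]$Channel       = 'Microsoft-Windows-Sysmon/Operational',
    [int]   $LookbackHours = 24
)

$since = (Get-Date).AddHours(-$LookbackHours)

# Flatten a Sysmon event's <EventData> into a hashtable keyed by field name.
function ConvertTo-EventDataHashtable {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $h = @{}
    foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) {
        $h[$d.Name] = $d.'#text'
    }
    return $h
}

# 1. Seed: EID 1 (process create) events matching the constructed condition.
$seedByGuid = @{}
Get-WinEvent -FilterHashtable @{ LogName = $Channel; Id = 1; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object { ConvertTo-EventDataHashtable $_ } |
    Where-Object { $_.Image -like '*\rundll32.exe' -and $_.ParentImage -match '\\(WINWORD|EXCEL|POWERPNT)\.EXE$' } |
    ForEach-Object { $seedByGuid[$_.ProcessGuid] = $_ }

if ($seedByGuid.Count -eq 0) {
    Write-Host "No seed processes in the last $LookbackHours hours."
    return
}

# 2. Gather every other Sysmon event type tied to a seed process by ProcessGuid.
#    EID 10 (ProcessAccess) names the acting process in SourceProcessGUID, not ProcessGuid.
$evidence = Get-WinEvent -FilterHashtable @{ LogName = $Channel; Id = 3,7,10,11,12,13; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d     = ConvertTo-EventDataHashtable $_
        $owner = if ($_.Id -eq 10) { $d.SourceProcessGUID } else { $d.ProcessGuid }
        if ($owner -and $seedByGuid.ContainsKey($owner)) {
            $detail = switch ($_.Id) {
                3  { "net -> $($d.DestinationIp):$($d.DestinationPort)" }
                7  { "load $($d.ImageLoaded)" }
                10 { "access $($d.TargetImage) (GrantedAccess $($d.GrantedAccess))" }
                11 { "file $($d.TargetFilename)" }
                12 { "reg $($d.EventType) $($d.TargetObject)" }
                13 { "reg set $($d.TargetObject) = $($d.Details)" }
            }
            [pscustomobject]@{
                Time   = $_.TimeCreated
                EID    = $_.Id
                Seed   = $seedByGuid[$owner].CommandLine
                Detail = $detail
            }
        }
    }

# 3. One timeline per seed process: creation context plus every follow-on artifact.
$evidence | Sort-Object Time | Format-Table -AutoSize
```

Run it in an elevated PowerShell session on the host being triaged (reading the Sysmon channel requires administrative rights). Swapping the `Where-Object` seed condition for any EID 1 pattern from this reference reuses the same correlation; the point of keying on ProcessGuid rather than ProcessId is that Sysmon's GUID is unique for the life of the log, whereas PIDs are recycled.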
Execution (TA0002), Persistence (TA0003), and Privilege Escalation (TA0004) complete.
Defense Evasion (TA0005) in progress: 10 indicators across 8 sub-techniques, Linux-focused build first.
Upcoming tactic build order:
→ Execution
→ Persistence
→ Privilege Escalation
→ Defense Evasion
→ Credential Access
→ Discovery
then completionist coverage of the rest.