NETWORK HOST
MITRE ATT&CK // Host Analyst Reference
Host analyst threat hunting: indicators, detection syntax, and APT attribution across the attack lifecycle
Tactics
TA0002
4 indicators · 1 of 13 techniques built
Execution
Code execution via interpreters and signed binaries - PowerShell encoded commands, suspicious Office-spawned children, ScriptBlock content patterns, ExecutionPolicy bypass. T1059.001 PowerShell is built; the remaining 12 techniques (cmd, VB, JS, WMI, scheduled tasks, services, Mshta, Rundll32, Regsvr32, Native API, Shared Modules, User Execution) are coming in future sessions.
TA0003
In progress
Persistence
Registry run keys, scheduled tasks, WMI subscriptions, startup folders, services, DLL hijacking - the canonical host-side persistence techniques.
TA0004
Planned
Privilege Escalation
Token manipulation, UAC bypass, named pipe impersonation, exploitation patterns. Builds on Execution telemetry.
TA0005
Planned
Defense Evasion
Process injection (CreateRemoteThread, APC, PE injection), parent PID spoofing, unsigned drivers, LOLBin abuse.
TA0006
Planned
Credential Access
LSASS access patterns, SAM/NTDS extraction, DPAPI abuse, Mimikatz process indicators. Host-side complement to network credential access detections.
TA0007
Planned
Discovery
Host enumeration commands, registry queries, network/system discovery. Complements network-side discovery detections.
About this reference

What this is

The host-side companion to the network threat hunt reference. Where the network reference covers what adversaries do across the wire, this site covers what they do inside the endpoint: process execution, persistence, privilege escalation, host-side credential theft.

Each indicator includes Sysmon Event IDs, paste-ready Kibana KQL, PowerShell hunt scripts, registry/file artifacts, adversary tool attribution, and references to open-source detection projects (Sigma, Velociraptor, Hayabusa, etc.).

How to use it

  • Pick a tactic card to open its reference page
  • Search or filter to narrow indicators by technique or APT actor
  • Each row has tabs for Sysmon · Kibana · PowerShell · Registry/Artifacts · Tools · OSS Detections · Notes · APT
  • Click the ★ star to add to your hunt list (persisted across sessions)
  • Open My Hunts to review and export your hunt as TXT or CSV with a CMS-ready template
Use the NETWORK / HOST switcher in the header to jump to the network reference for the complementary lens on the same techniques.

Schema notes

The host schema differs from the network schema because host telemetry has more dimensions. The same indicator can have evidence in several event types: process creation (Sysmon EID 1), registry modifications (EID 12/13), file creation (EID 11), network connections made by a process (EID 3), image loads (EID 7), and process access (EID 10).

PowerShell hunt scripts are designed to run directly against Windows event logs - useful both for proactive hunting and during incident response, when you need to triage a host without a SIEM.
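As an added illustration of what such a hunt script looks like (example code written for this page, not a script from the reference itself), the following pulls Sysmon EID 1 events for PowerShell started with an encoded command, the first T1059.001 indicator listed above, and decodes the payload for triage. The Sysmon channel name and the accepted `-EncodedCommand` abbreviations are standard; the seven-day window and the `Get-SysmonField` helper are assumptions.

```powershell
# Added example, not code from the reference. Hunts Sysmon EID 1 (process create)
# for PowerShell launched with an encoded command (T1059.001) and decodes the
# payload for triage. Assumes Sysmon logs to its default channel and the shell
# is elevated enough to read it.
$filter = @{
    LogName   = 'Microsoft-Windows-Sysmon/Operational'
    Id        = 1
    StartTime = (Get-Date).AddDays(-7)   # assumed hunt window
}
# -EncodedCommand may be abbreviated to any unambiguous prefix (-e, -ec, -en, -enc...).
$encPattern = '(?i)(?:^|\s)-(?:e|ec|en|enc\w*)\s+([A-Za-z0-9+/=]{16,})'

function Get-SysmonField {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    # Read a named EventData field from the event XML instead of relying on
    # property order, which changes between Sysmon versions.
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
  ForEach-Object {
    $image = Get-SysmonField $_ 'Image'
    if ($image -notmatch '\\(powershell|pwsh)(_ise)?\.exe$') { return }
    $cmd = Get-SysmonField $_ 'CommandLine'
    $m = [regex]::Match($cmd, $encPattern)
    if (-not $m.Success) { return }
    # Encoded commands are Base64 over UTF-16LE; a blob that fails to decode
    # is itself worth a closer look.
    try   { $decoded = [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($m.Groups[1].Value)) }
    catch { $decoded = '<decode failed>' }
    [pscustomobject]@{
        Time        = $_.TimeCreated
        Host        = $_.MachineName
        User        = Get-SysmonField $_ 'User'
        ParentImage = Get-SysmonField $_ 'ParentImage'   # Office parent = high priority
        Decoded     = $decoded.Substring(0, [Math]::Min(200, $decoded.Length))
    }
  } | Sort-Object Time | Format-Table -AutoSize -Wrap
```

Pipe the output to `Export-Csv` instead of `Format-Table` when the results need to go into a case file.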

Build status

Currently building Execution (TA0002): 1 of 13 techniques fully built (T1059.001 PowerShell with 4 indicators). Remaining 12 techniques in Execution are stubbed and will be filled out in future sessions.

Tactic build order:
→ Execution
→ Persistence
→ Defense Evasion
→ Privilege Escalation
→ Credential Access
→ Discovery
→ then completionist coverage of the rest.