MITRE ATT&CK // Hunt Reference
Net Analyst Threat Hunting - indicators, detection syntax, and APT attribution across the attack lifecycle
Tactics
TA0043
80 indicators · 8 techniques
Reconnaissance
Pre-compromise intelligence gathering - active scanning, identity enumeration, network info, phishing for info, and OSINT collection. Arkime, Kibana, and Suricata syntax for all indicators.
TA0001
65 indicators · 9 techniques
Initial Access
Gaining a foothold - valid accounts, removable media, external remote services, drive-by, public-facing app exploitation, supply chain, hardware additions, phishing, and content injection.
TA0011
74 indicators · 10 techniques
Command & Control
Adversary communications - application layer protocols, DGA / fast flux, web service abuse, encrypted channels (JA3/JA4), ICMP/raw TCP, proxies, domain fronting, tunneling, ingress tool transfer, RMM tool abuse.
TA0007
42 indicators · 10 techniques
Discovery
Internal reconnaissance - host enumeration, port scans, share discovery, AD account / group / trust enumeration, BloodHound signatures, Kerberos/SAMR/LSARPC patterns, file enumeration, system info gathering.
TA0008
31 indicators · 8 techniques
Lateral Movement
Adversary movement between hosts - RDP, SMB administrative shares (PsExec/Impacket), DCOM (MMC20.Application), SSH, WinRM/PSRemoting, lateral tool transfer, EternalBlue/Zerologon/PrintNightmare exploits, session hijacking.
TA0006
20 indicators · 12 techniques
Credential Access
Stealing or extracting credentials - Kerberoasting, AS-REP roasting, DCSync, password spraying, NTLM coercion (PetitPotam/PrinterBug/DFSCoerce), LLMNR poisoning + relay, Golden/Silver Tickets, credential stuffing, private key theft, LSASS dumping, MFA fatigue.
TA0009
16 indicators · 12 techniques
Collection
Gathering data for theft - bulk SMB share traversal, Confluence/SharePoint/code repo enumeration, EWS bulk email reads, forwarding rule creation, S3/Blob bulk download, network device config dumps, local/remote staging, archive creation including password-protected.
TA0010
15 indicators · 11 techniques
Exfiltration
Moving data out - exfil over C2 channel (HTTPS POST bursts, DNS tunneling, bytes ratio), SSH/FTP/outbound SMB, exfil-friendly cloud (Mega, Bunkr) and mainstream cloud volume anomalies, code repo abuse, paste sites, Discord webhook stealer pattern, scheduled/chunked/automated timing fingerprints.
About this reference

What this is

A network threat hunting reference covering eight MITRE ATT&CK tactics across the intrusion lifecycle. Every indicator includes paste-ready query syntax for Arkime, Kibana (KQL), and Suricata, plus operational notes and APT attribution context.

Built for analysis and threat hunting in offline environments.

How to use it

  • Pick a tactic card above to open its reference page
  • Use the search box or technique filter buttons to narrow down indicators
  • Copy the query syntax matching your tool (Arkime, Kibana, or Suricata)
  • Click the ★ star on any row to add it to your hunt list
  • Open My Hunts from the header to review and export your hunt as TXT or CSV with a CMS-ready template

Variables such as $INTERNAL, $DOMAIN_CONTROLLERS, and $ADMIN_HOSTS in queries are placeholders: replace them with values from your environment before running a query.

About hunts

Starred indicators persist across browser restarts and sync across open tabs in real time. Hunts are stored in localStorage under the key hunt_reference_hunts_v1 - nothing leaves the browser. Because localStorage is per origin and per browser profile, clearing site data deletes the list and it does not follow you to another browser or machine; export a hunt before either happens.

Each export comes pre-formatted as a CMS-ready hunt package with timestamps, technique IDs, query syntax, and notes.

Rows are ordered chronologically by when each indicator was starred, so the export reads as a hunt timeline.
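The store behaviour described in "About hunts" (persistence under hunt_reference_hunts_v1, cross-tab sync, chronological CSV export) and the placeholder rule from "How to use it" can be shown together in a few functions. The block below is an added example, not the reference site's own code: the record shape (tactic, technique, tool, query, notes), the sample rows, and the memory-backed storage stand-in are all assumptions made so that it runs outside a browser.

```javascript
// Added example, not the reference's own implementation. Record shape and sample
// rows are constructed for illustration.
const HUNT_KEY = 'hunt_reference_hunts_v1'; // the localStorage key the page names

// Memory-backed stand-in for window.localStorage so the code also runs under Node.
// In a browser, pass window.localStorage to createHuntStore instead.
function memoryStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
  };
}

function createHuntStore(storage) {
  const load = () => {
    try {
      const v = JSON.parse(storage.getItem(HUNT_KEY) || '[]');
      return Array.isArray(v) ? v : [];
    } catch {
      return []; // corrupt or hand-edited value: start empty instead of crashing the page
    }
  };
  const save = (hunts) => storage.setItem(HUNT_KEY, JSON.stringify(hunts));
  const store = {
    // Oldest star first, so an export reads as a hunt timeline.
    list: () => load().sort((a, b) => a.starredAt.localeCompare(b.starredAt)),
    star(row, now = new Date()) {
      const hunts = load();
      if (hunts.some((h) => h.id === row.id)) return false; // already starred
      hunts.push({ ...row, starredAt: now.toISOString() });
      save(hunts);
      return true;
    },
    unstar(id) {
      const hunts = load();
      const kept = hunts.filter((h) => h.id !== id);
      save(kept);
      return kept.length !== hunts.length;
    },
    // Cross-tab sync: the browser fires 'storage' in every *other* same-origin tab
    // when the key changes, so each tab re-reads the list instead of keeping its
    // own copy. The writing tab gets no event and refreshes itself.
    listen(win, onChange) {
      win.addEventListener('storage', (e) => {
        if (e.key === HUNT_KEY) onChange(store.list());
      });
    },
  };
  return store;
}

// CSV export. Cells are quoted per RFC 4180, and a cell starting with = + - @ is
// prefixed with a single quote so a note or query is not evaluated as a formula
// when the file is opened in a spreadsheet. Strip that prefix before pasting
// such a query back into a tool.
function csvCell(value) {
  let s = String(value ?? '');
  if (/^[=+\-@\t\r]/.test(s)) s = "'" + s;
  if (/[",\r\n]/.test(s)) s = '"' + s.replace(/"/g, '""') + '"';
  return s;
}

function exportCsv(hunts) {
  const header = ['starred_at', 'tactic', 'technique', 'tool', 'query', 'notes'];
  const lines = hunts.map((h) =>
    [h.starredAt, h.tactic, h.technique, h.tool, h.query, h.notes].map(csvCell).join(','));
  return [header.join(','), ...lines].join('\r\n');
}

// Fill $PLACEHOLDERS from an environment map and refuse to return a query that
// still contains one. Names in `keep` (Suricata's own $HOME_NET / $EXTERNAL_NET,
// which suricata.yaml resolves at rule load) are left alone.
function resolvePlaceholders(query, env, keep = ['HOME_NET', 'EXTERNAL_NET']) {
  const resolved = query.replace(/\$([A-Z][A-Z0-9_]*)/g, (m, name) =>
    Object.prototype.hasOwnProperty.call(env, name) ? env[name] : m);
  const left = (resolved.match(/\$[A-Z][A-Z0-9_]*/g) || [])
    .filter((p) => !keep.includes(p.slice(1)));
  if (left.length) throw new Error('unresolved placeholders: ' + [...new Set(left)].join(', '));
  return resolved;
}

// Constructed sample rows, not indicators taken from the reference.
const SAMPLE_ROWS = [
  { id: 'r2', tactic: 'TA0007', technique: 'T1018', tool: 'arkime',
    query: 'ip.src == $INTERNAL && port.dst == 445', notes: 'host sweep' },
  { id: 'r1', tactic: 'TA0006', technique: 'T1558.003', tool: 'kibana',
    query: 'winlog.event_id:4769 and winlog.event_data.TicketEncryptionType:0x17',
    notes: '=kerberoast, see note' },
];

function demo() {
  const store = createHuntStore(memoryStorage());
  store.star(SAMPLE_ROWS[0], new Date('2024-05-01T10:00:00Z'));
  store.star(SAMPLE_ROWS[1], new Date('2024-05-01T09:00:00Z')); // starred "earlier": exported first
  const csv = exportCsv(store.list());
  const arkime = resolvePlaceholders(SAMPLE_ROWS[0].query, { INTERNAL: '10.0.0.0/8' });
  return { csv, arkime, count: store.list().length };
}
```

Run `demo()` in Node to see the two-row CSV and the resolved Arkime query; in a page, call `store.listen(window, render)` once so a star in one tab appears in the others. The formula-prefix guard is a deliberate trade-off: it protects an analyst who opens the export in a spreadsheet at the cost of one character to remove before pasting a query that starts with `-` or `=`.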