[TONK] Host-Based Hunt Reference
Threat Observation & Network Kill-chain · MITRE ATT&CK Host Detection Reference
Tactics

TA0002 Execution (45 indicators · 18 techniques)
Code execution via interpreters and signed binaries. PowerShell, cmd, VBScript, JScript, WMI, scheduled tasks, mshta, rundll32, regsvr32 on Windows. Unix shell, Python, Perl, cron, container exec on Linux.

TA0003 Persistence (34 indicators · 16 techniques)
Survival mechanisms across reboots and sessions. Systemd services and timers, cron, SSH authorized keys, PAM backdoors, kernel modules, shell RC injection, rc.local, init.d scripts.

TA0004 Privilege Escalation (33 indicators · 16 techniques)
Gaining higher privileges. SUID/sudo abuse, DLL hijacking, service registry manipulation, IFEO debugger, accessibility features, container escape, SID-History injection, kernel exploits.

TA0005 Defense Evasion (38 indicators · 19 techniques)
Hiding attacker activity. Log clearing, timestomping, auditd disabling, firewall manipulation, registry modification, process masquerading, rootkits, LOLBin proxy execution.

TA0006 Credential Access (11 indicators · 11 techniques)
Credential theft and harvesting. LSASS memory dumps, SAM hive extraction, DCSync, Kerberoasting, /etc/shadow access, SSH private key theft.

TA0007 Discovery (planned, coming soon)
Host enumeration commands, system/network/account discovery, security software detection. The commands every actor runs between foothold and lateral movement.

TA0008 Lateral Movement (7 indicators · 7 techniques)
Host-side artifacts of lateral movement. PsExec service creation, RDP logon type 10, SSH pivoting, WinRM remote sessions, Pass-the-Hash logon anomalies.

TA0040 Impact (6 indicators · 6 techniques)
Destruction and disruption. Shadow copy deletion, pre-encryption service killing, data wipers, ransomware encryption behavioral indicators and canary detection.
About this reference

What this is

The host-side companion to the network threat hunt reference. Where the network reference covers what adversaries do across the wire, this site covers what they do inside the endpoint: process execution, persistence, privilege escalation, credential theft, and destruction.

Every indicator includes paste-ready syntax for Sysmon and Kibana (KQL) queries, PowerShell/auditd hunt scripts, registry artifacts, and open-source detection mappings.

How to use it

  • Pick a tactic card above to open its reference page
  • Use the search box or technique filter buttons to narrow down indicators
  • Copy the query syntax matching your tool (Sysmon, KQL, PowerShell)
  • Click the ★ star on any row to add it to your hunt list
  • Open My Hunts from the header to review and export your hunt as TXT or CSV

About hunts

Starred indicators persist across browser restarts and sync across open tabs in real time. Hunts are stored in localStorage under the key hunt_reference_hunts_v1; nothing leaves the browser.

Starred indicators from both NET and HOST surfaces appear together in the ATTRIB engine for unified scoring.

Coverage

7 built tactics, 93 techniques, 174 indicators spanning Windows and Linux endpoints. Detection fields: Sysmon event IDs, Kibana KQL queries, PowerShell hunt scripts, auditd rules, registry artifacts, open-source rule mappings (Sigma, Elastic, Wazuh, osquery, Falco).

APT attribution covers 29 named threat actors across China, Russia, DPRK, Iran, and criminal groups.