
Host Status (85a533a4-5fa4-4dba-b45d-f0717bedd6e6)

Logging, messaging, and other artifacts that highlight the health and operational state of host-based security sensors, such as Endpoint Detection and Response (EDR) agents, antivirus software, logging services, and system monitoring tools. Monitoring sensor health is essential for detecting misconfigurations, sensor failures, tampering, or deliberate security control evasion by adversaries.

Data Collection Measures:

  • Windows Event Logs:
    • Event ID 1074 (System log, source User32): a process or user initiated a shutdown or restart. Unexpected occurrences outside maintenance windows are the primary host-side signal for System Shutdown/Reboot (T1529).
    • Event ID 6006 (System log, source EventLog): the Event Log service was stopped. Because stopping the log also suppresses everything that would have followed, treat a 6006 that is not paired with a clean shutdown, and any gap in subsequent telemetry, as a sensor-health finding.
    • Sysmon Event ID 16 (Microsoft-Windows-Sysmon/Operational, ServiceConfigurationChange): the Sysmon configuration was changed or the service was reconfigured, which may indicate sensor tampering rather than log tampering per se.
    • Windows Defender Operational log, Event IDs 5001 (real-time protection disabled), 5010 and 5012 (malware/virus scanning disabled) and 5007 (configuration changed): these record Defender state changes; 5013 records a change blocked by tamper protection.
  • Linux/macOS Monitoring:
    • Debian/Ubuntu: /var/log/syslog, /var/log/auth.log, /var/log/kern.log (RHEL-family equivalents are /var/log/messages and /var/log/secure).
    • journald (journalctl) for kernel messages and service state, including start/stop/failure of auditd, rsyslog and EDR agent units; a unit that enters the failed or inactive state without an operator action is a sensor-health event.
    • macOS: the unified log (log show, log stream) rather than flat files; confirm the EDR system extension and its Endpoint Security client remain loaded (systemextensionsctl list).
  • Endpoint Detection and Response (EDR) Tools:
    • Monitor agent heartbeat and health status, detect sensor tampering (service stopped, driver or extension unloaded, configuration changed, telemetry channel redirected), and alert on hosts that stop sending telemetry at all.
  • Mobile device attestation:
    • Samsung Knox attestation, Google SafetyNet Attestation (superseded by the Play Integrity API) and Apple's Secure Enclave-backed App Attest/DeviceCheck services report device-integrity state (root/jailbreak, verified boot) for mobile endpoints, which stands in for sensor health where no EDR agent runs.
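The measures above are individually noisy (a reboot is usually patching, a Defender toggle is often an admin); what makes them a Host Status detection is correlating several of them on one host, and noticing when a host stops reporting at all. The following is an added example, not code from MITRE ATT&CK or MISP: it runs simple rules over a handful of constructed winlogbeat-style event records, flags hosts with several distinct sensor-health events in a short window, and lists hosts whose telemetry has gone silent. Hostnames, timestamps and the `SAMPLE_EVENTS` records are made up for the example; provider names and event IDs are the ones Windows actually emits.

```python
"""Sensor-health triage over constructed endpoint telemetry (added example)."""
from datetime import datetime, timedelta, timezone

# Constructed sample records, shaped loosely like winlogbeat/Sysmon JSON output.
# Hosts, timestamps and messages are invented for this example.
SAMPLE_EVENTS = [
    {"host": "ws01", "ts": "2024-05-01T10:00:00Z", "channel": "System",
     "provider": "User32", "event_id": 1074,
     "message": "The process shutdown.exe has initiated the restart of computer WS01"},
    {"host": "ws02", "ts": "2024-05-01T10:01:00Z", "channel": "System",
     "provider": "EventLog", "event_id": 6006,
     "message": "The Event log service was stopped."},
    {"host": "ws02", "ts": "2024-05-01T10:01:05Z",
     "channel": "Microsoft-Windows-Sysmon/Operational",
     "provider": "Microsoft-Windows-Sysmon", "event_id": 16,
     "message": "Sysmon config state changed"},
    {"host": "ws03", "ts": "2024-05-01T10:02:00Z",
     "channel": "Microsoft-Windows-Windows Defender/Operational",
     "provider": "Microsoft-Windows-Windows Defender", "event_id": 5001,
     "message": "Real-time protection is disabled."},
    {"host": "ws01", "ts": "2024-05-01T10:03:00Z", "channel": "Security",
     "provider": "Microsoft-Windows-Security-Auditing", "event_id": 4624,
     "message": "An account was successfully logged on."},
]

# (provider, event_id) pairs that describe the state of a host-based sensor.
SENSOR_HEALTH_RULES = {
    ("User32", 1074): "system shutdown/restart initiated",
    ("EventLog", 6006): "Windows event log service stopped",
    ("Microsoft-Windows-Sysmon", 16): "Sysmon configuration changed",
    ("Microsoft-Windows-Windows Defender", 5001): "Defender real-time protection disabled",
    ("Microsoft-Windows-Windows Defender", 5010): "Defender malware scanning disabled",
    ("Microsoft-Windows-Windows Defender", 5012): "Defender virus scanning disabled",
}


def parse_ts(s):
    """Parse the ISO-8601 'Z' timestamps used in the sample records."""
    return datetime.fromisoformat(s.replace("Z", "+00:00")).astimezone(timezone.utc)


def triage(events):
    """Return one alert per event that matches a sensor-health rule."""
    alerts = []
    for e in events:
        reason = SENSOR_HEALTH_RULES.get((e["provider"], e["event_id"]))
        if reason:
            alerts.append({"host": e["host"], "ts": e["ts"],
                           "event_id": e["event_id"], "reason": reason})
    return alerts


def flag_tampering(alerts, window=timedelta(minutes=5)):
    """Hosts with two or more *different* sensor-health events inside `window`.

    One reboot or one Defender toggle is usually maintenance; several distinct
    sensor-health events in quick succession on one host is the footprint that
    Impair Defenses (T1562) sub-techniques tend to leave.
    """
    by_host = {}
    for a in alerts:
        by_host.setdefault(a["host"], []).append(a)
    flagged = []
    for host, items in by_host.items():
        items.sort(key=lambda a: parse_ts(a["ts"]))
        for i, first in enumerate(items):
            start = parse_ts(first["ts"])
            cluster = [a for a in items[i:] if parse_ts(a["ts"]) - start <= window]
            if len({a["event_id"] for a in cluster}) >= 2:
                flagged.append(host)
                break
    return flagged


def find_silent_hosts(events, expected_hosts, now, max_gap=timedelta(minutes=30)):
    """Map each expected host that has gone quiet to its last-seen time (None if never).

    A sensor that stops reporting is as much a health signal as one that reports
    being disabled; this catches killed agents and hosts cut off from the collector.
    """
    last_seen = {}
    for e in events:
        ts = parse_ts(e["ts"])
        if e["host"] not in last_seen or ts > last_seen[e["host"]]:
            last_seen[e["host"]] = ts
    return {h: last_seen.get(h) for h in expected_hosts
            if last_seen.get(h) is None or now - last_seen[h] > max_gap}


if __name__ == "__main__":
    alerts = triage(SAMPLE_EVENTS)
    for a in alerts:
        print(f"{a['ts']} {a['host']} EID {a['event_id']}: {a['reason']}")
    print("likely tampering:", flag_tampering(alerts))
    # ws04 is in the asset inventory but has never reported; it is constructed here.
    print("silent hosts:", find_silent_hosts(SAMPLE_EVENTS, ["ws01", "ws02", "ws03", "ws04"],
                                             now=parse_ts("2024-05-01T10:20:00Z")))
```

In production the `expected_hosts` list would come from the asset inventory or the EDR console rather than being hard-coded, and `max_gap` should be tuned per host class (laptops that sleep legitimately go quiet; servers should not).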
Related clusters (Level 1: clusters directly related to Host Status; Level 2: relationships among those related clusters, such as technique to sub-technique)

Cluster A | Galaxy A | Cluster B | Galaxy B | Level
Service Exhaustion Flood - T1499.002 (38eb0c22-6caf-46ce-8869-5964bd735858) | Attack Pattern | Host Status (85a533a4-5fa4-4dba-b45d-f0717bedd6e6) | mitre-data-component | 1
Host Status (85a533a4-5fa4-4dba-b45d-f0717bedd6e6) | mitre-data-component | Drive-By Compromise - T1456 (fd339382-bfec-4bf0-8d47-1caedc9e7e57) | Attack Pattern | 1
Host Status (85a533a4-5fa4-4dba-b45d-f0717bedd6e6) | mitre-data-component | System Shutdown/Reboot - T1529 (ff73aa03-0090-4464-83ac-f89e233c02bc) | Attack Pattern | 1
Host Status (85a533a4-5fa4-4dba-b45d-f0717bedd6e6) | mitre-data-component | Network Denial of Service - T1498 (d74c4a7e-ffbf-432f-9365-7ebf1f787cab) | Attack Pattern | 1
Host Status (85a533a4-5fa4-4dba-b45d-f0717bedd6e6) | mitre-data-component | Keychain - T1634.001 (8605a0ec-b44a-4e98-a7fc-87d4bd3acb66) | Attack Pattern | 1
Host Status (85a533a4-5fa4-4dba-b45d-f0717bedd6e6) | mitre-data-component | Endpoint Denial of Service - T1499 (c675646d-e204-4aa8-978d-e3d6d65885c4) | Attack Pattern | 1
Host Status (85a533a4-5fa4-4dba-b45d-f0717bedd6e6) | mitre-data-component | Disable Windows Event Logging - T1562.002 (4eb28bed-d11a-4641-9863-c2ac017d910a) | Attack Pattern | 1
Host Status (85a533a4-5fa4-4dba-b45d-f0717bedd6e6) | mitre-data-component | Boot or Logon Initialization Scripts - T1398 (46d818a5-67fa-4585-a7fc-ecf15376c8d5) | Attack Pattern | 1
Host Status (85a533a4-5fa4-4dba-b45d-f0717bedd6e6) | mitre-data-component | Impair Command History Logging - T1562.003 (8f504411-cb96-4dac-a537-8d2bb7679c59) | Attack Pattern | 1
Host Status (85a533a4-5fa4-4dba-b45d-f0717bedd6e6) | mitre-data-component | Compromise Hardware Supply Chain - T1474.002 (c08366bb-8d11-4921-853f-f0a3b6a2a1da) | Attack Pattern | 1
Host Status (85a533a4-5fa4-4dba-b45d-f0717bedd6e6) | mitre-data-component | Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529) | Attack Pattern | 1
Host Status (85a533a4-5fa4-4dba-b45d-f0717bedd6e6) | mitre-data-component | Exploitation for Privilege Escalation - T1404 (351c0927-2fc1-4a2c-ad84-cbbee7eb8172) | Attack Pattern | 1
Host Status (85a533a4-5fa4-4dba-b45d-f0717bedd6e6) | mitre-data-component | Hijack Execution Flow - T1625 (670a4d75-103b-4b14-8a9e-4652fa795edd) | Attack Pattern | 1
Host Status (85a533a4-5fa4-4dba-b45d-f0717bedd6e6) | mitre-data-component | Compromise Software Supply Chain - T1474.003 (9558a84e-2d5e-4872-918e-d847494a8ffc) | Attack Pattern | 1
Host Status (85a533a4-5fa4-4dba-b45d-f0717bedd6e6) | mitre-data-component | Application Exhaustion Flood - T1499.003 (18cffc21-3260-437e-80e4-4ab8bf2ba5e9) | Attack Pattern | 1
Host Status (85a533a4-5fa4-4dba-b45d-f0717bedd6e6) | mitre-data-component | Reflection Amplification - T1498.002 (36b2a1d7-e09e-49bf-b45e-477076c2ec01) | Attack Pattern | 1
Host Status (85a533a4-5fa4-4dba-b45d-f0717bedd6e6) | mitre-data-component | Supply Chain Compromise - T1195 (3f18edba-28f4-4bb9-82c3-8aa60dcac5f7) | Attack Pattern | 1
Host Status (85a533a4-5fa4-4dba-b45d-f0717bedd6e6) | mitre-data-component | Application or System Exploitation - T1499.004 (2bee5ffb-7a7a-4119-b1f2-158151b19ac0) | Attack Pattern | 1
Host Status (85a533a4-5fa4-4dba-b45d-f0717bedd6e6) | mitre-data-component | Lockscreen Bypass - T1461 (dfe29258-ce59-421c-9dee-e85cb9fa90cd) | Attack Pattern | 1
Host Status (85a533a4-5fa4-4dba-b45d-f0717bedd6e6) | mitre-data-component | Indicator Blocking - T1562.006 (74d2a63f-3c7b-4852-92da-02d8fbab16da) | Attack Pattern | 1
Host Status (85a533a4-5fa4-4dba-b45d-f0717bedd6e6) | mitre-data-component | Credentials from Password Store - T1634 (cc6e0637-76d2-4af3-a604-9d8d3ff8a6b3) | Attack Pattern | 1
Host Status (85a533a4-5fa4-4dba-b45d-f0717bedd6e6) | mitre-data-component | Disguise Root/Jailbreak Indicators - T1630.003 (a91262d5-b9ff-463f-b8d2-12e4ea1eb3c9) | Attack Pattern | 1
Host Status (85a533a4-5fa4-4dba-b45d-f0717bedd6e6) | mitre-data-component | Direct Network Flood - T1498.001 (0bda01d5-4c1d-4062-8ee2-6872334383c3) | Attack Pattern | 1
Host Status (85a533a4-5fa4-4dba-b45d-f0717bedd6e6) | mitre-data-component | OS Exhaustion Flood - T1499.001 (0df05477-c572-4ed6-88a9-47c581f548f7) | Attack Pattern | 1
Host Status (85a533a4-5fa4-4dba-b45d-f0717bedd6e6) | mitre-data-component | Resource Hijacking - T1496 (cd25c1b4-935c-4f0e-ba8d-552f28bc4783) | Attack Pattern | 1
Host Status (85a533a4-5fa4-4dba-b45d-f0717bedd6e6) | mitre-data-component | Compute Hijacking - T1496.001 (a718a0c8-5768-41a1-9958-a1cc3f995e99) | Attack Pattern | 1
Host Status (85a533a4-5fa4-4dba-b45d-f0717bedd6e6) | mitre-data-component | Spoof Security Alerting - T1562.011 (bef8aaee-961d-4359-a308-4c2182bcedff) | Attack Pattern | 1
Host Status (85a533a4-5fa4-4dba-b45d-f0717bedd6e6) | mitre-data-component | System Runtime API Hijacking - T1625.001 (c6e17ca2-08b5-4379-9786-89bd05241831) | Attack Pattern | 1
Host Status (85a533a4-5fa4-4dba-b45d-f0717bedd6e6) | mitre-data-component | Compromise Client Software Binary - T1645 (4f14e30b-8b57-4a7b-9093-2c0778ea99cf) | Attack Pattern | 1
Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579) | Attack Pattern | Host Status (85a533a4-5fa4-4dba-b45d-f0717bedd6e6) | mitre-data-component | 1
Host Status (85a533a4-5fa4-4dba-b45d-f0717bedd6e6) | mitre-data-component | Replication Through Removable Media - T1458 (667e5707-3843-4da8-bd34-88b922526f0d) | Attack Pattern | 1
Host Status (85a533a4-5fa4-4dba-b45d-f0717bedd6e6) | mitre-data-component | Exploitation for Initial Access - T1664 (6ecbc2eb-e85a-440a-ab68-4d98f8d56fbe) | Attack Pattern | 1
Host Status (85a533a4-5fa4-4dba-b45d-f0717bedd6e6) | mitre-data-component | Compromise Hardware Supply Chain - T1195.003 (39131305-9282-45e4-ac3b-591d2d4fc3ef) | Attack Pattern | 1
Service Exhaustion Flood - T1499.002 (38eb0c22-6caf-46ce-8869-5964bd735858) | Attack Pattern | Endpoint Denial of Service - T1499 (c675646d-e204-4aa8-978d-e3d6d65885c4) | Attack Pattern | 2
Keychain - T1634.001 (8605a0ec-b44a-4e98-a7fc-87d4bd3acb66) | Attack Pattern | Credentials from Password Store - T1634 (cc6e0637-76d2-4af3-a604-9d8d3ff8a6b3) | Attack Pattern | 2
Disable Windows Event Logging - T1562.002 (4eb28bed-d11a-4641-9863-c2ac017d910a) | Attack Pattern | Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529) | Attack Pattern | 2
Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529) | Attack Pattern | Impair Command History Logging - T1562.003 (8f504411-cb96-4dac-a537-8d2bb7679c59) | Attack Pattern | 2
Supply Chain Compromise - T1474 (0d95940f-9583-4e0f-824c-a42c1be47fad) | Attack Pattern | Compromise Hardware Supply Chain - T1474.002 (c08366bb-8d11-4921-853f-f0a3b6a2a1da) | Attack Pattern | 2
Supply Chain Compromise - T1474 (0d95940f-9583-4e0f-824c-a42c1be47fad) | Attack Pattern | Compromise Software Supply Chain - T1474.003 (9558a84e-2d5e-4872-918e-d847494a8ffc) | Attack Pattern | 2
Endpoint Denial of Service - T1499 (c675646d-e204-4aa8-978d-e3d6d65885c4) | Attack Pattern | Application Exhaustion Flood - T1499.003 (18cffc21-3260-437e-80e4-4ab8bf2ba5e9) | Attack Pattern | 2
Reflection Amplification - T1498.002 (36b2a1d7-e09e-49bf-b45e-477076c2ec01) | Attack Pattern | Network Denial of Service - T1498 (d74c4a7e-ffbf-432f-9365-7ebf1f787cab) | Attack Pattern | 2
Endpoint Denial of Service - T1499 (c675646d-e204-4aa8-978d-e3d6d65885c4) | Attack Pattern | Application or System Exploitation - T1499.004 (2bee5ffb-7a7a-4119-b1f2-158151b19ac0) | Attack Pattern | 2
Indicator Blocking - T1562.006 (74d2a63f-3c7b-4852-92da-02d8fbab16da) | Attack Pattern | Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529) | Attack Pattern | 2
Disguise Root/Jailbreak Indicators - T1630.003 (a91262d5-b9ff-463f-b8d2-12e4ea1eb3c9) | Attack Pattern | Indicator Removal on Host - T1630 (0d4e3bbb-7af5-4c88-a215-0c0906bc1e8d) | Attack Pattern | 2
Direct Network Flood - T1498.001 (0bda01d5-4c1d-4062-8ee2-6872334383c3) | Attack Pattern | Network Denial of Service - T1498 (d74c4a7e-ffbf-432f-9365-7ebf1f787cab) | Attack Pattern | 2
Endpoint Denial of Service - T1499 (c675646d-e204-4aa8-978d-e3d6d65885c4) | Attack Pattern | OS Exhaustion Flood - T1499.001 (0df05477-c572-4ed6-88a9-47c581f548f7) | Attack Pattern | 2
Resource Hijacking - T1496 (cd25c1b4-935c-4f0e-ba8d-552f28bc4783) | Attack Pattern | Compute Hijacking - T1496.001 (a718a0c8-5768-41a1-9958-a1cc3f995e99) | Attack Pattern | 2
Spoof Security Alerting - T1562.011 (bef8aaee-961d-4359-a308-4c2182bcedff) | Attack Pattern | Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529) | Attack Pattern | 2
System Runtime API Hijacking - T1625.001 (c6e17ca2-08b5-4379-9786-89bd05241831) | Attack Pattern | Hijack Execution Flow - T1625 (670a4d75-103b-4b14-8a9e-4652fa795edd) | Attack Pattern | 2
Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579) | Attack Pattern | Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529) | Attack Pattern | 2
Compromise Hardware Supply Chain - T1195.003 (39131305-9282-45e4-ac3b-591d2d4fc3ef) | Attack Pattern | Supply Chain Compromise - T1195 (3f18edba-28f4-4bb9-82c3-8aa60dcac5f7) | Attack Pattern | 2