Host Status (85a533a4-5fa4-4dba-b45d-f0717bedd6e6)

Logging, messaging, and other artifacts that highlight the health and operational state of host-based security sensors, such as Endpoint Detection and Response (EDR) agents, antivirus software, logging services, and system monitoring tools. Monitoring sensor health is essential for detecting misconfigurations, sensor failures, tampering, or deliberate security control evasion by adversaries.

Data Collection Measures:

  • Windows Event Logs:
    • Event ID 1074 (System Shutdown): Written to the System log by User32 when a process or user initiates a shutdown or reboot; use it to spot restarts that take sensors offline. A dirty or unexpected shutdown is recorded separately as Event ID 6008 on the next boot.
    • Event ID 6006 (Event Log Stopped): Written to the System log when the Windows Event Log service stops; any gap in telemetry after this event is a direct sign of logging loss rather than a quiet host.
    • Event ID 16 (Sysmon): Sysmon configuration state changed; the rule set was altered, reloaded or cleared, which may indicate log tampering.
    • Event ID 12 (Windows Defender Status Change): Detects changes in Windows Defender state. Verify this ID against the Microsoft-Windows-Windows Defender/Operational channel on your build; the IDs most commonly alerted on for Defender tampering are 5001 (real-time protection disabled) and 5007 (configuration changed).
  • Linux/macOS Monitoring:
    • /var/log/syslog, /var/log/auth.log, /var/log/kern.log (Debian-family paths; RHEL-family hosts use /var/log/messages and /var/log/secure, and macOS writes to the unified log, read with "log show", rather than these files).
    • Journald (journalctl) for kernel and system alerts, including unit stop events for auditd, rsyslog and EDR agents.
  • Endpoint Detection and Response (EDR) Tools:
    • Monitor agent health status, detect sensor tampering, and alert on missing telemetry: an agent that silently stops checking in matters as much as one that reports being disabled.
  • Mobile Threat Intelligence Logs:
    • Samsung Knox, SafetyNet (since superseded by the Play Integrity API) and iOS Secure Enclave-backed attestation provide sensor health and device integrity status for mobile endpoints.
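The list above names sources but not how they fit together in one alerting pass. The following is an added example (not code from the MITRE or MISP page) that runs the three checks over constructed records: Windows events matched on channel, provider and event ID; syslog-style Linux lines matched on known "sensor went away" messages; and a heartbeat gap check for missing EDR telemetry. The channel and provider strings, the Defender 5001 rule, the Linux regexes, the unit name edr-agent.service and the 15-minute threshold are assumptions to be checked against your own exports.

```python
"""Sensor-health triage over constructed log records (added example, not page code).
Channel/provider strings, Linux patterns and the heartbeat threshold are assumptions."""
import re
from datetime import datetime, timedelta, timezone

# (channel, provider, event ID) -> what the event says about sensor health.
WINDOWS_RULES = {
    ("System", "User32", 1074): "system shutdown/reboot initiated",
    ("System", "EventLog", 6006): "Windows Event Log service stopped",
    ("Microsoft-Windows-Sysmon/Operational", "Microsoft-Windows-Sysmon", 16):
        "Sysmon configuration state changed",
    ("Microsoft-Windows-Windows Defender/Operational",
     "Microsoft-Windows-Windows Defender", 5001):
        "Defender real-time protection disabled",
}

# syslog/journalctl lines that show a logging or audit sensor going away.
# Illustrative patterns, not an exhaustive rule set.
LINUX_RULES = [
    (re.compile(r"auditd\[\d+\]: The audit daemon is exiting"), "auditd exiting"),
    (re.compile(r"rsyslogd: .*exiting on signal"), "rsyslogd stopped"),
    (re.compile(r"systemd-journald\[\d+\]: Journal stopped"), "journald stopped"),
    (re.compile(r"systemd\[1\]: Stopped (?P<unit>\S+)"), "unit stopped"),
]
# systemd units whose stop is a sensor-health event (edr-agent.service is hypothetical).
WATCHED_UNITS = {"auditd.service", "rsyslog.service", "edr-agent.service"}
DEFAULT_MAX_GAP = timedelta(minutes=15)  # assumed agent check-in tolerance


def classify_windows(record):
    """Return a health finding for one Windows event record, or None."""
    key = (record.get("Channel"), record.get("Provider"), record.get("EventID"))
    finding = WINDOWS_RULES.get(key)
    if finding is None:
        return None
    return f"{record['Computer']}: {finding} (EventID {key[2]})"


def classify_linux(line):
    """Return a health finding for one syslog-style line, or None."""
    parts = line.split()  # "Mon DD HH:MM:SS host proc[pid]: msg"
    host = parts[3] if len(parts) > 3 else "?"
    for pattern, finding in LINUX_RULES:
        m = pattern.search(line)
        if not m:
            continue
        if finding == "unit stopped":
            unit = m.group("unit")
            if unit not in WATCHED_UNITS:
                continue  # stopping an unrelated unit is not a sensor event
            finding = f"{unit} stopped"
        return f"{host}: {finding}"
    return None


def find_silent_sensors(last_seen, now, max_gap=DEFAULT_MAX_GAP):
    """Hosts whose agent has not checked in within max_gap: missing telemetry."""
    return sorted(host for host, ts in last_seen.items() if now - ts > max_gap)


def triage(windows_records, linux_lines, last_seen, now, max_gap=DEFAULT_MAX_GAP):
    """Run all three checks and return the list of alert strings."""
    alerts = [f for f in map(classify_windows, windows_records) if f]
    alerts += [f for f in map(classify_linux, linux_lines) if f]
    alerts += [f"{h}: no agent heartbeat for more than {max_gap}"
               for h in find_silent_sensors(last_seen, now, max_gap)]
    return alerts


NOW = datetime(2024, 6, 12, 10, 30, tzinfo=timezone.utc)

# Constructed Windows events, shaped like a minimal JSON export of Get-WinEvent.
SAMPLE_WINDOWS = [
    {"Computer": "WS01", "Channel": "System", "Provider": "EventLog", "EventID": 6006},
    {"Computer": "WS01", "Channel": "Microsoft-Windows-Sysmon/Operational",
     "Provider": "Microsoft-Windows-Sysmon", "EventID": 16},
    {"Computer": "WS02", "Channel": "Microsoft-Windows-Sysmon/Operational",
     "Provider": "Microsoft-Windows-Sysmon", "EventID": 1},  # process create, benign
    {"Computer": "WS02", "Channel": "Microsoft-Windows-Windows Defender/Operational",
     "Provider": "Microsoft-Windows-Windows Defender", "EventID": 5001},
]

# Constructed syslog lines.
SAMPLE_LINUX = [
    "Jun 12 10:20:01 srv01 systemd[1]: Stopped auditd.service",
    "Jun 12 10:20:02 srv01 auditd[812]: The audit daemon is exiting.",
    "Jun 12 10:21:00 srv02 systemd[1]: Stopped cups.service",
    "Jun 12 10:22:00 srv02 sshd[1402]: Accepted publickey for ops from 10.0.0.5",
]

# Constructed last check-in time per EDR agent.
SAMPLE_HEARTBEATS = {
    "WS01": NOW - timedelta(minutes=2),
    "WS02": NOW - timedelta(minutes=40),
    "srv01": NOW - timedelta(minutes=3),
}

if __name__ == "__main__":
    for alert in triage(SAMPLE_WINDOWS, SAMPLE_LINUX, SAMPLE_HEARTBEATS, NOW):
        print("ALERT", alert)
```

On the constructed input the pass raises six alerts: the event log stop and Sysmon config change on WS01, the Defender real-time protection change on WS02, the auditd unit stop and daemon exit on srv01, and a missing-heartbeat alert for WS02, whose agent last checked in 40 minutes earlier. The benign Sysmon process-create event, the cups unit stop and the SSH login are ignored, which is the point of keying Windows rules on the full channel/provider/ID triple and restricting "Stopped" matches to watched units.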
Cluster relationships recorded for this data component. Level 1 rows link Host Status directly to an attack pattern (the technique can be detected with this data component); level 2 rows are relationships among those attack patterns, such as a sub-technique to its parent technique.

Cluster A | Galaxy A | Cluster B | Galaxy B | Level
Replication Through Removable Media - T1458 (667e5707-3843-4da8-bd34-88b922526f0d) | Attack Pattern | Host Status (85a533a4-5fa4-4dba-b45d-f0717bedd6e6) | mitre-data-component | 1
Exploitation for Initial Access - T1664 (6ecbc2eb-e85a-440a-ab68-4d98f8d56fbe) | Attack Pattern | Host Status (85a533a4-5fa4-4dba-b45d-f0717bedd6e6) | mitre-data-component | 1
Host Status (85a533a4-5fa4-4dba-b45d-f0717bedd6e6) | mitre-data-component | Compromise Hardware Supply Chain - T1195.003 (39131305-9282-45e4-ac3b-591d2d4fc3ef) | Attack Pattern | 1
Service Exhaustion Flood - T1499.002 (38eb0c22-6caf-46ce-8869-5964bd735858) | Attack Pattern | Host Status (85a533a4-5fa4-4dba-b45d-f0717bedd6e6) | mitre-data-component | 1
Host Status (85a533a4-5fa4-4dba-b45d-f0717bedd6e6) | mitre-data-component | Drive-By Compromise - T1456 (fd339382-bfec-4bf0-8d47-1caedc9e7e57) | Attack Pattern | 1
System Shutdown/Reboot - T1529 (ff73aa03-0090-4464-83ac-f89e233c02bc) | Attack Pattern | Host Status (85a533a4-5fa4-4dba-b45d-f0717bedd6e6) | mitre-data-component | 1
Network Denial of Service - T1498 (d74c4a7e-ffbf-432f-9365-7ebf1f787cab) | Attack Pattern | Host Status (85a533a4-5fa4-4dba-b45d-f0717bedd6e6) | mitre-data-component | 1
Host Status (85a533a4-5fa4-4dba-b45d-f0717bedd6e6) | mitre-data-component | Keychain - T1634.001 (8605a0ec-b44a-4e98-a7fc-87d4bd3acb66) | Attack Pattern | 1
Endpoint Denial of Service - T1499 (c675646d-e204-4aa8-978d-e3d6d65885c4) | Attack Pattern | Host Status (85a533a4-5fa4-4dba-b45d-f0717bedd6e6) | mitre-data-component | 1
Host Status (85a533a4-5fa4-4dba-b45d-f0717bedd6e6) | mitre-data-component | Disable Windows Event Logging - T1562.002 (4eb28bed-d11a-4641-9863-c2ac017d910a) | Attack Pattern | 1
Boot or Logon Initialization Scripts - T1398 (46d818a5-67fa-4585-a7fc-ecf15376c8d5) | Attack Pattern | Host Status (85a533a4-5fa4-4dba-b45d-f0717bedd6e6) | mitre-data-component | 1
Impair Command History Logging - T1562.003 (8f504411-cb96-4dac-a537-8d2bb7679c59) | Attack Pattern | Host Status (85a533a4-5fa4-4dba-b45d-f0717bedd6e6) | mitre-data-component | 1
Compromise Hardware Supply Chain - T1474.002 (c08366bb-8d11-4921-853f-f0a3b6a2a1da) | Attack Pattern | Host Status (85a533a4-5fa4-4dba-b45d-f0717bedd6e6) | mitre-data-component | 1
Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529) | Attack Pattern | Host Status (85a533a4-5fa4-4dba-b45d-f0717bedd6e6) | mitre-data-component | 1
Exploitation for Privilege Escalation - T1404 (351c0927-2fc1-4a2c-ad84-cbbee7eb8172) | Attack Pattern | Host Status (85a533a4-5fa4-4dba-b45d-f0717bedd6e6) | mitre-data-component | 1
Hijack Execution Flow - T1625 (670a4d75-103b-4b14-8a9e-4652fa795edd) | Attack Pattern | Host Status (85a533a4-5fa4-4dba-b45d-f0717bedd6e6) | mitre-data-component | 1
Host Status (85a533a4-5fa4-4dba-b45d-f0717bedd6e6) | mitre-data-component | Compromise Software Supply Chain - T1474.003 (9558a84e-2d5e-4872-918e-d847494a8ffc) | Attack Pattern | 1
Application Exhaustion Flood - T1499.003 (18cffc21-3260-437e-80e4-4ab8bf2ba5e9) | Attack Pattern | Host Status (85a533a4-5fa4-4dba-b45d-f0717bedd6e6) | mitre-data-component | 1
Supply Chain Compromise - T1195 (3f18edba-28f4-4bb9-82c3-8aa60dcac5f7) | Attack Pattern | Host Status (85a533a4-5fa4-4dba-b45d-f0717bedd6e6) | mitre-data-component | 1
Reflection Amplification - T1498.002 (36b2a1d7-e09e-49bf-b45e-477076c2ec01) | Attack Pattern | Host Status (85a533a4-5fa4-4dba-b45d-f0717bedd6e6) | mitre-data-component | 1
Application or System Exploitation - T1499.004 (2bee5ffb-7a7a-4119-b1f2-158151b19ac0) | Attack Pattern | Host Status (85a533a4-5fa4-4dba-b45d-f0717bedd6e6) | mitre-data-component | 1
Lockscreen Bypass - T1461 (dfe29258-ce59-421c-9dee-e85cb9fa90cd) | Attack Pattern | Host Status (85a533a4-5fa4-4dba-b45d-f0717bedd6e6) | mitre-data-component | 1
Host Status (85a533a4-5fa4-4dba-b45d-f0717bedd6e6) | mitre-data-component | Indicator Blocking - T1562.006 (74d2a63f-3c7b-4852-92da-02d8fbab16da) | Attack Pattern | 1
Credentials from Password Store - T1634 (cc6e0637-76d2-4af3-a604-9d8d3ff8a6b3) | Attack Pattern | Host Status (85a533a4-5fa4-4dba-b45d-f0717bedd6e6) | mitre-data-component | 1
Disguise Root/Jailbreak Indicators - T1630.003 (a91262d5-b9ff-463f-b8d2-12e4ea1eb3c9) | Attack Pattern | Host Status (85a533a4-5fa4-4dba-b45d-f0717bedd6e6) | mitre-data-component | 1
Direct Network Flood - T1498.001 (0bda01d5-4c1d-4062-8ee2-6872334383c3) | Attack Pattern | Host Status (85a533a4-5fa4-4dba-b45d-f0717bedd6e6) | mitre-data-component | 1
OS Exhaustion Flood - T1499.001 (0df05477-c572-4ed6-88a9-47c581f548f7) | Attack Pattern | Host Status (85a533a4-5fa4-4dba-b45d-f0717bedd6e6) | mitre-data-component | 1
Resource Hijacking - T1496 (cd25c1b4-935c-4f0e-ba8d-552f28bc4783) | Attack Pattern | Host Status (85a533a4-5fa4-4dba-b45d-f0717bedd6e6) | mitre-data-component | 1
Host Status (85a533a4-5fa4-4dba-b45d-f0717bedd6e6) | mitre-data-component | Compute Hijacking - T1496.001 (a718a0c8-5768-41a1-9958-a1cc3f995e99) | Attack Pattern | 1
Spoof Security Alerting - T1562.011 (bef8aaee-961d-4359-a308-4c2182bcedff) | Attack Pattern | Host Status (85a533a4-5fa4-4dba-b45d-f0717bedd6e6) | mitre-data-component | 1
System Runtime API Hijacking - T1625.001 (c6e17ca2-08b5-4379-9786-89bd05241831) | Attack Pattern | Host Status (85a533a4-5fa4-4dba-b45d-f0717bedd6e6) | mitre-data-component | 1
Compromise Client Software Binary - T1645 (4f14e30b-8b57-4a7b-9093-2c0778ea99cf) | Attack Pattern | Host Status (85a533a4-5fa4-4dba-b45d-f0717bedd6e6) | mitre-data-component | 1
Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579) | Attack Pattern | Host Status (85a533a4-5fa4-4dba-b45d-f0717bedd6e6) | mitre-data-component | 1
Supply Chain Compromise - T1195 (3f18edba-28f4-4bb9-82c3-8aa60dcac5f7) | Attack Pattern | Compromise Hardware Supply Chain - T1195.003 (39131305-9282-45e4-ac3b-591d2d4fc3ef) | Attack Pattern | 2
Service Exhaustion Flood - T1499.002 (38eb0c22-6caf-46ce-8869-5964bd735858) | Attack Pattern | Endpoint Denial of Service - T1499 (c675646d-e204-4aa8-978d-e3d6d65885c4) | Attack Pattern | 2
Credentials from Password Store - T1634 (cc6e0637-76d2-4af3-a604-9d8d3ff8a6b3) | Attack Pattern | Keychain - T1634.001 (8605a0ec-b44a-4e98-a7fc-87d4bd3acb66) | Attack Pattern | 2
Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529) | Attack Pattern | Disable Windows Event Logging - T1562.002 (4eb28bed-d11a-4641-9863-c2ac017d910a) | Attack Pattern | 2
Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529) | Attack Pattern | Impair Command History Logging - T1562.003 (8f504411-cb96-4dac-a537-8d2bb7679c59) | Attack Pattern | 2
Compromise Hardware Supply Chain - T1474.002 (c08366bb-8d11-4921-853f-f0a3b6a2a1da) | Attack Pattern | Supply Chain Compromise - T1474 (0d95940f-9583-4e0f-824c-a42c1be47fad) | Attack Pattern | 2
Supply Chain Compromise - T1474 (0d95940f-9583-4e0f-824c-a42c1be47fad) | Attack Pattern | Compromise Software Supply Chain - T1474.003 (9558a84e-2d5e-4872-918e-d847494a8ffc) | Attack Pattern | 2
Application Exhaustion Flood - T1499.003 (18cffc21-3260-437e-80e4-4ab8bf2ba5e9) | Attack Pattern | Endpoint Denial of Service - T1499 (c675646d-e204-4aa8-978d-e3d6d65885c4) | Attack Pattern | 2
Reflection Amplification - T1498.002 (36b2a1d7-e09e-49bf-b45e-477076c2ec01) | Attack Pattern | Network Denial of Service - T1498 (d74c4a7e-ffbf-432f-9365-7ebf1f787cab) | Attack Pattern | 2
Application or System Exploitation - T1499.004 (2bee5ffb-7a7a-4119-b1f2-158151b19ac0) | Attack Pattern | Endpoint Denial of Service - T1499 (c675646d-e204-4aa8-978d-e3d6d65885c4) | Attack Pattern | 2
Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529) | Attack Pattern | Indicator Blocking - T1562.006 (74d2a63f-3c7b-4852-92da-02d8fbab16da) | Attack Pattern | 2
Disguise Root/Jailbreak Indicators - T1630.003 (a91262d5-b9ff-463f-b8d2-12e4ea1eb3c9) | Attack Pattern | Indicator Removal on Host - T1630 (0d4e3bbb-7af5-4c88-a215-0c0906bc1e8d) | Attack Pattern | 2
Direct Network Flood - T1498.001 (0bda01d5-4c1d-4062-8ee2-6872334383c3) | Attack Pattern | Network Denial of Service - T1498 (d74c4a7e-ffbf-432f-9365-7ebf1f787cab) | Attack Pattern | 2
OS Exhaustion Flood - T1499.001 (0df05477-c572-4ed6-88a9-47c581f548f7) | Attack Pattern | Endpoint Denial of Service - T1499 (c675646d-e204-4aa8-978d-e3d6d65885c4) | Attack Pattern | 2
Resource Hijacking - T1496 (cd25c1b4-935c-4f0e-ba8d-552f28bc4783) | Attack Pattern | Compute Hijacking - T1496.001 (a718a0c8-5768-41a1-9958-a1cc3f995e99) | Attack Pattern | 2
Spoof Security Alerting - T1562.011 (bef8aaee-961d-4359-a308-4c2182bcedff) | Attack Pattern | Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529) | Attack Pattern | 2
System Runtime API Hijacking - T1625.001 (c6e17ca2-08b5-4379-9786-89bd05241831) | Attack Pattern | Hijack Execution Flow - T1625 (670a4d75-103b-4b14-8a9e-4652fa795edd) | Attack Pattern | 2
Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529) | Attack Pattern | Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579) | Attack Pattern | 2