The intrusion chain on Linux
Access, escalate, persist, act.
Attacker activity on a host follows a recognizable sequence, and naming its stages gives you a map for both detection and investigation. It begins with initial access (the foothold), then reconnaissance (learning the environment), privilege escalation (becoming root), persistence (ensuring they can come back), and finally actions on objectives (the actual goal — data theft, lateral movement, disruption). Each stage produces different, detectable signals.
Reconnaissance is noisy — and catchable
Right after landing, an attacker orients themselves: who am I (id, whoami), what is this box (hostname, uname, ps), what can I reach (ss, ip, arp), and where might I escalate (searching for SUID binaries, readable configs, sudo rights). This burst of enumeration is often the first detectable moment — a service account that suddenly runs id, sudo -l, and a find for SUID binaries is behaving nothing like the service it is supposed to be. Recognizing recon is one of the earliest chances to catch an intrusion.
# the recon an attacker runs on landing — and exactly what your detections watch for:$ id; whoami; hostname; uname -a # who and where am I?$ sudo -l 2>/dev/null # what can I run as root?$ find / -perm -4000 -type f 2>/dev/null # SUID binaries to abuse$ ss -tlnp; cat /etc/crontab # what is reachable / scheduled?
MITRE ATT&CK: a shared vocabulary
The security industry catalogs these techniques in the MITRE ATT&CK framework — a structured list of the tactics (the goals: privilege escalation, persistence, defense evasion) and the specific techniques under each. It is worth knowing because it gives you a checklist for coverage ("do we detect these persistence techniques?"), a common language for describing an incident, and a way to map your detections to real-world attacker behavior rather than guessing what to watch. The rest of this course is, in effect, a tour of the most important Linux ATT&CK techniques and how to see them.