CoursesAdvanced Linux securityThe attacker on the host

The intrusion chain on Linux

Access, escalate, persist, act.

Advanced12 min · lesson 2 of 17

Attacker activity on a host follows a recognizable sequence, and naming its stages gives you a map for both detection and investigation. It begins with initial access (the foothold), then reconnaissance (learning the environment), privilege escalation (becoming root), persistence (ensuring they can come back), and finally actions on objectives (the actual goal — data theft, lateral movement, disruption). Each stage produces different, detectable signals.

The intrusion chain on a Linux host
1access
RCE, stolen key, bad dep
2recon
who am i, whats here
3escalate
to root
4persist → act
survive, then exfil/pivot
Detection at any stage beats detection at none. The earlier you catch the chain, the less the attacker accomplishes.

Reconnaissance is noisy — and catchable

Right after landing, an attacker orients themselves: who am I (id, whoami), what is this box (hostname, uname, ps), what can I reach (ss, ip, arp), and where might I escalate (searching for SUID binaries, readable configs, sudo rights). This burst of enumeration is often the first detectable moment — a service account that suddenly runs id, sudo -l, and a find for SUID binaries is behaving nothing like the service it is supposed to be. Recognizing recon is one of the earliest chances to catch an intrusion.

terminal
# the recon an attacker runs on landing — and exactly what your detections watch for:
$ id; whoami; hostname; uname -a # who and where am I?
$ sudo -l 2>/dev/null # what can I run as root?
$ find / -perm -4000 -type f 2>/dev/null # SUID binaries to abuse
$ ss -tlnp; cat /etc/crontab # what is reachable / scheduled?

MITRE ATT&CK: a shared vocabulary

The security industry catalogs these techniques in the MITRE ATT&CK framework — a structured list of the tactics (the goals: privilege escalation, persistence, defense evasion) and the specific techniques under each. It is worth knowing because it gives you a checklist for coverage ("do we detect these persistence techniques?"), a common language for describing an incident, and a way to map your detections to real-world attacker behavior rather than guessing what to watch. The rest of this course is, in effect, a tour of the most important Linux ATT&CK techniques and how to see them.

Detection anywhere in the chain is a win
You do not need to catch the initial access to stop an attack — catching the escalation attempt, the persistence mechanism, or the unusual outbound connection all interrupt the chain before the attacker reaches their objective. This is why layered detection matters: an attacker might evade one stage’s alarms, but evading every stage cleanly is hard. Aim to instrument the whole chain, and treat any single detection as a thread to pull, not an isolated event.