Key Takeaways
- Hunting is proactive, not reactive
- Hypothesis-driven approach is key
- MITRE ATT&CK structures hunts
- Document findings for detection engineering
1. What is Threat Hunting?
Threat hunting is the proactive search for threats that have evaded existing security controls. Unlike alerting, hunting assumes adversaries are already in the environment and actively searches for evidence of compromise.
2. Hypothesis-Driven Hunting
Hypothesis Structure
```text
# Hypothesis template:
"Based on [threat intelligence/ATT&CK technique],
adversaries may be [activity],
which we can detect by [data source/indicator]"

# Example:
"Based on recent APT activity, adversaries may be
using PowerShell for C2 communication, which we
can detect by looking for encoded commands and
network connections from powershell.exe"
```
3. MITRE ATT&CK-Based Hunting
```text
# Hunt by technique:
# T1059.001 - PowerShell
#   Look for: encoded commands, download cradles
# T1055 - Process Injection
#   Look for: unusual parent-child process relationships, memory anomalies
# T1003 - Credential Dumping
#   Look for: lsass.exe access, Mimikatz artifacts
# T1021.002 - SMB/Windows Admin Shares
#   Look for: lateral movement patterns

# Map coverage:
# - Which techniques do we have visibility into?
# - Which have detection rules?
# - Which need hunting focus?
```
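The three coverage questions above can be answered mechanically once you know which data sources each technique needs and which rules already exist. The following is an added example, not code from the original page: the technique IDs are the four listed above, but the data-source names (Sysmon and Windows Security event IDs, EDR memory telemetry), the technique-to-source mapping, and the onboarded inventory are illustrative assumptions rather than an authoritative ATT&CK data-source list.

```python
"""Added example (not the page's own code): a minimal ATT&CK coverage map that
answers the three coverage questions for a set of techniques."""

# Which data sources give visibility into each technique. The technique IDs
# are the ones listed on the page; the data-source names and this mapping are
# illustrative assumptions, not an authoritative ATT&CK data-source list.
TECHNIQUE_SOURCES = {
    "T1059.001": {"Sysmon EID 1", "PowerShell Script Block Logging"},
    "T1055": {"Sysmon EID 8", "Sysmon EID 10", "EDR memory telemetry"},
    "T1003": {"Sysmon EID 10", "EDR memory telemetry"},
    "T1021.002": {"Security EID 4624", "Security EID 5140"},
}


def coverage_map(onboarded, rules, technique_sources=TECHNIQUE_SOURCES):
    """Classify every technique:
    - "no visibility": none of its data sources are onboarded, so neither a
      rule nor a hunt can see it; fix the data foundation first
    - "detected": visible and at least one detection rule already exists
    - "hunt focus": visible but no rule yet, so it is a hunting candidate"""
    result = {}
    for technique, sources in technique_sources.items():
        visible = sources & onboarded
        if not visible:
            status = "no visibility"
        elif technique in rules:
            status = "detected"
        else:
            status = "hunt focus"
        result[technique] = {"status": status, "visible_via": sorted(visible)}
    return result


def by_status(coverage, status):
    """Technique IDs in a given status, sorted."""
    return sorted(t for t, info in coverage.items() if info["status"] == status)


# Constructed inventory: two Sysmon event types onboarded, one rule written
# (the rule name is a hypothetical placeholder).
ONBOARDED = {"Sysmon EID 1", "Sysmon EID 10"}
RULES = {"T1059.001": "encoded_powershell_commandline"}


def hunting_backlog(onboarded=ONBOARDED, rules=RULES):
    """Summary a hunt lead would act on: what to hunt, what to onboard first,
    what is already covered by automated detection."""
    cov = coverage_map(onboarded, rules)
    return {
        "hunt": by_status(cov, "hunt focus"),
        "onboard": by_status(cov, "no visibility"),
        "detected": by_status(cov, "detected"),
    }


if __name__ == "__main__":
    for bucket, techniques in hunting_backlog().items():
        print(f"{bucket}: {techniques}")
```

With the constructed inventory, T1055 and T1003 land in the hunting backlog (Sysmon EID 10 gives partial visibility but no rule exists), T1021.002 is a data-onboarding gap, and T1059.001 is already detected. Running the map on a real inventory is the quickest way to stop hunting for techniques you cannot see.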
4. Critical Data Sources
- Endpoint: EDR telemetry, Sysmon, Windows Event Logs
- Network: DNS logs, proxy logs, flow data
- Authentication: AD logs, VPN logs
- Cloud: CloudTrail, Azure Activity, GCP Audit
- Email: Mail flow logs, attachment analysis
5. Hunting Techniques
```sql
-- Stack counting
-- Find rare values that may indicate malice
SELECT process_name, COUNT(*)
FROM endpoint_events
GROUP BY process_name
ORDER BY COUNT(*) ASC;

-- Longest string
-- Encoded commands are often long
SELECT * FROM events
WHERE LENGTH(command_line) > 1000;

-- Temporal analysis
-- Activity outside business hours (HOUR() is MySQL syntax; adjust for your SIEM)
SELECT * FROM events
WHERE HOUR(timestamp) NOT BETWEEN 8 AND 18;

-- Baseline deviation
-- What's different from normal? Compare the current window against an
-- established baseline of the same environment.
```
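The queries above assume a SIEM; the same four techniques can be run over exported events in plain Python, which is also the easiest way to test a hunt before committing it to a query. This is an added example, not code from the original page: the host name, process names, timestamps and the encoded PowerShell launch are all constructed sample telemetry, and the baseline and current windows are assumed to be of equal length.

```python
"""Added example (not the page's own code): the four hunting techniques from
this section implemented over a constructed endpoint-event set."""
from collections import Counter
from datetime import datetime


def _ev(ts, host, process_name, command_line):
    # Flattened process-creation record (Sysmon EID 1 / EDR style); every
    # value is constructed for this example.
    return {"ts": ts, "host": host, "process_name": process_name,
            "command_line": command_line}


# Baseline window: a "normal" day for the same host, used for deviation checks.
BASELINE = [
    _ev("2024-03-03T09:01:00", "WS01", "chrome.exe", "chrome.exe"),
    _ev("2024-03-03T09:30:00", "WS01", "chrome.exe", "chrome.exe --new-window"),
    _ev("2024-03-03T10:15:00", "WS01", "outlook.exe", "outlook.exe"),
    _ev("2024-03-03T11:00:00", "WS01", "svchost.exe", "svchost.exe -k netsvcs"),
    _ev("2024-03-03T14:20:00", "WS01", "chrome.exe", "chrome.exe"),
    _ev("2024-03-03T15:05:00", "WS01", "outlook.exe", "outlook.exe /recycle"),
    _ev("2024-03-03T16:40:00", "WS01", "svchost.exe", "svchost.exe -k netsvcs"),
]

# Current window: the day being hunted. Two constructed oddities are planted:
# a long encoded PowerShell launch at 02:30 and a rundll32 launch at 19:45.
CURRENT = [
    _ev("2024-03-04T02:30:00", "WS01", "powershell.exe",
        "powershell.exe -nop -w hidden -enc " + "QUFB" * 300),
    _ev("2024-03-04T09:12:00", "WS01", "chrome.exe", "chrome.exe"),
    _ev("2024-03-04T09:40:00", "WS01", "chrome.exe", "chrome.exe --new-window"),
    _ev("2024-03-04T10:05:00", "WS01", "outlook.exe", "outlook.exe"),
    _ev("2024-03-04T11:00:00", "WS01", "svchost.exe", "svchost.exe -k netsvcs"),
    _ev("2024-03-04T13:30:00", "WS01", "svchost.exe", "svchost.exe -k netsvcs"),
    _ev("2024-03-04T19:45:00", "WS01", "rundll32.exe",
        "rundll32.exe shell32.dll,Control_RunDLL"),
]


def stack_count(events, field="process_name"):
    """Stack counting: tally `field` and return (value, count) rarest first,
    the same ordering as GROUP BY ... ORDER BY COUNT(*) ASC."""
    counts = Counter(e[field] for e in events)
    return sorted(counts.items(), key=lambda kv: (kv[1], kv[0]))


def long_command_lines(events, threshold=1000):
    """Longest-string hunt: command lines longer than `threshold` characters."""
    return [e for e in events if len(e["command_line"]) > threshold]


def off_hours(events, start=8, end=18):
    """Temporal hunt: events whose hour falls outside start..end inclusive."""
    return [e for e in events
            if not start <= datetime.fromisoformat(e["ts"]).hour <= end]


def baseline_deviation(baseline, current, field="process_name", ratio=3.0):
    """Baseline hunt: values never seen in the baseline window, plus values
    whose count grew by `ratio` or more (windows assumed equal length)."""
    base = Counter(e[field] for e in baseline)
    cur = Counter(e[field] for e in current)
    new = sorted(cur.keys() - base.keys())
    spiked = sorted(v for v in cur if v in base and cur[v] >= ratio * base[v])
    return {"new": new, "spiked": spiked}


def run_hunts(baseline=BASELINE, current=CURRENT):
    """Run every technique and return the flagged process names per hunt."""
    return {
        "rarest": [name for name, count in stack_count(current) if count == 1],
        "long_cmdline": [e["process_name"] for e in long_command_lines(current)],
        "off_hours": [e["process_name"] for e in off_hours(current)],
        "baseline": baseline_deviation(baseline, current),
    }


if __name__ == "__main__":
    for hunt, hits in run_hunts().items():
        print(f"{hunt}: {hits}")
```

Note how the planted PowerShell launch is flagged by three independent hunts (rare, long, off-hours) while outlook.exe is rare only because the sample is small; stacking results across techniques is what separates a lead from noise.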
6. Threat Hunting Tools
| Tool | Use Case |
|---|---|
| Elastic Stack | Log aggregation, search |
| Splunk | Enterprise SIEM, SPL queries |
| Microsoft Defender | Advanced hunting (KQL) |
| Velociraptor | Endpoint collection |
| HELK | Open-source hunting platform |
7. Detection Engineering
- Document hunt findings
- Convert manual hunts to automated detections
- Write Sigma/YARA rules
- Measure detection coverage
- Continuous improvement cycle
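The step from a manual hunt to an automated detection is usually a Sigma rule. As an added example that is not code from the original page, the block below expresses the encoded-PowerShell hunt finding from sections 2 and 5 as a Python dict with the same keys a Sigma YAML rule carries (title, logsource, detection with selection and condition, tags, level), and pairs it with a minimal matcher that understands the `contains`, `startswith`, `endswith` and `all` modifiers and conditions of the form `X and not Y`. The allow-listed parent process `approved_deploy.exe` and the sample events are constructed placeholders.

```python
"""Added example (not the page's own code): a hunt finding converted into a
Sigma-shaped rule and checked by a minimal matcher over constructed events."""

# Same structure as a Sigma YAML rule, written as a dict. The filtered parent
# image is a hypothetical allow-listed deployment tool.
RULE = {
    "title": "Encoded PowerShell Command Line",
    "status": "experimental",
    "description": "Converted from a manual hunt for long encoded PowerShell "
                   "command lines (hunt finding: rare off-hours powershell.exe).",
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "selection": {
            "Image|endswith": "\\powershell.exe",
            "CommandLine|contains": ["-enc", "-encodedcommand", "-e "],
        },
        "filter_deploy": {"ParentImage|endswith": "\\approved_deploy.exe"},
        "condition": "selection and not filter_deploy",
    },
    "tags": ["attack.execution", "attack.t1059.001"],
    "level": "medium",
}


def _field_matches(event, key, expected):
    """Evaluate one `Field|modifier` entry. Sigma string matching is
    case-insensitive; a list of values is an OR unless `|all` is present."""
    field, _, mods = key.partition("|")
    mods = mods.split("|") if mods else []
    value = str(event.get(field, "")).lower()
    wanted = expected if isinstance(expected, list) else [expected]
    wanted = [str(w).lower() for w in wanted]

    def one(w):
        if "contains" in mods:
            return w in value
        if "startswith" in mods:
            return value.startswith(w)
        if "endswith" in mods:
            return value.endswith(w)
        return value == w

    return all(map(one, wanted)) if "all" in mods else any(map(one, wanted))


def _selection_matches(event, selection):
    # Every field inside one selection must match (AND).
    return all(_field_matches(event, k, v) for k, v in selection.items())


def evaluate(rule, event):
    """Supports conditions of the form `X` or `X and not Y [and not Z]`."""
    det = rule["detection"]
    base, *excluded = det["condition"].split(" and not ")
    if not _selection_matches(event, det[base.strip()]):
        return False
    return not any(_selection_matches(event, det[n.strip()]) for n in excluded)


# Constructed process-creation events using Sysmon EID 1 field names.
EVENTS = [
    {"id": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc QUFBQUFB",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"id": 2, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -EncodedCommand QUFBQUFB",
     "ParentImage": r"C:\Program Files\Deploy\approved_deploy.exe"},
    {"id": 3, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -File C:\scripts\update.ps1",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"id": 4, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c dir", "ParentImage": r"C:\Windows\explorer.exe"},
]


def matching_ids(rule=RULE, events=EVENTS):
    """IDs of events the rule fires on; the test set yields [1]."""
    return [e["id"] for e in events if evaluate(rule, e)]


if __name__ == "__main__":
    print("alerts:", matching_ids())
```

Event 2 is the case the filter exists for: the rule would fire on it without the `filter_deploy` exclusion, so the hunt's own false positives become the rule's filters. Keep the original hunt query next to the rule so coverage can be re-measured when the filter list changes.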
8. Building a Hunting Program
- Ensure data foundation (logs, telemetry)
- Start with intel-driven hunts
- Prioritize by ATT&CK technique risk
- Document all hunts and findings
- Convert findings to detections
- Measure metrics (hunts run, findings, detections created)
FAQ
How is hunting different from the SOC?
SOC analysts react to alerts. Threat hunters proactively search for threats that haven't triggered alerts. Hunting assumes controls have failed and attackers are present.