Threat Hunting

What is Threat Hunting?

Threat hunting is the proactive search for adversaries in your environment. Unlike detection (reactive, alert-driven), hunting assumes attackers may already be inside and actively looks for them.

Reactive vs Proactive

The Hunting Process

1. Hypothesis: Form a theory based on threat intel, ATT&CK, or anomalies
2. Collect Data: Gather relevant logs (endpoint, network, auth)
3. Analyze: Search for indicators, patterns, anomalies
4. Investigate: Drill down into suspicious findings
5. Document: Record findings, create detections for future

MITRE ATT&CK Framework

Use ATT&CK to structure your hunts around known adversary techniques:

Example Hunt Scenarios

# Splunk Query
index=windows EventCode=4104 
| regex ScriptBlockText="(?i)(encodedcommand|frombase64)"
| stats count by ComputerName, UserName

# Elastic Query
process.parent.name: ("winword.exe" OR "excel.exe") AND
process.name: ("cmd.exe" OR "powershell.exe" OR "wscript.exe")

# Zeek conn.log analysis
# Look for connections with consistent timing
cat conn.log | zeek-cut ts id.orig_h id.resp_h id.resp_p | \
    awk '{print $2, $3, $4}' | sort | uniq -c | sort -rn | head -20

Tools & Data Sources

Data Sources

• EDR telemetry (CrowdStrike, Defender, SentinelOne)
• Windows Event Logs (Security, Sysmon)
• Network traffic (Zeek, firewall logs)
• Authentication logs (AD, cloud identity)
• DNS logs

Hunting Platforms

• Splunk Enterprise Security
• Elastic Security
• Microsoft Sentinel
• Jupyter Notebooks (threat hunting notebooks)

Updated: December 2024