Threat Detection Glossary

Cyber Threat Hunting - Proactive Threat Hunting in the Network

Threat hunting is the proactive, hypothesis-driven search for threats that automated detection systems have not yet identified. Methodology: Hypothesis-driven (MITRE ATT&CK), intelligence-driven, situational awareness-driven. Tools: Velociraptor (endpoint artifact collection), KAPE (forensic triage), Sigma Rules, EDR queries. Metrics: MTTD, hunter efficiency, true positive rate.

Cyber Threat Hunting is the proactive search for threat actors who are already active within a network but have not yet been detected by automated systems. Unlike Incident Response (which reacts to alerts), Threat Hunting is based on the hypothesis: "We may already be compromised—let’s actively search for them." Experienced attackers can remain in the network for months before being detected.

The Problem: Dwell Time

Why proactive hunting is necessary:

Dwell Time (how long the attacker stays in the network undetected):
  Global median: 16 days (Mandiant M-Trends 2023); mean figures such as IBM's Cost of a Data Breach "time to identify" are far higher, because they average over all breaches
  Ransomware: 24–48 hours from initial access to encryption (and getting faster)
  Nation-State APTs: months to years

What happens during this time:
  → Attacker explores the network (BloodHound, Recon)
  → Collects credentials (Mimikatz, Kerberoasting)
  → Establishes persistence (WMI, Scheduled Tasks, Golden Ticket)
  → Data exfiltration: slow, under the radar

Why SIEM/EDR alone is not enough:
  → APTs use Living-Off-the-Land: no malware → no signature
  → Signature evasion: packers, encoders, polymorphism
  → Zero-days: no patch, no signature
  → Misconfigurations: no signature possible
  → Alert thresholds tuned high to avoid false positives: low-and-slow activity stays below them

Hunting approach:
  "What would an attacker DO in our environment?"
  → Hypothesis → Search → Analysis → Findings or New Hypothesis

Hunting Methodologies

1. Hypothesis-Driven Hunting:

Starting point: MITRE ATT&CK
  → Choose a technique: T1059.001 (PowerShell)
  → Hypothesis: "Attacker uses PowerShell for lateral movement"
  → Hunt: What PowerShell activities are unusual in our network?

Example Hypothesis:
  "Attacker has credentials and uses pass-the-hash for SMB lateral movement"
  → Search Questions:
    → Which workstations are connecting to other workstations via SMB?
    → (Normal: only file servers!)
    → Are there NTLM authentication events from unusual sources?
    → Have new admin sessions been created on servers?
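The search questions above, turned into hunt logic as an added example (not code from the original page or from any vendor tool). Input is Security Event ID 4624 records exported as dicts with the EventData field names (LogonType, AuthenticationPackageName, TargetUserName, WorkstationName, IpAddress) plus Computer, the host that logged the event. The host naming scheme (WS-* = workstation, everything else = server), the fan-out threshold and the sample events are constructed assumptions.

```python
"""Hunt: pass-the-hash style NTLM lateral movement in Windows logon events.

Added example, not from the original page. Flags (1) NTLM network logons from
one workstation to another and (2) accounts that authenticate via NTLM to many
different hosts. Naming scheme and sample events are constructed assumptions.
"""
import re
from collections import defaultdict

WORKSTATION_RE = re.compile(r"^WS-\d+$", re.IGNORECASE)  # assumption: site naming scheme


def is_workstation(host: str) -> bool:
    return bool(WORKSTATION_RE.match(host or ""))


def hunt_ntlm_lateral(events, fanout_threshold=3):
    """Return findings for workstation-to-workstation NTLM logons and NTLM fan-out."""
    findings = []
    hosts_per_account = defaultdict(set)
    for ev in events:
        # Only successful network logons (LogonType 3) authenticated with NTLM;
        # Kerberos is the normal case inside a domain, NTLM over SMB is what
        # pass-the-hash tooling produces.
        if ev["EventID"] != 4624 or ev["LogonType"] != 3:
            continue
        if ev["AuthenticationPackageName"].upper() != "NTLM":
            continue
        user = ev["TargetUserName"]
        if user.endswith("$"):  # machine accounts use NTLM legitimately
            continue
        # WorkstationName is often empty for tool-driven logons: fall back to the
        # source IP (in practice resolved to a host via DHCP/asset inventory).
        src = ev.get("WorkstationName") or ev.get("IpAddress", "?")
        dst = ev["Computer"]
        hosts_per_account[user].add(dst)
        if is_workstation(src) and is_workstation(dst):
            findings.append({"type": "ws_to_ws_ntlm", "account": user, "src": src, "dst": dst})
    for user, hosts in hosts_per_account.items():
        if len(hosts) >= fanout_threshold:
            findings.append({"type": "ntlm_fanout", "account": user, "targets": sorted(hosts)})
    return findings


def _ev(user, src, dst, pkg="NTLM", logon_type=3, ip="10.0.1.10"):
    return {"EventID": 4624, "LogonType": logon_type, "AuthenticationPackageName": pkg,
            "TargetUserName": user, "WorkstationName": src, "IpAddress": ip, "Computer": dst}


# Constructed sample: alice's session on WS-101 fans out to another workstation
# and a database server over NTLM; bob behaves normally.
SAMPLE_EVENTS = [
    _ev("alice", "WS-101", "FS-01"),                      # workstation -> file server: expected
    _ev("alice", "WS-101", "WS-102"),                     # workstation -> workstation: suspicious
    _ev("alice", "", "WS-103", ip="10.0.1.101"),          # empty WorkstationName, IP fallback
    _ev("alice", "WS-101", "SRV-DB01"),
    _ev("bob", "WS-200", "FS-01", pkg="Kerberos"),        # Kerberos: ignored
    _ev("bob", "WS-200", "FS-01"),
    _ev("WS-300$", "WS-300", "WS-301"),                   # machine account: ignored
]

if __name__ == "__main__":
    for finding in hunt_ntlm_lateral(SAMPLE_EVENTS):
        print(finding)
```

The third sample event shows the usual blind spot: with an empty WorkstationName the source is only an IP, so the workstation-to-workstation rule cannot fire until the IP is mapped to a host; the fan-out rule still counts it.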

2. Intel-Driven Hunting:

Starting Point: Threat Intelligence
  → New TI: "Lazarus uses TTP X in the banking sector"
  → Question: "Do we have traces of TTP X in our environment?"
  → Hunt: specifically for IOCs and TTPs of this group

Example:
  → TI report: the group's C2 uses port 8080 and a TLS client fingerprint with JA3 abc123
  → Hunt in TLS logs (Zeek ssl.log, ja3 field): "Does JA3 abc123 show up in our environment?"
  → Hunt in proxy/firewall logs: "Outbound connections on port 8080 to external IPs?"

3. Situational Awareness Hunting:

Starting point: Baseline
  → Document normal environment
  → Hunt: What deviates from the baseline?
  → Focus on: Incidents, penetration tests, system changes

Example:
  → Baseline: 5 DNS requests/minute per workstation
  → Hunt: Which hosts have >50 DNS requests/minute?
  → Result: DNS tunneling or excessive beacon frequency?

Tools for Threat Hunting

Velociraptor (Endpoint Artifact Collection):

Installation (Server + Client):
  # Server (Linux):
  wget https://github.com/Velocidex/velociraptor/releases/latest/.../velociraptor-linux-amd64
  chmod +x velociraptor-linux-amd64
  ./velociraptor-linux-amd64 config generate -i   # interactive setup, writes server.config.yaml and client.config.yaml
  ./velociraptor-linux-amd64 --config server.config.yaml frontend -v

  # Client (Windows): embed client.config.yaml into the Windows binary ("repack")
  # and deploy the result silently via GPO/SCCM/Intune; the server artifact
  # Server.Utils.CreateMSI builds an MSI from the GUI the same way.
  ./velociraptor-linux-amd64 config repack --exe velociraptor-windows-amd64.exe client.config.yaml velociraptor_client.exe

VQL (Velociraptor Query Language) for hunting:
  # Running processes with their network connections. A parameterised
  # stored query joins netstat() rows to each pslist() row by Pid:
  LET conns(ProcPid) = SELECT Laddr, Raddr, Status
                       FROM netstat()
                       WHERE Pid = ProcPid

  SELECT Name, Pid, CommandLine, conns(ProcPid=Pid) AS Network
  FROM pslist()
  WHERE Network

  # PowerShell script blocks (Event ID 4104) from the last 24 hours:
  SELECT EventTime, Computer, ScriptBlockText
  FROM Artifact.Windows.EventLogs.PowershellScriptblock()
  WHERE EventTime > timestamp(epoch=now() - 86400)

  # Scheduled tasks whose action runs a shell or script host:
  SELECT *
  FROM Artifact.Windows.System.TaskScheduler()
  WHERE Command =~ "(?i)(powershell|pwsh|cmd\\.exe|wscript|cscript|mshta)"

  # Registry Run/RunOnce persistence (raw glob over the registry accessor).
  # Matching ".exe" is useless here, nearly every legitimate entry has it;
  # look for URLs, script hosts and user-writable paths instead:
  SELECT OSPath, Data.value AS Command
  FROM glob(globs=["HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run*\\*",
                   "HKEY_USERS\\*\\Software\\Microsoft\\Windows\\CurrentVersion\\Run*\\*"],
            accessor="registry")
  WHERE Command =~ "(?i)(http|powershell|wscript|cscript|mshta|\\.vbs|\\.js|appdata|temp)"

KAPE (Kroll Artifact Parser and Extractor):
  # Forensic triage without a full disk image; run from an elevated prompt on
  # the host (or against a mounted image). Targets = what is collected:
  # registry hives, event logs, prefetch, LNK files, $MFT ...
  kape.exe --tsource C: --tdest C:\KAPEOutput --target RegistryHives,EventLogs,Prefetch,LNKFilesAndJumpLists

  # Modules = how the collected files are parsed. !EZParser is the compound
  # module that runs the Eric Zimmerman tools (EvtxECmd, RECmd, LECmd, PECmd, ...)
  # and writes CSV for timeline building:
  kape.exe --msource C:\KAPEOutput --mdest C:\KAPEParsed --module !EZParser

Sigma Rules (Detection-as-Code):
  # Sigma: SIEM-agnostic detection rules in YAML, converted per backend.
  # Conversion with sigma-cli (pySigma); the splunk_windows processing
  # pipeline maps the generic process_creation logsource to Sysmon Event ID 1:
  sigma convert -t splunk -p splunk_windows \
    rules/windows/process_creation/proc_creation_win_powershell_download.yml

  # Output (Splunk):
  source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
  CommandLine="*IEX*" CommandLine="*DownloadString*"

  # Example Sigma rule (YAML). contains|all is case-insensitive and requires
  # every listed string to appear in the command line:
  title: PowerShell Download Cradle
  id: a7a...
  status: stable
  description: Detects the IEX (New-Object Net.WebClient).DownloadString() download cradle
  tags:
    - attack.execution
    - attack.t1059.001
  logsource:
    category: process_creation
    product: windows
  detection:
    selection:
      CommandLine|contains|all:
        - 'IEX'
        - 'DownloadString'
    condition: selection
  falsepositives:
    - Legitimate management scripts
  level: high

Practical Hunt Examples

Hunt 1: Finding Kerberoasting Traces:

Hypothesis: "Attacker performed Kerberoasting and compromised SPN accounts"

Data source: Windows Security Event Log (DC)
Event ID 4769: Kerberos Service Ticket Request

Search in Splunk (field names as extracted by the Splunk Add-on for Windows):
  index=windows EventCode=4769 Ticket_Encryption_Type=0x17 Failure_Code=0x0
    Service_Name!="*$" Service_Name!="krbtgt"
  | bin _time span=10m
  | stats dc(Service_Name) AS spn_count values(Service_Name) AS spns count BY _time Account_Name Client_Address
  | where spn_count > 5
  | sort -spn_count

  → Ticket_Encryption_Type=0x17 (RC4) is the classic downgrade request; in an
    AES-only domain drop that filter, AES tickets can be roasted too (slower)
  → Service_Name!="*$" excludes computer accounts, krbtgt excludes TGT requests
  → dc(Service_Name) counts distinct SPNs per account and time window, which is
    the actual Kerberoasting signature; a raw count per (account, SPN) is not
  → Ticket_Options=0x40810000 is also what a normal Windows client sends
    (forwardable, renewable, canonicalize), so it does not discriminate on its own

Analysis:
  → Normal behavior: a user requests tickets for a handful of services, repeatedly
  → Kerberoasting: one account requests tickets for dozens of different SPNs within minutes
  → If an account suddenly queries many SPNs → alert, then reset the requested
    service accounts' passwords and check the requesting account's source host
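The same hunt as code over exported events, as an added example (not from the original page or from Splunk). Input is 4769 events as dicts with the EventData field names (TargetUserName = requesting account, ServiceName = SPN account, TicketEncryptionType, IpAddress, Status) plus a `ts` epoch; the sample events, the 10-minute window and the SPN threshold are constructed assumptions to tune against the domain's own baseline.

```python
"""Hunt: Kerberoasting traces in domain-controller Security events (ID 4769).

Added example, not from the original page. Flags accounts that request service
tickets for many distinct SPNs within a short window; RC4 requests are reported
as supporting evidence rather than required. Sample events are constructed.
"""
from collections import defaultdict

RC4_TYPES = {"0x17", "0x18"}  # RC4-HMAC / RC4-HMAC-EXP: the classic downgrade request


def is_roastable_request(ev):
    """Successful TGS request for a user (not computer) service account."""
    if ev["EventID"] != 4769 or ev.get("Status", "0x0") != "0x0":
        return False
    svc = ev["ServiceName"]
    if svc.endswith("$") or svc.lower() == "krbtgt":  # machine accounts, TGT requests
        return False
    return True


def hunt_kerberoast(events, window=600, spn_threshold=5):
    """Return one finding per account whose peak number of distinct SPNs
    requested within `window` seconds reaches spn_threshold."""
    per_account = defaultdict(list)
    for ev in events:
        if is_roastable_request(ev):
            per_account[ev["TargetUserName"]].append(
                (float(ev["ts"]), ev["ServiceName"], ev["TicketEncryptionType"], ev["IpAddress"]))
    findings = []
    for account, reqs in per_account.items():
        reqs.sort()  # by time; the list is small, so a simple window scan is enough
        peak_spns, peak_start = set(), None
        for i, (t0, _, _, _) in enumerate(reqs):
            spns = {svc for t, svc, _, _ in reqs[i:] if t - t0 <= window}
            if len(spns) > len(peak_spns):
                peak_spns, peak_start = spns, t0
        if len(peak_spns) >= spn_threshold:
            findings.append({
                "account": account,
                "distinct_spns": len(peak_spns),
                "window_start": peak_start,
                "rc4_requests": sum(1 for _, _, enc, _ in reqs if enc in RC4_TYPES),
                "sources": sorted({ip for _, _, _, ip in reqs}),
                "spns": sorted(peak_spns),
            })
    return findings


def _ev(ts, user, svc, enc, ip, status="0x0"):
    return {"EventID": 4769, "ts": ts, "TargetUserName": user, "ServiceName": svc,
            "TicketEncryptionType": enc, "IpAddress": ip, "Status": status}


T0 = 1_700_000_000
SAMPLE_EVENTS = (
    # jdoe pulls RC4 tickets for eight SPN accounts within 30 seconds (constructed attack)
    [_ev(T0 + i * 4, "jdoe", svc, "0x17", "10.0.0.55")
     for i, svc in enumerate(["svc_sql", "svc_web", "svc_backup", "svc_ftp",
                               "svc_sharepoint", "svc_exchange", "svc_mssql2", "svc_vmware"])]
    # asmith: a normal day, AES (0x12) tickets for two services plus one legacy RC4 service
    + [_ev(T0 + 3600, "asmith", "svc_sql", "0x12", "10.0.0.77"),
       _ev(T0 + 7200, "asmith", "svc_web", "0x12", "10.0.0.77"),
       _ev(T0 + 10800, "asmith", "svc_legacy", "0x17", "10.0.0.77"),
       _ev(T0 + 14400, "asmith", "svc_sql", "0x12", "10.0.0.77")]
    # noise that must be ignored: computer account, TGT request, failed request (unknown principal)
    + [_ev(T0 + 5, "jdoe", "WS-101$", "0x12", "10.0.0.55"),
       _ev(T0 + 6, "jdoe", "krbtgt", "0x12", "10.0.0.55"),
       _ev(T0 + 7, "jdoe", "svc_ghost", "0x17", "10.0.0.55", status="0x7")]
)

if __name__ == "__main__":
    for finding in hunt_kerberoast(SAMPLE_EVENTS):
        print(finding)
```

asmith's single RC4 request for a legacy service is exactly the kind of event an RC4-only filter turns into a false positive; scoring on distinct SPNs per window keeps it below the threshold while jdoe's burst stands out.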

Hunt 2: Living-Off-the-Land Detection:

Hypothesis: "Attacker uses native Windows tools for post-exploitation"

LOLBin Abuse Search (Sysmon Event ID 1):
  index=sysmon EventCode=1
  (
    (ParentImage="*\\winword.exe" Image="*\\powershell.exe") OR
    (ParentImage="*\\excel.exe" Image="*\\cmd.exe") OR
    (Image="*\\mshta.exe" CommandLine="*http*") OR
    (Image="*\\regsvr32.exe" CommandLine="*/i:http*")
  )
  | table _time, Computer, User, Image, CommandLine, ParentImage

  Red Flags:
  → Office application spawns PowerShell/CMD → macro malware
  → mshta.exe fetching a remote HTA over HTTP → phishing lure
  → regsvr32.exe with an Internet URL in /i: → Squiblydoo (scriptlet execution via COM)

Hunt 3: Exfiltration Detection:

Hypothesis: "Data is being exfiltrated via DNS"

DNS Log Analysis (Zeek dns.log):
  # Longest first labels: long, high-entropy labels carry encoded data
  # (columns: first-label length, number of labels, query):
  zeek-cut query < dns.log | \
    awk -F'.' '{print length($1), NF, $0}' | \
    sort -rn | head -50

  # Query volume per registered domain (last two labels; this heuristic breaks
  # on "co.uk"-style suffixes, use the public suffix list on real data):
  zeek-cut query < dns.log | \
    awk -F'.' 'NF>=2 {print $(NF-1)"."$NF}' | \
    sort | uniq -c | sort -rn | head -20
  # Thousands of queries with unique subdomains to one domain in a short period = suspicious
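The two shell pipelines combined into one hunt, as an added example for both the baseline-deviation hunt (queries per minute per host) and Hunt 3; it is not code from the original page or from Zeek. The log is a constructed, reduced Zeek TSV carrying only the fields the hunt needs (the parser reads the `#fields` header the way zeek-cut does), and the thresholds and the "registered domain = last two labels" rule are assumptions.

```python
"""Hunt: DNS tunnelling / exfiltration indicators in a Zeek dns.log.

Added example, not from the original page. Per registered domain it computes
the peak query count in any 60-second window, the mean first-label length and
the mean label entropy, and flags on rate or on long high-entropy labels.
Sample log, thresholds and the two-label domain rule are constructed assumptions.
"""
import base64
import hashlib
import math
from collections import defaultdict


def shannon_entropy(s):
    """Bits per character: random base32/base64 labels score ~4+, words ~2-3."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_zeek_tsv(text):
    """Parse a Zeek TSV log using its '#fields' header, like zeek-cut does."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue
        else:
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows


def registered_domain(query):
    """Assumption: last two labels (use the public suffix list on real data)."""
    labels = query.rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else query


def hunt_dns(rows, window=60.0, rate_threshold=30, label_len_threshold=20, entropy_threshold=3.5):
    per_domain = defaultdict(list)  # domain -> [(ts, query)]
    for r in rows:
        per_domain[registered_domain(r["query"])].append((float(r["ts"]), r["query"]))
    findings = {}
    for domain, items in per_domain.items():
        items.sort()
        times = [t for t, _ in items]
        peak, j = 0, 0
        for i in range(len(times)):  # two-pointer sliding window over sorted timestamps
            while times[j] < times[i] - window:
                j += 1
            peak = max(peak, i - j + 1)
        subs = [q[: -len(domain)].rstrip(".") for _, q in items]   # subdomain part only
        first_labels = [s.split(".")[0] for s in subs]
        mean_len = sum(map(len, first_labels)) / len(first_labels)
        mean_entropy = sum(map(shannon_entropy, first_labels)) / len(first_labels)
        reasons = []
        if peak >= rate_threshold:
            reasons.append(f"{peak} queries within {window:.0f}s")
        if mean_len >= label_len_threshold and mean_entropy >= entropy_threshold:
            reasons.append(f"mean first label {mean_len:.0f} chars, entropy {mean_entropy:.2f} bits")
        if reasons:
            findings[domain] = {"queries": len(items), "peak_per_window": peak,
                                "unique_subdomains": len(set(subs)), "reasons": reasons}
    return findings


def build_sample_log():
    """Constructed dns.log: 40 tunnel queries in 40 seconds plus normal traffic."""
    t0 = 1_700_000_000
    lines = ["#fields\tts\tid.orig_h\tquery\tqtype_name"]
    for i in range(40):
        # random-looking base32 label standing in for an encoded data chunk
        label = base64.b32encode(hashlib.sha256(str(i).encode()).digest()).decode().rstrip("=").lower()
        lines.append(f"{t0 + i}\t10.0.0.12\t{label}.tunnel.example.net\tTXT")
    for i, host in enumerate(["www.example.com", "mail.example.com", "cdn-a1b2c3.example.org"] * 4):
        lines.append(f"{t0 + i * 300}\t10.0.0.12\t{host}\tA")
    return "\n".join(lines)


SAMPLE_FINDINGS = hunt_dns(parse_zeek_tsv(build_sample_log()))

if __name__ == "__main__":
    for domain, info in SAMPLE_FINDINGS.items():
        print(domain, info)
```

Both signals matter: a beaconing implant with a fixed hostname trips only the rate check, while a slow tunnel that sends a few long encoded labels per hour trips only the length/entropy check, so keep them as independent reasons rather than one combined score.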

Hunting Workflow and Documentation

Structured Hunting Process:

TaHiTI (Targeted Hunting integrating Threat Intelligence):
  → Framework for structured threat hunting
  → ENISA recommendation for SOCs

Steps:
  1. Trigger:        What initiates the hunt? (TI, alert, routine)
  2. Hunting Scope:  Which systems, which time period?
  3. Hypothesis:     What are we looking for? Why?
  4. Hunt:           Execute queries, analyze data
  5. Findings:       What was found?
  6. Response:       Incident? New detection rule?
  7. Documentation:  Write hunt report

Hunt Report Template:
  Hunt ID:        HUNT-2026-042
  Date:           2026-03-04
  Hunter:         Max Müller
  Trigger:        Routine (monthly hunt)
  Hypothesis:     "Kerberoasting performed in the domain"
  TTPs:           MITRE T1558.003
  Data sources:   DC Security Events (4769)
  Timeframe:      Last 30 days
  Findings:       No anomalies found → baseline OK
  New Rules:      Sigma rule added for >10 TGS requests/min
  Duration:       2 hours

KPIs for Threat Hunting:
  □ Hunts per month: Target ≥ 4 (at least 1/week)
  □ True Positive Rate: % of hunts that found real threats
  □ MTTD reduction: How much earlier are threats detected?
  □ New Detection Rules: How many new rules resulted from hunts?
  □ Dwell Time: Has the average dwell time decreased?