Threat hunting is the proactive, iterative search for adversaries that have evaded existing security controls. Unlike reactive alert-driven investigation, hunting assumes the adversary is already present and seeks to find evidence of their activity.

Why Threat Hunting Matters

Traditional security operations rely on alerts generated by detection rules. This approach has fundamental limitations:

  • Alert fatigue: SOC teams are overwhelmed by false positives
  • Detection gaps: Novel techniques bypass existing rules
  • Dwell time: Attackers operate undetected for weeks or months
  • Reactive posture: Defenders are always playing catch-up

Threat hunting addresses these limitations by proactively searching for adversary behaviors (TTPs) rather than waiting for a rule to fire. Indicators of compromise are a useful starting point, but behavior-based hunts survive the infrastructure changes that make IOC lists stale.

The Hunting Process

1. Hypothesis Generation

Every hunt begins with a hypothesis about adversary behavior. Sources for hypotheses include:

  • Threat intelligence: Reports on active campaigns and TTPs
  • MITRE ATT&CK: Technique coverage gaps in your detections
  • Environmental knowledge: Understanding of your crown jewels and attack surface
  • Anomaly analysis: Unusual patterns in baseline data

Example hypothesis: “Adversaries are using PowerShell remoting for lateral movement in our environment.” A good hypothesis also names the data that would confirm or refute it, so that the hunt has a clear stopping point.

2. Tool and Data Selection

Identify the data sources and tools needed to test your hypothesis:

Data Sources:

  • Endpoint telemetry (EDR, Sysmon)
  • Network flow data (NetFlow, Zeek)
  • Authentication logs (Active Directory, identity providers)
  • Application logs (web servers, databases)
  • Cloud audit logs (CloudTrail, Azure Activity Log)

Tools:

  • SIEM platform for log analysis
  • EDR console for endpoint investigation
  • Network analysis tools (Wireshark, Zeek)
  • Threat intelligence platforms

3. Investigation

Execute your hunt using appropriate techniques:

Query-Based Hunting: Search for specific indicators or patterns:

# Example: Hunt for PowerShell remoting
# Event ID 4104 (Microsoft-Windows-PowerShell/Operational) requires Script Block Logging.
# It is written on the host where the script block runs, i.e. the source of the remoting
# session; on the target, the session is hosted by wsmprovhost.exe
index=wineventlog EventCode=4104
| search ScriptBlockText="*Enter-PSSession*" OR ScriptBlockText="*Invoke-Command*"
| stats count by Computer, User, ScriptBlockText

Stack Counting: Identify outliers by counting occurrences (least-frequency-of-occurrence analysis). Count by host as well as by event, since a pair that loops on one compromised machine can be frequent in raw counts yet absent everywhere else; thresholds scale with fleet size:

# Find rare parent-child process relationships
# (field names depend on the EDR add-on; "host" is Splunk's default host field)
index=edr
| stats count dc(host) AS hosts by parent_process_name, process_name
| where count < 5 OR hosts < 2
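
The stack count above, carried out in Python as an added example (not code from the original article) over constructed Sysmon Event ID 1-style process-creation events. Field names, the sample data and the thresholds are assumptions; the point it adds is that rarity is checked by host prevalence as well as by raw event count:

```python
"""Stack counting over process-creation telemetry.

Added example for this page, not code from the original article. It assumes
Sysmon Event ID 1-style records with Computer, ParentImage and Image fields;
the events below are constructed sample data, not real telemetry.
"""
from collections import defaultdict
import ntpath

SERVICES = r"C:\Windows\System32\services.exe"
SVCHOST = r"C:\Windows\System32\svchost.exe"
EXPLORER = r"C:\Windows\explorer.exe"
WINWORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
CMD = r"C:\Windows\System32\cmd.exe"
POWERSHELL = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed sample telemetry: (Computer, ParentImage, Image).
EVENTS = [("WS%02d" % i, SERVICES, SVCHOST) for i in range(1, 21)]   # 20 hosts, normal
EVENTS += [("WS%02d" % i, EXPLORER, WINWORD) for i in range(1, 11)]  # 10 hosts, normal
EVENTS += [("WS07", WINWORD, CMD)]                                    # 1 host, 1 event: Office spawning a shell
EVENTS += [("WS07", CMD, POWERSHELL)] * 8                             # 1 host, 8 events: a loop on one machine


def stack(events):
    """Count each (parent, child) pair and the distinct hosts it was seen on.

    Paths are reduced to a lower-cased basename so that the same binary
    in different install locations stacks together.
    """
    counts = defaultdict(int)
    hosts = defaultdict(set)
    for computer, parent, image in events:
        key = (ntpath.basename(parent).lower(), ntpath.basename(image).lower())
        counts[key] += 1
        hosts[key].add(computer)
    return {k: (counts[k], len(hosts[k])) for k in counts}


def rare_pairs(events, max_count=5, max_hosts=1):
    """Return pairs that are rare by event count OR confined to few hosts.

    A pair that fires 8 times on one machine passes a plain `count < 5`
    filter but is still an outlier by host prevalence, so both
    dimensions are checked. Thresholds are assumptions; scale them with
    fleet size. Rows are (pair, event_count, host_count), rarest first.
    """
    rare = [(pair, n, h) for pair, (n, h) in stack(events).items()
            if n <= max_count or h <= max_hosts]
    return sorted(rare, key=lambda row: (row[2], row[1]))


if __name__ == "__main__":
    for (parent, child), n, h in rare_pairs(EVENTS):
        print(f"{parent:>14} -> {child:<16} events={n:<3} hosts={h}")
```

Run as a script it reports winword.exe -> cmd.exe (1 event, 1 host) and cmd.exe -> powershell.exe (8 events, 1 host); a count-only filter would have dropped the second.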

Visualization: Graph relationships to identify suspicious patterns:

  • Network connection graphs
  • Process trees
  • Authentication flows

4. Documentation

Document findings regardless of whether you find malicious activity:

  • Hypothesis tested
  • Data sources used
  • Queries executed
  • Results and conclusions
  • Recommendations (new detections, visibility gaps)

Hunting Use Cases

Persistence Mechanisms

Hunt for unauthorized persistence:

  • Scheduled tasks created by unusual processes
  • Services with suspicious executable paths
  • Registry Run key modifications
  • WMI event subscriptions
  • Startup folder additions
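
One way to hunt the Run-key item on the list above, as an added example that is not code from the original article: Sysmon Event ID 13 (registry value set) records reduced to dicts, filtered to Run/RunOnce keys and scored on who wrote the value and what it points at. The writer allowlist, the path and LOLBin heuristics and the sample records are all assumptions to be tuned against your own baseline:

```python
"""Hunt for suspicious Run-key persistence in Sysmon Event ID 13 (registry value set).

Added example, not from the original page. Field names follow Sysmon
(Image, TargetObject, Details); the records are constructed sample data.
The writer allowlist and the path/LOLBin heuristics are assumptions to be
tuned against your own baseline.
"""
import ntpath
import re

RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\", re.I)
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Users\\Public|Downloads)\\", re.I)
LOLBIN = re.compile(r"\b(rundll32|regsvr32|mshta|wscript|cscript|powershell|pwsh|cmd)(\.exe)?\b", re.I)
ENCODED_PS = re.compile(r"-(enc|encodedcommand|ec|e)\s+[A-Za-z0-9+/=]{20,}", re.I)

# Processes that legitimately write Run keys in this (assumed) environment.
EXPECTED_WRITERS = {"msiexec.exe", "explorer.exe", "onedrive.exe", "teams.exe"}

SID = r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001"  # constructed user SID

EVENTS = [
    {"Computer": "WS01", "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AdobeUpdater",
     "Details": r"C:\Program Files\Adobe\Updater.exe"},
    {"Computer": "WS02", "Image": r"C:\Windows\explorer.exe",
     "TargetObject": SID + r"\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},
    {"Computer": "WS07", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetObject": SID + r"\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Users\bob\AppData\Roaming\svc.exe"},
    {"Computer": "WS07", "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\x",
     "Details": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"Computer": "WS03", "Image": r"C:\Windows\explorer.exe",  # not a Run key: ignored
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
     "Details": "DWORD (0x00000001)"},
]


def hunt_run_keys(events, expected_writers=EXPECTED_WRITERS):
    """Return Run/RunOnce writes with one or more suspicion reasons, strongest first."""
    findings = []
    for e in events:
        if not RUN_KEY.search(e["TargetObject"]):
            continue
        writer = ntpath.basename(e["Image"]).lower()
        value = e["Details"]
        reasons = []
        if writer not in expected_writers:
            reasons.append(f"unexpected writer: {writer}")
        if USER_WRITABLE.search(value):
            reasons.append("user-writable path")
        if LOLBIN.search(value):
            reasons.append("LOLBin in value")
        if ENCODED_PS.search(value):
            reasons.append("encoded PowerShell")
        if reasons:
            findings.append({"Computer": e["Computer"],
                             "value": e["TargetObject"].rsplit("\\", 1)[1],
                             "reasons": reasons})
    return sorted(findings, key=lambda f: len(f["reasons"]), reverse=True)


if __name__ == "__main__":
    for f in hunt_run_keys(EVENTS):
        print(f["Computer"], f["value"], "; ".join(f["reasons"]))
```

The OneDrive entry surfaces with a single reason (it lives under AppData) and is the classic false positive a per-environment baseline retires; the two WS07 entries stack two and three reasons and are what the hunt is for.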

Lateral Movement

Detect movement between systems:

  • Remote service creation (PsExec patterns)
  • WMI remote process execution
  • Windows Remote Management usage
  • RDP connections from unexpected sources
  • Pass-the-hash and pass-the-ticket indicators
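
The remote-service-creation item above, worked through as an added example that is not code from the original article: Security 4624 (LogonType 3) and System 7045 (service installed) events, normalized to dicts, are correlated per host within a short window, and the service ImagePath is checked for the shapes remote-execution tooling leaves behind. The 60-second window, the ImagePath heuristics and every record are assumptions:

```python
"""Correlate network logons with service installs to surface PsExec-style remote execution.

Added example, not from the page. It assumes Security 4624 (LogonType 3)
and System 7045 (service installed) events normalized to the dicts below;
all records are constructed sample data. The 60-second window and the
ImagePath heuristics are assumptions to tune per environment.
"""
from datetime import datetime, timedelta
import re

# Service binaries typical of remote-execution tooling: PsExec's service, anything
# dropped via ADMIN$ or Temp, or a "service" that is really a shell one-liner.
SUSPICIOUS_IMAGE = re.compile(
    r"(PSEXESVC|ADMIN\$|\\Windows\\Temp\\|%COMSPEC%|cmd\.exe|powershell|rundll32)", re.I)

EVENTS = [
    # SRV01: network logon, then PsExec's service 4 seconds later
    {"ts": "2024-05-01T10:00:00", "Computer": "SRV01", "EventID": 4624,
     "LogonType": 3, "TargetUserName": "jdoe", "IpAddress": "10.0.5.23"},
    {"ts": "2024-05-01T10:00:04", "Computer": "SRV01", "EventID": 7045,
     "ServiceName": "PSEXESVC", "ImagePath": r"%SystemRoot%\PSEXESVC.exe"},
    # SRV02: logon and service install an hour apart, unrelated
    {"ts": "2024-05-01T10:30:00", "Computer": "SRV02", "EventID": 4624,
     "LogonType": 3, "TargetUserName": "svc_backup", "IpAddress": "10.0.9.4"},
    {"ts": "2024-05-01T11:30:00", "Computer": "SRV02", "EventID": 7045,
     "ServiceName": "BackupAgent", "ImagePath": r"C:\Program Files\Backup\agent.exe"},
    # SRV03: same source IP as SRV01, random service name, cmd one-liner writing to ADMIN$
    {"ts": "2024-05-01T12:00:00", "Computer": "SRV03", "EventID": 4624,
     "LogonType": 3, "TargetUserName": "jdoe", "IpAddress": "10.0.5.23"},
    {"ts": "2024-05-01T12:00:02", "Computer": "SRV03", "EventID": 7045,
     "ServiceName": "KkwQyVcx",
     "ImagePath": r"%COMSPEC% /Q /c echo whoami > \\127.0.0.1\ADMIN$\out 2>&1"},
    # SRV04: correlated in time, but a known management-agent path
    {"ts": "2024-05-01T13:00:00", "Computer": "SRV04", "EventID": 4624,
     "LogonType": 3, "TargetUserName": "svc_sccm", "IpAddress": "10.0.1.10"},
    {"ts": "2024-05-01T13:00:05", "Computer": "SRV04", "EventID": 7045,
     "ServiceName": "CcmExec", "ImagePath": r"C:\Windows\CCM\CcmExec.exe"},
    # SRV05: only an RDP logon (type 10) precedes the install, so it cannot be attributed
    {"ts": "2024-05-01T14:00:00", "Computer": "SRV05", "EventID": 4624,
     "LogonType": 10, "TargetUserName": "admin", "IpAddress": "10.0.5.23"},
    {"ts": "2024-05-01T14:00:01", "Computer": "SRV05", "EventID": 7045,
     "ServiceName": "PSEXESVC", "ImagePath": r"%SystemRoot%\PSEXESVC.exe"},
]


def correlate(events, window=timedelta(seconds=60)):
    """Pair each 7045 with the nearest preceding type-3 logon on the same host.

    Returns one row per service install that is attributable to a network
    logon within `window`, has a suspicious ImagePath, or both. Uncorrelated
    suspicious installs are kept with user/src/seconds = None: correlation
    attributes the activity, it must not gate it.
    """
    logons = []
    findings = []
    for e in sorted(events, key=lambda x: x["ts"]):
        ts = datetime.fromisoformat(e["ts"])
        if e["EventID"] == 4624 and e["LogonType"] == 3:
            logons.append((ts, e))
        elif e["EventID"] == 7045:
            suspicious = bool(SUSPICIOUS_IMAGE.search(e["ImagePath"]))
            candidates = [(ts - t, l) for t, l in logons
                          if l["Computer"] == e["Computer"] and ts - t <= window]
            if not candidates and not suspicious:
                continue
            row = {"Computer": e["Computer"], "service": e["ServiceName"],
                   "image": e["ImagePath"], "suspicious": suspicious,
                   "user": None, "src": None, "seconds": None}
            if candidates:
                delta, logon = min(candidates, key=lambda c: c[0])
                row.update(user=logon["TargetUserName"], src=logon["IpAddress"],
                           seconds=int(delta.total_seconds()))
            findings.append(row)
    return findings


if __name__ == "__main__":
    for r in correlate(EVENTS):
        print(r)
```

Pivoting on the source IP is the natural next step: 10.0.5.23 appears behind two attributed installs on different servers, which is the fan-out shape of lateral movement from one foothold.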

Data Exfiltration

Identify data theft:

  • Large outbound transfers to uncommon destinations
  • Cloud storage uploads (Dropbox, Google Drive)
  • DNS tunneling patterns
  • Encrypted channels to suspicious domains
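
The DNS tunneling item above, as an added example that is not code from the original article: a profile of each registered domain built from Zeek-style dns.log lines (a trimmed, constructed subset of the real columns), scoring the traits that encoded data chunked into labels produces. The registered-domain approximation (last two labels), the thresholds and the generated tunnel domain are assumptions:

```python
"""DNS tunneling hunt over Zeek-style dns.log records.

Added example, not code from the original page. It assumes a trimmed subset
of Zeek dns.log columns (ts, id.orig_h, query, qtype_name, rcode_name) as
tab-separated lines; the lines below are constructed, and the tunnel domain
is generated deterministically to look like encoded data. Registered domains
are approximated as the last two labels (use a public-suffix list in practice)
and the thresholds are assumptions.
"""
import hashlib
import math
from collections import Counter, defaultdict

NORMAL = [
    "1714560000.1\t10.0.5.23\twww.example.com\tA\tNOERROR",
    "1714560001.2\t10.0.5.23\tmail.example.com\tA\tNOERROR",
    "1714560002.3\t10.0.5.24\twww.example.com\tAAAA\tNOERROR",
    "1714560003.0\t10.0.5.25\tupdate.example.com\tA\tNOERROR",
]
# 40 TXT queries with 48-hex-character labels: the shape of chunked, encoded data.
TUNNEL = [
    f"{1714560010 + i}.0\t10.0.5.23\t"
    f"{hashlib.sha256(str(i).encode()).hexdigest()[:48]}.t.evil-tunnel.test\tTXT\tNOERROR"
    for i in range(40)
]
LOG = "\n".join(NORMAL + TUNNEL)


def parse_dns_log(text):
    fields = ("ts", "orig_h", "query", "qtype", "rcode")
    return [dict(zip(fields, line.split("\t"))) for line in text.splitlines() if line]


def shannon_entropy(s):
    """Bits per character; hex data tops out near 4.0, hostnames sit well below 3.5."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def profile(records):
    """Per registered domain: distinct subdomains, mean subdomain length and entropy, TXT share."""
    per = defaultdict(list)
    for r in records:
        labels = r["query"].lower().rstrip(".").split(".")
        domain = ".".join(labels[-2:])
        sub = ".".join(labels[:-2])
        per[domain].append((sub, r["qtype"]))
    out = {}
    for domain, rows in per.items():
        subs = [s for s, _ in rows]
        out[domain] = {
            "queries": len(rows),
            "unique_subdomains": len(set(subs)),
            "avg_len": sum(map(len, subs)) / len(subs),
            "avg_entropy": sum(map(shannon_entropy, subs)) / len(subs),
            "txt_ratio": sum(q in ("TXT", "NULL") for _, q in rows) / len(rows),
        }
    return out


def suspicious_domains(stats, min_score=3):
    """Score each domain on four tunnel traits; return (domain, score) at or above min_score."""
    scored = []
    for domain, s in stats.items():
        score = ((s["unique_subdomains"] >= 20) + (s["avg_len"] >= 30)
                 + (s["avg_entropy"] >= 3.5) + (s["txt_ratio"] >= 0.5))
        if score >= min_score:
            scored.append((domain, score))
    return sorted(scored, key=lambda x: -x[1])


if __name__ == "__main__":
    stats = profile(parse_dns_log(LOG))
    for domain, score in suspicious_domains(stats):
        print(domain, score, stats[domain])
```

Requiring several traits at once is deliberate: CDNs and telemetry services also produce many unique subdomains, but rarely long, high-entropy ones carried in TXT records. NXDOMAIN share (rcode_name) is a fifth trait worth adding where resolvers log it, since some tunnels encode in queries that never resolve.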

Credential Access

Find credential theft:

  • LSASS memory access by non-standard processes
  • SAM database access
  • DCSync activity
  • Kerberoasting patterns
  • Credential dumping tool artifacts
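
The LSASS item above, as an added example that is not code from the original article: Sysmon Event ID 10 (ProcessAccess) records reduced to dicts, with the GrantedAccess mask decoded into Win32 PROCESS_* rights so that memory-read opens are separated from the query-only opens that tools like Task Manager make. The allowlist of legitimate LSASS readers and the sample records are assumptions to baseline per environment:

```python
"""Hunt for LSASS handle access by unexpected processes in Sysmon Event ID 10 (ProcessAccess).

Added example, not from the original page. Field names follow Sysmon
(SourceImage, TargetImage, GrantedAccess, CallTrace); the records are
constructed sample data. The allowlist of legitimate LSASS readers is an
assumption to baseline per environment; the access-right constants are the
Win32 PROCESS_* values.
"""
import ntpath

RIGHTS = {
    0x0002: "PROCESS_CREATE_THREAD",
    0x0008: "PROCESS_VM_OPERATION",
    0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE",
    0x0040: "PROCESS_DUP_HANDLE",
    0x0400: "PROCESS_QUERY_INFORMATION",
    0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
}
PROCESS_ALL_ACCESS = 0x1FFFFF
# Rights that let a caller read from or inject into LSASS; 0x1010 and 0x1410
# (VM_READ plus query rights) are the masks credential dumpers commonly request.
CREDENTIAL_READ = 0x0002 | 0x0008 | 0x0010 | 0x0020 | 0x0040

# Processes that legitimately open LSASS with read rights in this (assumed) environment.
ALLOWED_SOURCES = {"csrss.exe", "wininit.exe", "msmpeng.exe", "wmiprvse.exe"}

LSASS = r"C:\Windows\System32\lsass.exe"
EVENTS = [
    {"Computer": "WS01", "SourceImage": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.0\MsMpEng.exe",
     "TargetImage": LSASS, "GrantedAccess": "0x1010",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d5c4|C:\Windows\System32\KERNELBASE.dll+2ab7e"},
    {"Computer": "WS02", "SourceImage": r"C:\Windows\System32\Taskmgr.exe",
     "TargetImage": LSASS, "GrantedAccess": "0x1400",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d5c4|C:\Windows\System32\KERNELBASE.dll+2ab7e"},
    {"Computer": "WS07", "SourceImage": r"C:\Users\bob\AppData\Local\Temp\mm.exe",
     "TargetImage": LSASS, "GrantedAccess": "0x1010",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d5c4|C:\Users\bob\AppData\Local\Temp\mm.exe+1f2a"},
    {"Computer": "WS07", "SourceImage": r"C:\Windows\System32\rundll32.exe",
     "TargetImage": LSASS, "GrantedAccess": "0x1FFFFF",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d5c4|UNKNOWN(000001E4A2B30C7D)"},
    {"Computer": "WS03", "SourceImage": r"C:\Windows\System32\svchost.exe",  # not LSASS: ignored
     "TargetImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "GrantedAccess": "0x1010",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d5c4"},
]


def decode_access(mask):
    """Name the PROCESS_* bits set in a GrantedAccess mask, in ascending bit order."""
    return [name for bit, name in RIGHTS.items() if mask & bit]


def hunt_lsass_access(events, allowed=ALLOWED_SOURCES):
    """Return LSASS opens by non-allowlisted processes that carry memory-read or injection rights."""
    findings = []
    for e in events:
        if ntpath.basename(e["TargetImage"]).lower() != "lsass.exe":
            continue
        source = ntpath.basename(e["SourceImage"]).lower()
        if source in allowed:
            continue
        mask = int(e["GrantedAccess"], 16)
        reasons = []
        if (mask & PROCESS_ALL_ACCESS) == PROCESS_ALL_ACCESS:
            reasons.append("PROCESS_ALL_ACCESS")
        elif mask & CREDENTIAL_READ:
            reasons.append("memory rights: " + ", ".join(decode_access(mask & CREDENTIAL_READ)))
        if not reasons:
            continue  # query-only opens (e.g. 0x1400) are noise from tools like Task Manager
        if "UNKNOWN" in e["CallTrace"]:
            reasons.append("unbacked module in call trace")
        if not e["SourceImage"].lower().startswith(("c:\\windows\\", "c:\\program files")):
            reasons.append("source outside system directories")
        findings.append({"Computer": e["Computer"], "source": source,
                         "access": hex(mask), "rights": decode_access(mask), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in hunt_lsass_access(EVENTS):
        print(f["Computer"], f["source"], f["access"], "; ".join(f["reasons"]))
```

The UNKNOWN frame in a CallTrace means the open came from code with no module on disk behind it, which is what reflectively loaded tooling looks like; it is worth a reason of its own even when the source binary is a signed system executable such as rundll32.exe.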

Building a Hunting Program

Team Structure

Dedicated hunters vs. rotation model:

  • Dedicated team: Deep expertise but limited scale
  • Rotation: Broader coverage but requires training investment
  • Hybrid: Core hunting team supplemented by rotating analysts

Measuring Success

Track hunting program metrics (a hunt that finds nothing but closes a visibility gap or yields a new detection still counts as a success):

  • Hunts completed per period
  • Threats discovered
  • Detection coverage improvements
  • Time to detection improvements
  • Visibility gaps identified

Operationalizing Findings

Turn hunting discoveries into lasting improvements:

  1. Create detection rules for discovered techniques
  2. Improve logging coverage for blind spots
  3. Update incident response playbooks
  4. Share intelligence with peers and ISACs

Tools of the Trade

Commercial

  • CrowdStrike Falcon OverWatch
  • Microsoft Defender (advanced hunting)
  • Carbon Black Threat Hunting
  • Elastic Security

Open Source

  • HELK (Hunting ELK)
  • Sigma rules (vendor-neutral detection rule format, convertible to SIEM queries)
  • YARA rules
  • Atomic Red Team (for testing)

Getting Started

  1. Start with known-bad: Hunt for publicly documented threat actor TTPs
  2. Build foundational queries for common techniques
  3. Develop baselines for normal behavior
  4. Practice regularly, even when nothing is found
  5. Share findings to build organizational knowledge