Go hunting before moving to reading resources.

Opening Framing: Beyond Reactive Defense

Alerts catch known threats. But what about threats that don't trigger alerts? Sophisticated attackers evade detection. They use legitimate tools, blend with normal traffic, and avoid obvious malware. Automated detection misses them.

Threat hunting is the answer. Instead of waiting for alerts, hunters proactively search for evidence of compromise. They start with a hypothesis about attacker behavior and look for evidence that proves or disproves it.

This week covers hunting methodology, hypothesis development, hunting techniques, and how to turn hunt findings into improved detection.

Key insight: Hunting assumes breach. The question isn't "are we compromised?" but "where is the evidence of compromise hiding?"

1) Threat Hunting Fundamentals

Understanding what makes hunting different from monitoring:

Hunting vs. Monitoring:

Monitoring (Reactive):
- Waits for alerts
- Rule-based detection
- Automated
- Known threats
- High volume, low touch

Hunting (Proactive):
- Seeks evidence
- Hypothesis-based
- Human-driven
- Unknown threats
- Low volume, high touch

They complement each other:
- Monitoring catches known threats at scale
- Hunting finds threats monitoring misses
- Hunt findings improve monitoring

Hunt Maturity Model:

HMM0 - Initial:
- No hunting capability
- Purely reactive
- Limited data collection

HMM1 - Minimal:
- Some ad-hoc hunting
- Relies on IOC searches
- Limited methodology

HMM2 - Procedural:
- Documented procedures
- Regular hunting cadence
- Some hypothesis-based hunts

HMM3 - Innovative:
- Custom tools and techniques
- Threat intel driven
- Creates new detection methods

HMM4 - Leading:
- Automated hunt processes
- Original research
- Contributes to community

Most organizations: HMM1-HMM2
Goal: Progress toward HMM3

Requirements for Hunting:

Data:
- Comprehensive log collection
- Endpoint telemetry (EDR)
- Network visibility
- Historical retention

Tools:
- SIEM with flexible queries
- EDR with hunting capability
- Network analysis tools
- Custom scripts

Skills:
- Deep technical knowledge
- Attacker mindset
- Pattern recognition
- Query language proficiency

Time:
- Dedicated hunting time
- Not interrupt-driven
- Allows deep investigation

Key insight: You can't hunt what you can't see. Data collection and retention are prerequisites for effective hunting.

2) Hypothesis-Driven Hunting

Effective hunts start with a hypothesis:

Hypothesis Structure:

"If [threat actor/technique] is present in our environment,
we would expect to see [observable evidence]."

Example hypotheses:

1. "If attackers are using PowerShell for execution,
    we would see encoded command lines or unusual
    PowerShell parent processes."

2. "If data exfiltration is occurring,
    we would see large outbound transfers to
    unusual destinations outside business hours."

3. "If credential theft has occurred,
    we would see authentication from unusual
    locations or impossible travel patterns."

4. "If lateral movement is happening,
    we would see admin tools like PsExec or
    WMI being used from non-admin systems."

Hypothesis Sources:

Threat Intelligence:
- "APT29 uses scheduled tasks for persistence"
- Hunt: Scheduled tasks created recently
- Focus: Non-standard locations, encoded commands

ATT&CK Techniques:
- T1053.005: Scheduled Task/Job
- Hunt: schtasks.exe execution
- Look for: Unusual task names, paths, triggers

Recent Incidents:
- "We saw attackers use service creation"
- Hunt: New services across environment
- Check: Services not in baseline

Industry Reports:
- "Healthcare sector seeing Ryuk ransomware"
- Hunt: Ryuk IOCs and TTPs
- Look for: Precursor malware (TrickBot, BazarLoader)

Anomalies Observed:
- "Spike in DNS queries to rare TLDs"
- Hunt: What's generating these queries?
- Investigate: Process and destination

The Hunting Loop:

    ┌────────────────────────────────────────┐
    │                                        │
    ▼                                        │
┌──────────┐                                 │
│Hypothesis│ ← What are we looking for?      │
└────┬─────┘                                 │
     ↓                                       │
┌──────────┐                                 │
│ Collect  │ ← Gather relevant data          │
└────┬─────┘                                 │
     ↓                                       │
┌──────────┐                                 │
│ Analyze  │ ← Search for evidence           │
└────┬─────┘                                 │
     ↓                                       │
┌──────────┐                                 │
│ Evaluate │ ← What did we find?             │
└────┬─────┘                                 │
     │                                       │
     ├─→ Finding! → Investigate → Respond    │
     │                                       │
     └─→ No finding → Refine hypothesis ─────┘
         or → Improve detection

Key insight: A hunt without a hypothesis is just browsing logs. Hypotheses focus effort and make hunts measurable.

3) Hunting Techniques

Multiple approaches to find hidden threats:

Searching (IOC-based):

Look for known bad indicators:

# Search for known malicious hash
index=edr file_hash IN (watchlist_hashes)

# Search for known C2 domain
index=dns query IN (watchlist_domains)

# Search for known attacker IP
index=firewall dest_ip IN (watchlist_ips)

Limitations:
- Only finds known threats
- IOCs change frequently
- Reactive, not proactive

Best for:
- Validating threat intel
- Checking for known campaigns
- Quick sweeps after new intel

Clustering (Pattern-based):

Group similar activities, look for anomalies:

# Group processes by parent
index=edr event_type=process_start
| stats count by parent_process, process
| sort -count

# Group network connections by destination
index=firewall action=allow
| stats sum(bytes) as total_bytes by dest_ip
| sort -total_bytes

# Group authentications by source
index=windows EventCode=4624
| stats count dc(user) as unique_users by src_ip
| where unique_users > 5

Look for:
- Outliers in clusters
- Unexpected groupings
- Rare combinations

Stacking (Frequency Analysis):

Find rare events that might be malicious:

# Rare processes across environment
index=edr event_type=process_start
| stats count by process_name
| where count < 5

# Rare outbound destinations
index=firewall direction=outbound
| stats count by dest_ip
| where count < 10

# Rare scheduled tasks
index=windows EventCode=4698
| stats count by task_name
| where count = 1

Principle: Attackers do unusual things
Rare ≠ malicious, but warrants investigation

Behavioral Analysis:

Look for suspicious behavior patterns:

# PowerShell with encoded commands
index=windows EventCode=4104
| search "*-enc*" OR "*-encoded*"

# Process running from temp directories
index=edr event_type=process_start
| where match(process_path, "(?i)\\\\(temp|tmp)\\\\")

# Admin tools from non-admin systems
index=edr process_name IN ("psexec.exe","wmic.exe")
| where NOT match(host, "admin-*")

# Network connections from unusual processes
index=edr event_type=network_connection
| where process_name IN ("notepad.exe","calc.exe")

Focus: What attackers DO, not what files they use

Key insight: Combine techniques. Searching finds known threats, stacking finds rare events, behavioral analysis finds suspicious actions.

4) ATT&CK-Based Hunting

MITRE ATT&CK provides structured hunting guidance:

Using ATT&CK for Hunt Planning:

1. Select relevant techniques
   - Based on threat intel
   - Based on gaps in detection
   - Based on high-impact techniques

2. Understand the technique
   - How does it work?
   - What variations exist?
   - What artifacts does it leave?

3. Identify data sources
   - What logs capture this?
   - Do we collect them?
   - What fields are relevant?

4. Develop hunt query
   - Translate technique to query
   - Account for variations
   - Reduce false positives

5. Execute and analyze
   - Run query
   - Review results
   - Investigate anomalies

Example: Hunting T1059.001 (PowerShell):

Technique: T1059.001 - Command and Scripting Interpreter: PowerShell

Attacker use:
- Download and execute payloads
- Run encoded commands
- Bypass execution policies

Data sources:
- Windows PowerShell logs (4103, 4104)
- Process creation (Sysmon 1, Security 4688)
- Script block logging

Hunt queries:

# Encoded commands
index=windows source="WinEventLog:Microsoft-Windows-PowerShell*"
| search "*-enc*" OR "*FromBase64String*"

# Download cradles
index=windows source="WinEventLog:Microsoft-Windows-PowerShell*"
| search "*WebClient*" OR "*DownloadString*" OR "*Invoke-WebRequest*"

# Unusual parent processes
index=sysmon EventCode=1 Image="*powershell.exe"
| stats count by ParentImage
| where NOT match(ParentImage, "(explorer|cmd|services)")

# PowerShell network connections
index=sysmon EventCode=3 Image="*powershell.exe"
| stats count by DestinationIp, DestinationPort

High-Value Techniques to Hunt:

Initial Access:
- T1566: Phishing (email with attachments/links)
- T1078: Valid Accounts (compromised credentials)

Execution:
- T1059: Command and Scripting Interpreter
- T1053: Scheduled Task/Job

Persistence:
- T1547: Boot or Logon Autostart
- T1543: Create or Modify System Process

Credential Access:
- T1003: OS Credential Dumping
- T1558: Steal or Forge Kerberos Tickets

Lateral Movement:
- T1021: Remote Services
- T1570: Lateral Tool Transfer

Exfiltration:
- T1041: Exfiltration Over C2 Channel
- T1567: Exfiltration Over Web Service

Key insight: ATT&CK provides a common language and framework for hunting. It ensures comprehensive coverage and facilitates sharing hunt findings.

5) Documenting and Operationalizing Hunts

Hunts should produce lasting value:

Hunt Documentation:

Hunt Report Template:

1. Hunt Overview
   - Hypothesis
   - Timeframe
   - Data sources used
   - Techniques covered (ATT&CK)

2. Methodology
   - Queries executed
   - Tools used
   - Analysis approach

3. Findings
   - What was discovered
   - True positives
   - Interesting anomalies
   - False positive patterns

4. Recommendations
   - Detection rules to create
   - Visibility gaps to address
   - Process improvements

5. Metrics
   - Time spent
   - Systems/users covered
   - Findings by category

From Hunt to Detection:

Convert successful hunts to automated detection:

Hunt finding:
"Found 3 instances of PowerShell downloading
content using WebClient from unusual parent processes"

Detection rule:
alert any where
  process.name == "powershell.exe" and
  process.command_line contains "WebClient" and
  process.parent.name not in ("explorer.exe", "cmd.exe")

Benefits:
- Future occurrences automatically detected
- Hunting effort has lasting value
- Detection coverage improves

Document why the rule exists:
- Link to hunt report
- ATT&CK technique
- Expected false positives

Building a Hunt Program:

Hunt Program Elements:

Cadence:
- Regular scheduled hunts (weekly/monthly)
- Ad-hoc hunts based on intel
- Post-incident hunts

Coverage tracking:
- Which techniques have been hunted?
- When was each last hunted?
- What's the gap?

Metrics:
- Hunts conducted
- Hours spent
- Findings discovered
- Rules created
- Coverage improvement

Maturation:
- Document successful hunt queries
- Build query library
- Automate repeatable hunts
- Train new hunters

Key insight: A hunt that doesn't result in improved detection or documented knowledge is a missed opportunity.

Real-World Context: Hunting in Practice

Threat hunting catches what automation misses:

Living Off the Land: Attackers use legitimate tools (PowerShell, WMI, PsExec) that don't trigger antivirus. Hunting looks for suspicious USE of legitimate tools.

Dwell Time Reduction: Industry average dwell time (time from compromise to detection) is months. Hunting finds attackers faster by actively searching rather than waiting for alerts.

Detection Engineering: Hunt findings become detection rules. The best detection engineers are hunters who understand what real attacks look like in data.

MITRE ATT&CK Application:

• Coverage Mapping: Which techniques can we hunt for?
• Gap Identification: Which techniques have no coverage?
• Hunt Prioritization: Focus on high-impact gaps

Key insight: Hunting is how you find attackers who are trying not to be found. It requires skill, time, and the right data.

Guided Lab: Hypothesis-Driven Hunt

Practice developing and executing a threat hunt.

Step 1: Develop Hypothesis

Based on this threat intel:

"APT group targeting financial sector uses
scheduled tasks for persistence. Tasks are
created with encoded PowerShell commands
and run from C:\Windows\Temp."

Write your hypothesis:
"If [this threat] is present, we would see..."

Identify:
- What technique? (ATT&CK ID)
- What data source needed?
- What would be suspicious vs. normal?

Step 2: Design Hunt Queries

Create queries to test your hypothesis:

Query 1: Find all scheduled task creations
(What would this look like in your SIEM?)

Query 2: Filter for tasks with PowerShell
(How do you narrow to suspicious ones?)

Query 3: Look for encoded commands
(What patterns indicate encoding?)

Query 4: Check execution location
(How do you filter by path?)

Step 3: Analyze Results

For each result:
- Is this expected/normal?
- Is this suspicious?
- What additional context needed?

Document:
- Total results
- Clear false positives
- Needs investigation
- Confirmed malicious

Step 4: Create Detection Rule

Based on your hunt, create a detection rule:

Rule name:
Description:
ATT&CK technique:
Query/logic:
Severity:
Response actions:

Reflection (mandatory)

1. How did the hypothesis focus your hunt?
2. What would you do differently next time?
3. What data gaps did you discover?
4. How would you prioritize findings for investigation?

Week 10 Outcome Check

By the end of this week, you should be able to:

• Explain threat hunting and how it differs from monitoring
• Develop hunting hypotheses from various sources
• Apply hunting techniques (searching, stacking, behavioral)
• Use ATT&CK to structure hunting activities
• Document hunt findings and create detection rules
• Understand requirements for a hunting program

Next week: Automation and Playbooks—scaling security operations through orchestration and automation.

🎯 Hands-On Labs (Free & Essential)

Go hunting before moving to reading resources.

💡 Lab Tip: Start with a clear hypothesis and define what evidence would confirm it.

🛡️ Container Security for SOC Analysts

Containers change the hunt surface. Analysts need to understand what "normal" looks like in containerized environments.

Container defense focus:
- Harden runtime (seccomp, AppArmor, read-only FS)
- Limit capabilities and privileged containers
- Monitor container image provenance
- Watch for escape indicators and host tampering

📚 Building on CSY102: Process isolation and service hardening fundamentals.

Resources

Complete the required resources to build your foundation.

• ThreatHunting.net - Hunting Resources · 45-60 min · 50 XP · Resource ID: csy201_w10_r1 (Required)
• Threat Hunter Playbook · 60-90 min · 50 XP · Resource ID: csy201_w10_r2 (Required)
• Sigma Rules (Detection as Code) · Reference · 25 XP · Resource ID: csy201_w10_r3 (Optional)

Lab: Complete Threat Hunt

Goal: Plan, execute, and document a complete threat hunt from hypothesis to detection rule.

Part 1: Hunt Planning

1. Select a technique from ATT&CK (choose one):
   • T1053.005 - Scheduled Task
   • T1059.001 - PowerShell
   • T1003.001 - LSASS Memory
   • T1021.002 - SMB/Windows Admin Shares
2. Research the technique thoroughly
3. Document:
   • Hypothesis
   • Required data sources
   • Expected false positive sources

Part 2: Query Development

1. Write 3-5 hunt queries for your technique
2. Include queries in multiple formats:
   • Splunk SPL
   • Elastic KQL or Sentinel KQL
3. Document expected results

Part 3: Hunt Execution

1. Execute queries against sample data or lab environment
2. Document findings:
   • Total results
   • False positives identified
   • Anomalies requiring investigation
   • Confirmed findings

Part 4: Detection Engineering

1. Create detection rule from hunt
2. Write in Sigma format
3. Document false positive handling
4. Specify response actions

Deliverable (submit):

• Hunt planning document with hypothesis
• Hunt queries with documentation
• Hunt findings report
• Sigma detection rule
• Lessons learned summary

Checkpoint Questions

1. How does threat hunting differ from security monitoring?
2. What are the components of a hunting hypothesis?
3. What is "stacking" in threat hunting?
4. Why is ATT&CK useful for threat hunting?
5. How should hunt findings be operationalized?
6. What data requirements exist for effective hunting?

Week 10 Quiz

Test your understanding of threat hunting methods, hypotheses, and operationalization.

Format: 10 multiple-choice questions. Passing score: 70%. Time: Untimed.

Weekly Reflection

Reflection Prompt (200-300 words):

This week you learned threat hunting—proactively searching for threats that evade automated detection. You developed hypotheses, wrote queries, and considered how to build a hunting program.

Reflect on these questions:

• Hunting requires dedicated time away from alert queues. How would you justify hunting time to management?
• Many organizations have data but don't hunt effectively. What prevents effective hunting and how would you address it?
• How does the "assume breach" mindset change your approach to security operations?
• What skills would you need to develop to become an effective threat hunter?

A strong reflection will consider the organizational and skill challenges of building hunting capability.

Verified Resources & Videos

• Hunt Queries: Elastic Detection Rules
• Hunting Techniques: Red Team Tools (know what to hunt for)
• MITRE ATT&CK: Enterprise Techniques

Threat hunting is an advanced skill that separates reactive defenders from proactive ones. The methodology you've learned— hypothesis development, technique-based hunting, finding to detection conversion—provides a foundation for continuous improvement. Next week: automation to scale these capabilities.