Threat Hunting Guide — Engineering-Grade Playbook (2025)
By CyberDudeBivash (Ruthless Cybersecurity & AI Threat Intel) • © CyberDudeBivash • Powered by CyberDudeBivash

0) What Threat Hunting is (and isn’t)

Threat hunting is a proactive, hypothesis-driven search for unknown or currently undetected adversary activity across endpoint, identity, network, cloud, and SaaS.
It is not alert triage. Triage starts from a detection; hunting starts from a question:

“If an attacker used PowerShell (T1059.001) to dump credentials (T1003) and pivoted over RDP (T1021.001), what traces would exist in our logs right now?”

Hunting outputs are:

  • Findings (confirmed/likely benign),

  • New detections (SIEM/XDR rules, Sigma),

  • Data/visibility gaps to fix,

  • Playbooks to automate next time.


1) Prereqs: Data, Access, and Baselines

Minimum data plane

  • Endpoint: EDR/OS telemetry (process start/stop, parent/child, command line, module loads) and Sysmon events 1 (process create), 3 (network connect), 7 (image load), 8 (CreateRemoteThread), 10 (process access), 11 (file create), 13 (registry value set), 22 (DNS query), 23 (file delete), 24 (clipboard change), 25 (process tampering).

  • Identity: IdP (Okta / Microsoft Entra ID, formerly Azure AD) sign-ins, MFA, role/consent grants, token logs.

  • Network: DNS, proxy/HTTP, NetFlow/PCAP/Zeek, TLS JA3/JA3S, egress firewall.

  • Email: Secure email gateway (headers, URL/attachment verdicts), user-reported phishing.

  • Cloud/SaaS: AWS CloudTrail, Azure Activity/Sign-in, GCP Audit, storage access, admin actions.

  • Control plane: CMDB/asset inventory, user directory, threat intel (internal + OSINT).

Baselines to compute (and refresh weekly)

  • Process ancestry (top N chains per role),

  • Admin tool usage (who legitimately runs PS/WMIC/AD tools),

  • Login geography & ASN per user,

  • Normal egress (dest hostnames, ports),

  • Service-to-service flows (for microsegmentation).


2) Method: Hypothesis → Hunt → Pivot → Outcome

  1. Pick a TTP (map to ATT&CK): e.g., T1055 Process Injection.

  2. Form a hypothesis tied to your telemetry:

    • “If an attacker dumps LSASS memory (T1003.001) or injects into lsass.exe, Sysmon Event ID 10 will show a non-Windows source process opening lsass.exe with PROCESS_VM_READ (0x0010) in GrantedAccess for a dump, or PROCESS_VM_WRITE/PROCESS_CREATE_THREAD (0x0020/0x0002) for injection, alongside EDR memory-access events, a .dmp written to a temp path and, as a weak signal, a spike in lsass CPU.”

  3. Define observables/features (fields, sequences, thresholds).

  4. Query + iterate (multiple lenses: endpoint, identity, network, cloud).

  5. Enrich (TI, WHOIS, GeoIP, reputation, internal context).

  6. Decide outcome:

    • Escalate incident • Write detection • Tune out noise • File data gap.

  7. Record in the huntbook (template below).


3) Core Hunt Patterns (with copy-paste queries)

Replace indexes/sourcetypes to match your stack. Use these as starters and tune to your environment.

A) Credential Access & Privilege Abuse

Goal: Catch theft/escalation before lateral movement.

KQL (Azure Sign-in – “impossible travel + new admin”)

SigninLogs
| extend Country = tostring(LocationDetails.countryOrRegion)
| summarize first=min(TimeGenerated), last=max(TimeGenerated), countries=make_set(Country, 5)
    by UserPrincipalName = tolower(UserPrincipalName), bin(TimeGenerated, 1d)
| where array_length(countries) > 1 and datetime_diff('hour', last, first) < 2
| join kind=leftouter (
    AuditLogs
    | where OperationName has "Add member to role" or OperationName has "Add eligible member to role"
    | extend UserPrincipalName = tolower(tostring(InitiatedBy.user.userPrincipalName))
    | project UserPrincipalName, RoleOp=OperationName, RoleTime=TimeGenerated
  ) on UserPrincipalName

Both sides of the join are lower-cased, because SigninLogs and AuditLogs do not agree on UPN casing. The day-bin plus "more than one country within two hours" test is a coarse proxy for impossible travel; a distance/time (speed) check per consecutive pair of sign-ins is more precise.
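The KQL above approximates impossible travel with a daily bin; the check a hunter really wants is the implied speed between consecutive sign-ins of the same user. The block below is an added example (not code from the original post) that does that generally over any sign-in list with coordinates: it lower-cases the user like the join above, sorts per user, and flags pairs whose great-circle speed exceeds a ceiling. The sample events, the 900 km/h ceiling and the 50 km "same metro" floor are constructed assumptions.

```python
"""Impossible-travel check over sign-in events (added example, not from the
original post). Each event carries user, UTC time, lat/lon and country.
Assumptions (constructed): the SAMPLE list below, the 900 km/h speed ceiling
and the 50 km floor that suppresses same-city / CDN-egress noise."""
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

MAX_KMH = 900.0   # assumed ceiling: roughly airliner cruising speed
MIN_KM = 50.0     # assumed floor: ignore moves inside one metro area


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two lat/lon points (R = 6371 km)."""
    r = 6371.0
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * r * asin(sqrt(a))


def impossible_travel(events, max_kmh=MAX_KMH, min_km=MIN_KM):
    """Return (user, from_country, to_country, km, hours, kmh) for every pair of
    consecutive sign-ins by the same user whose implied speed exceeds max_kmh.
    Users are lower-cased and events sorted per user, so input order and UPN
    casing do not matter."""
    by_user = {}
    for e in events:
        by_user.setdefault(e["user"].lower(), []).append(e)
    hits = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["time"])
        for prev, cur in zip(evs, evs[1:]):
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            if km < min_km:
                continue
            hours = (cur["time"] - prev["time"]).total_seconds() / 3600.0
            speed = km / hours if hours > 0 else float("inf")
            if speed > max_kmh:
                hits.append((user, prev["country"], cur["country"],
                             round(km), round(hours, 2), round(speed)))
    return hits


def _t(s):
    """Parse 'YYYY-MM-DD HH:MM' as UTC."""
    return datetime.strptime(s, "%Y-%m-%d %H:%M").replace(tzinfo=timezone.utc)


# Constructed sample: alice signs in from London, then from New York 90 minutes
# later (impossible); bob signs in from Berlin, then Munich six hours later (plausible).
SAMPLE = [
    {"user": "alice@example.com", "time": _t("2025-01-10 08:00"), "lat": 51.5074, "lon": -0.1278, "country": "GB"},
    {"user": "Alice@example.com", "time": _t("2025-01-10 09:30"), "lat": 40.7128, "lon": -74.0060, "country": "US"},
    {"user": "bob@example.com", "time": _t("2025-01-10 07:00"), "lat": 52.5200, "lon": 13.4050, "country": "DE"},
    {"user": "bob@example.com", "time": _t("2025-01-10 13:00"), "lat": 48.1351, "lon": 11.5820, "country": "DE"},
]

if __name__ == "__main__":
    for hit in impossible_travel(SAMPLE):
        print(hit)
```

Feed it the exported SigninLogs rows (LocationDetails carries geoCoordinates) and lower the ceiling for populations that never fly; the floor keeps a user bouncing between home ISP and office egress out of the results.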

SPL (Splunk – “sudden MFA fatigue”)

index=auth vendor="Okta" action IN (fail, challenge, success)
| timechart span=5m count by action
| eventstats avg(success) as baseline_success, avg(fail) as baseline_fail, avg(challenge) as baseline_challenge
| where fail > baseline_fail*3 OR challenge > baseline_challenge*3 OR challenge > 50

timechart splits on the same field the base search filters (action), so the fail/challenge/success columns exist for the eventstats baseline; the push-fatigue signal is the challenge burst, the fail burst is the password-spray precursor.

EQL (Elastic – LSASS access / dumping)

sequence by host.id with maxspan=2m
  [process where
     (process.name : ("procdump.exe", "procdump64.exe") and process.command_line : "*lsass*") or
     (process.name : "rundll32.exe" and process.command_line : "*comsvcs*" and process.command_line : "*MiniDump*")]
  [file where file.extension : "dmp" and
     file.path : ("C:\\Windows\\Temp\\*", "C:\\Users\\*\\AppData\\Local\\Temp\\*")]

comsvcs.dll is never a process name; it appears in the rundll32 command line (rundll32 comsvcs.dll, MiniDump <pid> <path> full), and because that form takes a PID rather than a name, "*lsass*" will not match it, hence the separate branch.

B) Initial Access → LOLBins / Scripted Execution

KQL (Office spawning script interpreters)

DeviceProcessEvents
| where InitiatingProcessFileName in~ ("WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE")
| where FileName in~ ("wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe", "rundll32.exe")
| project Timestamp, DeviceName, InitiatingProcessFileName, FileName, ProcessCommandLine

SPL (macro download behavior)

index=edr parent_process IN (WINWORD.EXE, EXCEL.EXE, POWERPNT.EXE)
    process IN (powershell.exe, cmd.exe, wscript.exe, mshta.exe)
| rex field=process_command_line "(?<url>https?://\S+)"
| where isnotnull(url)
| stats values(url) as urls by host, user, parent_process, process

C) Lateral Movement (PsExec / WMI / RDP)

KQL (new remote service creation – PsExec-like)

DeviceProcessEvents
| where FileName =~ "sc.exe"
| where ProcessCommandLine has "create" and ProcessCommandLine contains "binPath"
| extend Target = extract(@"\\\\([^\\ ]+)", 1, ProcessCommandLine)   // sc \\HOST create ...
| where isnotempty(Target)
| distinct Timestamp, DeviceName, AccountName, Target, ProcessCommandLine

The target host is only present when sc.exe is pointed at a remote machine (sc \\HOST create ...), so the isnotempty filter drops local service installs; pair this with System Event ID 7045 on the target for the PSEXESVC-style service itself.

SPL (suspicious RDP fan-out)

index=network dest_port=3389 action=allowed
| bucket _time span=15m
| stats dc(dest_ip) as unique_dests, values(dest_ip) as dests by src_ip, _time
| where unique_dests >= 5

D) Data Staging & Exfiltration

KQL (staging archives prior to exfil)

DeviceProcessEvents
| where FileName in~ ("7z.exe", "rar.exe", "winrar.exe", "zip.exe", "tar.exe")
| summarize cmdlines=make_set(ProcessCommandLine) by DeviceName, AccountName, bin(Timestamp, 1h)

SPL (DNS tunneling indicators)

index=dns
| eval qlen=len(query), labels=mvcount(split(query, "."))
| where qtype="TXT" OR qlen>50
| rex field=query "(?<domain>[^.]+\.[^.]+)$"
| stats count, avg(qlen) as avgQLen, avg(labels) as avgLabels, dc(query) as uniqueQueries, dc(src_ip) as srcs by domain
| where count>100 AND avgQLen>40 AND uniqueQueries>count*0.8

Group by the registered domain, not the full query: a tunnel encodes data in ever-changing subdomains, so grouping by query would spread it across one-count rows. Splunk has no native entropy function; compute label entropy offline or with a custom command.

E) Cloud Control Plane Hunts

AWS CloudTrail – unusual AssumeRole

AWSCloudTrail
| where EventName == "AssumeRole" and isempty(ErrorCode)
| where UserIdentityType != "AWSService"   // service-linked AssumeRole is constant noise; tune per account
| summarize cnt=count(), srcs=make_set(SourceIpAddress, 10) by UserIdentityArn, bin(TimeGenerated, 1d)
| where cnt > 5 and array_length(srcs) > 3

Azure OAuth consent / risky app

AuditLogs
| where OperationName has "Consent to application"
| extend App = tostring(TargetResources[0].displayName), Actor = tostring(InitiatedBy.user.userPrincipalName)
| summarize count() by App, Actor, bin(TimeGenerated, 1d)

GCP – service account key creation

GCPAuditLogs
| extend Method = tostring(ProtoPayload.MethodName),
         Principal = tostring(ProtoPayload.AuthenticationInfo.PrincipalEmail),
         Service = tostring(Resource.Service)
| where Method has "google.iam.admin.v1.CreateServiceAccountKey"
| summarize count() by Service, Principal, bin(TimeGenerated, 1d)

Adjust the column paths to your connector's schema; a flattened GCP audit table exposes MethodName and PrincipalEmail as top-level columns.

F) C2 & Post-Exploitation

Zeek/TLS JA3 outliers

index=zeek sourcetype=zeek:ssl
| fillnull value="-" server_name
| stats count by ja3, server_name
| where count < 5 AND server_name="-"

Zeek's ssl.log field is server_name (SNI); JA3 hashes only appear if the ja3 package is loaded. Rare JA3 values with no SNI are a classic implant tell, but check against your own update agents before escalating.

EDR beacons with sleep jitter

DeviceNetworkEvents
| where RemotePort in (80, 443)
| where InitiatingProcessFileName !in ("chrome.exe", "firefox.exe", "msedge.exe")
| order by DeviceName, InitiatingProcessFileName, RemoteIP, Timestamp asc
| extend SameStream = prev(DeviceName) == DeviceName
    and prev(InitiatingProcessFileName) == InitiatingProcessFileName
    and prev(RemoteIP) == RemoteIP
| extend Gap = iff(SameStream, datetime_diff('second', Timestamp, prev(Timestamp)), long(null))
| summarize cnt=count(), avg_gap=avg(Gap), sd_gap=stdev(Gap) by DeviceName, InitiatingProcessFileName, RemoteIP
| where cnt > 30 and avg_gap between (30 .. 120) and sd_gap < avg_gap * 0.35

prev() only works on a serialized (ordered) table and compares neighbouring rows, so the stream key must be checked explicitly or the first row of each stream inherits a gap from the previous one. The standard deviation relative to the mean is what separates a jittered sleep (a 20% jitter gives roughly 0.12) from human browsing (well above 1).
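The same beacon test, run offline over exported connection events, as an added example that is not code from the original post. It groups by (host, process, destination), computes inter-arrival gaps and the coefficient of variation (stdev/mean), and keeps streams whose gaps are both in the sleep range and regular. The sample events are constructed with a fixed seed: one 60-second beacon with 20% jitter and one irregular mail-client stream; the thresholds are assumptions to tune.

```python
"""Beacon detector over outbound connection events (added example, not code
from the original post). Constructed sample data and assumed thresholds."""
from collections import defaultdict
from statistics import mean, pstdev
import random


def beacon_candidates(events, min_conns=30, min_avg=30, max_avg=120, max_cv=0.35):
    """events: iterable of (ts_seconds, host, process, dest_ip).
    Returns {(host, process, dest): (count, avg_gap, cv)} for streams that look
    like a sleep loop: enough connections, mean gap inside the sleep window and
    a low coefficient of variation (cv = stdev / mean of the gaps)."""
    streams = defaultdict(list)
    for ts, host, proc, dst in events:
        streams[(host, proc, dst)].append(ts)
    out = {}
    for key, times in streams.items():
        if len(times) < min_conns:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if not (min_avg <= avg <= max_avg):
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            out[key] = (len(times), round(avg, 1), round(cv, 3))
    return out


def constructed_events(seed=7):
    """Constructed sample: a 60 s beacon with +/-20 % jitter from 'updater.exe'
    and a bursty, irregular stream from 'outlook.exe' on the same host."""
    rng = random.Random(seed)
    ev = []
    t = 0.0
    for _ in range(50):
        t += 60 * rng.uniform(0.8, 1.2)          # sleep 60 s, jitter 20 %
        ev.append((t, "WS-042", "updater.exe", "203.0.113.10"))
    t = 0.0
    for _ in range(50):
        t += rng.choice([1, 2, 5, 600, 1800, 3600])  # human-driven gaps
        ev.append((t, "WS-042", "outlook.exe", "198.51.100.5"))
    return ev


if __name__ == "__main__":
    for key, stats in beacon_candidates(constructed_events()).items():
        print(key, stats)
```

Raise max_cv towards 0.6 when hunting implants with large jitter settings, and add a check on bytes sent (near-constant small payloads) if your telemetry has it; the cv alone is enough to cut the browser-less HTTP noise down to a reviewable list.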

4) AI-Augmented Hunting (how to use ML safely)

  • Unsupervised outlier detection for user logon time, process trees, egress volumes.

  • Semi-supervised: seed from known bad → learn look-alikes.

  • Feature engineering:

    • Process ratio metrics (child/parent entropy, script length, flag density),

    • Auth sequence features (fail→success windows, geo distance),

    • DNS features (label count, char entropy, unique domain fan-out).

  • Tooling: Jupyter + pandas, scikit-learn, MSTICPy for TI/geo enrichment.

  • Guardrails: Keep models explainable; always ship deterministic detections derived from ML findings.
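The DNS feature list above (label count, character entropy, unique-subdomain fan-out) and the DNS-tunnel SPL in section 3D both need the same feature extraction, so one added example covers both; it is not code from the original post. It groups constructed DNS records by registered domain, computes the features per domain, and applies a deterministic rule on top, which is the "ship a deterministic detection derived from the ML finding" guardrail in practice. The two-label registered-domain split and the thresholds are assumptions (use a public-suffix list in production).

```python
"""DNS-tunnel feature extraction and rule (added example, not from the original
post). Sample records are constructed; thresholds are assumed starting points."""
from collections import Counter, defaultdict
from math import log2
import hashlib


def shannon_entropy(s):
    """Bits per character of s. Hex labels score about 3.8, base64 about 5.5,
    English words about 3, a repeated label like 'www' exactly 0."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * log2(c / n) for c in counts.values())


def registered_domain(qname):
    """Last two labels, lower-cased (assumption: no public-suffix handling)."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def dns_features(records):
    """records: iterable of (src_ip, qname, qtype). Returns {domain: features}."""
    acc = defaultdict(lambda: {"count": 0, "txt": 0, "qlen": 0, "labels": 0,
                               "entropy": 0.0, "subs": set(), "srcs": set()})
    for src, qname, qtype in records:
        f = acc[registered_domain(qname)]
        labels = qname.rstrip(".").split(".")
        sub = ".".join(labels[:-2])          # everything left of the registered domain
        f["count"] += 1
        f["txt"] += qtype.upper() == "TXT"
        f["qlen"] += len(qname)
        f["labels"] += len(labels)
        f["entropy"] += shannon_entropy(sub)
        f["subs"].add(sub)
        f["srcs"].add(src)
    out = {}
    for d, f in acc.items():
        n = f["count"]
        out[d] = {"count": n, "txt_ratio": f["txt"] / n, "avg_qlen": f["qlen"] / n,
                  "avg_labels": f["labels"] / n, "avg_entropy": f["entropy"] / n,
                  "unique_subs": len(f["subs"]), "srcs": len(f["srcs"])}
    return out


def tunnel_suspects(features, min_count=20, min_qlen=40, min_entropy=3.3, min_uniq_ratio=0.9):
    """Deterministic rule: many long, high-entropy, almost-never-repeated subdomains."""
    return sorted(d for d, f in features.items()
                  if f["count"] >= min_count
                  and f["avg_qlen"] >= min_qlen
                  and f["avg_entropy"] >= min_entropy
                  and f["unique_subs"] / f["count"] >= min_uniq_ratio)


def constructed_records():
    """Constructed sample: 40 tunnel-style TXT queries carrying hex chunks under
    exfil.example from one host, plus 40 benign A lookups of www.example.org
    from five hosts."""
    recs = []
    for i in range(40):
        chunk = hashlib.sha256(str(i).encode()).hexdigest()[:48]
        recs.append(("10.0.0.7", f"{chunk[:24]}.{chunk[24:]}.exfil.example", "TXT"))
    for i in range(40):
        recs.append(("10.0.0.%d" % (i % 5), "www.example.org", "A"))
    return recs


if __name__ == "__main__":
    feats = dns_features(constructed_records())
    print(tunnel_suspects(feats))
```

The per-domain feature dict is exactly what you would hand to an isolation forest or a simple z-score job; the rule in tunnel_suspects is the explainable detection you publish once the outlier job has shown you where the thresholds sit.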


5) From Hunt → Detection (Detection Engineering Pipeline)

  1. Convert query to Sigma (portable YAML).

  2. Back-test 30–90 days; collect FPs.

  3. Add contextual filters (business apps, admin ranges).

  4. Publish to SIEM/XDR; attach SOAR response.

  5. Add review date (tune or retire).

Sigma example (Office → Script Launch)

title: Office Spawns Script Interpreter
id: cdb-2025-0001
status: experimental
logsource:
  category: process_creation
  product: windows
detection:
  selection_parent:
    ParentImage|endswith:
      - '\WINWORD.EXE'
      - '\EXCEL.EXE'
      - '\POWERPNT.EXE'
  selection_child:
    Image|endswith:
      - '\wscript.exe'
      - '\cscript.exe'
      - '\powershell.exe'
      - '\mshta.exe'
      - '\rundll32.exe'
  condition: selection_parent and selection_child
level: high
tags:
  - attack.t1204
  - attack.t1059

The Sigma specification requires id to be a UUID, so replace cdb-2025-0001 before sharing the rule; the tags can be sharpened to sub-techniques (attack.t1204.002, attack.t1059.001/.005) once you know which interpreter fires in your estate.
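Steps 2 and 3 of the pipeline (back-test, then add contextual filters) are where most rules live or die, so here is an added example that is not code from the original post or from the Sigma project: a minimal matcher for the rule above, with an assumed filter_printer selection added to show how a contextual exclusion enters the condition, run over constructed Sysmon-style process events. It supports the endswith, contains and plain-equality modifiers and and/or/not conditions; real deployments convert with sigma-cli/pySigma, this only illustrates the semantics.

```python
"""Minimal Sigma matcher for back-testing (added example, not from the original
post or the Sigma project). RULE is the page's rule as a Python literal, plus an
assumed contextual filter; EVENTS are constructed."""
import re

RULE = {
    "detection": {
        "selection_parent": {"ParentImage|endswith": ["\\WINWORD.EXE", "\\EXCEL.EXE", "\\POWERPNT.EXE"]},
        "selection_child": {"Image|endswith": ["\\wscript.exe", "\\cscript.exe", "\\powershell.exe",
                                               "\\mshta.exe", "\\rundll32.exe"]},
        # assumed contextual filter (pipeline step 3): a vendor print-driver installer
        "filter_printer": {"CommandLine|contains": "\\PrintDriver\\"},
        "condition": "selection_parent and selection_child and not filter_printer",
    }
}


def _field_match(event, key, values):
    """One 'Field|modifier: value(s)' line; Sigma string matching is case-insensitive."""
    field, _, mod = key.partition("|")
    actual = str(event.get(field, "")).lower()
    vals = values if isinstance(values, list) else [values]
    for v in vals:
        v = str(v).lower()
        if mod == "endswith" and actual.endswith(v):
            return True
        if mod == "contains" and v in actual:
            return True
        if mod == "" and actual == v:
            return True
    return False


def _selection_match(event, selection):
    """Every field in a selection map must match (Sigma ANDs within a map)."""
    return all(_field_match(event, k, v) for k, v in selection.items())


def matches(rule, event):
    """Evaluate the condition over the named selections for one event."""
    det = rule["detection"]
    names = {k: _selection_match(event, v) for k, v in det.items() if k != "condition"}
    tokens = re.findall(r"\(|\)|\band\b|\bor\b|\bnot\b|[A-Za-z_][A-Za-z0-9_]*", det["condition"])
    py = []
    for t in tokens:
        if t in names:
            py.append(str(names[t]))
        elif t in ("and", "or", "not", "(", ")"):
            py.append(t)
        else:
            raise ValueError(f"unknown selection {t!r} in condition")
    # Only True/False and boolean operators remain, so eval is safe here.
    return eval(" ".join(py), {"__builtins__": {}}, {})


def backtest(rule, events):
    """Return (hits, total) so the hit rate can be tracked across the window."""
    hits = [e for e in events if matches(rule, e)]
    return hits, len(events)


EVENTS = [  # constructed Sysmon-style records
    {"ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "Image": "C:\\Windows\\System32\\wscript.exe",
     "CommandLine": "wscript.exe invoice.vbs"},
    {"ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell -nop"},
    {"ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE",
     "Image": "C:\\Windows\\System32\\rundll32.exe",
     "CommandLine": "rundll32.exe C:\\Vendor\\PrintDriver\\print.dll,Setup"},
]

if __name__ == "__main__":
    hits, total = backtest(RULE, EVENTS)
    print(f"{len(hits)} hit(s) of {total} events")
```

Run it over 30 to 90 days of exported process-creation events; every hit that turns out benign becomes a new filter_ selection, and the condition grows only by "and not filter_x", which keeps the rule reviewable.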

6) Huntbook Template (copy this)

Hunt ID / Name
Hypothesis: (one sentence, falsifiable)
ATT&CK: tactics/techniques
Data: sources & fields used
Queries: KQL/SPL/EQL links
Enrichment: TI, WHOIS, asset owner
Findings: IOCs, hosts, users, timeline
Outcome: incident | new detection | gap | benign pattern
Detection Rule Link: SIEM/XDR/Sigma
Owner / Due / Review Date


7) Metrics that matter (prove value)

  • Hunts/quarter & % with outcomes (incident/detection/gap).

  • Detection coverage vs MITRE ATT&CK (% techniques with rules).

  • Dwell time reduction for hunted families (before/after).

  • Noise burn-down (alerts/day reduced by tuning).

  • Mean time to first evidence in hunts (< 30 min for top TTPs).


8) 30/60/90 Hunting Program Plan

Day 0–30 (Foundations)

  • Confirm telemetry coverage & retention (≥ 90 days key logs).

  • Build 10 starter hunts for: phishing → initial exec, credential theft, RDP fan-out, archive staging, OAuth consent.

  • Stand up huntbook, tag assets, create Purple-Team slot weekly.

Day 31–60 (Scale & Automate)

  • Convert ≥ 6 hunts to detections + SOAR actions.

  • Baseline identity and egress; publish “known-good” allowlists.

  • Add cloud hunts (AssumeRole, key creation, public bucket drift).

Day 61–90 (Mature)

  • ML outlier jobs for login patterns & DNS.

  • Quarterly tabletop + back-test: measure coverage vs top 10 TTPs seen.

  • Publish a “Hunt to Detect” changelog for the exec dashboard.


9) Golden Hunt Library (keep these ready)

  • AitM/MFA-bombing: fail bursts → push approvals → success from new ASN.

  • LSASS dump: procdump/comsvcs/rundll32 touching LSASS + temp .dmp.

  • PsExec chain: PSEXESVC service creation (System 7045 / Security 4697) + \PSEXESVC SMB named pipes + remote cmd.

  • WMI persistence: EventFilter/Consumer/Binding trio in WMI repo.

  • Archive staging: 7z/rar + large write burst + new external PUT/POST.

  • DNS tunnel: high TXT ratio, long/entropy labels, single host fan-out.

  • OAuth abuse: risky scopes (Mail.Read, offline_access), sudden tenant-wide consent.

  • S3/GCS exfil: unusual GET/PUT spikes from workstation subnets.


CyberDudeBivash Expert Take

Great hunting is disciplined curiosity: pick one TTP, look from four angles (endpoint, identity, network, cloud), prove or disprove fast, and always ship a follow-up (detection, automation, or data fix). Do this weekly, and you will force adversaries to make noise — noise you now detect at machine-speed.

