Traditional security relies on alerts: your SIEM or EDR fires a notification when it detects something malicious, and you respond. Threat hunting flips this model. Instead of waiting for an alert, threat hunters proactively search through data looking for signs of compromise that automated tools missed — because sophisticated attackers specifically design their techniques to avoid triggering alerts.
The dwell time problem makes hunting essential. The average attacker spends 200+ days inside a network before being detected. During that time, they’re moving laterally, escalating privileges, and exfiltrating data — all while evading automated defenses. Threat hunting is the discipline that finds them earlier.
The Threat Hunting Process
Effective threat hunting follows a cycle:
- Hypothesis generation — form a specific question about attacker behavior
- Data collection — gather relevant logs, telemetry, and artifacts
- Investigation — analyze data to confirm or deny the hypothesis
- Response — escalate confirmed findings; tune detection rules to catch it automatically next time
- Documentation — record what was found and how, to improve future hunts
The hypothesis is the starting point. Vague hunts (“let’s look for something bad”) produce nothing. Specific hypotheses (“are there signs of credential dumping using lsass.exe memory reads in the past 30 days?”) produce results.
MITRE ATT&CK as Your Hunting Framework
The MITRE ATT&CK framework is the most valuable threat hunting resource available. It catalogs hundreds of real-world attacker Tactics, Techniques, and Procedures (TTPs) organized by kill chain stage:
- Initial Access
- Execution
- Persistence
- Privilege Escalation
- Defense Evasion
- Credential Access
- Discovery
- Lateral Movement
- Collection
- Exfiltration
- Command and Control
Each technique has a unique ID (e.g., T1003 - OS Credential Dumping), descriptions of how attackers use it, real-world threat group examples, and detection recommendations. Visit attack.mitre.org to explore the full framework.
Generating a hypothesis from ATT&CK:
Browse to a technique relevant to your environment. For example, T1078 - Valid Accounts describes attackers using stolen credentials. Your hypothesis: “Attackers may be using valid domain accounts to authenticate during off-hours from unusual locations.” This drives a specific hunt in your authentication logs.
Data Sources for Hunting
Threat hunters work primarily with:
Windows Event Logs:
- Event ID 4624/4625 — successful/failed logons
- Event ID 4688 — process creation (requires audit policy enabled)
- Event ID 4698 — scheduled task creation
- Event ID 7045 — new service installed
- Event ID 4663 — object access
Enable command-line process auditing (Event ID 4688 includes command-line arguments) and PowerShell ScriptBlock logging (Event ID 4104) — these are required for meaningful hunting.
Sysmon (System Monitor): Free from Microsoft/Sysinternals. Sysmon logs detailed process creation (with hashes), network connections, driver loads, registry changes, and more. The SwiftOnSecurity Sysmon config is the standard starting point.
Network flow data: NetFlow, Zeek logs, or firewall logs showing connections between hosts. Essential for detecting C2 beaconing and lateral movement.
DNS logs: Attackers use DNS for C2 (DNS tunneling), data exfiltration, and domain generation algorithm (DGA) based infrastructure. Anomalous DNS query patterns are a reliable hunting signal.
EDR telemetry: Tools like CrowdStrike Falcon, SentinelOne, or Microsoft Defender for Endpoint provide rich process, network, and file telemetry that’s far more detailed than native Windows logs.
Practical Hunt: Detecting LSASS Credential Dumping
Hypothesis: An attacker has used a credential dumping tool (Mimikatz, ProcDump, Task Manager) to dump LSASS memory.
Data source: Sysmon Event ID 10 (ProcessAccess) targeting lsass.exe
Query (in Splunk or KQL):
// Splunk SPL (assumes Sysmon events are indexed with their native field names)
index=sysmon EventCode=10 TargetImage="*lsass.exe"
| stats count by SourceImage, SourceUser, ComputerName, GrantedAccess
| where GrantedAccess IN ("0x1FFFFF", "0x1F3FFF", "0x143A")
// Microsoft Sentinel KQL
// Table and column names depend on how Sysmon is ingested into the workspace;
// adjust to the schema your connector or parser produces.
SecurityEvent
| where EventID == 10
| where TargetImage contains "lsass.exe"
| where GrantedAccess in ("0x1FFFFF", "0x1F3FFF", "0x143A")
| summarize count() by InitiatingProcessName, Account, Computer
The GrantedAccess values above are common access masks used by dumping tools. Legitimate Windows processes that access LSASS (Windows Defender, AV) have known access masks and source paths — filter these out and investigate the remainder.
Practical Hunt: Detecting Beaconing C2
Malware often connects to a command-and-control server at regular intervals (beaconing). This produces a distinctive pattern in network logs.
Hypothesis: A compromised host is beaconing to a C2 server every N seconds.
Analysis approach:
import pandas as pd

# Load DNS or NetFlow logs (expected columns: src_ip, dst_domain, timestamp)
df = pd.read_csv('dns_logs.csv')

# Group connections by source IP and destination domain, then look at the
# time deltas between consecutive connections within each group
connections = df.groupby(['src_ip', 'dst_domain'])
for (src, dst), group in connections:
    if len(group) < 5:
        continue  # too few connections to judge regularity
    times = pd.to_datetime(group['timestamp']).sort_values()
    deltas = times.diff().dropna()
    # Low standard deviation = regular beaconing
    std = deltas.dt.total_seconds().std()
    mean = deltas.dt.total_seconds().mean()
    if std < 30 and mean < 300:  # Very regular, < 5 min interval
        print(f"Potential beacon: {src} -> {dst} every ~{mean:.0f}s (±{std:.0f}s)")
Low standard deviation in connection timing is the statistical signature of a beaconing implant.
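The same regularity test, written here as an added example (not the article's own script) that runs offline on constructed sample connections instead of a CSV. It goes one step beyond the script above by scoring regularity with the coefficient of variation (std/mean), so a 60 s beacon with a few seconds of jitter and a 10 min beacon with proportionally more jitter are judged on the same scale; host addresses and domains are invented.

```python
from datetime import datetime, timedelta
from statistics import mean, pstdev

def _series(src, dst, start, gaps):
    """Build (src, dst, timestamp) rows from a list of inter-connection gaps in seconds."""
    rows, t = [], start
    for g in gaps:
        t = t + timedelta(seconds=g)
        rows.append((src, dst, t))
    return rows

# Constructed sample standing in for DNS/NetFlow rows:
#  10.0.0.5 resolves one domain every ~60 s with small jitter (beacon-like)
#  10.0.0.9 hits a domain in an irregular burst (ordinary browsing)
#  10.0.0.7 has too few connections to judge
START = datetime(2024, 1, 1, 9, 0, 0)
SAMPLE_LOGS = (
    _series("10.0.0.5", "update.example-cdn.invalid", START, [0, 58, 61, 60, 59, 62, 60, 58])
    + _series("10.0.0.9", "news.example.invalid", START, [0, 3, 1, 240, 2, 900, 5, 30])
    + _series("10.0.0.7", "one-off.example.invalid", START, [0, 10])
)

def beacon_candidates(rows, min_conns=5, max_mean=300.0, max_cv=0.2):
    """Return {(src, dst): (mean_gap, std_gap)} for pairs whose gaps between
    consecutive connections are both short (mean <= max_mean seconds) and
    regular (std/mean <= max_cv)."""
    by_pair = {}
    for src, dst, ts in rows:
        by_pair.setdefault((src, dst), []).append(ts)
    found = {}
    for pair, times in by_pair.items():
        if len(times) < min_conns:
            continue  # too few connections to judge periodicity
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        m, s = mean(gaps), pstdev(gaps)
        if m > 0 and m <= max_mean and s / m <= max_cv:
            found[pair] = (m, s)
    return found

if __name__ == "__main__":
    for (src, dst), (m, s) in beacon_candidates(SAMPLE_LOGS).items():
        print(f"Potential beacon: {src} -> {dst} every ~{m:.0f}s (+-{s:.0f}s)")
```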
Hunting Tools
Velociraptor: Open-source endpoint forensics and threat hunting platform. Deploy agents across your fleet and run VQL (Velociraptor Query Language) hunts across all endpoints simultaneously. Outstanding for checking persistence mechanisms, recent file changes, and memory artifacts.
KAPE (Kroll Artifact Parser and Extractor): Collects forensic artifacts from endpoints (browser history, registry hives, event logs, prefetch) in minutes. Pair with Eric Zimmerman’s tools for rapid analysis.
DeepBlueCLI: PowerShell script that parses Windows event logs for known attack patterns — credential spraying, Mimikatz, service creation, and more. Excellent for quick triage on a single system.
Chainsaw: Rust-based tool for rapid forensic analysis of Windows event logs using Sigma rules and regex patterns. Blazing fast on large log sets.
Turning Hunt Findings into Detection Rules
Every successful hunt should end with a new detection rule. If you found LSASS access via a process you didn’t have alerting for, write a Sigma rule for it:
title: Suspicious LSASS Access from Unknown Process
id: 3e4a...
status: experimental
description: Detects access to LSASS memory from processes not commonly seen
logsource:
    product: windows
    category: process_access
detection:
    selection:
        TargetImage|endswith: '\lsass.exe'
        GrantedAccess|contains:
            - '0x1FFFFF'
            - '0x1F3FFF'
    filter:
        SourceImage|contains:
            - 'MsMpEng.exe'
            - 'csrss.exe'
    condition: selection and not filter
level: high
This converts a manual hunt into an automated detection — ensuring you’ll catch it automatically next time while freeing hunters to investigate new hypotheses.
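The LSASS hunt and the Sigma rule above express the same `selection and not filter` logic; this added example (not code from the article) runs that logic over constructed Sysmon Event ID 10 records so the triage step in the hunt section can be tested offline. It tightens the rule's name-only allowlist by also requiring each known-good accessor to run from its expected directory; hosts, users and paths are invented.

```python
# Constructed Sysmon Event ID 10 (ProcessAccess) records trimmed to the fields
# the hunt uses; hosts, users and paths are invented for illustration.
LSASS = "C:\\Windows\\System32\\lsass.exe"
SAMPLE_EVENTS = [
    {"Computer": "WS01", "SourceUser": "NT AUTHORITY\\SYSTEM", "TargetImage": LSASS,
     "SourceImage": "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18\\MsMpEng.exe",
     "GrantedAccess": "0x1FFFFF"},
    {"Computer": "WS01", "SourceUser": "NT AUTHORITY\\SYSTEM", "TargetImage": LSASS,
     "SourceImage": "C:\\Windows\\System32\\csrss.exe", "GrantedAccess": "0x1FFFFF"},
    {"Computer": "WS02", "SourceUser": "CORP\\jdoe", "TargetImage": LSASS,
     "SourceImage": "C:\\Users\\jdoe\\Downloads\\procdump64.exe", "GrantedAccess": "0x1FFFFF"},
    {"Computer": "WS02", "SourceUser": "CORP\\jdoe", "TargetImage": LSASS,
     "SourceImage": "C:\\Windows\\System32\\svchost.exe", "GrantedAccess": "0x1000"},
    {"Computer": "WS03", "SourceUser": "CORP\\jdoe", "TargetImage": LSASS,
     "SourceImage": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\MsMpEng.exe", "GrantedAccess": "0x1FFFFF"},
]

SUSPICIOUS_MASKS = {"0x1fffff", "0x1f3fff", "0x143a"}
# Known-good LSASS accessors keyed by file name, with the directory each is
# expected to run from. Checking the directory as well as the name keeps a
# binary merely renamed to MsMpEng.exe from hiding behind the allowlist.
KNOWN_GOOD = {
    "msmpeng.exe": "c:\\programdata\\microsoft\\windows defender\\",
    "csrss.exe": "c:\\windows\\system32\\",
}

def selection(ev):
    """Sigma 'selection': LSASS as target and a dumping-style access mask."""
    return (ev["TargetImage"].lower().endswith("\\lsass.exe")
            and ev["GrantedAccess"].lower() in SUSPICIOUS_MASKS)

def known_good(ev):
    """Sigma 'filter': the source is an expected process in its expected directory."""
    src = ev["SourceImage"].lower()
    name = src.rsplit("\\", 1)[-1]
    return name in KNOWN_GOOD and src.startswith(KNOWN_GOOD[name])

def hunt_lsass_access(events):
    """'selection and not filter', counted per source/user/host/mask as in the SPL query."""
    hits = {}
    for ev in events:
        if selection(ev) and not known_good(ev):
            key = (ev["SourceImage"], ev["SourceUser"], ev["Computer"], ev["GrantedAccess"])
            hits[key] = hits.get(key, 0) + 1
    return hits

if __name__ == "__main__":
    for key, n in hunt_lsass_access(SAMPLE_EVENTS).items():
        print(n, *key)
```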
Building a Threat Hunting Practice
Start with ATT&CK’s most common techniques for your industry, generate one hypothesis per week, and document everything. Over months, this builds a library of hunts that systematically covers your attack surface. The goal is not to find something every hunt — a clean hunt is still valuable, confirming your environment is clear of that technique today.