Module 03 · Threat Hunting

Proactive Threat Hunting

Automated detection catches known threats. Threat hunting finds the adversaries that already bypassed your defenses and are living inside your network undetected.

Median attacker dwell time: 16 days. Threat hunting programs reduce dwell time by 2-3x by actively searching for indicators of compromise.

Fundamentals

Hunting vs Detection

Aspect      | Automated Detection                        | Threat Hunting
Approach    | Reactive — alerts fire on known signatures | Proactive — analyst-driven investigation
Coverage    | Known threats with existing rules          | Unknown threats, novel TTPs, living-off-the-land
Trigger     | SIEM rule, EDR alert, IOC match            | Hypothesis, threat intel, anomaly
Output      | Alert for triage                           | New detections, improved visibility, hardened defenses
Skill level | L1-L2 analyst can triage                   | Requires senior analysts with deep adversary knowledge

Detection and hunting are complementary. Every successful hunt should produce new automated detections.

Methodology

Hypothesis-Driven Hunting

Step 1. Form a hypothesis — Based on threat intel, recent incidents, or MITRE ATT&CK techniques. Example: "An attacker may be using scheduled tasks for persistence on our domain controllers."
Step 2. Identify data sources — What telemetry do you need? Windows Event Logs (4698, 4702), Sysmon events, EDR process creation logs. Validate that you actually collect this data.
Step 3. Investigate — Query across your environment. Look for anomalies: unusual scheduled task names, tasks created by unexpected users, tasks running encoded PowerShell.
Step 4. Respond & automate — If you find malicious activity, escalate to IR. If not, convert your hunt query into a permanent detection rule. Either way, document findings.

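The four steps above, carried out as an added Python example (not code from this module): it checks that 4698 events were collected at all, builds a fleet baseline of which hosts each task appears on, and flags tasks created by an unexpected account, running encoded PowerShell, or present on only one host. The sample events, the host names, the JSON field names and the EXPECTED_CREATORS allowlist are all constructed assumptions.

```python
import json
import re

# Constructed sample telemetry (not real data): Windows Security 4698 (task
# created) and 4702 (task updated) events, exported from a SIEM as JSON lines.
EVENTS_JSONL = r'''
{"host":"DC01","event_id":4698,"user":"CORP\\svc-backup","task":"\\Backup\\Nightly","command":"C:\\Backup\\run.exe /full"}
{"host":"DC02","event_id":4698,"user":"CORP\\svc-backup","task":"\\Backup\\Nightly","command":"C:\\Backup\\run.exe /full"}
{"host":"DC01","event_id":4698,"user":"CORP\\jsmith","task":"\\Updater","command":"powershell.exe -nop -w hidden -EncodedCommand QUFBQUFBQUFBQUFB"}
{"host":"DC02","event_id":4702,"user":"CORP\\svc-backup","task":"\\Backup\\Nightly","command":"C:\\Backup\\run.exe /full"}
'''

# Hypothetical baseline: accounts expected to create tasks on domain controllers.
EXPECTED_CREATORS = {r"CORP\svc-backup", r"CORP\Administrator"}
# PowerShell started with -e / -enc / -EncodedCommand followed by a base64 blob.
ENCODED_PS = re.compile(
    r"powershell(?:\.exe)?.*?\s-(?:encodedcommand|enc|e)\s+[A-Za-z0-9+/=]{8,}", re.I)


def parse_events(jsonl: str) -> list[dict]:
    """One JSON object per non-empty line."""
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]


def hunt_scheduled_tasks(events: list[dict], expected_creators=EXPECTED_CREATORS):
    """Steps 2-3: validate the data source, then look for deviations.

    Returns (findings, gaps): findings are (host, task, reasons) tuples worth a
    closer look; gaps are visibility problems to fix before the hunt can conclude.
    """
    created = [e for e in events if e.get("event_id") == 4698]
    if not created:
        return [], ["no 4698 (task created) events collected; fix task auditing first"]
    hosts_per_task: dict[str, set[str]] = {}  # fleet baseline: hosts per task name
    for e in created:
        hosts_per_task.setdefault(e["task"], set()).add(e["host"])
    findings = []
    for e in created:
        reasons = []
        if e["user"] not in expected_creators:
            reasons.append("creator not in baseline")
        if ENCODED_PS.search(e["command"]):
            reasons.append("encoded PowerShell")
        if len(hosts_per_task[e["task"]]) == 1:
            reasons.append("task unique to one host")
        if reasons:
            findings.append((e["host"], e["task"], reasons))
    return findings, []


if __name__ == "__main__":
    print(hunt_scheduled_tasks(parse_events(EVENTS_JSONL)))
```

On the sample data only the jsmith task on DC01 is flagged; with the 4698 events removed the function returns a visibility gap instead of an empty result, which is the Step 4 outcome "visibility gap to fix".
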
Framework

MITRE ATT&CK Mapping

Initial Access (T1566 / T1190): Hunt for phishing artifacts, exploitation of public-facing applications. Check web server logs for anomalous requests, email gateway for bypassed payloads.
Persistence (T1053 / T1547): Scheduled tasks, registry run keys, startup folders. Baseline what's normal, then find deviations across the fleet.
Lateral Movement (T1021 / T1550): Remote services, pass-the-hash, pass-the-ticket. Hunt for unusual SMB/RDP/WinRM connections between workstations.

Map your hunts to ATT&CK techniques to track coverage gaps. Use the ATT&CK Navigator to visualize which techniques you've hunted for and which remain blind spots.

Telemetry

Data Sources for Hunting

Endpoint (EDR & host logs): Process creation trees, file writes, registry modifications, loaded DLLs, network connections per process. EDR is your highest-fidelity source for adversary behavior.
Network (traffic & DNS): NetFlow, DNS query logs, proxy logs, TLS certificate metadata. Hunt for beaconing patterns, DGA domains, data exfiltration over DNS tunneling.
Identity (authentication logs): Failed/successful logons, service account usage, privilege escalation events, impossible travel. Active Directory is the crown jewel attackers target.
Cloud (API & audit trails): CloudTrail, Azure Activity Logs, GCP Audit Logs. Hunt for unusual API calls, cross-account access, IAM policy changes, data plane anomalies.

Maturity Model

Measuring Hunting Maturity

Level | Description                                             | Indicators
HM0   | Initial — Relies entirely on automated alerts           | No dedicated hunting, reactive only
HM1   | Minimal — Ad-hoc hunts using IOC searches               | Occasional hunts, no formal process
HM2   | Procedural — Documented hunt playbooks, regular cadence | Weekly hunts, hypothesis-driven, ATT&CK-aligned
HM3   | Innovative — Custom tooling, original research          | Data science techniques, ML-assisted anomaly detection
HM4   | Leading — Automated hunt workflows, threat intel-driven | Hunts generate org-specific detections, continuous improvement loop

Most organizations are at HM0-HM1. Reaching HM2 with consistent, documented hunts is the most impactful step you can take.

Team & Tools

Building a Hunting Team

People (skill requirements): Deep OS internals knowledge (Windows/Linux), network protocol analysis, scripting (Python, KQL, SPL), adversary tradecraft understanding. Start with 1-2 senior analysts dedicated to hunting.
Tools (hunting stack): SIEM/data lake (Splunk, Elastic, Sentinel), EDR console, Jupyter notebooks for analysis, MITRE ATT&CK Navigator, Sigma rules for cross-platform detections.

Remember this

Threat hunting is a skill, not a product. No tool will hunt for you. Invest in training your analysts to think like adversaries.

Every hunt should produce one of three outputs: a new detection rule, a visibility gap to fix, or confirmed malicious activity escalated to IR.

Track hunt metrics: hypotheses tested, new detections created, mean time to detect improvement, and coverage across ATT&CK techniques.