Threat Hunting


Threat hunting doesn’t have to be complex, but it’s not for everyone. Knowing how to begin and end a hunt is more important than knowing how to carry out a hunt. If you need a place to start, look at trends in the threat landscape and focus on threats that you do not have automated alerts/detections for. Hunting is a creative process that rewards those who take chances. Finish with something, anything actionable, so long as it provides value.

Guides and Reference

Hunting with MITRE ATTACK

DNS Hunting



  • OS/VM
    • RedHunt-OS - Virtual Machine for Adversary Emulation and Threat Hunting by RedHunt Labs
    • ThreatPursuit-VM - A fully customizable, open-sourced Windows-based distribution focused on threat intelligence analysis and hunting, designed for intel and malware analysts as well as threat hunters to get up and running quickly.
  • Platform
    • HELK: The Hunting ELK - The Hunting ELK, or simply the HELK, is one of the first open source hunt platforms with advanced analytics capabilities such as SQL declarative language, graphing, structured streaming, and even machine learning via Jupyter notebooks and Apache Spark over an ELK stack.
    • ACM's AI-Hunter - Platform for hunting and detecting malware on your network.
  • ThreatHunter's Toolkit - Threat Hunting Toolkit is a Swiss Army knife for threat hunting, log processing, and security-focused data science
  • DNS
    • - Mark Baggett's tool for detecting randomness using NLP techniques rather than pure entropy calculations. Uses character pair frequency analysis to determine the likelihood of tested strings of characters occurring.
    • domain_stats - Domain_stats is a log enhancement utility intended to help you find threats in your environment. It will identify the following possible threats in your environment.
    • dnstwist - Domain name permutation engine for detecting homograph phishing attacks, typo squatting, and brand impersonation
  • Misc Tools
    • DeepBlueCLI - a PowerShell Module for Threat Hunting via Windows Event Logs
    • LogonTracer - LogonTracer is a tool to investigate malicious logons by visualizing and analyzing Windows Active Directory event logs.
    • APT-Hunter - Threat hunting tool for Windows event logs, built with a purple-team mindset, that detects APT movements hidden in the sea of Windows event logs to decrease the time needed to uncover suspicious activity
    • PSHunt - PowerShell Threat Hunting Module
    • PSRecon - Gathers data from a remote Windows host using PowerShell (v2 or later), organizes the data into folders, hashes all extracted data, hashes PowerShell and various system properties, and sends the data off to the security team. The data can be pushed to a share, sent over email, or retained locally.
    • Mihari - A framework for continuous OSINT-based threat hunting
    • Oriana - A threat hunting tool that leverages a subset of Windows events to build relationships, calculate totals and run analytics. The results are presented in a web layer to help defenders identify outliers and suspicious behavior in corporate environments.
    • rastrea2r - A multi-platform open source tool that allows incident responders and SOC analysts to triage suspect systems and hunt for Indicators of Compromise (IOCs) across thousands of endpoints in minutes.
    • Zircolite - A standalone SIGMA-based detection tool for EVTX.
    • chainsaw - Rapidly Search and Hunt through Windows Event Logs
    • - fast and flexible multi-platform IOC and YARA scanner


Hunting Theory

  • Types of Hunts - **This will cause some disagreement amongst threat hunting theorists, but this is the common thought process.** There are 3 types of hunts:
    • Automated - IoC ingest, should be performed by your SIEM and SOAR
    • Continuous - Situational awareness and Behavioral analytics. If these can be turned into alerting searches, all the better. Otherwise these should be scheduled at reasonable intervals.
    • On demand - Looking for specific activity. This typically has a temporal element such as responding to given intelligence.
  • 3 types of Hunt hypothesis
    • Threat Intelligence - These are hunts for specific indicators. These are easy, low-hanging fruit, and should be followed by adding the indicators to any alerting mechanisms present.
    • Situational Awareness - These hunts are for looking at normal system and network operations and identifying activity that is outside of normal operations. This can include changes in volume/frequency of events, the methodology of certain activities, or the specific data points associated with certain events.
      • One of the biggest threat hunting skills is not only seeing what data doesn't belong, but also seeing what data is missing.
    • Domain Expertise - This is one that requires specific knowledge of your local environment. These hunts look for similar items as Situational Awareness, with the added context of looking for oddities in your specific organization's operations. Many of these will be violations of corporate policy or local practice and standards.
  • Hunt determinations
    • Can this hunt be automated?
    • Can this hunt be repeatable?
    • Are the indicators in this hunt monitored by other services?
    • Are we already hardened against these indicators?
  • Hunting Strategy questions:
    • What are you hunting?
    • Where will you find it?
    • How will you find it?
    • When will you find it?
    • Ask these questions for each point of the Diamond Model
    • Threat Hunting with Elastic Stack - pg. 29


Repeatable hunts

These are hunt theories and searches that can and should be performed regularly.

Long Tail Analysis
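The situational-awareness hunt described under Hunting Theory (shifts in event volume, rare items, and data that should be there but is not) and the Long Tail Analysis repeatable hunt both reduce to the same frequency comparison. The following is an added example, not code from the original page; the event records are constructed stand-ins for Windows event log entries, and the window names, event IDs and hosts are assumptions.

```python
"""Situational-awareness hunt: long-tail processes and missing log sources.

Added example, not from the original page. EVENTS is a constructed,
simplified stand-in for Windows event records: (window, host, event_id,
process). "baseline" is what hosts normally log, "current" is the window
being hunted.
"""
from collections import Counter

EVENTS = [
    ("baseline", "ws01", 4688, "outlook.exe"),
    ("baseline", "ws01", 4688, "chrome.exe"),
    ("baseline", "ws02", 4688, "outlook.exe"),
    ("baseline", "ws02", 4688, "chrome.exe"),
    ("baseline", "ws03", 4688, "outlook.exe"),
    ("baseline", "ws03", 4624, "-"),
    ("current", "ws01", 4688, "outlook.exe"),
    ("current", "ws01", 4688, "chrome.exe"),
    ("current", "ws02", 4688, "outlook.exe"),
    ("current", "ws02", 4688, "chrome.exe"),
    ("current", "ws02", 4688, "certutil.exe"),    # seen on one host only
    ("current", "ws02", 4688, "powershell.exe"),  # seen on one host only
    # ws03 logs nothing in the current window: the "missing data" case
]


def long_tail(events, window="current", max_hosts=1):
    """Processes (event 4688) seen on at most `max_hosts` distinct hosts in
    the window, with their host count. The rare end of the distribution is
    where automated alerting usually has no coverage."""
    hosts_per_process = {}
    for win, host, eid, proc in events:
        if win == window and eid == 4688:
            hosts_per_process.setdefault(proc, set()).add(host)
    return sorted((p, len(h)) for p, h in hosts_per_process.items()
                  if len(h) <= max_hosts)


def host_volume_changes(events, baseline="baseline", current="current",
                        ratio=2.0):
    """Per-host event counts that went silent (current == 0) or moved by at
    least `ratio` in either direction between the two windows. A silent
    host is a finding too: a stopped agent, a retired host or tampering."""
    counts = Counter((win, host) for win, host, _, _ in events)
    hosts = {host for _, host in counts}
    flagged = {}
    for host in hosts:
        b, c = counts[(baseline, host)], counts[(current, host)]
        if b and (c == 0 or c / b >= ratio or b / c >= ratio):
            flagged[host] = (b, c)
    return flagged
```

Run on real data, the baseline window should be long enough (weeks, not hours) that legitimate rare-but-normal processes have already been seen and triaged.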

Crown Jewel Analysis

Preparing for CJA requires organizations to do the following:
  • Identify the organization’s core missions.
  • Map the mission to the assets and information upon which it relies.
  • Discover and document the resources on the network.
  • Construct attack graphs:
    • Determine dependencies on other systems or information.
    • Analyze potential attack paths for the assets and their interconnections.
    • Rate any potential vulnerabilities according to severity.

This type of analysis allows hunters to prioritize their efforts to protect their most tempting targets by generating hypotheses about the threats that could impact the organization the most.

  • Crown Jewel Analysis - Crafting the Infosec Playbook: pg. 21
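The CJA steps above (mission to assets, documented resources and dependencies, attack paths, severity rating) carried through on a toy environment. This is an added example, not code from the page or from Crafting the Infosec Playbook; the mission, asset names, dependency edges and severity scores are all constructed.

```python
"""Crown Jewel Analysis: rank crown-jewel assets by exposure.

Added example, not from the original page. Everything below (mission,
assets, dependency edges, severity scores) is constructed.
"""

# Step 1 and 2: the core mission mapped to the assets it relies on.
MISSION_ASSETS = {"process payroll": ["payroll-db", "hr-app"]}

# Step 3 and 4a: documented resources and their dependencies. An edge
# A -> B means B is reached from, or relied upon by, A.
DEPENDS_ON = {
    "internet": ["vpn-gw", "web-proxy"],
    "vpn-gw": ["jump-host"],
    "web-proxy": ["hr-app"],
    "jump-host": ["hr-app", "payroll-db"],
    "hr-app": ["payroll-db"],
    "payroll-db": [],
}
# Step 4c: constructed vulnerability severity per resource, 0 to 10.
SEVERITY = {"internet": 0, "vpn-gw": 7, "web-proxy": 4, "jump-host": 9,
            "hr-app": 5, "payroll-db": 3}


def attack_paths(graph, start, target, path=None):
    """Step 4b: enumerate simple paths from `start` to `target` (DFS)."""
    path = (path or []) + [start]
    if start == target:
        return [path]
    found = []
    for nxt in graph.get(start, []):
        if nxt not in path:  # no cycles
            found.extend(attack_paths(graph, nxt, target, path))
    return found


def rate_path(path, severity):
    """Score a path by its weakest link: the highest severity on it."""
    return max(severity[node] for node in path)


def crown_jewel_report(mission_assets, graph, severity, entry="internet"):
    """(asset, path count, worst path score) for every crown jewel,
    most exposed first; these are the hunt hypotheses to start with."""
    report = []
    for assets in mission_assets.values():
        for asset in assets:
            paths = attack_paths(graph, entry, asset)
            worst = max((rate_path(p, severity) for p in paths), default=0)
            report.append((asset, len(paths), worst))
    return sorted(report, key=lambda r: (-r[2], -r[1], r[0]))
```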