Threat hunting is proactive — actively searching for adversary activity that automated detection missed. Unlike SOC triage (reactive, works from alerts), hunting starts with a hypothesis and tests it against available data. This module covers the workflow, the hypothesis-driven method, and practical queries to start hunting tonight.

Why hunt

Automated detections catch KNOWN patterns; hunts find novel/unknown
Hunting surfaces detection gaps — feedback loop improves detection
APT groups dwell for months; hunting shortens dwell time
Proactive discipline aligned with MITRE ATT&CK

The hypothesis-driven workflow

Form hypothesis — a specific, testable statement. “Attackers are persisting via scheduled tasks in our fleet”
Identify data sources — where evidence would live if hypothesis is true
Query — write SIEM / EDR queries to surface matching events
Triage results — differentiate benign from suspicious
Escalate or close — real finding → incident; false → document hypothesis tested
Feedback — if hypothesis was good but data was missing, improve logging. If hypothesis produced many false positives, refine future queries.

Hunt pyramid (Sqrrl)

Pyramid of hunt maturity:

Hash indicators — trivial to match, trivial for attacker to change
IP addresses — simple, easy to rotate
Domain names — moderate effort to change
Network / host artifacts — specific tool signatures
Tools — attackers use finite tools; detect tool usage patterns
TTPs (Tactics, Techniques, Procedures) — most difficult for attacker to change; most valuable for defenders

Mature hunts target the top of the pyramid — TTPs. Hunts for “svchost.exe with unusual parent process” find adversary behaviour regardless of specific tool.

Sample hypotheses (with queries)

1. Scheduled task persistence

# Hypothesis: malware persists via scheduled task executing from uncommon paths

# Sysmon / Windows Event: look for schtasks.exe process creation
EventCode=1 (Process Create) AND
  Image LIKE "%schtasks.exe" AND
  (CommandLine CONTAINS "/create" OR CommandLine CONTAINS "/change")

# Investigate every hit; legitimate deployments have predictable patterns
# Attacker tasks: random names, executables in %TEMP%, Users\Public, Downloads

2. Outbound DNS anomalies

# Hypothesis: DNS tunnelling from workstations

SELECT src_ip, count(DISTINCT dns_query) AS distinct_queries,
       avg(length(dns_query)) AS avg_query_length
FROM dns_logs
WHERE time > now() - 7d
GROUP BY src_ip
HAVING distinct_queries > 1000 OR avg_query_length > 50

3. LSASS access

# Hypothesis: Mimikatz-class LSASS memory read from unusual process

EventCode=10 (Process Access) AND
  TargetImage LIKE "%lsass.exe" AND
  GrantedAccess HAS 0x1010 AND  # PROCESS_VM_READ + PROCESS_QUERY_INFORMATION
  SourceImage NOT IN (known_legitimate_processes)

4. Unusual logon patterns

# Hypothesis: credential stuffing / password spray

SELECT TargetUserName, COUNT(DISTINCT IpAddress) AS distinct_ips
FROM auth_logs
WHERE Result = 'Failure' AND Event = '4625'
  AND time > now() - 1h
GROUP BY TargetUserName
HAVING distinct_ips > 5

5. New service installations (across fleet)

# Hypothesis: lateral movement via service creation (PsExec-style)

EventCode=7045  # Service installed
| stats values(ServiceName) AS services, dc(ComputerName) AS hosts BY ServiceName
# Services appearing on many hosts in short time window = propagation pattern

Tools

SIEM — Splunk, Elastic, Microsoft Sentinel, Sumo, Wazuh
EDR — CrowdStrike Falcon, SentinelOne, MS Defender for Endpoint
MITRE ATT&CK Navigator — map coverage; pick hunts for uncovered techniques
Atomic Red Team — generate known-attack signals for validating hunts
Velociraptor — open-source IR / hunt at scale

Measuring hunt program maturity

Hypotheses-per-week run
False-positive rate per hypothesis
True-positive rate + severity
Time from hypothesis to new detection rule
Coverage: ATT&CK techniques hunted in last 90 days
Dwell time reduction — are you finding things faster?

Common pitfalls

Starting without a hypothesis — becomes needle-in-haystack tour
Missing data sources — hypothesis can’t be tested; improve logging first
Too many false positives — hypothesis too broad; refine
Not feeding back — findings don’t become new automated detections
Hunting only during incidents — should be a continuous discipline

Quick reference summary

Hunting = proactive; starts with hypothesis, not alert
Workflow: hypothesis → data → query → triage → escalate or close → feedback
Hunt the top of the pyramid (TTPs, tools) not the bottom (hashes, IPs)
Sample hypotheses: scheduled tasks, DNS anomalies, LSASS access, logon patterns, service creation
Tools: SIEM + EDR + ATT&CK Navigator + Atomic Red Team
Measure: hypotheses/week, coverage, dwell-time reduction
Feedback: hunt findings → new detections → improved automated coverage

🧠

Check your understanding

Module Quiz · 20 questions

Pass with 70%+ to mark this module complete. Unlimited retries. Each question shows an explanation.

🔐 Intermediate Module · Basic Tier

Continue reading with Basic tier (₹499/month)

You've read 60% of this module. Unlock the remaining deep-dive, quiz, and every other Intermediate module.

99+ modulesAll levels up to this tier

20-question quizzesUnlimited retries with explanations

Completion certificatesShareable on LinkedIn

See pricing → Sign in

Module 7 · Threat Hunting Workflow 🔒