Your SIEM is doing its job. Alerts fire, analysts triage, tickets close. Everything looks fine. Meanwhile, someone has been inside your network for 197 days, using your own tools against you, and nothing — not your firewall, not your EDR, not your fancy ML-powered anomaly engine — has said a word. Threat hunting is the discipline of going looking for that someone, on purpose, before the damage report lands on your desk.
The TLDR
Threat hunting assumes your defenses have already been bypassed and goes looking for proof. It’s proactive, hypothesis-driven investigation that doesn’t wait for an alert to tell you something’s wrong. You start with an assumption — “an attacker is using stolen credentials to move laterally” — and then you dig through telemetry until you prove or disprove it. The outcome isn’t just finding bad actors. It’s building new detection rules so the machines catch it next time.
The Reality
Automated detection catches the noisy ones. Script kiddies running known exploits, commodity malware phoning home to blacklisted C2 servers, brute force login attempts hammering your VPN. Your SIEM was built for that. Fine.
But advanced persistent threats and skilled attackers don’t trip alerts. They use living-off-the-land techniques — PowerShell, WMI, RDP, PsExec, legitimate remote administration tools that your environment already trusts. They don’t drop custom malware. They use your tools. That’s the whole point.
The numbers are grim. Industry reports consistently show median dwell times measured in months, not days. That’s months of an attacker inside your environment, mapping your network, exfiltrating data, positioning for the final move — while your dashboards glow green.
The 2023 CISA advisory on threat hunting made it explicit: organizations relying solely on signature-based and rule-based detection are missing the threats that matter most. The machine catches what it’s been told to look for. It can’t catch what it’s never seen.
How It Works
Reactive vs. Proactive
Alert-driven security is reactive. Something triggers a rule, an analyst investigates, the incident gets classified. That model works until the attacker is sophisticated enough to avoid triggering anything.
Threat hunting flips the model. You don’t wait for the alert. You formulate a hypothesis about attacker behavior and go looking for evidence. The data was always there — in your logs, your EDR telemetry, your netflow records. Nobody was asking the right questions.
The Hypothesis-Driven Hunt
Every hunt starts with a hypothesis. Not a vague “let’s look for bad stuff” — a specific, testable statement:
- “An attacker is using stolen service account credentials to access the finance database after hours.”
- “A compromised workstation is beaconing to a C2 server using DNS tunneling.”
- “Someone is using RDP lateral movement between systems that have no business talking to each other.”
The hypothesis gives you focus. Without it, you’re just scrolling through logs hoping something looks weird. That’s not hunting — that’s doom-scrolling your SIEM.
The Hunt Cycle
The cycle is simple. Executing it is not.
- Hypothesis — Based on threat intelligence, MITRE ATT&CK techniques, or gut instinct informed by experience.
- Data Collection — Pull the relevant telemetry. EDR process execution logs, authentication events, DNS queries, netflow data, proxy logs.
- Investigation — Analyze the data. Look for anomalies against your baseline. Stack-count the fields, run frequency analysis, chase the long tail.
- Findings — Document what you found — or didn’t find. Both outcomes have value.
- New Detections — Convert confirmed findings into automated detection rules. The hunt feeds the machine. Next time, the SIEM catches it.
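The cycle above run once for the DNS-beaconing hypothesis from the earlier list, as an added example that is not from the original article: the hosts, domains and log records are constructed, and the investigation step uses one common frequency-analysis scoring (coefficient of variation of the query intervals), not any particular tool's method.

```python
# Added example (not from the original article): one pass through the hunt
# cycle for the hypothesis "a workstation is beaconing to C2 over DNS".
# The investigation step is frequency analysis of query inter-arrival times.
# Log records, host names and domains below are constructed.
from collections import defaultdict
from statistics import mean, pstdev

# Constructed DNS log: (epoch seconds, source host, queried domain).
# ws-07 resolves one domain every ~60 s with slight jitter, ws-09 browses
# irregularly, and both hosts poll the internal mail server every 5 minutes.
DNS_LOG = [(60 * i + (i % 3), "ws-07", "cdn-sync.example-constructed.net")
           for i in range(60)]
DNS_LOG += [(t, "ws-09", "www.example.com") for t in
            (12, 140, 903, 977, 1002, 1450, 1467, 2450, 2461, 3000, 3390, 3500)]
DNS_LOG += [(t, host, "mail.corp.example")
            for host in ("ws-07", "ws-09") for t in range(5, 3600, 300)]

# Baseline: domains legitimate software polls on a fixed schedule. Without
# this list every update checker and mail client looks like a beacon.
KNOWN_POLLERS = {"mail.corp.example"}

def beacon_candidates(log, min_queries=10, max_cv=0.1, known=KNOWN_POLLERS):
    """Flag (host, domain) pairs whose query timing is suspiciously regular.

    Regularity is the coefficient of variation (stdev / mean) of the gaps
    between consecutive queries: a fixed sleep interval gives a low CV even
    when the implant adds a little jitter, while human browsing does not."""
    times = defaultdict(list)
    for ts, host, domain in log:
        times[(host, domain)].append(ts)
    findings = []
    for (host, domain), ts_list in times.items():
        if domain in known or len(ts_list) < min_queries:
            continue
        ts_list.sort()
        gaps = [b - a for a, b in zip(ts_list, ts_list[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            findings.append({"host": host, "domain": domain, "queries": len(ts_list),
                             "interval_s": round(avg, 1), "cv": round(cv, 3)})
    # Most regular first; a confirmed entry becomes the threshold for a detection rule.
    return sorted(findings, key=lambda f: f["cv"])

if __name__ == "__main__":
    for f in beacon_candidates(DNS_LOG):
        print(f)
```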
Data Sources That Matter
You can’t hunt in data you don’t collect. The essentials:
- EDR telemetry — Process creation, parent-child relationships, command-line arguments. If you don’t know what’s executing on your endpoints, you’re blind.
- Authentication logs — Kerberos events, NTLM authentication, failed logins, service account usage. T1078 (Valid Accounts) is one of the most common ATT&CK techniques for a reason.
- DNS logs — Every DNS query is a story. C2 beaconing, DNS tunneling, DGA domains — it’s all in the queries if you’re collecting them.
- Network flow data — Who’s talking to whom, how much data is moving, at what times. Lateral movement and exfiltration both leave traces in netflow.
- Process execution logs — Sysmon on Windows is non-negotiable. Process creation events with command-line logging are the bread and butter of endpoint hunting.
Frameworks and Methodologies
The MITRE ATT&CK framework is your map. It catalogs attacker techniques across tactics — Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Exfiltration, Command and Control. Structure your hunts around the techniques most relevant to your environment.
The Pyramid of Pain (David Bianco’s model) explains why hunting for TTPs matters more than hunting for indicators. Hash values are trivial for an attacker to change. IP addresses rotate. Domain names are cheap. But techniques and procedures — the way an attacker operates — are expensive to change. Hunt at the top of the pyramid.
The Sqrrl Threat Hunting Framework (before AWS acquired them) formalized the hunt loop and introduced the concept of hunting maturity levels. Most organizations sit at level zero — purely automated, no human-driven hunting. Getting to level one means you have at least ad hoc hunts. The goal is structured, repeatable hunting with documented hypotheses and outcomes.
Core Techniques
- Baseline and anomaly detection — You can’t spot abnormal if you don’t know normal. Establish baselines for process execution, network connections, authentication patterns. Then look for deviations.
- Stack counting — Count unique values across a field. If 99% of your endpoints run a specific set of processes and one endpoint runs something nobody else does, that’s your lead.
- Frequency analysis — Regular beaconing intervals in network traffic? Suspiciously consistent process execution times? Attackers are software too — they have patterns.
- Long-tail analysis — Sort by least common. The rarest events in your environment are where the interesting stuff hides. Most environments are remarkably homogeneous. The outliers deserve attention.
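Stack counting and long-tail analysis over process creation data, as an added example that is not from the original article; the fleet, paths and command lines are constructed, and the field names follow Sysmon Event ID 1.

```python
# Added example (not from the original article): stack counting and long-tail
# analysis over Sysmon-style process creation events (Event ID 1 field names
# Image, ParentImage, CommandLine). Hosts, paths and command lines are constructed.
from collections import defaultdict
def ev(host, parent, image, cmdline):
    return {"host": host, "ParentImage": parent, "Image": image, "CommandLine": cmdline}

# Constructed fleet: 20 workstations with the same everyday process mix.
EVENTS = []
for host in (f"ws-{n:02d}" for n in range(1, 21)):
    EVENTS += [
        ev(host, r"C:\Windows\explorer.exe", r"C:\Office\OUTLOOK.EXE", "OUTLOOK.EXE"),
        ev(host, r"C:\Windows\explorer.exe", r"C:\Browser\chrome.exe", "chrome.exe"),
        ev(host, r"C:\Windows\System32\services.exe",
           r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs"),
    ]
# Two rare parent/child pairs: a benign backup agent on one admin box, and an
# Office document spawning PowerShell, which is the kind of lead a hunt chases.
EVENTS.append(ev("ws-03", r"C:\Windows\System32\services.exe",
                 r"C:\BackupAgent\agent.exe", "agent.exe --nightly"))
EVENTS.append(ev("ws-07", r"C:\Office\WINWORD.EXE",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -w hidden -enc <constructed placeholder>"))
def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def parent_child(e):
    """Stack on the (parent, child) pair, not the child alone: powershell.exe
    is common everywhere, powershell.exe launched by Word is not."""
    return (basename(e["ParentImage"]), basename(e["Image"]))

def stack_count(events, key):
    """Map each distinct key value to the set of hosts it was seen on. Counting
    hosts rather than raw events keeps one chatty machine from looking fleet-wide."""
    seen = defaultdict(set)
    for e in events:
        seen[key(e)].add(e["host"])
    return seen

def long_tail(events, key, max_hosts=1):
    """Rarest values first: those present on at most max_hosts hosts, with the
    hosts where they appeared. This list is the analyst's worklist."""
    seen = stack_count(events, key)
    tail = [(v, sorted(h)) for v, h in seen.items() if len(h) <= max_hosts]
    return sorted(tail, key=lambda item: (len(item[1]), item[0]))

if __name__ == "__main__":
    for value, hosts in long_tail(EVENTS, parent_child):
        print(f"{len(hosts)} host(s) {hosts}: {value[0]} -> {value[1]}")
```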
The Toolbox
- Velociraptor — Open-source endpoint visibility and digital forensics tool. Lets you query endpoints at scale using VQL.
- YARA rules — Pattern matching for malware and suspicious files. Write rules to scan endpoints for known-bad indicators or behavioral patterns.
- Sigma rules — Vendor-agnostic detection rules for SIEM platforms. The SigmaHQ repository is a goldmine of community-driven detection logic.
- osquery — SQL-powered endpoint interrogation. Ask your fleet questions like a database. “Show me every process with a network connection to an IP outside the country.”
- Threat intelligence platforms — MISP, OpenCTI, or commercial options. Feed IOCs and TTP intelligence into your hunt hypotheses.
How It Gets Exploited
The usual suspects know you’re looking. The good ones build their entire tradecraft around evasion.
Living-off-the-land binaries (LOLBins). Why drop malware when you can use certutil.exe to download payloads, mshta.exe to execute scripts, or PowerShell to do basically anything? These are signed Microsoft binaries. Your allowlist loves them. Your SIEM ignores them by default.
Fileless malware. Never touches disk. Runs in memory, leverages legitimate processes, leaves minimal forensic artifacts. Your antivirus scans files. What’s it going to scan when there’s no file?
Timestamp manipulation. T1070.006 (Timestomp) — attackers modify file timestamps to blend malicious files into legitimate directories. That suspicious DLL? Its timestamp says it was installed with the OS three years ago.
Legitimate remote administration tools. AnyDesk, TeamViewer, ScreenConnect — all legitimate software that your organization might actually use. An attacker tunneling through ScreenConnect looks identical to an IT support session unless you’re looking at the context, not just the tool.
Log clearing and evidence destruction. T1070.001 (Clear Windows Event Logs). If hunting depends on log data, attacking the logs is the counter-move. Centralize your logs or lose them.
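Detection logic for the timestomping and log-clearing moves described above, as an added example that is not from the original article. It assumes Sysmon and Windows Security/System events are forwarded to a central store; the event records, hosts, users and the trusted-writer allowlist are constructed.

```python
# Added example (not from the original article): detection logic for the two
# anti-forensics moves above, over constructed Windows event records. Sysmon
# Event ID 2 ("file creation time changed") carries Image, TargetFilename,
# CreationUtcTime and PreviousCreationUtcTime; Security 1102 and System 104 are
# the built-in "log cleared" events. All hosts, users, paths and times are constructed.
from datetime import datetime, timedelta

TS = "%Y-%m-%d %H:%M:%S"  # timestamps simplified to whole seconds

# Constructed baseline exception: tools that legitimately rewrite creation times
# (archive extractors, backup restores). Fill this from your own environment.
TRUSTED_TIMESTAMP_WRITERS = {r"c:\backupagent\agent.exe"}

SYSMON = "Microsoft-Windows-Sysmon/Operational"
EVENTS = [  # constructed sample, as it would arrive at a central SIEM
    {"channel": SYSMON, "EventID": 2, "host": "ws-07",
     "Image": r"C:\Users\jdoe\AppData\Local\Temp\upd.exe",
     "TargetFilename": r"C:\Windows\System32\constructed.dll",
     "PreviousCreationUtcTime": "2024-05-02 09:14:07",
     "CreationUtcTime": "2021-03-11 04:02:55"},
    {"channel": SYSMON, "EventID": 2, "host": "ws-03",
     "Image": r"C:\BackupAgent\agent.exe", "TargetFilename": r"C:\Restore\report.docx",
     "PreviousCreationUtcTime": "2024-05-02 01:00:00",
     "CreationUtcTime": "2022-08-19 16:40:12"},
    {"channel": "Security", "EventID": 1102, "host": "ws-07", "SubjectUserName": "jdoe"},
]

def hunt_anti_forensics(events, backdate_days=30, trusted=TRUSTED_TIMESTAMP_WRITERS):
    """Return hunt findings for T1070.006 (timestomp) and T1070.001 (log clearing)."""
    findings = []
    for e in events:
        if e["channel"] == SYSMON and e["EventID"] == 2:
            if e["Image"].lower() in trusted:
                continue  # known-good writer, not a lead
            new = datetime.strptime(e["CreationUtcTime"], TS)
            old = datetime.strptime(e["PreviousCreationUtcTime"], TS)
            # Backdating by a wide margin is what blends a fresh file into an old
            # directory; small forward adjustments are ordinary noise.
            if old - new >= timedelta(days=backdate_days):
                findings.append({"technique": "T1070.006", "host": e["host"],
                                 "image": e["Image"], "file": e["TargetFilename"],
                                 "backdated_days": (old - new).days})
        elif (e["channel"], e["EventID"]) in {("Security", 1102), ("System", 104)}:
            # Only visible because the record was forwarded before the local log died.
            findings.append({"technique": "T1070.001", "host": e["host"],
                             "user": e.get("SubjectUserName", "unknown")})
    return findings

if __name__ == "__main__":
    for f in hunt_anti_forensics(EVENTS):
        print(f)
```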
What You Can Do
Start hunting. You don’t need a twenty-person SOC and a seven-figure budget. You need data, a hypothesis, and time.
- Start with the MITRE ATT&CK top techniques. Pick the five most commonly observed techniques in your sector. Build a hunt for each one. T1059 (Command and Scripting Interpreter), T1078 (Valid Accounts), and T1021 (Remote Services) are near-universal starting points.
- Hunt weekly. Put it on the calendar. One hypothesis, one hunt, one afternoon. Consistency matters more than duration.
- Convert findings into detections. Every successful hunt should produce at least one new Sigma rule or SIEM correlation. The hunt feeds the machine. Next time, it’s automated.
- Build a hunt calendar. Rotate through ATT&CK tactics monthly. January is Lateral Movement. February is Persistence. March is Credential Access. Keep cycling.
- Invest in Sysmon and centralized logging. You cannot hunt in data you don’t have. Deploy Sysmon with a solid configuration. Forward everything to a central SIEM. If the attacker clears local logs, you still have the copies.
- Know your baseline. Spend time understanding what normal looks like before you go looking for abnormal. The hunt for anomalies starts with knowing what isn’t one.
Related Deep Dives
- SOC Operations — the operational home where hunting happens
- SIEM & Logging — the data sources that make hunting possible
Sources & Further Reading
- MITRE ATT&CK Framework — The definitive catalog of adversary tactics, techniques, and procedures
- CISA Cybersecurity Advisories — Active threat guidance and hunting recommendations
- NIST Cybersecurity Framework — The Detect function maps directly to hunting and monitoring capabilities
- Sigma Rules (SigmaHQ) — Community-maintained detection rules for SIEM platforms
- Velociraptor Documentation — Open-source endpoint monitoring and forensics
- ISC2 Security Operations Resources — Professional development for security operations practitioners
- OWASP — Application-layer attack patterns that feed hunt hypotheses