Threat hunting flips the traditional security model on its head: instead of waiting for alerts, you proactively assume compromise and go looking for evidence. Done well, it catches adversaries that slip past automated defenses. This guide walks through a practical, repeatable process you can apply regardless of your organization's size or toolset.
Why Hunting Matters
Signature-based detection and even most behavioral analytics only catch known-bad patterns or obvious anomalies. Skilled attackers deliberately operate below that threshold, using legitimate tools (living-off-the-land binaries), valid credentials, and slow, patient movement. Threat hunting closes that gap by having a human analyst form hypotheses about attacker behavior and actively search for supporting evidence in your telemetry.
Build a Hypothesis-Driven Process
Effective hunts start with a specific, testable hypothesis rather than an open-ended fishing expedition. Good hypotheses typically come from three sources:
- Threat intelligence: A new report describes a technique used by a group that targets your industry. Hypothesis: "If this group is active in our environment, we'd see PowerShell downloading payloads via a specific pattern."
- MITRE ATT&CK gaps: Map your current detection coverage against ATT&CK techniques and prioritize hunts for techniques you can't currently detect automatically.
- Anomaly-driven curiosity: Unusual login times, rare parent-child process relationships, or unexpected outbound connections that don't trigger alerts but look odd on review.
Document each hypothesis, the data sources you'll query, and what evidence would confirm or refute it. This discipline prevents hunts from becoming unfocused and makes results reproducible.
Know Your Data Sources
A hunt is only as good as the telemetry behind it. Core sources include:
- Endpoint Detection and Response (EDR) logs: process creation, command-line arguments, file writes, network connections per process.
- Windows Event Logs: especially Security (4624/4625 logons), Sysmon (process creation, network, registry), and PowerShell operational logs.
- Network data: NetFlow/Zeek logs for connection metadata, DNS query logs, and proxy logs for outbound web traffic.
- Authentication logs: from identity providers, VPNs, and directory services to spot impossible travel or credential abuse.
- Cloud audit logs: CloudTrail, Azure Activity Logs, or GCP Audit Logs for privilege changes and API abuse.
Centralize these in a SIEM or data lake where you can run ad-hoc queries quickly. If your retention is too short, hunts against historical intrusions become impossible—aim for at least 90 days where feasible.
Practical Hunting Techniques
Stack counting (frequency analysis): Count occurrences of a field—parent process names, scheduled task names, service names—across your environment. Outliers (a process running on one host out of ten thousand) often indicate something worth investigating.
SELECT parent_process, COUNT(*) as cnt
FROM process_events
GROUP BY parent_process
ORDER BY cnt ASC
LIMIT 50;
Least frequency of occurrence (LFO): Similar to stacking but applied to combinations, such as (user, source_ip) pairs for authentication, to surface rare access patterns.
Baseline deviation: Establish what "normal" looks like for a host or user (typical login hours, common processes) and flag deviations. This requires an initial investment in profiling but pays off for ongoing hunts.
Pivoting on IOCs and TTPs: Start from a known indicator (hash, domain, IP) or technique (e.g., T1055 process injection) and search across all available logs for related activity, then pivot outward from any hits to find related infrastructure or affected hosts.
Tools Worth Learning
- Sysmon + Sigma rules: Sysmon provides rich endpoint telemetry; Sigma gives you a portable rule format to detect and hunt across SIEM platforms.
- Velociraptor or osquery: For fleet-wide live querying when you need to check hundreds of endpoints for a specific artifact right now.
- Zeek: For deep network protocol analysis beyond simple NetFlow.
- MITRE ATT&CK Navigator: To track and visualize hunt coverage over time.
Closing the Loop
Every hunt should produce an outcome beyond "found nothing." If you confirm malicious activity, feed it into incident response. If you find gaps in visibility, file them as detection engineering tickets. If a hunt technique proves valuable, convert it into an automated detection rule so future instances trigger alerts without manual effort. This turns threat hunting into a continuous improvement engine for your entire security program rather than a one-off exercise.
Keep a hunt log with hypotheses, queries used, and findings—this institutional knowledge compounds over time and makes onboarding new hunters far faster.
Ready to go deeper? Explore Korra Studio's Digital Forensics and Blue Team segments to build the detection and investigation skills that pair naturally with threat hunting.