Overview
Threat hunting is the practice of proactively searching your environment for threats that have evaded automated detection. Unlike alert-driven investigation, hunting starts with a hypothesis about attacker behavior and uses data analysis to prove or disprove it. This playbook provides a structured methodology, sample hunt hypotheses organized by MITRE ATT&CK tactics, data source requirements, and guidance for building a repeatable hunting program.
Hunting Methodology
- Form a hypothesis based on threat intelligence, attack trends, or environmental risk
- Identify the data sources needed to test the hypothesis
- Develop hunt queries using SIEM, EDR, or log analytics tools
- Execute the hunt and analyze results for anomalies or indicators
- Document findings, including negative results
- Convert confirmed findings into automated detection rules
- Feed lessons learned back into the threat model and next hunting cycle
Sample Hunt Hypotheses by ATT&CK Tactic
| Tactic | Hypothesis | Key data sources |
|---|---|---|
| Initial Access | Adversaries are using spear-phishing links to deliver payloads via OneNote or PDF attachments | Email gateway logs, endpoint telemetry, web proxy |
| Execution | Attackers are using LOLBins (mshta, wscript, certutil) for fileless execution | EDR process creation logs, PowerShell script block logs |
| Persistence | Threat actors have established persistence through scheduled tasks or WMI subscriptions | Windows event logs (4698, 5861), Sysmon |
| Credential Access | Attackers are harvesting credentials using LSASS memory dumps | EDR memory access alerts, Sysmon event 10 |
| Lateral Movement | Adversaries are moving laterally using RDP or PsExec from compromised accounts | Windows logon events (4624, 4625), network flow data |
| Exfiltration | Data is being exfiltrated via DNS tunneling or large uploads to cloud storage | DNS query logs, web proxy, DLP alerts |
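As an added example (not part of the original playbook), here is the Exfiltration hypothesis from the table turned into a runnable hunt over a constructed DNS query log: it aggregates queries per client and zone and flags zones that receive many unique, long, high-entropy labels, the pattern DNS tunneling leaves behind. The registered-domain heuristic (last two labels) and the thresholds are assumptions chosen for the sample, not values from the page.

```python
import math
from collections import Counter, defaultdict

# Constructed sample DNS query log lines ("client queried_name"); not real traffic.
SAMPLE_DNS_LOG = [
    "10.0.0.5 www.example.com",
    "10.0.0.5 mail.example.com",
    "10.0.0.7 cdn.example.net",
    # One host issuing many long, high-entropy, never-repeated labels under one zone
    "10.0.0.9 a8f3k2lq9zxv7b4n1mwe5rty.tunnel-example.org",
    "10.0.0.9 q7wpz3mdl0k8xcv2bn5h1jag.tunnel-example.org",
    "10.0.0.9 z1x9c8v7b6n5m4a3s2d1f0gh.tunnel-example.org",
    "10.0.0.9 l3k5j7h9g1f2d4s6a8p0o9iu.tunnel-example.org",
    "10.0.0.9 m2n4b6v8c0x1z3a5s7d9f1gh.tunnel-example.org",
]

def shannon_entropy(s: str) -> float:
    """Bits per character; encoded data scores high, ordinary hostnames score low."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def registered_domain(name: str) -> str:
    """Assumption: the zone is the last two labels (no public-suffix list used here)."""
    return ".".join(name.split(".")[-2:])

def hunt_dns_tunneling(lines, min_unique=5, min_len=20, min_entropy=3.5):
    """Flag (client, zone) pairs with many unique subdomains that are long and high-entropy."""
    stats = defaultdict(set)
    for line in lines:
        client, name = line.split()
        labels = name.split(".")
        zone = registered_domain(name)
        sub = ".".join(labels[:-2])          # everything below the registered zone
        if sub:
            stats[(client, zone)].add(sub)
    findings = []
    for (client, zone), subs in stats.items():
        if len(subs) < min_unique:
            continue
        avg_len = sum(len(s) for s in subs) / len(subs)
        avg_ent = sum(shannon_entropy(s) for s in subs) / len(subs)
        if avg_len >= min_len and avg_ent >= min_entropy:
            findings.append({"client": client, "zone": zone, "unique_subdomains": len(subs),
                             "avg_label_len": round(avg_len, 1), "avg_entropy": round(avg_ent, 2)})
    return findings
```

Thresholds tuned on your own baseline are what separate a hunt from a noisy alert; CDNs and some security products also generate long unique labels, so review hits per zone before promoting this to a rule.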
Data Source Requirements
Effective hunting requires comprehensive visibility. At minimum, you need endpoint telemetry from an EDR tool that captures process creation, file operations, network connections, and registry changes. Layer on DNS query logs, web proxy logs, authentication events, and email gateway data. Cloud environments need API audit logs and resource access logs. The more data sources you have normalized and searchable, the more sophisticated your hunts can be. If a hunt hypothesis requires data you do not collect yet, that is a valuable finding in itself.
Building a Hunting Cadence
Schedule formal hunts on a regular cadence, typically weekly or bi-weekly, with dedicated analyst time protected from alert triage duties. Choose hunt topics based on current threat intelligence, recent incidents, or gaps in your detection coverage. Track each hunt as a project with a defined scope, timeline, and expected outcome. Maintain a hunting backlog of hypotheses ranked by risk and feasibility. Rotate hunting responsibilities across team members to build skills broadly rather than concentrating expertise in one person.
From Hunts to Detections
- Every successful hunt should produce a detection rule that automates catching the same behavior in the future
- Document the query logic, data sources, expected false positive rate, and recommended response action
- Submit completed detections to the detection engineering pipeline for validation and deployment
- Track the coverage improvement by mapping new detections to the MITRE ATT&CK matrix
- Review hunting-derived detections quarterly to ensure they remain relevant as the threat landscape evolves
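As an added example (not code from the original playbook), the Execution hypothesis from the table is carried through this list in Python: the hunt query becomes a rule packaged with its data sources, ATT&CK mapping and recommended response, validated against analyst-labelled sample events to measure its false-positive rate, and mapped onto the ATT&CK matrix for coverage tracking. The event field names, the labelled events and the Office-parent heuristic are assumptions constructed for the example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

LOLBINS = {"mshta.exe", "wscript.exe", "certutil.exe"}
OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe"}

def lolbin_rule(ev: Dict[str, str]) -> bool:
    """Hunt query turned into a rule: a LOLBin with a URL on its command line or an Office parent."""
    if ev["image"].lower() not in LOLBINS:
        return False
    return "http" in ev["cmdline"].lower() or ev["parent"].lower() in OFFICE_PARENTS

@dataclass
class Detection:
    name: str
    tactic: str                  # ATT&CK tactic, used for coverage tracking
    technique: str               # ATT&CK technique id (T1218 = System Binary Proxy Execution)
    data_sources: List[str]
    response: str                # recommended response action
    logic: Callable[[Dict[str, str]], bool]

    def validate(self, labelled: List[Tuple[Dict[str, str], bool]]) -> Dict[str, float]:
        """Run the rule over labelled sample events; report hits and the false-positive rate."""
        tp = fp = fn = 0
        for ev, malicious in labelled:
            hit = self.logic(ev)
            tp += int(hit and malicious)
            fp += int(hit and not malicious)
            fn += int(not hit and malicious)
        benign = sum(1 for _, m in labelled if not m)
        return {"tp": tp, "fp": fp, "fn": fn, "fp_rate": fp / benign if benign else 0.0}

def attack_coverage(detections: List["Detection"]) -> Dict[str, List[str]]:
    """Map deployed detections onto the ATT&CK matrix: tactic -> technique ids covered."""
    cov: Dict[str, List[str]] = {}
    for d in detections:
        cov.setdefault(d.tactic, []).append(d.technique)
    return cov

# Constructed EDR process-creation events with analyst labels (True = malicious); not real telemetry.
LABELLED = [
    ({"image": "mshta.exe", "parent": "winword.exe", "cmdline": "mshta.exe http://example.invalid/p"}, True),
    ({"image": "certutil.exe", "parent": "cmd.exe", "cmdline": "certutil.exe http://example.invalid/f"}, True),
    ({"image": "certutil.exe", "parent": "services.exe", "cmdline": "certutil.exe -verify cert.cer"}, False),
    ({"image": "wscript.exe", "parent": "explorer.exe", "cmdline": "wscript.exe logon.vbs"}, False),
    ({"image": "wscript.exe", "parent": "outlook.exe", "cmdline": "wscript.exe signature.vbs"}, False),
    ({"image": "chrome.exe", "parent": "explorer.exe", "cmdline": "chrome.exe https://example.com"}, False),
]

LOLBIN_DETECTION = Detection(name="LOLBin fetching URL or spawned by Office", tactic="Execution",
    technique="T1218", data_sources=["EDR process creation", "PowerShell script block logs"],
    response="Isolate host, collect process tree, review parent document", logic=lolbin_rule)
```

The benign Outlook-spawned script is the documented false positive: it is what tells the detection engineering pipeline what tuning (an allowlist for that script, say) the rule needs before deployment.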
Frequently Asked Questions
What skills does a threat hunter need?
Strong understanding of attacker TTPs and the MITRE ATT&CK framework, proficiency with SIEM and EDR query languages, knowledge of operating system internals, network protocols, and the ability to formulate and test hypotheses methodically.
How is threat hunting different from incident response?
Incident response is reactive: it starts with an alert or report. Threat hunting is proactive: it starts with a hypothesis and searches for evidence of threats that have not triggered any alerts. Hunting assumes your detection has gaps and actively looks for what it missed.
How do we justify the investment in threat hunting?
Track metrics like dwell time reduction, detection rule improvements from hunt findings, and actual threats discovered. A single hunt that catches an undetected compromise can prevent millions in breach costs and pay for the entire hunting program.
Can we hunt in cloud environments?
Absolutely. Cloud hunting focuses on API audit logs (CloudTrail, Activity Log), IAM anomalies, unusual resource provisioning, and network flow patterns. Cloud-native threats like cryptomining, privilege escalation through misconfigured IAM, and data exposure through misconfigured storage are all huntable.
What is a good way to start a hunting program?
Start with one or two hunts per month focused on the highest-risk ATT&CK tactics for your environment. Use existing tools and data. Document everything so you build institutional knowledge. Scale the program as you demonstrate value and develop team skills.
