Security specialty

Threat Hunting

Browse every cataloged workflow for threat hunting, with source context, tags, and security framework mappings intact.

Complete collection

Skills in this domain

58 skills

cybersecuritySkill

Analyzing Persistence Mechanisms in Linux

Detect and analyze Linux persistence mechanisms including crontab entries, systemd service units, LD_PRELOAD hijacking, bashrc modifications, and authorized_keys backdoors using auditd and file integrity monitoring

Threat Hunting
auditdcrontabincident-responseld-preload+3
ATT&CK, 5 mappingsNIST CSF, 4 mappingsD3FEND, 5 mappings
cybersecuritySkill

Analyzing PowerShell Empire Artifacts

Detect PowerShell Empire framework artifacts in Windows event logs by identifying Base64 encoded launcher patterns, default user agents, staging URL structures, stager IOCs, and known Empire module signatures in Script Block Logging events.

Threat Hunting
base64c2forensicsmitre-att&ck+5
ATT&CK, 16 mappingsNIST CSF, 4 mappingsD3FEND, 5 mappingsAI RMF, 3 mappings
cybersecuritySkill

Analyzing Ransomware Network Indicators

Identify ransomware network indicators including C2 beaconing patterns, TOR exit node connections, data exfiltration flows, and encryption key exchange via Zeek conn.log and NetFlow analysis

Threat Hunting
c2-beaconingexfiltrationnetflownetwork-forensics+3
ATT&CK, 7 mappingsNIST CSF, 4 mappingsD3FEND, 5 mappings
cybersecuritySkill

Building Threat Hunt Hypothesis Framework

Build a systematic threat hunt hypothesis framework that transforms threat intelligence, attack patterns, and environmental data into testable hunting hypotheses.

Threat Hunting
hunting-frameworkhypothesismethodologyproactive-detection+2
ATT&CK, 4 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Detecting DCSync Attack in Active Directory

Detect DCSync attacks where adversaries abuse Active Directory replication privileges to extract password hashes by monitoring for non-domain-controller accounts requesting directory replication via DsGetNCChanges.

Threat Hunting
active-directorycredential-theftdcsynckerberos+3
ATT&CK, 11 mappingsNIST CSF, 4 mappingsD3FEND, 5 mappings
cybersecuritySkill

Detecting DLL Sideloading Attacks

Detect DLL side-loading attacks where adversaries place malicious DLLs alongside legitimate applications to hijack execution flow for defense evasion.

Threat Hunting
defense-evasiondll-sideloadingedrmitre-attack+3
ATT&CK, 12 mappingsNIST CSF, 4 mappingsD3FEND, 5 mappings
cybersecuritySkill

Detecting Email Forwarding Rules Attack

Detect malicious email forwarding rules created by adversaries to maintain persistent access to email communications for intelligence collection and BEC attacks.

Threat Hunting
becemail-forwardingmitre-attackpersistence+3
ATT&CK, 10 mappingsNIST CSF, 4 mappingsD3FEND, 5 mappings
cybersecuritySkill

Detecting Golden Ticket Attacks in Kerberos Logs

Detect Golden Ticket attacks in Active Directory by analyzing Kerberos TGT anomalies including mismatched encryption types, impossible ticket lifetimes, non-existent accounts, and forged PAC signatures in domain controller event logs.

Threat Hunting
active-directorycredential-abusegolden-ticketkerberos+2
ATT&CK, 5 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Detecting Insider Threat Behaviors

Detect insider threat behavioral indicators including unusual data access, off-hours activity, mass file downloads, privilege abuse, and resignation-correlated data theft.

Threat Hunting
data-theftinsider-threatmitre-attackproactive-detection+2
ATT&CK, 7 mappingsNIST CSF, 4 mappingsD3FEND, 5 mappings
cybersecuritySkill

Detecting Kerberoasting Attacks

Detect Kerberoasting attacks by monitoring for anomalous Kerberos TGS requests targeting service accounts with SPNs for offline password cracking.

Threat Hunting
credential-accesskerberoastingkerberosmitre-attack+3
ATT&CK, 9 mappingsNIST CSF, 4 mappingsD3FEND, 5 mappings
cybersecuritySkill

Detecting Lateral Movement with Splunk

Detect adversary lateral movement across networks using Splunk SPL queries against Windows authentication logs, SMB traffic, and remote service abuse.

Threat Hunting
lateral-movementmitre-attackproactive-detectionsiem+3
ATT&CK, 15 mappingsNIST CSF, 4 mappingsD3FEND, 5 mappings
cybersecuritySkill

Detecting Malicious Scheduled Tasks with Sysmon

Detect malicious scheduled task creation and modification using Sysmon Event IDs 1 (Process Create for schtasks.exe), 11 (File Create for task XML), and Windows Security Event 4698/4702. The analyst correlates task creation with suspicious parent processes, public directory paths, and encoded command arguments to identify persistence and lateral movement via scheduled tasks. Activates for requests involving scheduled task detection, Sysmon persistence hunting, or T1053.005 Scheduled Task/Job analysis.

Threat Hunting
detectionpersistencescheduled-taskssysmon+2
ATT&CK, 6 mappingsNIST CSF, 4 mappingsD3FEND, 5 mappings
cybersecuritySkill

Detecting Mimikatz Execution Patterns

Detect Mimikatz execution through command-line patterns, LSASS access signatures, binary indicators, and in-memory detection of known modules.

Threat Hunting
credential-dumpingedrmimikatzmitre-attack+3
ATT&CK, 13 mappingsNIST CSF, 4 mappingsD3FEND, 5 mappings
cybersecuritySkill

Detecting NTLM Relay with Event Correlation

Detect NTLM relay attacks through Windows Security Event correlation by analyzing Event 4624 LogonType 3 for IP-to-hostname mismatches, identifying Responder/LLMNR poisoning artifacts, auditing SMB and LDAP signing enforcement across the domain, and detecting NTLM downgrade attacks from NTLMv2 to NTLMv1 using event log analysis.

Threat Hunting
active-directoryevent-4624event-correlationldap-signing+7
ATT&CK, 9 mappingsNIST CSF, 4 mappingsATLAS, 4 mappingsD3FEND, 5 mappingsAI RMF, 4 mappings
cybersecuritySkill

Detecting Pass The Hash Attacks

Detect Pass-the-Hash attacks by analyzing NTLM authentication patterns, identifying Type 3 logons with NTLM where Kerberos is expected, and correlating with credential dumping.

Threat Hunting
credential-accessmitre-attackpass-the-hashproactive-detection+2
ATT&CK, 9 mappingsNIST CSF, 4 mappingsD3FEND, 5 mappings
cybersecuritySkill

Detecting Privilege Escalation Attempts

Detect privilege escalation attempts including token manipulation, UAC bypass, unquoted service paths, kernel exploits, and sudo/doas abuse across Windows and Linux.

Threat Hunting
mitre-attackprivilege-escalationproactive-detectionthreat-hunting+2
ATT&CK, 16 mappingsNIST CSF, 4 mappingsD3FEND, 5 mappings
cybersecuritySkill

Detecting Process Hollowing Technique

Detect process hollowing (T1055.012) by analyzing memory-mapped sections, hollowed process indicators, and parent-child process anomalies in EDR telemetry.

Threat Hunting
edrmitre-attackproactive-detectionprocess-hollowing+3
ATT&CK, 17 mappingsNIST CSF, 4 mappingsD3FEND, 5 mappings
cybersecuritySkill

Detecting Service Account Abuse

Detect abuse of service accounts through anomalous interactive logons, privilege escalation, lateral movement, and unauthorized access patterns.

Threat Hunting
mitre-attackprivilege-escalationproactive-detectionservice-accounts+2
ATT&CK, 7 mappingsNIST CSF, 4 mappingsD3FEND, 5 mappings
cybersecuritySkill

Detecting Suspicious Powershell Execution

Detect suspicious PowerShell execution patterns including encoded commands, download cradles, AMSI bypass attempts, and constrained language mode evasion.

Threat Hunting
amsiexecutionmitre-attackpowershell+3
ATT&CK, 8 mappingsNIST CSF, 4 mappingsD3FEND, 5 mappings
cybersecuritySkill

Detecting T1003 Credential Dumping with EDR

Detect OS credential dumping techniques targeting LSASS memory, SAM database, NTDS.dit, and cached credentials using EDR telemetry, Sysmon process access monitoring, and Windows security event correlation.

Threat Hunting
credential-dumpingedrlsassmimikatz+4
ATT&CK, 7 mappingsNIST CSF, 4 mappingsD3FEND, 5 mappings
cybersecuritySkill

Detecting T1055 Process Injection with Sysmon

Detect process injection techniques (T1055) including classic DLL injection, process hollowing, and APC injection by analyzing Sysmon events for cross-process memory operations, remote thread creation, and anomalous DLL loading patterns.

Threat Hunting
defense-evasiondll-injectionmitre-t1055process-hollowing+3
ATT&CK, 10 mappingsNIST CSF, 4 mappingsD3FEND, 5 mappings
cybersecuritySkill

Detecting T1548 Abuse Elevation Control Mechanism

Detect abuse of elevation control mechanisms including UAC bypass, sudo exploitation, and setuid/setgid manipulation by monitoring registry modifications, process elevation flags, and unusual parent-child process relationships.

Threat Hunting
elevation-controlmitre-t1548privilege-escalationthreat-hunting+2
ATT&CK, 5 mappingsNIST CSF, 4 mappingsD3FEND, 5 mappings
cybersecuritySkill

Detecting WMI Persistence

Detect WMI event subscription persistence by analyzing Sysmon Event IDs 19, 20, and 21 for malicious EventFilter, EventConsumer, and FilterToConsumerBinding creation.

Threat Hunting
dfirmitre-attackpersistencesysmon+4
ATT&CK, 3 mappingsNIST CSF, 4 mappingsD3FEND, 5 mappings
cybersecuritySkill

Fleet Hunting with Velociraptor

Deploy a Velociraptor server and agents and write VQL hunts across a fleet.

Threat Hunting
dfirdigital-forensicsendpoint-visibilityfleet-collection+4
ATT&CK, 1 mappingNIST CSF, 1 mapping
cybersecuritySkill

Hunting EVTX with Chainsaw

Perform rapid Sigma and keyword hunting across Windows event logs with Chainsaw.

Threat Hunting
chainsawdetectiondfirevtx+4
ATT&CK, 7 mappingsNIST CSF, 1 mapping
cybersecuritySkill

Hunting for Anomalous PowerShell Execution

Hunt for malicious PowerShell activity by analyzing Script Block Logging (Event 4104), Module Logging (Event 4103), and process creation events. The analyst parses Windows Event Log EVTX files to detect obfuscated commands, AMSI bypass attempts, encoded payloads, credential dumping keywords, and suspicious download cradles. Activates for requests involving PowerShell threat hunting, script block analysis, encoded command detection, or AMSI bypass identification.

Threat Hunting
amsievent-4104evtxobfuscation+3
ATT&CK, 5 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Hunting for Beaconing with Frequency Analysis

Identify command-and-control beaconing patterns in network traffic by applying statistical frequency analysis, jitter calculation, and coefficient of variation scoring to detect periodic callbacks from compromised endpoints.

Threat Hunting
beaconingc2-detectionfrequency-analysisjitter-detection+4
ATT&CK, 16 mappingsNIST CSF, 4 mappingsD3FEND, 5 mappings
cybersecuritySkill

Hunting for Cobalt Strike Beacons

Detect Cobalt Strike beacon network activity using default TLS certificate signatures (serial 8BB00EE), JA3/JA3S/JARM fingerprints, HTTP C2 profile pattern matching, beacon jitter analysis, and named pipe detection via Zeek, Suricata, and Python PCAP analysis.

Threat Hunting
beaconc2cobalt-strikeja3+5
ATT&CK, 10 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Hunting for Command and Control Beaconing

Detect C2 beaconing patterns in network traffic using frequency analysis, jitter detection, and domain reputation to identify compromised endpoints communicating with adversary infrastructure.

Threat Hunting
beaconingc2mitre-attacknetwork-analysis+2
ATT&CK, 19 mappingsNIST CSF, 4 mappingsD3FEND, 5 mappings
cybersecuritySkill

Hunting for Data Exfiltration Indicators

Hunt for data exfiltration through network traffic analysis, detecting unusual data flows, DNS tunneling, cloud storage uploads, and encrypted channel abuse.

Threat Hunting
data-exfiltrationdlpmitre-attacknetwork-analysis+2
ATT&CK, 19 mappingsNIST CSF, 4 mappingsATLAS, 2 mappingsD3FEND, 5 mappingsAI RMF, 3 mappings
cybersecuritySkill

Hunting for Data Staging Before Exfiltration

Detect data staging activity before exfiltration by monitoring for archive creation with 7-Zip/RAR, unusual temp folder access, large file consolidation, and staging directory patterns via EDR and process telemetry

Threat Hunting
archive-detectiondata-stagingdlpedr+3
ATT&CK, 9 mappingsNIST CSF, 4 mappingsD3FEND, 5 mappings
cybersecuritySkill

Hunting for DCOM Lateral Movement

Hunt for DCOM-based lateral movement by detecting abuse of MMC20.Application, ShellBrowserWindow, and ShellWindows COM objects through Sysmon Event ID 1 (process creation) and Event ID 3 (network connection) correlation, WMI event analysis, RPC endpoint mapper traffic on port 135, and DCOM-specific parent-child process relationships.

Threat Hunting
com-objectsdcomlateral-movementmmc20+7
ATT&CK, 7 mappingsNIST CSF, 4 mappingsD3FEND, 5 mappings
cybersecuritySkill

Hunting for DCSync Attacks

Detect DCSync attacks by analyzing Windows Event ID 4662 for unauthorized DS-Replication-Get-Changes requests from non-domain-controller accounts.

Threat Hunting
active-directorycredential-accessdcsyncdfir+4
ATT&CK, 6 mappingsNIST CSF, 4 mappingsD3FEND, 5 mappings
cybersecuritySkill

Hunting for Defense Evasion via Timestomping

Detect NTFS timestamp manipulation (MITRE T1070.006) by comparing $STANDARD_INFORMATION vs $FILE_NAME timestamps in the MFT. Uses analyzeMFT and Python to identify files with anomalous temporal patterns indicating anti-forensic timestomping activity.

Threat Hunting
defense-evasionmft-analysisntfs-forensicstimestomping
ATT&CK, 6 mappingsNIST CSF, 4 mappingsD3FEND, 5 mappings
cybersecuritySkill

Hunting for DNS Tunneling with Zeek

Detect DNS tunneling and data exfiltration by analyzing Zeek dns.log for high-entropy subdomain queries, excessive query volume, long query lengths, and unusual DNS record types indicating covert channel communication.

Threat Hunting
covert-channeldata-exfiltrationdns-tunnelingmitre-t1071-004+3
ATT&CK, 10 mappingsNIST CSF, 4 mappingsD3FEND, 5 mappings
cybersecuritySkill

Hunting for DNS-based Persistence

Hunt for DNS-based persistence mechanisms including DNS hijacking, dangling CNAME records, wildcard DNS abuse, and unauthorized zone modifications using passive DNS databases, SecurityTrails API, and DNS audit log analysis.

Threat Hunting
dnsdns-hijackingpassive-dnspersistence+3
ATT&CK, 9 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Hunting for Domain Fronting C2 Traffic

Detect domain fronting C2 traffic by analyzing SNI vs HTTP Host header mismatches in proxy logs and TLS certificate discrepancies using pyOpenSSL for certificate inspection

Threat Hunting
c2-detectiondomain-frontingnetwork-securityproxy-logs+3
ATT&CK, 6 mappingsNIST CSF, 4 mappingsD3FEND, 5 mappings
cybersecuritySkill

Hunting for Lateral Movement via WMI

Detect WMI-based lateral movement by analyzing Windows Event ID 4688 process creation and Sysmon Event ID 1 for WmiPrvSE.exe child process patterns, remote process execution, and WMI event subscription persistence.

Threat Hunting
lateral-movementmitre-attackprocess-creationsysmon+2
ATT&CK, 8 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Hunting For Living Off The Cloud Techniques

Hunt for adversary abuse of legitimate cloud services for C2, data staging, and exfiltration including abuse of Azure, AWS, GCP services, and SaaS platforms.

Threat Hunting
c2cloud-abuselotcmitre-attack+3
ATT&CK, 11 mappingsNIST CSF, 4 mappingsD3FEND, 5 mappings
cybersecuritySkill

Hunting for Living-off-the-Land Binaries (LOLBins)

Proactively hunt for adversary abuse of legitimate system binaries (LOLBins) to execute malicious payloads while evading detection.

Threat Hunting
defense-evasionedrlolbinsmitre-attack+3
ATT&CK, 28 mappingsNIST CSF, 4 mappingsD3FEND, 5 mappings
cybersecuritySkill

Hunting for LOLBins Execution in Endpoint Logs

Hunt for adversary abuse of Living Off the Land Binaries (LOLBins) by analyzing endpoint process creation logs for suspicious execution patterns of legitimate Windows system binaries used for malicious purposes.

Threat Hunting
defense-evasionendpoint-detectionliving-off-the-landlolbins+3
ATT&CK, 17 mappingsNIST CSF, 4 mappingsD3FEND, 5 mappings
cybersecuritySkill

Hunting for NTLM Relay Attacks

Detect NTLM relay attacks by analyzing Windows Event 4624 logon type 3 with NTLMSSP authentication, identifying IP-to-hostname mismatches, Responder traffic signatures, SMB signing status, and suspicious authentication patterns across the domain.

Threat Hunting
active-directorycredential-accessevent-4624ntlm-relay+5
ATT&CK, 8 mappingsNIST CSF, 4 mappingsD3FEND, 5 mappings
cybersecuritySkill

Hunting for Persistence Mechanisms in Windows

Systematically hunt for adversary persistence mechanisms across Windows endpoints including registry, services, startup folders, and WMI subscriptions.

Threat Hunting
mitre-attackpersistenceproactive-detectionregistry+3
ATT&CK, 44 mappingsNIST CSF, 4 mappingsD3FEND, 5 mappings
cybersecuritySkill

Hunting for Persistence via WMI Subscriptions

Hunt for adversary persistence through Windows Management Instrumentation event subscriptions by monitoring WMI consumer, filter, and binding creation events that execute malicious code triggered by system events.

Threat Hunting
endpoint-detectionevent-subscriptionmitre-t1546-003threat-hunting+2
ATT&CK, 9 mappingsNIST CSF, 4 mappingsD3FEND, 5 mappings
cybersecuritySkill

Hunting for Process Injection Techniques

Detect process injection techniques (T1055) including CreateRemoteThread, process hollowing, and DLL injection via Sysmon Event IDs 8 and 10 and EDR process telemetry

Threat Hunting
createremotethreaddll-injectionedrprocess-injection+3
ATT&CK, 11 mappingsNIST CSF, 4 mappingsD3FEND, 5 mappings
cybersecuritySkill

Hunting For Registry Persistence Mechanisms

Hunt for registry-based persistence mechanisms including Run keys, Winlogon modifications, IFEO injection, and COM hijacking in Windows environments.

Threat Hunting
mitre-attackpersistenceproactive-detectionregistry+3
ATT&CK, 13 mappingsNIST CSF, 4 mappingsD3FEND, 5 mappings
cybersecuritySkill

Hunting for Registry Run Key Persistence

Detect MITRE ATT&CK T1547.001 registry Run key persistence by analyzing Sysmon Event ID 13 logs and registry queries to identify malicious auto-start entries.

Threat Hunting
mitre-attackpersistenceregistry-run-keyssysmon+3
ATT&CK, 6 mappingsNIST CSF, 4 mappingsD3FEND, 5 mappings
cybersecuritySkill

Hunting For Scheduled Task Persistence

Hunt for adversary persistence via Windows Scheduled Tasks by analyzing task creation events, suspicious task actions, and unusual scheduling patterns.

Threat Hunting
mitre-attackpersistenceproactive-detectionscheduled-tasks+2
ATT&CK, 9 mappingsNIST CSF, 4 mappingsD3FEND, 5 mappings
cybersecuritySkill

Hunting For Shadow Copy Deletion

Hunt for Volume Shadow Copy deletion activity that indicates ransomware preparation or anti-forensics by monitoring vssadmin, wmic, and PowerShell shadow copy commands.

Threat Hunting
anti-forensicsmitre-attackproactive-detectionransomware+3
ATT&CK, 7 mappingsNIST CSF, 4 mappingsD3FEND, 5 mappings
cybersecuritySkill

Hunting For Spearphishing Indicators

Hunt for spearphishing campaign indicators across email logs, endpoint telemetry, and network data to detect targeted email attacks.

Threat Hunting
email-securityinitial-accessmitre-attackproactive-detection+3
ATT&CK, 8 mappingsNIST CSF, 4 mappingsD3FEND, 5 mappings
cybersecuritySkill

Hunting for Startup Folder Persistence

Detect T1547.001 startup folder persistence by monitoring Windows startup directories for suspicious file creation, analyzing autoruns entries, and using Python watchdog for real-time filesystem monitoring.

Threat Hunting
autorunsfilesystem-monitoringpersistencestartup-folder+3
ATT&CK, 6 mappingsNIST CSF, 4 mappingsD3FEND, 5 mappings
cybersecuritySkill

Hunting For Supply Chain Compromise

Hunt for supply chain compromise indicators including trojanized software updates, compromised dependencies, unauthorized code modifications, and tampered build artifacts.

Threat Hunting
initial-accessmitre-attackproactive-detectionsupply-chain+2
ATT&CK, 8 mappingsNIST CSF, 4 mappingsD3FEND, 5 mappings
cybersecuritySkill

Hunting for Suspicious Scheduled Tasks

Hunt for adversary persistence and execution via Windows scheduled tasks by analyzing task creation events, suspicious task properties, and unusual execution patterns that indicate T1053.005 abuse.

Threat Hunting
endpoint-detectionmitre-t1053-005persistencescheduled-tasks+2
ATT&CK, 9 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Hunting for T1098 Account Manipulation

Hunt for MITRE ATT&CK T1098 account manipulation including shadow admin creation, SID history injection, group membership changes, and credential modifications using Windows Security Event Logs.

Threat Hunting
account-manipulationactive-directorymitre-attackpersistence+2
ATT&CK, 13 mappingsNIST CSF, 4 mappingsD3FEND, 5 mappings
cybersecuritySkill

Hunting For Unusual Network Connections

Hunt for unusual network connections by analyzing outbound traffic patterns, rare destinations, non-standard ports, and anomalous connection frequencies from endpoints.

Threat Hunting
anomaly-detectionc2mitre-attacknetwork-analysis+2
ATT&CK, 7 mappingsNIST CSF, 4 mappingsD3FEND, 5 mappings
cybersecuritySkill

Hunting for Unusual Service Installations

Detect suspicious Windows service installations (MITRE ATT&CK T1543.003) by parsing System event logs for Event ID 7045, analyzing service binary paths, and identifying indicators of persistence mechanisms.

Threat Hunting
event-7045persistenceservice-installationsysmon+3
ATT&CK, 6 mappingsNIST CSF, 4 mappingsD3FEND, 5 mappings
cybersecuritySkill

Hunting For Webshell Activity

Hunt for web shell deployments on internet-facing servers by analyzing file creation in web directories, suspicious process spawning from web servers, and anomalous HTTP patterns.

Threat Hunting
mitre-attackpersistenceproactive-detectiont1505+3
ATT&CK, 10 mappingsNIST CSF, 4 mappingsD3FEND, 5 mappings
cybersecuritySkill

Performing Threat Hunting with YARA Rules

Use YARA pattern-matching rules to hunt for malware, suspicious files, and indicators of compromise across filesystems and memory dumps. Covers rule authoring, yara-python scanning, and integration with threat intel feeds.

Threat Hunting
malware-detectionpattern-matchingthreat-huntingyara
ATT&CK, 5 mappingsNIST CSF, 4 mappingsD3FEND, 5 mappings