Why Reactive Detection Is Not Enough
Every alert you've ever written was written after someone thought of the attack. Threat hunting flips this: you assume compromise, form a hypothesis about attacker behaviour, and go looking for evidence before an alert fires.
The Hunt Cycle
- Hypothesis — based on threat intel, CVE, or ATT&CK technique
- Data collection — identify what logs/telemetry you need
- Analysis — queries, visualisation, statistical baselining
- Finding — either new detection rule or confirmation of clean environment
- Documentation — every hunt, positive or negative, builds institutional knowledge
A Real Hunt: Kerberoasting
Hypothesis: An attacker with domain user credentials is requesting TGS tickets for service accounts to crack offline.
index=winevent EventCode=4769
TicketEncryptionType=0x17
ServiceName!=krbtgt
ServiceName!="*$"
| stats count by TargetUserName, ServiceName, ClientAddress
| where count > 5
0x17 = RC4 encryption. A flood of RC4 TGS requests is a strong indicator.
Baselining Approach
index=winevent EventCode=4769 TicketEncryptionType=0x17
| timechart span=1d count
Defensive Takeaways
- Schedule one proactive hunt per month on a different ATT&CK technique
- Every hunt that finds nothing is still valuable — document what data you used
- Hunts that surface new attacker behaviour should end with a new detection rule
- Invest in endpoint telemetry — Sysmon is table stakes for effective hunting
Keep going
Get the next writeup in your inbox
New posts delivered when I publish. No spam.