WEEK_4 · DAY_25 · 1 HOUR
Threat Hunting
Hypothesis-driven proactive search across 24h+ of data
Learning Objectives
- Form a hypothesis (PEAK / TaHiTI methodology)
- Run hunts for LOLBins, beaconing, and suspicious parent-child process chains
- Document findings: true positives (TPs), false positives (FPs), and coverage gaps
- Codify successful hunts into correlation searches
Module 1 — Hunt Methodology
PEAK (Splunk's): Prepare, Execute, Act, with Knowledge carried across every hunt.
TaHiTI (Targeted Hunting integrating Threat Intelligence): the Dutch financial sector's phased hunt model (initiate, hunt, finalise), with threat intelligence feeding each phase.
Both start with a hypothesis and end with a detection (or a documented gap).
Module 2 — Hunt Hypotheses
LOLBins (rundll32, mshta, regsvr32, certutil) downloading from the internet.
Periodic outbound connections (beaconing) to non-CDN IPs.
Office applications spawning a shell (cmd, powershell, wscript).
Service installation (System Event ID 7045) on non-DC hosts.
Logon Type 3 (network) to executive workstations; workstations rarely serve other hosts, so this points at lateral movement.
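The beaconing hypothesis above, worked through as an added example that is not part of the course material: it runs over constructed connection records (timestamp, source host, destination IP; RFC 5737 documentation addresses) and flags source/destination pairs whose inter-connection gaps have a low coefficient of variation, which is what a timer-driven implant looks like even with jitter. The thresholds (8 connections minimum, CV of 0.2) and the `known_cdn` allow-list parameter are illustrative assumptions, not values from the page.

```python
"""Beaconing hunt over constructed connection logs (added example).

Hypothesis under test: a compromised host calls home on a fixed timer. Real
user traffic is bursty, so its inter-connection gaps vary wildly; a beacon's
gaps cluster around one period, even with jitter. The coefficient of
variation (stdev / mean) of the gaps separates the two.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, median, pstdev

# Constructed sample telemetry (RFC 5737 documentation addresses), not real data.
BASE = datetime(2024, 3, 1, 9, 0, 0)


def constructed_events():
    """Return (timestamp, src_host, dst_ip) tuples for three src/dst pairs."""
    events = []
    # Pair 1: implant beaconing every ~60 s with a few seconds of jitter.
    jitter = [0, 3, -2, 4, -1, 2, -3, 1, 0, 2, -2, 3]
    for i, j in enumerate(jitter):
        events.append((BASE + timedelta(seconds=60 * i + j), "WS-042", "203.0.113.7"))
    # Pair 2: a user browsing: bursts of requests separated by long idle gaps.
    for s in (0, 1, 1, 2, 3, 900, 901, 903, 905, 1800, 1801, 1802):
        events.append((BASE + timedelta(seconds=s), "WS-042", "198.51.100.20"))
    # Pair 3: too few connections to judge periodicity at all.
    events.append((BASE, "WS-017", "192.0.2.9"))
    events.append((BASE + timedelta(seconds=60), "WS-017", "192.0.2.9"))
    return events


def beacon_score(timestamps, min_connections=8):
    """Return (median_gap_seconds, coefficient_of_variation), or None when the
    pair has too few connections for the statistic to mean anything."""
    if len(timestamps) < min_connections:
        return None
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    mu = mean(gaps)
    if mu == 0:  # every connection in the same second: a burst, not a beacon
        return None
    return median(gaps), pstdev(gaps) / mu


def hunt_beacons(events, min_connections=8, max_cv=0.2, known_cdn=frozenset()):
    """Group connections by (src, dst), skip destinations on the CDN allow-list
    (the hypothesis is periodic traffic to non-CDN IPs), and label each pair.
    Thresholds are illustrative assumptions; tune them against your own baseline."""
    by_pair = defaultdict(list)
    for ts, src, dst in events:
        if dst not in known_cdn:
            by_pair[(src, dst)].append(ts)
    findings = []
    for (src, dst), ts in sorted(by_pair.items()):
        score = beacon_score(ts, min_connections)
        if score is None:
            continue
        period, cv = score
        findings.append({
            "src": src, "dst": dst, "connections": len(ts),
            "period_s": period, "cv": round(cv, 3),
            "verdict": "BEACON" if cv <= max_cv else "bursty",
        })
    return findings


if __name__ == "__main__":
    for finding in hunt_beacons(constructed_events()):
        print(finding)
```

On the constructed data the implant pair comes out with a 62 s median period and a CV near 0.07, the browsing pair with a CV above 1, and the two-connection pair is skipped rather than guessed at. In a real hunt the CDN allow-list does the heavy lifting on false positives: update checkers and telemetry agents are also periodic, so document those as FPs and feed the residual signal into a risk score rather than a hard alert.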
Module 3 — From Hunt to Detection
If a hunt finds a true positive, codify it as a correlation search (Day 19).
If the hunt is FP-rich but the signal is real, feed it in as a low-score risk factor (Day 20) rather than a standalone alert.
SPL Queries
LOLBin hunt
index=sysmon EventCode=1
    Image IN ("*\\rundll32.exe","*\\mshta.exe","*\\regsvr32.exe","*\\certutil.exe","*\\bitsadmin.exe")
    CommandLine="*http*"
| stats count values(CommandLine) as cmd by Computer, Image, User
| sort - count
LOLBins fetching over HTTP are textbook abuse. Expect some FPs from admin and deployment scripts that legitimately use certutil or bitsadmin; record those as documented exclusions rather than widening the pattern.
Lab 25 — Run a Hunt
- Hypothesis: 'Adversary using LOLBins for download.'
- Open Splunk → Search and run the LOLBin hunt.
- Document TPs, FPs, and gaps (hosts or fields missing from the data, LOLBins not covered).
- If signal exists, propose a correlation search.
Key Takeaways
- ✓Every hunt ends with a detection or a documented gap
- ✓PEAK / TaHiTI — pick one and stick to it
- ✓Hunting is the SOC's R&D