What Is Threat hunting? Security Definition
This page mentions older exam versions. See the Current Exam Context and Legacy Exam Context sections below for the updated mapping.
On This Page
What do you want to do?
Quick Definition
Threat hunting is when security experts actively look for hidden cyberattacks that automated tools might have missed. Instead of waiting for alerts, they dig through data to find suspicious activity. This approach helps catch advanced threats before they cause damage.
Common Commands & Configuration
wevtutil qe Security /q:"*[System[(EventID=4688)]]" /c:1000 /rd:true /f:text | findstr /i "cmd.exe powershell.exe"Queries Windows Security event log for process creation events (Event ID 4688) and filters results for command line processes like cmd.exe or powershell.exe. Useful for hunting lateral movement or script execution.
In Security+ and CySA+, you must know how to manually query logs when SIEM is unavailable. This command tests your ability to extract specific events using wevtutil and filter outputs.
Get-WinEvent -LogName 'Microsoft-Windows-PowerShell/Operational' | Where-Object { $_.Id -eq 4104 -and $_.Message -match 'EncodedCommand' }Retrieves PowerShell ScriptBlock logging events (Event ID 4104) that contain 'EncodedCommand', revealing obfuscated scripts. Essential for hunting fileless malware.
CISSP and MS-102 exams test PowerShell logging. This command demonstrates practical hunting for encoded payloads, a common exam scenario for detecting evasion.
splunk search index=windows source="WinEventLog:Security" EventCode=4625 | timechart count by Account_Name span=1h | table _time, Account_Name, countSplunk query to visualize failed logon attempts (Event ID 4625) over time, identifying brute-force attacks or password spraying campaigns. Useful for initial access hunting.
For CySA+, you need to interpret search results. This query is typical for threat hunting scenarios that ask which account is being targeted by a brute force attack.
Get-MpThreatDetection | Where-Object { $_.SeverityID -eq 5 } | Select-Object -First 10Retrieves the top 10 high-severity detections from Windows Defender AV. Helps identify endpoints where a threat was blocked but may still need deeper investigation for pre-execution behavior.
In MD-102, you must manage Defender AV. This command checks for critical detections that could indicate an active threat that escaped initial blocking.
netstat -ano | findstr :445Lists all TCP connections using port 445 (SMB). Used to identify potential lateral movement via SMB, especially from unexpected source IPs or high connection counts.
Security+ and AZ-104 may require identifying suspicious outbound connections. Port 445 abuse is a common lateral movement technique tested in incident response scenarios.
watch -n 5 'ss -tulpn | grep -E "(4444|9090|8443)"'Linux command to continuously monitor listening ports for commonly abused high-range ports (e.g., 4444 for Metasploit, 9090 for webshells). Useful for real-time hunting on servers.
AWS SAA and CySA+ cover Linux security. This command tests understanding of how to detect reverse shells or backdoor listeners in a Linux environment.
kusto: DeviceNetworkEvents | where RemoteIPType == 'Public' and LocalIP == '10.0.0.5' | summarize count() by RemoteIPAzure Sentinel KQL query to summarize all outbound public connections from a specific local IP (10.0.0.5). Helps hunt for data exfiltration or C2 activity from a suspected host.
SC-900 and MS-102 exam ask about KQL hunting. This query demonstrates how to pivot from an indicator to all network events, a key skill for threat hunting in Microsoft 365 Defender.
Get-WmiObject -Query "SELECT * FROM __EventFilter" -Namespace root\subscriptionLists all WMI event filters (used for persistence). Useful for hunting malicious WMI subscriptions that run at startup or at timed intervals without touching the registry.
This is an advanced hunting technique for CISSP and CySA+. It tests knowledge of WMI persistence, which is often used by APT groups and is poorly documented in standard curricula.
Threat hunting appears directly in 93exam-style practice questions in Courseiva's question bank — one of the most-tested concepts on CompTIA CySA+. Practise them →
Must Know for Exams
Threat hunting appears across multiple IT certification exams, often as a core concept in security domains. For CompTIA Security+ (SY0-601 and SY0-701), threat hunting is part of Domain 4 (Security Operations). You may see questions about the difference between threat hunting and vulnerability management, or about the phases of the threat hunting process. The exam expects you to know that threat hunting is proactive, hypothesis-driven, and uses both IOCs and IOAs.
For CompTIA CySA+ (CS0-002 and CS0-003), threat hunting is a major topic. The exam covers practical aspects such as how to use MITRE ATT&CK to guide hunts, what data sources are most valuable (e.g., endpoint logs, network flows), and how to interpret suspicious findings. You may be given a scenario with log entries and asked to identify which ones warrant further investigation.
For ISC2 CISSP, threat hunting falls under Domain 7 (Security Operations). The exam tests your understanding of proactive vs. reactive security, the role of threat intelligence in hunting, and how hunting integrates with incident response. CISSP questions are typically scenario-based and require you to choose the best next step when a hunt uncovers a potential threat.
For Microsoft exams like MS-102 (Microsoft 365 Administrator), SC-900 (Microsoft Security Fundamentals), and AZ-104 (Azure Administrator), threat hunting is covered less centrally but appears in the context of Microsoft 365 Defender, Azure Sentinel, and Microsoft Defender for Cloud. You may be asked how to use Microsoft Sentinel's hunting queries or how to interpret threat hunting results in the Microsoft 365 security center.
For AWS SAA (AWS Certified Solutions Architect – Associate), threat hunting is not a core objective but can appear in questions about AWS security services like GuardDuty, Detective, and Security Hub. You should understand that these services provide automated findings that can feed into a threat hunting workflow.
Exam questions typically test your ability to distinguish threat hunting from other processes. Common traps include confusing threat hunting with incident response, vulnerability scanning, or penetration testing. You must remember that threat hunting is proactive and occurs before any alert is generated. In multiple-choice questions, watch for answers that describe reactive actions-those are usually not hunting.
Also, understand that threat hunting is hypothesis-driven. Questions may ask what the first step of a hunt is, and the correct answer is usually something like "formulate a hypothesis based on threat intelligence." Knowing the MITRE ATT&CK framework and how it applies to hunting will also help you answer scenario questions.
Finally, know the key data sources and tools. For example, Windows Event ID 4625 (failed logon) might be used in a brute force hypothesis, while Event ID 4688 (process creation) helps detect suspicious commands. Exams often ask which log source is most relevant for a specific hunting scenario.
Simple Meaning
Think of threat hunting like a detective who does not wait for a crime report. In traditional security, you rely on alarms-like a burglar alarm going off when a window breaks. But what if the burglar is very quiet and never trips the alarm? Threat hunting is the practice of actively looking for signs that someone might have already broken in, even when no alarm has sounded.
In everyday life, you might notice something odd in your house-a drawer slightly open, a footprint on the carpet, or a window that is not fully closed. You do not wait for a loud alarm; you investigate these small clues. In cybersecurity, threat hunting works the same way. Security analysts examine logs, network traffic, and system behavior to find small anomalies that could indicate a hidden attacker.
For example, imagine you run a small online store. Your firewall and antivirus software are like a security guard at the front door. But a clever attacker might sneak in through a back window and leave no obvious trace. Threat hunting is like having a second guard who walks through every room, checks under desks, and looks for anything out of place-even if the front guard says everything is fine.
Another analogy is a doctor doing a routine checkup. You might feel fine, but the doctor runs blood tests to find early signs of disease before symptoms appear. Threat hunting is similar-it aims to find infections or intrusions early, before they cause noticeable damage.
The key idea is proactivity. Most security tools are reactive: they wait for known attack patterns or suspicious behavior. Threat hunting uses hypotheses and curiosity to find unknown threats. It relies on human intuition and deep analysis, not just automated alerts. This makes it a critical skill for modern IT security professionals.
threat hunting is about asking "What if?" and then searching for evidence. It turns security from a waiting game into an active pursuit.
Full Technical Definition
Threat hunting is a proactive cybersecurity methodology that involves iteratively searching through network, endpoint, and log data to detect and isolate advanced persistent threats (APTs) and other malicious activities that evade existing security controls, such as signature-based detection, anomaly-based detection, and machine learning algorithms. Unlike automated security tools that rely on predefined Indicators of Compromise (IOCs) or known attack patterns, threat hunting leverages Indicators of Attack (IOAs), behavioral analytics, and threat intelligence to uncover stealthy adversaries.
The core process of threat hunting typically follows a hypothesis-driven approach. A hunter formulates a hypothesis based on observed anomalies, threat intelligence feeds, or known tactics, techniques, and procedures (TTPs) from frameworks like the MITRE ATT&CK matrix. The hunter then collects data from multiple sources-including SIEM platforms, endpoint detection and response (EDR) tools, firewall logs, DNS logs, proxy logs, and cloud audit trails-and analyzes it using techniques like stack counting, clustering, grouping, and outlier detection.
Key components of a threat hunting program include:
Data Sources: Effective threat hunting requires high-quality, centralized logging. Common data sources include Windows Event Logs (e.g., Security, System, PowerShell), Sysmon logs, network flow data (NetFlow, IPFIX), packet captures, cloud trail logs (AWS CloudTrail, Azure Audit Logs), and endpoint telemetry from EDR agents.
Analytical Techniques: Hunters use various methods such as frequency analysis, time-series analysis, and link analysis to identify patterns. For example, a hunter may look for a single user account authenticating from multiple geographic locations within a short time window, which could indicate credential compromise.
Tools: Common tools used in threat hunting include SIEMs like Splunk or Microsoft Sentinel, EDR platforms like CrowdStrike Falcon or Microsoft Defender for Endpoint, open-source tools like Zeek, GRR, and Velociraptor, and scripting languages like Python and PowerShell for custom analysis.
Frameworks: The MITRE ATT&CK framework is widely used to map adversary behaviors. Hunters often create hypotheses based on specific techniques, such as T1059 (Command and Scripting Interpreter) or T1078 (Valid Accounts), and then hunt for those behaviors in their environment.
Threat hunting is distinct from incident response. Incident response is reactive-something bad has already been detected, and the team responds. Threat hunting is proactive-the team actively looks for threats that have not triggered any alert. It is also different from vulnerability management, which focuses on patching known weaknesses, not searching for active intrusions.
In modern IT environments, threat hunting is often integrated with a Security Operations Center (SOC). A mature SOC includes a dedicated hunting team that uses threat intelligence, user and entity behavior analytics (UEBA), and automated data processing to generate leads. The hunting team may also perform "purple team" exercises, working with red teams to simulate attacks and test detection capabilities.
The outcome of a successful hunt is not only the discovery of a threat but also the creation of new detection rules, improved logging, and refined incident response playbooks. Hunters document their findings and share them with the broader security community, contributing to collective defense.
For cloud environments, threat hunting presents unique challenges. Data is spread across multiple services, and traditional network visibility is reduced. Cloud hunters must rely on API logs, cloud resource access logs, and identity provider logs. Services like AWS GuardDuty, Azure Sentinel, and Google Cloud Security Command Center provide some automated detection, but proactive hunting often requires custom queries and scripts.
Overall, threat hunting is a continuous, human-driven process that complements automated security tools. It requires deep technical knowledge, analytical thinking, and a thorough understanding of attacker behavior.
Real-Life Example
Imagine you are the security manager of a large office building. Your building has an automated security system with cameras, motion sensors, and badge readers at every door. Most days, the system works fine. If someone tries to enter after hours without a badge, an alarm sounds, and security guards respond. This is like traditional automated cybersecurity-alerts trigger responses.
But one day, a clever thief studies your building. They learn that the motion sensors have a blind spot near the janitor's closet. They also know that the camera system archives footage for only 30 days, and they plan to act just before the old footage is overwritten. The thief steals an employee badge that was left on a desk and uses it to enter during a busy lunch hour, when the badge reader logs show many entries. They walk through the blind spot, access a server room, and install a tiny device that copies data. No alarm goes off because nothing unusual triggers the automated rules.
This is exactly what happens in a network. Automated security tools have blind spots. They might not detect an attacker using legitimate credentials, moving slowly, or using encrypted traffic. Threat hunting is like having a dedicated security team that does not just watch the monitors. They walk the halls, talk to employees, and notice small things-like a door that is slightly ajar, or an employee badge being used at two different doors at the same time (impossible unless it is cloned). They might review camera footage from 31 days ago, before the automatic deletion, to spot the thief scouting the building.
In IT, threat hunters look for such anomalies. They might notice a user account logging in from two different countries within minutes, or a single workstation sending a large amount of data at 3 AM. These patterns are not necessarily alarms in the automated system, but to a trained hunter, they are suspicious. The hunter then investigates further, perhaps by pulling more logs, isolating the machine, or questioning the user.
This real-life example shows the value of human intuition and curiosity. Automated systems are great for known patterns but often fail against novel or stealthy attacks. Threat hunters fill that gap by actively searching for the unexpected.
Why This Term Matters
In today's threat landscape, automated security tools are essential but not sufficient. Attackers constantly evolve their methods to bypass detection. Ransomware groups, state-sponsored actors, and insider threats often use legitimate tools and credentials to move laterally, making them invisible to signature-based detection. Threat hunting matters because it provides a human-driven layer of defense that can catch these sophisticated threats.
For organizations, a successful threat hunt can mean the difference between a minor incident and a major breach. Finding an attacker early-before they exfiltrate data or deploy ransomware-saves millions in recovery costs, legal fees, and reputation damage. Threat hunting also improves overall security posture by identifying gaps in logging, detection rules, and incident response processes.
From a career perspective, threat hunting skills are highly valued. Security professionals who can hunt effectively are in high demand. Certifications like CompTIA CySA+, CompTIA Security+, ISC2 CISSP, and Microsoft SC-200 all cover threat hunting concepts. Knowing threat hunting helps you understand how attackers think, which improves your ability to configure security tools and respond to incidents.
For IT professionals, threat hunting is not just for security specialists. System administrators, cloud architects, and network engineers often encounter suspicious activity. Understanding threat hunting enables them to recognize anomalies in their own domains-like unusual resource usage in Azure or unexpected network connections. This awareness strengthens the entire organization's defense.
Finally, threat hunting aligns with modern security frameworks. The NIST Cybersecurity Framework includes "Detect" as a core function, and threat hunting directly supports that. Regulatory compliance, such as PCI DSS or HIPAA, may also require proactive threat detection. Organizations that invest in threat hunting demonstrate a commitment to security beyond checkbox compliance.
How It Appears in Exam Questions
Threat hunting questions typically fall into scenario-based, definition-based, and tool-based categories. In scenario questions, you are given a description of an organization's security posture, a suspicion, and some log data. You must decide what the security analyst should do next. For example: "A SOC analyst notices several successful logins at 3 AM from an IP address in a different country. The user reports they were asleep. What should the analyst do?" The correct answer is to initiate a threat hunt, not just block the IP or ignore it, because the analyst should actively investigate the anomalous behavior.
Definition questions ask you to differentiate threat hunting from similar concepts. For instance: "Which of the following best describes threat hunting? A) Scanning for known vulnerabilities B) Reacting to a security alert C) Proactively searching for undetected threats D) Penetration testing the network." The correct answer is C, as threat hunting is proactive.
Tool-based questions might ask: "Which Microsoft 365 tool would a hunter use to run custom hunting queries across email, endpoint, and identity data?" The answer is Microsoft 365 Defender (or Advanced Hunting). Or: "In Splunk, which type of search is most appropriate for a hypothesis-driven hunt?" The answer is a statistical or behavioral search, not a simple keyword search.
Some questions test the concept of Indicators of Attack (IOA) vs. Indicators of Compromise (IOC). For example: "A threat hunter wants to detect an attacker using PowerShell to download a file. Which type of indicator is the hunter primarily using?" The answer is IOA, because they are focusing on the attack behavior (downloading with PowerShell) rather than a specific hash or IP.
Another common pattern: "A security team implements threat hunting but finds no threats. What is the most likely reason?" Options might include: insufficient data, improper tool configuration, lack of hypotheses, or no real threats exist. The correct answer is often improper data sources or lack of hypotheses, because hunting requires both quality data and a starting point.
You may also see questions about the MITRE ATT&CK framework: "A threat hunter wants to search for evidence of credential dumping. Which MITRE ATT&CK technique should the hunter map their hypothesis to?" The answer is T1003 (OS Credential Dumping).
Finally, some questions combine threat hunting with incident response. For example: "During a threat hunt, an analyst discovers a previously undetected backdoor. What is the next step?" The correct answer is to escalate to incident response, because once a threat is confirmed, the process moves from proactive hunting to reactive response.
To excel in these questions, focus on understanding the mindset of a hunter: proactive, hypothesis-driven, curious, and data-focused. Memorize the key difference from vulnerability management and incident response, and familiarize yourself with common hunting tools and data sources relevant to your target certification.
Practise Threat hunting Questions
Test your understanding with exam-style practice questions.
Example Scenario
You are a security analyst at a mid-sized company. One morning, you review a report from your SIEM that shows an unusual pattern: a user named Alice, who works in HR, has logged into the company's VPN from two different cities within a 10-minute window. Alice's office is in New York, but one login appears from New York and another from Chicago, just minutes apart. No alert was triggered because both logins used valid credentials and passed multifactor authentication.
Your automated security tools did not flag this because they rely on known bad IPs or failed login attempts. But you, as a threat hunter, find this suspicious. You formulate a hypothesis: Alice's credentials may have been compromised, and an attacker is using them from a different location. You decide to hunt for more evidence.
You start by pulling detailed logs from the VPN server and the authentication system. You check the user agent strings, which often reveal the device type. The New York login came from a company-issued laptop with a standard user agent, while the Chicago login came from a browser on a Linux machine-something Alice never uses. You also check the IP addresses: the Chicago IP is associated with a known VPN service often used by attackers.
Next, you check for other suspicious behavior. Did the Chicago login access any sensitive files? You find that within 30 minutes of that login, someone accessed the HR payroll database and downloaded a file containing employee social security numbers. You also find that the same IP attempted to access the CEO's email but failed due to a policy restriction.
At this point, you have strong evidence of a compromise. You escalate to the incident response team, who immediately disable Alice's account, isolate her workstation, and begin forensic analysis. Later, it is confirmed that Alice's credentials were stolen via a phishing email the day before.
This scenario shows how threat hunting works in practice. You did not wait for an alarm. You noticed an anomaly, formed a hypothesis, collected data, analyzed it, and discovered a real threat that would otherwise have gone unnoticed. This proactive approach prevented a potentially massive data breach.
Common Mistakes
Confusing threat hunting with incident response
Incident response is reactive-it happens after a confirmed incident. Threat hunting is proactive-it searches for incidents that haven't triggered alerts. Mixing them up shows misunderstanding of the security lifecycle.
Remember: hunting is searching for trouble; incident response is dealing with trouble already found.
Thinking threat hunting is the same as vulnerability scanning
Vulnerability scanning looks for known weaknesses like unpatched software. Threat hunting looks for active malicious behavior, not missing patches. They serve different purposes and use different techniques.
Vulnerability scans are proactive but hunt for vulnerabilities, not threats. Threat hunting hunts for attackers already inside.
Assuming threat hunting is fully automated
While tools assist, threat hunting is human-driven. Automation can help collect data, but the intuition, hypothesis, and analysis require a human. Treating it as just another automated process misses the point.
Think of threat hunting as a human-led investigation supported by tools, not a tool that runs on its own.
Thinking threat hunting only uses IOCs (Indicators of Compromise)
IOCs are known artifacts like file hashes or IPs. Advanced attackers change these quickly. Threat hunting focuses on IOAs (Indicators of Attack)-behaviors and patterns-which are harder to evade.
Hunt for suspicious behavior, not just known bad indicators. Use the MITRE ATT&CK framework to guide your thinking.
Believing threat hunting is only for large enterprises with dedicated teams
Small and medium businesses also face advanced threats. Even a single IT person can perform basic threat hunting using free tools and logs. The scale may differ, but the concept applies to any organization.
Start with a simple hypothesis and your existing logs. Even checking for impossible travel or unusual PowerShell usage is a form of hunting.
Failing to document hypotheses and results
Without documentation, you cannot learn from hunts or improve detection rules. Each hunt should produce findings that refine future hunts and feed back into security controls.
Always record your hypothesis, data sources used, findings, and any new detection rules created. This builds a knowledge base for your team.
Exam Trap — Don't Get Fooled
{"trap":"In exam questions, a description may present a scenario where an analyst waits for a security alert before taking action. The question asks if this is an example of threat hunting. Many learners incorrectly select 'Yes' because they think any security activity is hunting."
,"why_learners_choose_it":"Learners often confuse all security operations as 'hunting' because they don't distinguish between reactive and proactive approaches. The word 'threat' in the question also leads them to associate it with threat hunting.","how_to_avoid_it":"Remember that threat hunting is proactive and occurs without an alert.
If the action described is triggered by an alert, it is incident response or detection, not hunting. Always ask: 'Did they start searching because of an alarm, or because they had a hypothesis?'
Commonly Confused With
Incident response is a reactive process that happens after a confirmed security incident. Threat hunting is proactive and happens when no incident has been confirmed. Incident response follows a playbook; threat hunting follows a hypothesis.
If you get a call that your house is on fire and you call the fire department, that's incident response. If you walk around your house sniffing for smoke because you suspect a faulty wire, that's threat hunting.
Vulnerability management focuses on identifying and patching known weaknesses in systems and software. Threat hunting focuses on detecting active malicious activity that may exploit those weaknesses. One is about fixing holes; the other is about finding attackers.
Vulnerability management is like checking all doors and windows to see if they lock properly. Threat hunting is like looking for footprints inside the house after you locked the doors.
Penetration testing is a simulated attack to find vulnerabilities and test defenses. Threat hunting is the actual search for real attackers. Pen testing is authorized and scheduled; threat hunting is ongoing and looks for unauthorized activity.
Penetration testing is like a fire drill: you simulate an emergency to test your response. Threat hunting is like a fire marshal walking around looking for real fire hazards.
Security monitoring is the continuous observation of systems for alerts and anomalies, often automated. Threat hunting goes beyond monitoring by actively looking for subtle signs that monitoring might miss. Monitoring waits for triggers; hunting creates its own triggers.
Security monitoring is like a security guard watching a live camera feed. Threat hunting is like the guard leaving the monitor room to physically inspect a door that looks slightly ajar.
Step-by-Step Breakdown
Formulate a Hypothesis
The hunt begins with a hypothesis based on threat intelligence, recent incidents, or unusual observations. For example, an analyst might hypothesize that an attacker is using PowerShell to download payloads. This step ensures the hunt has a clear direction and purpose.
Identify Data Sources
The hunter determines which logs and telemetry can test the hypothesis. This may include Windows Event Logs, Sysmon logs, network flows, cloud audit logs, and endpoint EDR data. Choosing the right data sources is critical for finding evidence.
Collect and Aggregate Data
Data is pulled from multiple sources into a centralized platform like a SIEM or data lake. The hunter may run custom queries to filter relevant events. The quality and completeness of the data directly affect the hunt's success.
Analyze the Data
The hunter applies analytical techniques such as frequency analysis, time-based correlation, and outlier detection. They look for patterns that match the hypothesis, like a single account triggering multiple process creation events (Event ID 4688) for PowerShell in a short time.
Investigate Anomalies
When an anomaly is found, the hunter deep-dives into the context. They check related events, user activity, and surrounding logs. This step helps determine if the anomaly is benign (e.g., a legitimate administrative script) or malicious.
Document Findings
Regardless of whether a threat is found, the hunter records the hypothesis, data used, analysis steps, and conclusions. This documentation feeds back into the security process, helping create new detection rules or refine existing ones.
Escalate or Close
If a real threat is confirmed, the hunter escalates to the incident response team with all relevant evidence. If no threat is found, the hunt is closed, but lessons learned are shared. The hypothesis may also be refined for future hunts.
Update Security Controls
Based on the hunt's outcome, detection rules, SIEM alerts, or logging configurations are updated. This step ensures the organization improves its defenses over time and reduces the chances of missing similar threats in the future.
Practical Mini-Lesson
Threat hunting in practice requires not only technical skills but also a systematic approach. Let me walk you through a real-world scenario to show how it works.
Imagine you are a SOC analyst for a company that uses Microsoft 365 and Azure. One day, you read a threat intelligence report about a new phishing campaign that tricks users into granting OAuth permissions to a malicious app. The app requests access to read email and contacts. Your hypothesis: an attacker may have already compromised an account using this technique. You decide to hunt for it.
You start by querying Azure AD audit logs for recent OAuth consent grants. You look for applications with suspicious names or from unknown publishers. You write a KQL query in Microsoft 365 Defender Advanced Hunting:
`AuditLogs | where OperationName == "Consent to application" | where TargetResources has_any ("Mail.Read", "Contacts.Read") | project TimeGenerated, UserPrincipalName, ClientAppName, AppId`
You find an entry from yesterday: a user named j.doe consented to an app called "DocuSign Viewer" from a publisher not listed as verified. The app has Mail.Read and Contacts.Read permissions. This is suspicious because DocuSign is widely used but this app is not legitimate.
Next, you check if the app actually used those permissions. You query the sign-in logs for token issuance events involving that app. You find that after consent, the app accessed the user's mailbox several times, reading emails. You also check if any rules were created in the mailbox (like forwarding rules) to exfiltrate data.
You discover a forwarding rule that sends all emails with the word "invoice" to an external address. This is a clear sign of data exfiltration. You have now confirmed the threat.
You escalate to incident response, providing all evidence: the suspicious app, the consent grant, the mailbox access logs, and the forwarding rule. The IR team revokes the app, resets the user's credentials, and removes the forwarding rule.
After the incident, you create a detection rule in Microsoft Defender for Cloud Apps to alert on any app consent request that matches high-risk permissions and unverified publishers. You also update your hunting playbook to include this type of hypothesis.
This example shows how threat hunting integrates with real tools and real workflows. The key takeaway is that hunters need to know their environment's data, understand threat intelligence, and be able to query and correlate data from multiple sources. They also need to know how to interpret the results-for instance, not all OAuth consent grants are malicious, but the combination of unverified publisher, sensitive permissions, and unusual activity increases suspicion.
A common challenge in threat hunting is false positives. Not every anomaly is an attack. For example, a user logging in from a different country could be a legitimate traveler using a VPN. Hunters must use additional context-like user agent, time of day, and the user's typical behavior-to decide whether to escalate. This is where experience and good documentation of normal behavior matter.
Another challenge is data quality. Incomplete logging, missing fields, or logs that are overwritten too quickly can cripple a hunt. That is why establishing a robust logging strategy is a foundational step before any mature hunting program can exist.
Finally, threat hunting is a continuous cycle. You hunt, you learn, you improve. Over time, hunts become more focused and efficient. The best hunters are always curious, always asking "what if?" and always refining their methods.
Core Methodology of Threat Hunting
Threat hunting is a proactive security operation that assumes an adversary has already breached the environment. Unlike automated detection systems that rely on known signatures or rules, threat hunting uses human intuition, hypothesis-driven analysis, and deep investigation to uncover stealthy, advanced persistent threats (APTs) that evade existing defenses. The core methodology follows a structured loop: develop a hypothesis, collect and analyze data, investigate anomalies, and then refine the hypothesis or escalate findings.
The first step is hypothesis generation. A hunter might hypothesize that a specific threat actor group uses a particular tool, such as Mimikatz for credential dumping, or that a known vulnerability is being exploited within the network. This hypothesis is based on threat intelligence, recent CVEs, or internal risk assessments. For example, after a critical Exchange Server vulnerability is disclosed, a hunter might hypothesize that attackers are attempting to exploit it within the environment.
Next, the hunter collects data from multiple sources: endpoint detection and response (EDR) logs, network flow data, DNS logs, Windows Event logs (especially Security Event IDs 4624, 4625, 4688, and 5156), proxy logs, and cloud service logs (Azure AD Sign-in logs, AWS CloudTrail, etc.). This data is normalized and correlated using security information and event management (SIEM) tools or specialized platforms like Splunk, Elastic Stack, or Azure Sentinel. The hunter looks for outliers, such as unusual process execution chains, unexpected outbound connections, or authentication anomalies across time zones.
The analysis phase involves threat-hunting techniques like the Pyramid of Pain (focusing on indicators of behavior over static IOCs), the Diamond Model of intrusion analysis (adversary, capability, infrastructure, victim), and the use of MITRE ATT&CK frameworks to map tactics and techniques. For instance, if a hunter sees cmd.exe spawning powershell.exe with encoded commands, that maps to MITRE T1059.001 (Command and Scripting Interpreter: PowerShell). The hunter then examines the parent process, user context, and network connections to determine if it is malicious.
Finally, findings are documented and escalated to incident response teams. The hunter may also update detection rules or create new signatures to prevent similar attacks. The iterative nature of threat hunting means that each successful hunt improves the overall security posture by closing detection gaps, segmenting networks, or hardening endpoints.
Understanding this methodology is critical for security certifications like CompTIA Security+, CySA+, CISSP, and AWS SAA because they test the ability to distinguish reactive security (alerts) from proactive hunting. In exams, scenario-based questions often ask which approach should be used to find unknown threats that bypass IDS/IPS. The correct answer is threat hunting, as it assumes a breach exists and actively searches for subtle indicators that automated tools miss.
Data Sources and Tools Essential for Threat Hunting
Effective threat hunting relies on high-fidelity, centralized, and historical data. Without comprehensive logs, hunters cannot establish baselines or detect anomalies. The primary data sources include endpoint telemetry, network logs, identity and authentication logs, cloud service logs, and threat intelligence feeds. Each source provides a unique viewpoint, and combining them reveals the full kill chain.
Endpoint data from EDR solutions (like Microsoft Defender for Endpoint, CrowdStrike Falcon, or SentinelOne) provides process creation events, network connections, file system changes, registry modifications, and driver loads. For example, a hunter analyzing a suspicious process might investigate its parent-child relationship (e.g., is winword.exe spawning cmd.exe?) and check if the child process has a valid digital signature. Windows Event Logs, especially Security, System, and PowerShell Operational logs, are vital. Event ID 4688 (Process Creation) with command-line logging enabled gives complete command arguments, while Event ID 4104 (ScriptBlock Logging) captures obfuscated PowerShell scripts.
Network data includes NetFlow, full packet capture (PCAP), DNS query logs, proxy logs, and TLS/SSL certificate metadata. DNS logs are particularly useful for detecting domain generation algorithm (DGA) domains or known C2 infrastructure. For instance, a spike in NXDOMAIN responses from a single host might indicate a DGA-based malware attempting to resolve random domains. Proxy logs help identify unusual user-agent strings or data exfiltration via HTTP POST requests to external IPs.
Identity and authentication logs from Active Directory, Azure AD, and Okta provide insight into Kerberos ticket requests (Event ID 4768, 4769), failed logins (Event ID 4625), and account creation/modification (Event ID 4720, 4738). A threat hunter might look for pass-the-hash attacks by correlating multiple logins from different workstations using the same NTLM hash. In cloud environments, AWS CloudTrail, Azure Activity Log, and GCP Audit Logs record API calls. Hunting for privilege escalation often involves finding IAM role assumption events from unexpected source IPs.
Tools for threat hunting range from native OS tools (Sysinternals Suite, PowerShell, WMI) to enterprise-grade platforms (Splunk, Elasticsearch, KQL-based solutions like Azure Sentinel). Pivot tables, time series analysis, and statistical modeling (e.g., z-score for outliers) are common analysis techniques. For example, using KQL in Azure Sentinel, a hunter can query: DeviceProcessEvents | where InitiatingProcessFileName != 'explorer.exe' and FileName == 'rundll32.exe' and ProcessCommandLine contains 'javascript'. This filters for suspicious rundll32 executions without a legitimate parent.
For AWS SAA (AWS Solutions Architect Associate), understanding logging services like CloudTrail, VPC Flow Logs, and GuardDuty is essential. For SC-900 (Microsoft Security, Compliance, and Identity Fundamentals), knowing Azure Sentinel's hunting queries and Microsoft 365 Defender data sources is tested. The CySA+ exam includes interpreting scan results and identifying anomalous log entries. Therefore, mastering data source types and their analytical value is a core competency for all these certifications.
Hypothesis-Driven Threat Hunting Techniques and Frameworks
Hypothesis-driven threat hunting shifts security operations from a reactive alert-driven model to a proactive adversary-focused search. Instead of waiting for alerts, hunters propose a specific attack scenario (the hypothesis) and then look for evidence supporting or refuting it. This approach is more effective than hunting based solely on IOCs, as advanced adversaries change their tools and hashes constantly. The most common frameworks for structuring hypotheses are MITRE ATT&CK, the Cyber Kill Chain, and the Diamond Model.
A typical hypothesis frames a specific technique from MITRE ATT&CK. For example: "An adversary is likely using scheduled tasks (T1053.005) to maintain persistence after the initial compromise." The hunter then collects data on new scheduled tasks created in the last 48 hours, focusing on tasks with suspicious names (e.g., random strings), unusual execution times, or commands invoking PowerShell or MSHTA. In an environment with thousands of endpoints, a hunter might reduce noise by comparing the list to a baseline of known enterprise software.
Another common hypothesis involves lateral movement. Using the Diamond Model, the hunter identifies the adversary's capability (e.g., PsExec or WMI) and infrastructure (e.g., a specific listening port). For instance: "An attacker is using WMI (T1047) to move laterally and execute payloads." The hunter queries Event ID 5861 (WMI Activity) or looks for high-frequency WMI connections to multiple workstations from a single source server. If the pivot server is not a known administrative jump box, this is highly suspicious.
Hunting for data exfiltration often involves a hypothesis about abnormal egress traffic patterns. For example: "An insider threat is exfiltrating customer PII via encrypted SMTP to an external free email service." The hunter examines SMTP connections (Event ID 25) from non-mail servers, and correlates with file access audits (Event ID 4663) for sensitive folders. DNS query logs can reveal tunnels where data is encoded in subdomains. A hunter might run a Python script to calculate entropy in DNS query strings; high entropy often indicates encrypted data or C2 tunneling.
Frameworks provide a common language for documenting hunts. MITRE ATT&CK helps categorize findings into tactics (e.g., TA0001 Initial Access, TA0002 Execution) and techniques, which drives automated alert tuning. The Pyramid of Pain encourages focusing on indicators of behavior (TTPs) rather than low-level IOCs like file hashes. For instance, if a hunter finds a malicious DLL side-loading technique, they document the technique (T1574.002) rather than just the hash, allowing detection of future variants.
Certifications test this framework-based thinking. For ISC2 CISSP, questions may ask about the most effective way to discover zero-day attacks (answer: threat hunting with a hypothesis based on TTPs). For MS-102 (Microsoft 365 Administrator), candidates must know how to create custom hunting queries in Microsoft 365 Defender that target specific MITRE techniques. CySA+ includes scenario-based questions requiring the application of the Diamond Model to an incident. Understanding these techniques ensures you can design and execute hunts that find hidden threats and demonstrate security maturity.
Advanced Persistence and Evasion Techniques in Threat Hunting
Advanced adversaries invest significant effort in establishing stealthy persistence and evading detection. Threat hunting must focus on these sophisticated techniques because traditional antivirus or EDR may miss them. Key areas include fileless malware, living-off-the-land binaries (LOLBins), registry persistence, COM hijacking, and driver-based evasion. Understanding how these techniques work-and how to hunt for them-is critical for security operations and certification exams.
Fileless malware operates in memory, using tools like PowerShell, WMI, or .NET reflection. It leaves minimal forensic evidence on disk. To hunt for fileless attacks, a hunter should analyze PowerShell ScriptBlock logs (Event ID 4104) for obfuscated code using commands like -EncodedCommand or Base64 strings. For example, a query can look for PowerShell processes with unusual parent processes (e.g., rundll32.exe, taskeng.exe) or frequent use of Invoke-Expression. Hunters also look for WMI persistence (subscriptions stored in root\subscription) by querying the WMI repository for abnormal subscriptions that run scripts at system startup.
Living-off-the-land binaries (LOLBins) like certutil.exe, bitsadmin.exe, mshta.exe, and regsvr32.exe are abused because they are legitimate Microsoft-signed binaries. An attacker can use certutil.exe to download a script from a remote server, bypassing allowlisting. Hunting for LOLBin abuse involves baselining which binaries are normally used by IT staff or developers. For instance, a sudden spike in mshta.exe execution from a user workstation that never runs it should be investigated. A hunter might write a KQL query: DeviceProcessEvents | where FileName in~ ('certutil.exe','bitsadmin.exe','mshta.exe','rundll32.exe','regsvr32.exe') and InitiatingProcessFileName != 'explorer.exe' and Timestamp > ago(7d).
Registry persistence beyond the typical Run keys is common. Adversaries use Startup folders, AppCertDLLs, Winlogon Notifications, and Service Driver paths. To hunt for this, a hunter can compare the current registry state of key persistence locations to a known good baseline taken after a clean OS install. For example, checking HKLM\Software\Microsoft\Windows\CurrentVersion\Run once for unusual values. A specific clue is a DLL path located in a user's temp folder or a network share. Attackers also use COM hijacking by modifying CLSID keys to load malicious code when specific applications start (e.g., browsers or Office apps).
Kernel-level evasion using rootkits or drivers is rarer but extremely dangerous. A hunter might detect kernel tampering by checking for unsigned drivers (sigcheck -e) or looking for anomalies in loaded driver lists. Tools like WinDbg or Volatility can be used for memory analysis to find hidden processes or kernel callbacks. In exams, these techniques appear in questions about detecting persistence that EDR misses, or about the order of volatility when collecting evidence.
For AZ-104 (Azure Administrator) and MD-102 (Microsoft 365 Endpoint Administrator), understanding how default AMSI protections work against script-based attacks is important. The SC-900 exam tests awareness of Microsoft Defender for Endpoint's ability to detect fileless threats using behavioral blocking and containment. In all cases, the hunter must go beyond simple alerts and actively look for signs of tampering with logging, configuration changes, or system processes that are designed to stay invisible.
Troubleshooting Clues
Missing Windows Event Logs on endpoints
Symptom: When querying Security logs for Event ID 4688, the log contains no entries or is truncated despite being enabled.
Windows Event Log can fill up rapidly if log size limit is too small (default 20MB in older builds) or if audit policies are not configured for process creation. If the 'Audit Process Creation' group policy setting is not enabled, Event ID 4688 will not be generated.
Exam clue: Security+ and CySA+ exam questions often ask why process tracking is missing. The answer usually involves misconfigured audit policies or log size limits. Knowing to check GPO settings (Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy > Detailed Tracking) is critical.
PowerShell ScriptBlock logging not capturing obfuscated code
Symptom: Event ID 4104 shows 'ScriptBlock text is empty' or only shows partial scripts even though logging is enabled.
By default, PowerShell ScriptBlock logging truncates scripts longer than 32KB. Also, if 'Module Logging' or 'ScriptBlock Logging' is not enabled via GPO, some scripts may not be captured. Attackers bypass this by splitting payloads into multiple small chunks.
Exam clue: In MS-102 or MD-102, this is a common troubleshooting scenario. The correct remediation is to increase the log size via registry (Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging) or enable transcription logging. Exam questions ask why PowerShell logs are incomplete.
High false positives in DNS tunneling detection queries
Symptom: Hunting queries for DNS tunneling (e.g., high entropy subdomains) trigger many alerts for legitimate CDN or load balancer traffic.
Legitimate services like Akamai, Cloudflare, or Azure Traffic Manager use high-entropy subdomains for load distribution. Without a baseline of known subdomain patterns and domain whitelisting, queries will flag normal traffic.
Exam clue: CISSP questions on tuning detection systems often mention whitelisting necessary services. This clue highlights balancing sensitivity and specificity, a concept tested in multiple certifications.
KQL query for lateral movement returning no results
Symptom: A query searching for new inbound RDP connections to a server returns zero events, but the server shows active remote sessions.
If logging is not enabled for RDP (Event ID 4634/4778), or if the query filters on wrong event IDs, events will be missed. If inbound RDP is allowed via VPN only, the source IP may appear as internal, not external. Another cause is using 'NetApp Aurora', which bypasses RDP event logging.
Exam clue: This is a typical exam trick for AZ-104 and SC-900. They test if you know the correct Event IDs for RDP logon (4778 for session reconnection, 4624 for logon type 10) and the need for logging to be enabled.
Sysmon driver failing to load on Windows Server 2019
Symptom: Sysmon service starts but events are not generated; error in event log indicates driver load failure with status 0xc0000354.
This error occurs because Secure Boot is enabled and Sysmon's driver is not signed by a Microsoft Trusted Root Certificate. Sysmon requires a SHA256 signed driver, and on systems with Secure Boot, the driver must be certified by Microsoft.
Exam clue: For MD-102, you must know that Sysmon may not work with Secure Boot enabled. The solution is to either disable Secure Boot (not recommended) or use a Microsoft-signed alternative, like Microsoft Defender for Endpoint's process monitoring.
NetFlow logs showing no data for a critical subnet
Symptom: When analyzing NetFlow for hunting, the subnet 10.0.10.0/24 has zero flows, but hosts are reachable.
NetFlow export is not configured on the switch or router for that VLAN; or the NetFlow collector's IP is not in the flow exporter's configuration. Another cause: SNMP polling is enabled but NetFlow export is separate.
Exam clue: AZ-104 questions on monitoring assume you know that VPC Flow Logs must be enabled per ENI. The equivalent in on-prem is NetFlow export. Exams test your ability to identify missing configuration at the network level.
AWS CloudTrail log delivery latency beyond 30 minutes
Symptom: Threat hunting across multiple regions shows CloudTrail events delivered with 40-60 minute delay, hampering near-real-time hunting.
CloudTrail deliveries are batched and typically delivered within 5-15 minutes, but if trail delivery to S3 or CloudWatch Logs fails, retries can cause delays. This can happen due to S3 bucket policy misconfigurations, insufficient permissions, or throttling on CloudWatch Logs API.
Exam clue: AWS SAA exam includes troubleshooting CloudTrail delivery. This symptom is a direct clue to check bucket policies for cross-account or organization trail permissions. The solution is to ensure the trail's S3 bucket allows Write ACL from CloudTrail service.
Azure AD Sign-in logs missing for legacy authentication
Symptom: Hunting queries for brute force attacks show no failed logins from legacy protocols (POP3, IMAP) even though attackers are active.
Azure AD Sign-in logs only capture interactive and non-interactive logins by default. Legacy authentication (Basic Auth) events are often missed unless the 'Other' category is enabled in the diagnostic settings. Also, some legacy protocols are not recorded in Sign-in logs at all.
Exam clue: SC-900 and MS-102 exams ask about gaps in Azure AD logs. The correct action is to enable 'User risk policies' and 'Sign-in risk policies' in Azure AD Identity Protection, and to turn on 'Sign-in logs for all types' via Diagnostics Settings.
Memory Tip
Think of the 3 P's: Proactive, Hypothesis-driven, and People-centric. Threat hunting is Proactive (no alert required), Hypothesis-driven (you start with a question), and relies on People (human analysts, not just automation).
Learn This Topic Fully
This glossary page explains what Threat hunting means. For a complete lesson with labs and practice, see the topic guide.
Covered in These Exams
Current Exam Context
Current exam versions that test this topic — use these objectives when studying.
CISSPCISSP →CS0-003CompTIA CySA+ →SY0-701CompTIA Security+ →MD-102MD-102 →MS-102MS-102 →AZ-104AZ-104 →SC-900SC-900 →SAA-C03SAA-C03 →220-1102CompTIA A+ Core 2 →SOA-C02SOA-C02 →CDLGoogle CDL →ISC2 CCISC2 CC →Legacy Exam Context
Older materials may mention these exam versions, but learners should use the current objectives for their target exam.
SY0-601SY0-701(current version)Related Glossary Terms
Two-factor authentication (2FA) is a security method that requires two different types of proof before granting access to an account or system.
AAA (Authentication, Authorization, and Accounting) is a security framework that controls who can access a network, what they are allowed to do, and tracks what they did.
An A record is a type of DNS resource record that maps a domain name to an IPv4 address.
An AAAA record is a DNS record that maps a domain name to an IPv6 address, allowing devices to find each other over the internet using the newer IP addressing system.
802.1X is a network access control standard that authenticates devices before they are allowed to connect to a wired or wireless network.
802.1Q is the networking standard that allows multiple virtual LANs (VLANs) to share a single physical network link by tagging Ethernet frames with VLAN identification information.
Quick Knowledge Check
1.A security analyst is conducting a threat hunt to identify fileless malware that uses PowerShell. Which Windows Event ID should they primarily analyze?
2.During a threat hunt, you notice that a non-admin workstation is making multiple outbound connections to an IP address on port 8443. The IP has low reputation. Which MITRE ATT&CK technique is most likely being used for C2 communication?
3.A threat hunter is investigating a potential data exfiltration using DNS tunneling. Which of the following indicators would most strongly suggest DNS tunneling activity?
4.In an AWS environment, a security engineer wants to hunt for unauthorized API calls that indicate IAM privilege escalation. Which service logs should be the primary source?
5.A threat hunter uses the Diamond Model to analyze an incident. They identify a specific file hash (adversary token) and an IP address (infrastructure). What is the next step in the Diamond Model analysis?
6.During a threat hunt, you find a Windows service that runs a script from a user's temp directory set to start automatically. The service name is 'WindowsUpdateService' but the binary path points to C:\Users\Public\temp\svchost.ps1. Which persistence technique is this?
Frequently Asked Questions
Is threat hunting the same as penetration testing?
No. Penetration testing is a simulated attack to find vulnerabilities. Threat hunting is the real search for active threats in your environment. They serve different purposes.
Do I need special tools to start threat hunting?
You can start with basic tools like a SIEM (e.g., Splunk, Azure Sentinel) or even just Windows Event Viewer and PowerShell. As you mature, EDR tools and advanced analytics help.
Can threat hunting be fully automated?
No. While automation helps collect and filter data, the human element-intuition, hypothesis creation, and context analysis-is irreplaceable. Threat hunting is a human-driven activity.
What is the first step in a threat hunt?
The first step is to formulate a hypothesis. Without a clear question or assumption, the hunt lacks direction. The hypothesis should be based on threat intelligence, anomalies, or known TTPs.
How often should I perform threat hunting?
Ideally, threat hunting should be continuous. Even if you cannot dedicate full-time resources, scheduling regular hunts (e.g., weekly or monthly) is beneficial. The frequency depends on your risk profile and resources.
What is the difference between IOC and IOA in threat hunting?
IOC (Indicator of Compromise) is a known artifact like a file hash or IP address. IOA (Indicator of Attack) is a behavior pattern, such as unusual process execution or lateral movement. Threat hunters focus more on IOAs to catch unknown threats.
Does threat hunting require advanced programming skills?
Not necessarily, but it helps. Many hunters use query languages like KQL (Kusto Query Language) for Azure, SPL (Search Processing Language) for Splunk, or PowerShell. Scripting in Python or PowerShell is common for custom analysis.
How does threat hunting relate to the MITRE ATT&CK framework?
The MITRE ATT&CK framework provides a structured list of adversary tactics and techniques. Hunters use it to hypothesize which techniques an attacker might use and then search for evidence of those behaviors in their environment.
Summary
Threat hunting is a proactive cybersecurity practice where analysts actively search for hidden threats that evade automated detection tools. Unlike incident response, which is reactive, or vulnerability management, which focuses on weaknesses, threat hunting is hypothesis-driven and human-centred. It relies on data from logs, endpoints, network flows, and cloud services, combined with analytical techniques and threat intelligence frameworks like MITRE ATT&CK.
For IT certification learners, understanding threat hunting is critical for exams like CompTIA Security+, CySA+, CISSP, and Microsoft security certifications. Questions often test the distinction between hunting and other security processes, the importance of hypotheses, and the use of IOAs vs. IOCs. Practical scenarios may require you to interpret log data or choose the next step in a hunt.
Threat hunting is not just for large enterprises; any organization can benefit from a proactive mindset. Even a simple hunt using existing logs can uncover hidden adversaries. The key takeaway for your exam and career: threat hunting is about asking "what if?" and then searching for answers before an alarm tells you something is wrong. It turns security from a reactive chore into a proactive pursuit, making it an indispensable skill for modern IT professionals.