Advanced Threat Hunting
Proactive defense: Searching for indicators of compromise (IoCs) and APTs that evaded the SOC.
Curriculum
20 Modules
The Hunting Loop
Hypothesis-driven hunting vs. IoC matching. The lifecycle of a hunt.
MITRE ATT&CK Framework
Mapping adversary behavior to the 14 tactics of the ATT&CK matrix.
Hunting in Windows Logs (EVTX)
Security.evtx, System.evtx, and PowerShell logs (event IDs 4103/4104).
Hunting in Network Traffic
Using Zeek (Bro) and RITA to find beacons and long connections.
Sysmon Deep Dive
Configuring and analyzing System Monitor logs for process creation and DNS queries.
Lateral Movement Detection
Catching PsExec, WMI abuse, and SMB/RPC anomalies.
Hunting Web Shells
Finding malicious ASPX/PHP files using file integrity monitoring and log analysis.
Privilege Escalation Detection
Identifying Token Manipulation, UAC bypass, and "GetSystem" attempts.
Persistence Mechanisms
Hunting for Scheduled Tasks, Registry Run keys, and WMI subscriptions.
Memory Hunting with Volatility
Analyzing RAM dumps for unlinked processes and injected code.
Hunting Malware (YARA)
Writing YARA rules to scan files and memory for malware families.
Data Exfiltration Hunting
Detecting large data transfers, DNS tunneling, and cloud storage uploads.
Hunting in AWS/Cloud
CloudTrail analysis: Finding compromised IAM keys and S3 bucket access.
Active Directory Hunting
Detecting DCSync, Golden Ticket, and Kerberoasting attacks.
Living off the Land (LotL)
Detecting abuse of native tools: certutil, bitsadmin, regsvr32.
Elastic Stack for Hunters
Using Kibana (KQL) to visualize and hunt through massive datasets.
Sigma Rules
Writing generic detection rules that work across Splunk, ELK, and QRadar.
Beacon Analysis
Mathematical analysis of connection timing to find C2 channels (Jitter/Interval).
Insider Threat Hunting
Detecting anomalous user behavior and unauthorized access.
The Hunter's Capstone
Full-spectrum hunt in a simulated compromised enterprise environment.