Threat Hunting with MITRE ATT&CK: A Practitioner's Guide

By Administrator January 29, 2026

Threat hunting is the proactive search for adversary activity that has evaded automated detection. Unlike reactive SOC alert triage, hunting starts with a hypothesis about how an attacker might operate in your environment and systematically tests that hypothesis against available telemetry. MITRE ATT&CK provides the structured framework that makes hunting repeatable and measurable.

The Hunting Process

Effective threat hunts follow a structured methodology:

  1. Hypothesis generation — Form a testable statement about adversary activity
  2. Data identification — Determine which log sources contain evidence for or against the hypothesis
  3. Investigation — Query, filter, and analyze data to test the hypothesis
  4. Finding documentation — Record results, including both positive findings and negative evidence
  5. Detection creation — Convert validated hunting findings into automated detection rules

High-Value Hunt Hypotheses

The following hunts target techniques frequently used by real-world threat actors and are mapped to MITRE ATT&CK:

Hunt 1: Persistence via Scheduled Tasks (T1053.005)

Hypothesis: An attacker has established persistence using scheduled tasks that execute malicious payloads.

Data sources: Windows Security Event Log (Event ID 4698 — Task Created), Sysmon Event ID 1 (Process Creation)

Hunt approach:

  • Enumerate all scheduled tasks created in the last 90 days
  • Filter for tasks with actions pointing to unusual locations (user temp directories, ProgramData, AppData)
  • Identify tasks running encoded PowerShell commands or calling scripting engines (wscript, cscript, mshta)
  • Cross-reference task creators against known admin accounts — flag tasks created by non-admin users

Hunt 2: Credential Access via LSASS (T1003.001)

Hypothesis: An attacker is attempting to dump credentials from LSASS process memory.

Data sources: Sysmon Event ID 10 (ProcessAccess), Windows Defender alerts, EDR telemetry

Hunt approach:

  • Search for processes accessing lsass.exe with PROCESS_VM_READ rights
  • Identify non-standard tools accessing LSASS (anything other than the expected security products)
  • Look for comsvcs.dll being loaded by unexpected processes (used for MiniDump)
  • Check for procdump.exe or similar tools in non-standard paths
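A triage pass for this hunt over Sysmon Event ID 10 (ProcessAccess) records, added here as an example and not part of the original post; the allowlist entry and the sample events are constructed, and the GrantedAccess field is parsed as the hex string Sysmon emits.

```python
PROCESS_VM_READ = 0x0010  # access right required to read LSASS memory

# Hypothetical allowlist of images expected to read LSASS; tune to your fleet.
EXPECTED_SOURCES = {
    r"c:\program files\windows defender\msmpeng.exe",
}

# Constructed Sysmon Event ID 10 records (field names as Sysmon emits them).
SAMPLE_EVENTS = [
    {"SourceImage": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe",
     "GrantedAccess": "0x1010", "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9c534"},
    {"SourceImage": r"C:\Windows\System32\rundll32.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe",
     "GrantedAccess": "0x1fffff",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9c534|C:\Windows\System32\comsvcs.dll+2b2d8"},
    {"SourceImage": r"C:\Users\jdoe\AppData\Local\Temp\procdump.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe",
     "GrantedAccess": "0x1fffff", "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9c534"},
    {"SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe",
     "GrantedAccess": "0x1000", "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9c534"},
]


def classify(event):
    """Return a reason string if the event matches the hypothesis, else None."""
    if not event.get("TargetImage", "").lower().endswith("\\lsass.exe"):
        return None
    granted = int(event.get("GrantedAccess", "0x0"), 16)
    if not granted & PROCESS_VM_READ:
        return None  # query-only handles cannot read process memory
    source = event.get("SourceImage", "").lower()
    if source in EXPECTED_SOURCES:
        return None
    if "comsvcs.dll" in event.get("CallTrace", "").lower():
        return "comsvcs.dll (MiniDump) in call trace"
    if source.endswith("\\procdump.exe"):
        return "procdump.exe reading LSASS from " + source.rsplit("\\", 1)[0]
    return "unexpected process holding PROCESS_VM_READ on LSASS"


def hunt(events):
    """Run the hunt over ProcessAccess events; return (SourceImage, reason) findings."""
    return [(e["SourceImage"], reason) for e in events if (reason := classify(e))]


if __name__ == "__main__":
    for image, reason in hunt(SAMPLE_EVENTS):
        print(f"{image}: {reason}")
```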

Hunt 3: Lateral Movement via WMI (T1047)

Hypothesis: An attacker is using Windows Management Instrumentation for remote execution on other systems.

Data sources: Windows Event ID 4624 (LogonType 3), Sysmon Event ID 1, WMI Event Logs

Hunt approach:

  • Identify wmiprvse.exe spawning unusual child processes (cmd.exe, powershell.exe, mshta.exe)
  • Correlate WMI remote execution with network logon events from the same source
  • Look for WMI event subscriptions used for persistence (EventFilter + EventConsumer + FilterToConsumerBinding)

Hunt 4: Data Exfiltration Indicators (T1041)

Hypothesis: An attacker is staging and exfiltrating data using common tools.

Data sources: Proxy/web gateway logs, DNS logs, NetFlow/firewall logs, EDR file activity

Hunt approach:

  • Search for Rclone execution or configuration files (.rclone.conf) on endpoints
  • Identify large outbound transfers to cloud storage providers (Mega.nz, pCloud, Dropbox) from non-standard users
  • Detect archive creation in staging directories followed by large outbound connections
  • Look for DNS exfiltration patterns — high volume of TXT queries or unusually long subdomain labels

Hunt 5: Living-off-the-Land Binaries (T1218)

Hypothesis: An attacker is using legitimate Windows binaries to execute malicious code and evade detection.

Data sources: Sysmon Event ID 1 (Process Creation), command-line logging

Hunt approach:

  • Search for mshta.exe, regsvr32.exe, or rundll32.exe with network connections to external IPs
  • Identify certutil.exe being used to download files (-urlcache -split -f)
  • Look for bitsadmin.exe transfer jobs downloading from external URLs
  • Detect MSBuild.exe or InstallUtil.exe executing from user-writable directories

Measuring Hunting Effectiveness

Track these metrics to demonstrate and improve hunting value:

  • Hunts completed per quarter — Target: 6-12 structured hunts per quarter
  • Findings rate — Percentage of hunts that identify security issues (misconfigurations, policy violations, or actual threats)
  • Detections created — Number of automated detection rules generated from hunting insights
  • Coverage improvement — ATT&CK techniques with validated detection before and after hunting program