// Threat Hunting

Structured Threat Hunting: A Practical Guide for Blue Team Engineers

What Is Threat Hunting?

Threat hunting is the proactive, human-led process of searching through your environment for threats that have evaded automated detection. While SIEM and EDR handle automated detection, threat hunters assume compromise has already occurred and look for evidence of attacker activity that your rules have not yet encoded.

The best security teams do not wait for alerts. They go looking for the adversary before the adversary finishes the job.

Hypothesis-Driven Methodology

A good hunt hypothesis is specific, falsifiable, and tied to real adversary behavior. Examples from our fintech environment:

  • A threat actor is using LOLBins for initial staging (T1218)
  • An internal host is communicating with a C2 server via DNS tunneling (T1071.004)
  • Credential dumping has occurred on a domain controller in the last 30 days (T1003)
  • An attacker established persistence via a scheduled task in a non-standard path (T1053.005)

Hunt Queries in Splunk SPL

Hunt 1: LOLBin Execution (T1218)

index=windows_events EventCode=4688
| eval child=lower(mvindex(split(NewProcessName,"\\"),-1))
| where in(child, "mshta.exe","wscript.exe","cscript.exe","regsvr32.exe","rundll32.exe","certutil.exe","bitsadmin.exe")
| stats count, values(CommandLine) AS cmds by Computer, User, NewProcessName

Hunt 2: Beaconing Detection - C2 Identification

index=network_firewall action=allowed
| reverse
| streamstats current=f last(_time) AS prev_time by src_ip, dest_ip
| eval delta=_time-prev_time
| stats count, avg(delta) AS avg_delta, stdev(delta) AS std_delta, avg(bytes_out) AS avg_b, stdev(bytes_out) AS std_b by src_ip, dest_ip
| eval beacon_score=if(count > 20 AND avg_delta > 0 AND std_delta/avg_delta < 0.3 AND avg_b > 0 AND std_b/avg_b < 0.3, "HIGH", "LOW")
| where beacon_score="HIGH"
| eval technique="T1071"
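The scoring logic behind the beaconing hunt, implemented in Python over constructed firewall records so it can be run and checked offline. This is an added example, not code from the original article: the field names (src_ip, dest_ip, bytes_out, action), the 0.3 coefficient-of-variation threshold and the 20-connection minimum follow the SPL above, while the record layout and the two sample flows are constructed here.

```python
"""Beaconing heuristic from Hunt 2 applied to constructed firewall records.

Added example (not from the original article). Field names and thresholds
mirror the SPL query; the sample traffic below is constructed.
"""
import random
from collections import defaultdict
from statistics import mean, pstdev

CV_THRESHOLD = 0.3     # stdev/mean below this looks machine-regular
MIN_CONNECTIONS = 20   # fewer samples than this and the stdev is not meaningful


def coefficient_of_variation(values):
    """stdev/mean; None when there are fewer than two samples or the mean is zero
    (the SPL guards the same division with avg_delta > 0 / avg_b > 0)."""
    if len(values) < 2:
        return None
    avg = mean(values)
    if avg == 0:
        return None
    return pstdev(values) / avg


def score_pairs(records):
    """Group allowed connections by (src_ip, dest_ip) and score each pair.

    records: iterable of dicts with keys _time (epoch seconds), src_ip,
    dest_ip, bytes_out and action. Returns a dict keyed by (src, dst) with
    count, interval_cv, size_cv and beacon_score ("HIGH" or "LOW").
    """
    by_pair = defaultdict(list)
    for r in records:
        if r.get("action") != "allowed":
            continue
        by_pair[(r["src_ip"], r["dest_ip"])].append(r)

    results = {}
    for pair, conns in by_pair.items():
        conns.sort(key=lambda r: r["_time"])  # chronological, like reverse+streamstats
        intervals = [b["_time"] - a["_time"] for a, b in zip(conns, conns[1:])]
        sizes = [r["bytes_out"] for r in conns]
        interval_cv = coefficient_of_variation(intervals)
        size_cv = coefficient_of_variation(sizes)
        regular = (
            len(conns) > MIN_CONNECTIONS
            and interval_cv is not None and interval_cv < CV_THRESHOLD
            and size_cv is not None and size_cv < CV_THRESHOLD
        )
        results[pair] = {
            "count": len(conns),
            "interval_cv": interval_cv,
            "size_cv": size_cv,
            "beacon_score": "HIGH" if regular else "LOW",
        }
    return results


def constructed_traffic():
    """Constructed sample: one timer-driven flow and one human-like browsing flow."""
    rng = random.Random(7)  # fixed seed so the result is reproducible
    records = []
    # Flow A: 30 connections roughly every 60 s, ~1 KiB each -> regular.
    t = 1_700_000_000
    for _ in range(30):
        records.append({"_time": t, "src_ip": "10.0.0.5", "dest_ip": "203.0.113.9",
                        "bytes_out": 1024 + rng.randint(-20, 20), "action": "allowed"})
        t += 60 + rng.randint(-3, 3)
    # Flow B: 30 connections at bursty gaps with widely varying sizes -> irregular.
    t = 1_700_000_000
    for _ in range(30):
        records.append({"_time": t, "src_ip": "10.0.0.7", "dest_ip": "198.51.100.4",
                        "bytes_out": rng.randint(200, 50_000), "action": "allowed"})
        t += rng.choice([2, 5, 30, 300, 900])
    return records


if __name__ == "__main__":
    for pair, s in score_pairs(constructed_traffic()).items():
        print(pair, s["beacon_score"],
              round(s["interval_cv"], 3), round(s["size_cv"], 3))
```

The interval check matters as much as the byte-size check: a pair with consistent payload sizes but human-paced timing (for example a user reloading the same dashboard) should score LOW, which is why the query computes a per-pair inter-arrival delta before aggregating.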

Hunt 3: Kerberoasting (T1558.003)

index=windows_security EventCode=4769
| where TicketEncryptionType="0x17" OR TicketEncryptionType="0x18"
| where ServiceName!="krbtgt" AND NOT like(ServiceName, "%$")
| stats count, dc(ServiceName) AS svc_count, values(ServiceName) AS services by TargetUserName, ClientAddress
| where svc_count >= 3
| eval technique="T1558.003"

Hunt 4: Unusual Parent-Child Process Relationships

index=windows_events EventCode=4688
| eval parent=lower(mvindex(split(ParentProcessName,"\\"),-1))
| eval child=lower(mvindex(split(NewProcessName,"\\"),-1))
| where (parent="winword.exe" AND (child="powershell.exe" OR child="cmd.exe"))
  OR (parent="excel.exe" AND (child="powershell.exe" OR child="wscript.exe"))
| table _time, Computer, User, parent, child, CommandLine
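Hunts 1 and 4 both reduce a 4688 process-creation event to a lower-cased image name and match it against a small allow-list of interesting values. The block below, added here and not part of the original article, runs both checks over constructed 4688-style events; the field names (EventCode, Computer, User, ParentProcessName, NewProcessName, CommandLine) follow the SPL, and the LOLBin set and the Office parent/child pairs are the ones the two queries use.

```python
"""LOLBin (Hunt 1) and parent/child lineage (Hunt 4) checks over constructed 4688 events.

Added example, not code from the original article. Field names follow the SPL
queries; the events in SAMPLE_EVENTS are constructed, not real telemetry.
"""
from collections import defaultdict

# Hunt 1: image names the query treats as living-off-the-land binaries.
LOLBINS = {"mshta.exe", "wscript.exe", "cscript.exe", "regsvr32.exe",
           "rundll32.exe", "certutil.exe", "bitsadmin.exe"}

# Hunt 4: Office parent -> shell/script child pairs the query flags.
SUSPICIOUS_LINEAGE = {
    "winword.exe": {"powershell.exe", "cmd.exe"},
    "excel.exe": {"powershell.exe", "wscript.exe"},
}


def basename(path):
    """Lower-cased final path component, like mvindex(split(x, "\\"), -1) in SPL."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def hunt_lolbins(events):
    """Hunt 1: count LOLBin executions per (Computer, User, image) and collect command lines."""
    agg = defaultdict(lambda: {"count": 0, "cmds": set()})
    for e in events:
        if e.get("EventCode") != 4688:
            continue
        child = basename(e["NewProcessName"])
        if child in LOLBINS:
            key = (e["Computer"], e["User"], child)
            agg[key]["count"] += 1
            agg[key]["cmds"].add(e.get("CommandLine", ""))
    return dict(agg)


def hunt_lineage(events):
    """Hunt 4: return the events whose parent/child pair is in SUSPICIOUS_LINEAGE."""
    hits = []
    for e in events:
        if e.get("EventCode") != 4688:
            continue
        parent = basename(e["ParentProcessName"])
        child = basename(e["NewProcessName"])
        if child in SUSPICIOUS_LINEAGE.get(parent, ()):
            hits.append({"Computer": e["Computer"], "User": e["User"],
                         "parent": parent, "child": child,
                         "CommandLine": e.get("CommandLine", "")})
    return hits


# Constructed sample events (placeholder hosts, users and command lines).
SAMPLE_EVENTS = [
    {"EventCode": 4688, "Computer": "WS01", "User": "alice",
     "ParentProcessName": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -File macro_helper.ps1"},
    {"EventCode": 4688, "Computer": "WS01", "User": "alice",
     "ParentProcessName": r"C:\Windows\explorer.exe",
     "NewProcessName": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c dir"},
    {"EventCode": 4688, "Computer": "WS02", "User": "bob",
     "ParentProcessName": r"C:\Windows\System32\cmd.exe",
     "NewProcessName": r"C:\Windows\System32\certutil.exe",
     "CommandLine": "certutil.exe -hashfile report.pdf SHA256"},
    {"EventCode": 4688, "Computer": "WS02", "User": "bob",
     "ParentProcessName": r"C:\Windows\System32\cmd.exe",
     "NewProcessName": r"C:\Windows\System32\certutil.exe",
     "CommandLine": "certutil.exe -hashfile report.pdf SHA256"},
    {"EventCode": 4624, "Computer": "WS02", "User": "bob",
     "ParentProcessName": "", "NewProcessName": ""},  # a logon, not a process event
]


if __name__ == "__main__":
    for key, v in hunt_lolbins(SAMPLE_EVENTS).items():
        print("LOLBin", key, v["count"], sorted(v["cmds"]))
    for h in hunt_lineage(SAMPLE_EVENTS):
        print("Lineage", h["Computer"], h["User"], h["parent"], "->", h["child"])
```

Lower-casing the image name before matching is what makes the WINWORD.EXE parent match; without it the capitalisation Windows logs for the Office binaries would silently defeat the hunt.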

Operationalizing Hunt Findings

Every hunt results in: Incident Found (escalate immediately), Detection Gap Found (write a detection rule), or Clean Confirmed (document as audit trail evidence). In our environment, approximately 60% of production detection rules originated from threat hunting exercises rather than threat intelligence or vendor recommendations.

Measuring Hunt Effectiveness

  • Hunts per month - track cadence
  • New detection rules created from hunts - primary ROI measure
  • Dwell time reduction - hunts should surface attackers earlier
  • MTTD improvement over time - systematic hunting drives earlier detection