Threat Hunting & Applying CTI
From Intelligence to Action
The previous modules built your knowledge of CTI theory, IoC types, MITRE ATT&CK, and malware analysis. This final module answers the most important question: how do you actually use all of that to protect a network?
Consuming intelligence passively — reading reports, importing IoC feeds — is the baseline. The mature security program goes further: it hunts proactively for threats that evaded automated detection, builds precise detections from adversary TTPs, and feeds CTI directly into the incident response process.
Threat Hunting Fundamentals
Threat hunting is the proactive, human-led search for threats that have evaded existing security controls. Unlike alert-driven incident response — where you react to what a tool flags — threat hunting starts before an alert fires. The hunter assumes the environment is already compromised and goes looking for evidence.
Reactive vs Proactive Security
| Approach | Trigger | Goal | Limitation |
|---|---|---|---|
| Alert Response | SIEM/EDR fires an alert | Investigate and contain the flagged event | Only catches what detection rules already cover |
| Threat Hunting | Hunter's hypothesis or new CTI report | Find threats that bypassed all automated detection | Requires skilled analysts and rich telemetry |
| Penetration Testing | Scheduled engagement | Identify exploitable vulnerabilities before attackers do | Point-in-time; does not catch active attackers |
The Detection Gap
The Hunting Loop
1. Create Hypothesis: Based on CTI (a new APT report, a newly published TTP, or an anomaly spotted in logs), form a specific, testable hypothesis. Example: "APT29 uses WMI for lateral movement — are there suspicious WMI process creations in our environment?"
2. Gather Data: Identify which data sources are relevant to the hypothesis. Endpoint logs, network flow data, DNS logs, proxy logs, firewall logs — collect the right telemetry for the specific TTP.
3. Investigate: Query and analyze the data. Look for patterns that match the hypothesis. Compare against baselines. Pivot from one data point to related data to build a complete picture.
4. Uncover: Either find evidence of a threat (escalate to incident response) or confirm the environment is clean for this TTP (valuable negative finding — document it).
5. Inform and Improve: Convert findings into new detection rules so the next occurrence is caught automatically. Feed results back into the intelligence program. Update threat models.
Data Sources for Hunting
The quality of a hunt is directly limited by the quality and completeness of available telemetry. A hunter who can only see firewall logs is working blind to endpoint activity. The ideal hunting environment provides visibility across all layers.
| Data Source | What It Shows | Key for Detecting |
|---|---|---|
| Endpoint logs (Sysmon, EDR) | Process creation, file writes, registry changes, network connections per process | Malware execution, persistence mechanisms, lateral movement tools |
| Windows Event Logs | Logon events (4624, 4625, 4648), PowerShell activity (4104), scheduled tasks (4698) | Credential theft, brute force, living-off-the-land attacks |
| Network flow data (NetFlow/IPFIX) | IP conversations, ports, bytes, duration — no payload content | Unusual connections, large transfers, beaconing patterns |
| DNS logs | Every DNS query made by every host | C2 domain lookups, DNS tunneling, newly registered domains |
| Proxy / web gateway logs | Full URLs, user agents, response codes for HTTP/HTTPS traffic | Malware download, C2 over HTTP, data exfiltration via web |
| NGFW / firewall logs | Session logs with App-ID, URL category, threat events | Policy violations, blocked threats, unusual application use |
| Authentication logs (AD, LDAP) | Login events, failed attempts, privilege use, Kerberos tickets | Pass-the-hash, Kerberoasting, credential stuffing |
Log Retention Matters
Hypothesis-Based Hunting with MITRE ATT&CK
MITRE ATT&CK is the most practical source of hunting hypotheses. Each technique entry includes a description of how attackers implement it, what data sources are relevant, and how to detect it. This gives hunters a structured starting point.
Building a Hunt from an ATT&CK Technique
Example: You have CTI indicating a threat actor targeting your industry uses T1059.001 (PowerShell) for execution. The hunt workflow:
ATT&CK technique: T1059.001 — Command and Scripting Interpreter: PowerShell. Adversaries use PowerShell to execute commands, download payloads, and interact with the Windows API.
Data sources: Windows Event Log 4104 (PowerShell script block logging), Sysmon Event ID 1 (process creation), EDR telemetry.
Hypothesis: Are there PowerShell processes spawned by unusual parent processes (Word, Excel, Outlook, browser) — indicating malicious macro or phishing-initiated execution?
Hunt query: Search for powershell.exe where ParentProcessName is winword.exe, excel.exe, or a browser. Any hit is high fidelity — this does not happen legitimately.
Common High-Value Hunt Hypotheses
| Hypothesis | ATT&CK Technique | Indicator to Look For |
|---|---|---|
| PowerShell spawned from Office app | T1059.001 + T1566 | powershell.exe parent: winword.exe, excel.exe |
| Scheduled task created by script | T1053.005 | Event 4698 or schtasks.exe in command line |
| LSASS memory access | T1003.001 | Process accessing lsass.exe with read permissions (Mimikatz pattern) |
| Large DNS TXT responses | T1071.004 | DNS responses > 512 bytes, high query rate to same domain |
| Outbound SMB to internet | T1021.002 | TCP 445 to non-RFC1918 destination |
| Service installation | T1543.003 | Event 7045 — new service created at unusual time |
| Encoded PowerShell commands | T1059.001 | -EncodedCommand or -enc in PowerShell command line |
SIEM Hunting Queries
Most enterprise hunting happens inside a SIEM (Security Information and Event Management) platform. The specific query language varies by product — Splunk SPL, Elastic KQL, Microsoft Sentinel KQL, QRadar AQL — but the underlying logic is the same.
Splunk SPL Examples
| PowerShell spawned from Office — hunt for phishing-initiated execution
index=windows EventCode=1
| where process="*powershell.exe*"
AND (parent_process="*winword.exe*" OR parent_process="*excel.exe*"
OR parent_process="*outlook.exe*")
| table _time, host, user, parent_process, process, command_line
| Encoded PowerShell detection
index=windows EventCode=4104
| where like(ScriptBlockText, "%-EncodedCommand%")
OR like(ScriptBlockText, "%-enc %")
OR like(ScriptBlockText, "%FromBase64String%")
| table _time, host, user, ScriptBlockText
| Large outbound DNS response (potential tunneling)
index=network sourcetype=dns
| where query_type="TXT" AND answer_length > 512
| stats count by src_ip, query
| where count > 10
| sort -countMicrosoft Sentinel / KQL Examples
// Detect base64-encoded PowerShell in process creation events
SecurityEvent
| where EventID == 4688
| where CommandLine has_any ("-EncodedCommand", "-enc ", "FromBase64String")
| project TimeGenerated, Computer, Account, CommandLine
// New scheduled task created outside business hours
SecurityEvent
| where EventID == 4698
| extend Hour = hourofday(TimeGenerated)
| where Hour < 7 or Hour > 20
| project TimeGenerated, Computer, Account, TaskName
// Outbound connection from PowerShell process
DeviceNetworkEvents
| where InitiatingProcessFileName =~ "powershell.exe"
| where RemotePort in (80, 443, 8080, 8443)
| where not(ipv4_is_private(RemoteIP))
| project Timestamp, DeviceName, InitiatingProcessCommandLine, RemoteIP, RemotePortOperationalizing CTI — Turning Intelligence into Detections
Reading a CTI report and filing it away produces no security value. The goal is to convert every actionable piece of intelligence into a control or detection. This is called operationalizing CTI.
CTI Operationalization Workflow
Receive CTI: New report, IoC feed, ISAC bulletin, or internal hunt finding. Evaluate relevance — does this threat target our industry, region, or technology stack?
Extract IoCs: Pull IP addresses, domains, file hashes, URLs. Evaluate age and confidence — a 12-month-old IP from a criminal C2 may have been rotated away. Prioritize high-confidence, recent IoCs.
Block at controls: Push malicious IPs and domains to your NGFW, DNS security layer (e.g., PAN-OS DNS Security or Cisco Umbrella), and proxy. Import file hashes into EDR block lists.
Build detections: Convert TTPs and behavioral indicators into SIEM detection rules. These are more durable than IoC blocks — adversaries rotate IPs and domains, but TTPs change slowly.
Hunt historically: Query historical logs using the new IoCs and TTPs. Were you already compromised? Did this actor visit before the report was published?
Measure and tune: Track false positive rates on new rules. Too noisy and analysts ignore alerts. Too quiet and you are missing events. Tune until the rule is high-fidelity.
Pyramid of Pain Applied
The Pyramid of Pain (David Bianco, 2013) classifies indicators by how much pain it causes the adversary when defenders detect or block them. Operationalize from the top of the pyramid down:
| Indicator Type | Adversary Pain | Durability | Action |
|---|---|---|---|
| TTPs (techniques) | Very High — forces retooling | High | Build behavioral SIEM rules and hunting queries |
| Tools | High — must rebuild or find alternatives | High | Detect tool signatures, behavioral patterns, artifacts |
| Network/Host Artifacts | Moderate | Moderate | Monitor for C2 communication patterns, file paths, registry keys |
| Domain Names | Moderate | Low-Moderate | Block in DNS security, monitor for DGA patterns |
| IP Addresses | Low — easily rotated | Low | Block in firewall, but rotate quickly |
| Hash Values | Trivial — modify one byte | Very Low | Block in EDR, but do not rely on exclusively |
Building Detection Rules from CTI
A detection rule converts a threat behavior into an automated alert. Well-written rules are specific enough to be high-fidelity (low false positives) while broad enough to catch variations of the technique (not just one exact signature).
YARA Rule Construction
YARA rules match file characteristics — strings, byte patterns, and structural attributes. They are used in malware scanners, EDR, and sandbox tools.
rule Cobalt_Strike_Beacon_Generic {
meta:
description = "Detects common Cobalt Strike beacon patterns"
author = "Tacuns Academy"
confidence = "medium"
strings:
$cs1 = "%s (admin)" nocase
$cs2 = "beacon.x64.dll" nocase
$cs3 = "ReflectiveLoader" ascii
$cs4 = { 4D 5A 90 00 03 00 00 00 } // MZ header in shellcode
condition:
uint16(0) == 0x5A4D and // MZ header
filesize < 5MB and
2 of ($cs*)
}Sigma Rule Construction
Sigma is a vendor-agnostic rule format for SIEM detection rules. A Sigma rule can be compiled to Splunk SPL, Elastic KQL, Sentinel KQL, QRadar AQL, and others.
title: Suspicious PowerShell Encoded Command Execution
id: a7a5b4e7-c3d2-4f9e-8a1b-2e6d4c3b7f1a
status: stable
description: Detects PowerShell execution with encoded command argument
author: Tacuns Academy
date: 2026/05/01
tags:
- attack.execution
- attack.t1059.001
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: 'powershell.exe'
CommandLine|contains:
- '-EncodedCommand'
- '-enc '
- '-ec '
filter_legitimate:
ParentImage|endswith:
- 'msiexec.exe'
- 'sccm.exe'
condition: selection and not filter_legitimate
falsepositives:
- Legitimate software deployment tools using encoded commands
level: highCTI in Incident Response
CTI and incident response are tightly coupled. CTI accelerates every phase of the incident response lifecycle by answering the "who" and "how" that raw forensic evidence alone cannot answer.
| IR Phase | CTI Contribution |
|---|---|
| Preparation | Threat modeling based on relevant adversaries. Pre-build playbooks for likely attack scenarios. Configure detections before compromise. |
| Detection & Analysis | Match observed IoCs against CTI feeds. Cross-reference TTPs with MITRE ATT&CK to identify attacker stage and likely next steps. |
| Containment | CTI tells you which C2 infrastructure to block, which tools to hunt for, and how the attacker typically pivots — enabling more complete containment. |
| Eradication | CTI attribution helps identify all persistence mechanisms the attacker group is known to use, reducing the risk of leaving backdoors behind. |
| Recovery | Understand attacker objectives — if the group is known for data theft, verify exfiltration scope. If ransomware, check for double-extortion staging. |
| Post-Incident | Contribute new IoCs and TTPs back to the CTI program. Update threat models. Share with ISACs to help peer organizations. |
Pivoting During Incident Response
Pivoting is the technique of using one piece of evidence to find related evidence. CTI provides the context that makes pivoting productive:
- You find a malicious IP in firewall logs → pivot to DNS logs to find all hosts that resolved the C2 domain → pivot to endpoint logs on those hosts to find the malware
- You find a suspicious file hash → search CTI platforms (VirusTotal, MISP) to find related samples → extract shared YARA strings → hunt for all variants across endpoints
- You find an anomalous scheduled task → check if the task name or binary matches known APT tooling → scope the compromise to all hosts with that task
- You find a lateral movement event → CTI attributes it to a group that uses Mimikatz → hunt all endpoints for lsass.exe memory access events from that time window
Threat Intelligence Platforms (TIPs)
A Threat Intelligence Platform is a tool that aggregates CTI from multiple sources, normalizes it into a common format (typically STIX), enriches IoCs with context, and distributes actionable intelligence to security controls and analyst workflows.
| Platform | Type | Key Features |
|---|---|---|
| MISP | Open-source | Community-driven IoC sharing, STIX/TAXII, correlation, event management |
| OpenCTI | Open-source | Graph-based relationship visualization, MITRE ATT&CK mapping, STIX 2.1 |
| ThreatConnect | Commercial | TIP + SOAR integration, team collaboration, automated enrichment |
| Anomali ThreatStream | Commercial | Large IoC feed aggregation, SIEM integration, actor tracking |
| Recorded Future | Commercial | Real-time threat intelligence, dark web monitoring, risk scoring |
| VirusTotal | Freemium | File/URL/IP/domain reputation, behavior analysis, YARA hunting |
STIX and TAXII
Measuring CTI Program Effectiveness
- Mean Time to Detect (MTTD) — did CTI-driven detections catch threats faster than before?
- Mean Time to Respond (MTTR) — did CTI context accelerate analyst investigation and containment decisions?
- IoC block rate — what percentage of known-bad IoCs were blocked before they reached endpoints?
- Hunt finding rate — how many hunts resulted in confirmed threat findings vs total hunts run?
- Detection coverage — what percentage of relevant ATT&CK techniques are covered by current detection rules?
- False positive rate — are new CTI-driven detections actionable, or drowning analysts in noise?
- Intelligence relevance — how much of consumed CTI directly applies to your industry and technology stack?
CTI Maturity
Course Complete