Threat Hunting Hypothesis Examples: Five Hunts to Start Out

Introduction

Structured threat hunting (often referred to as hypothesis-based hunting) remains one of the best ways that organizations can find previously undetected threats in their environment. It works so well because it structures the hunt around a central proposition, and at the end of the hunt, hunt teams can say, with a high degree of certainty, whether their organization has been impacted by an adversary, behavior, or technique. Despite this, hunters often struggle with divining a hypothesis and building a hunt around it. As a result, we’ve put together a list of the best starter threat hunting hypothesis examples that teams can put into practice right away.

What is a Hunting Hypothesis?

Before we dive into the list, though, we first need to answer the question “what is a threat hunting hypothesis?”

Threat Hunting Hypothesis #1 — Potential Maldoc Execution Chain

Level of Complexity: Easy

Threat Hunting Hypothesis #2 — PowerShell Encoded Command Execution

Level of Complexity: Easy

Threat Hunting Hypothesis #3 — Attempted VBScript Stored in Non-Run CurrentVersion Registry Key Value

Level of Complexity: Medium

Threat Hunting Hypothesis #4 — Cobalt Strike Beacon Default C2 Structure

Level of Complexity: Medium

Threat Hunting Hypothesis #5 — LSASS Memory Dumping using WerFault.exe

Level of Complexity: Medium

Conclusion

Did you like these hypotheses? Get access to dozens more by signing up for a HUNTER account today. Get your free account here and use promo code ‘HUNTHYPOTHESIS’.

Cyborg Security

Cyborg Security is a pioneer in cybernetic threat hunting, delivering an advanced, actionable threat hunting platform.