Sort your results to find unique command strings that have run only once or twice across the entire company over the last 30 days.

Step 4: Respond, Automate, and Document
[Raw Data] ➔ [Information] ➔ [Intelligence] ➔ [Actionable Security Action]

The Three Levels of Threat Intelligence
Active Directory logins, Kerberos ticket requests, OAuth grant allocations, and multi-factor authentication (MFA) failures or bypass attempts.
To help tailor more advanced hunting content for your specific environment, let me know:
Details regarding specific inbound campaigns, actor capabilities, and the Tactics, Techniques, and Procedures (TTPs) favored by threat groups.
Threat hunting is a focused, human-led process of proactively searching through endpoints, networks, and cloud environments to detect malicious activities that have already evaded automated security defenses.
If a compromise is uncovered, immediately transition to the Incident Response (IR) playbook to isolate the host. If no compromise is found, document the hunt, refine the query criteria, and convert the logic into a permanent automated alert within your SIEM.

Open-Source Tooling for Threat Intelligence and Hunting

                  ▲
                 / \
                /   \   TTPs (Tactics, Techniques & Procedures) - Toughest to change
               /-----\
              /       \ Tools - Challenging to replace
             /---------\
            |           | Network/Host Artifacts - Annoying to fix
            |-----------|
            |           | Domain Names - Simple to swap
            |-----------|
            |           | IP Addresses - Easy to change
            |-----------|
            |           | Hash Values - Trivial to modify
            └───────────┘
Whether you want to focus on cloud environments (AWS, Azure) or traditional on-premises Active Directory environments.