Loopus



Hypothesis-Driven Hunting

35 min
lab
+60 XP

Learning Objectives

  • Apply hunting techniques to common attack patterns
  • Develop queries for persistence and lateral movement
  • Analyze results to distinguish threats from benign activity

Hunting Techniques

Effective hunting requires understanding what attackers do and where evidence appears. This lesson covers hunting techniques for common attack phases: persistence establishment, credential theft, and lateral movement.

Hunting for Persistence

Attackers establish persistence to survive reboots and maintain access. Common mechanisms leave discoverable traces:

Scheduled tasks - Query Task Scheduler logs or enumerate registered tasks. Security event 4698 records task creation when "Other Object Access" auditing is enabled, and the Microsoft-Windows-TaskScheduler/Operational log records registration as event 106. Look for recently created tasks, unusual executable paths, or tasks running under privileged accounts.

Registry run keys - Examine HKLM\Software\Microsoft\Windows\CurrentVersion\Run, the HKCU equivalent, and the RunOnce keys. New entries or modifications to existing entries warrant investigation, particularly values that point outside Program Files or the Windows directory.

Services - New services or modifications to existing ones can hide backdoors. System log event 7045 records every new service installation with its image path. Look for services with unusual binaries, random names, or running from temp locations.

Startup folders - Files in startup folders (the all-users folder under ProgramData and each user's %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup) execute at logon. Simple but still effective.

WMI persistence - Event subscriptions (an __EventFilter, a consumer such as CommandLineEventConsumer, and a __FilterToConsumerBinding in the root\subscription namespace) can trigger arbitrary execution. Less visible than registry-based methods; Sysmon records filter, consumer and binding creation as events 19, 20 and 21.
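The "look for the unusual" advice above is stack counting in practice: tally every persistence entry across the fleet, then examine the values that occur on only one or two hosts, since deployed software stacks up and an implant does not. The Python below, an added example that is not part of the Loopus lesson, runs that count over a constructed inventory of Run keys, scheduled tasks and services; the user-writable-path and encoded-PowerShell heuristics and the rarity threshold are assumptions to tune for a real environment.

```python
"""Stack-count persistence entries across hosts and flag the rare ones.

Added example, not part of the Loopus lesson. The inventory is constructed
to look like a per-host dump of Run keys, scheduled tasks and services (one
row per host per entry); in practice it would come from an Autoruns export,
an EDR sensor, or Get-ItemProperty / Get-ScheduledTask / Get-Service output.
"""
import re
from collections import defaultdict

# Constructed input: (host, mechanism, entry name, command line).
PERSISTENCE_INVENTORY = [
    ("WS01", "run_key", "OneDrive", r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"),
    ("WS02", "run_key", "OneDrive", r"C:\Users\bob\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"),
    ("WS03", "run_key", "OneDrive", r"C:\Users\carol\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"),
    ("WS01", "sched_task", "GoogleUpdateTaskMachineUA", r"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe /ua"),
    ("WS02", "sched_task", "GoogleUpdateTaskMachineUA", r"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe /ua"),
    ("WS03", "sched_task", "GoogleUpdateTaskMachineUA", r"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe /ua"),
    ("WS02", "sched_task", "SystemUpdate", r"powershell.exe -nop -w hidden -enc SQBFAFgA..."),
    ("WS01", "service", "wuauserv", r"C:\Windows\system32\svchost.exe -k netsvcs"),
    ("WS02", "service", "wuauserv", r"C:\Windows\system32\svchost.exe -k netsvcs"),
    ("WS03", "service", "wuauserv", r"C:\Windows\system32\svchost.exe -k netsvcs"),
    ("WS03", "service", "qzpkd", r"C:\Users\Public\svc.exe"),
]

# Per-user profile paths differ on every host; collapse them so the same
# software stacks together. C:\Users\Public is shared, so it is kept as-is.
USER_PROFILE = re.compile(r"c:\\users\\(?!public\\)[^\\]+", re.IGNORECASE)
# User-writable locations where autostart binaries rarely belong (assumed list).
WRITABLE_DIRS = re.compile(r"\\(users\\public|appdata\\local\\temp|windows\\temp)\\", re.IGNORECASE)
# PowerShell launched with an encoded command: -e, -ec, -enc or -EncodedCommand.
ENCODED_PS = re.compile(r"powershell(\.exe)?.*\s-(e|ec|enc|encodedcommand)\b", re.IGNORECASE)


def normalize_command(command: str) -> str:
    """Lower-case the command line and replace the user profile directory with a placeholder."""
    return USER_PROFILE.sub(r"c:\\users\\<user>", command.strip().lower())


def stack_count(inventory):
    """Map (mechanism, normalized command) -> set of hosts on which it appears."""
    hosts_by_entry = defaultdict(set)
    for host, mechanism, _name, command in inventory:
        hosts_by_entry[(mechanism, normalize_command(command))].add(host)
    return hosts_by_entry


def hunt_persistence(inventory, rare_threshold=1):
    """Return entries that are rare across the fleet or match a suspicious-content heuristic."""
    hosts_by_entry = stack_count(inventory)
    findings = []
    for host, mechanism, name, command in inventory:
        norm = normalize_command(command)
        reasons = []
        prevalence = len(hosts_by_entry[(mechanism, norm)])
        if prevalence <= rare_threshold:
            reasons.append(f"rare: seen on {prevalence} host(s)")
        if WRITABLE_DIRS.search(norm):
            reasons.append("binary in user-writable directory")
        if ENCODED_PS.search(norm):
            reasons.append("encoded PowerShell command")
        if reasons:
            findings.append({"host": host, "mechanism": mechanism, "name": name,
                             "command": command, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in hunt_persistence(PERSISTENCE_INVENTORY):
        print(f"{f['host']:5} {f['mechanism']:11} {f['name']:26} {'; '.join(f['reasons'])}")
```

On the constructed inventory the three OneDrive entries collapse to one value seen on three hosts and drop out, while the encoded-PowerShell task on WS02 and the service running from C:\Users\Public on WS03 are each flagged twice, once for rarity and once on content. Rarity alone is the weaker signal: a single-host entry is often a one-off admin tool, so the content heuristics and the prevalence count are meant to be read together.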

Hunting for Credential Theft

Credential access enables further compromise. Hunting focuses on tool usage and access patterns:

LSASS access - Few legitimate processes open LSASS memory with read rights (antivirus engines and some crash handlers do). Detections of Mimikatz and other dumpers key on that access pattern: Sysmon event 10 (ProcessAccess) with TargetImage lsass.exe and a GrantedAccess mask that includes PROCESS_VM_READ (0x0010), such as 0x1010 or 0x1410, from a source image that is not a known security product.

NTDS.dit access - The domain controller database contains every domain account's password hash. It is locked while Active Directory runs, so attackers copy it through a Volume Shadow Copy (vssadmin, diskshadow) or an ntdsutil "ifm" export; either on a domain controller indicates domain-wide credential theft.

Kerberos patterns - Kerberoasting requests service tickets for accounts with SPNs, preferring RC4 (encryption type 0x17) because it is cheapest to crack: hunt Security event 4769 for one account requesting many RC4 service tickets in a short window. Golden tickets are TGTs forged from the krbtgt hash, so they show up as service ticket requests (4769) on the domain controllers with no matching TGT request (4768) for that account, and may carry unusual lifetimes.

SAM database access - The local credential database (HKLM\SAM, backed by %SystemRoot%\System32\config\SAM) is normally opened only by the system itself. Exports such as "reg save HKLM\SAM", copies taken from a shadow copy, or reads by ordinary processes are credential theft.
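The LSASS and Kerberoasting hunts above translate directly into queries over event data. The Python below, an added example that is not part of the Loopus lesson, runs both over constructed Sysmon event 10 and Security event 4769 records (field names follow the event XML); the allowlist of legitimate LSASS readers, the RC4 request threshold and the time bucket are assumptions to tune from your own baseline.

```python
"""Two credential-theft hunts over constructed Windows event records.

Added example, not from the Loopus lesson. The records imitate Sysmon event 10
(ProcessAccess) and Security event 4769 (Kerberos service ticket request);
allowlist, threshold and bucket size are assumptions.
"""
from collections import defaultdict
from datetime import datetime

PROCESS_VM_READ = 0x0010  # required to read LSASS memory; set in 0x1010, 0x1410 and 0x1FFFFF

# Processes that legitimately open LSASS with read access (assumed; extend from your baseline).
LSASS_READERS_ALLOWLIST = {
    r"c:\program files\windows defender\msmpeng.exe",
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
}

SYSMON_PROCESS_ACCESS = [  # constructed Sysmon event 10 records
    {"Computer": "WS02", "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
    {"Computer": "WS02", "SourceImage": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"Computer": "WS02", "SourceImage": r"C:\Users\bob\Downloads\update.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"Computer": "WS01", "SourceImage": r"C:\Windows\System32\Taskmgr.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe", "GrantedAccess": "0x1FFFFF"},
]

KERBEROS_TGS = [  # constructed Security event 4769 records (ServiceName is the service account)
    {"TimeCreated": "2024-05-01T10:00:00", "TargetUserName": "bob@CORP.LOCAL", "ServiceName": "krbtgt", "TicketEncryptionType": "0x17"},
    {"TimeCreated": "2024-05-01T10:00:05", "TargetUserName": "bob@CORP.LOCAL", "ServiceName": "svc_sql", "TicketEncryptionType": "0x17"},
    {"TimeCreated": "2024-05-01T10:00:40", "TargetUserName": "bob@CORP.LOCAL", "ServiceName": "svc_web", "TicketEncryptionType": "0x17"},
    {"TimeCreated": "2024-05-01T10:01:15", "TargetUserName": "bob@CORP.LOCAL", "ServiceName": "svc_iis", "TicketEncryptionType": "0x17"},
    {"TimeCreated": "2024-05-01T10:01:50", "TargetUserName": "bob@CORP.LOCAL", "ServiceName": "svc_backup", "TicketEncryptionType": "0x17"},
    {"TimeCreated": "2024-05-01T10:02:30", "TargetUserName": "bob@CORP.LOCAL", "ServiceName": "svc_report", "TicketEncryptionType": "0x17"},
    {"TimeCreated": "2024-05-01T10:05:00", "TargetUserName": "alice@CORP.LOCAL", "ServiceName": "svc_sql", "TicketEncryptionType": "0x12"},
    {"TimeCreated": "2024-05-01T10:06:00", "TargetUserName": "alice@CORP.LOCAL", "ServiceName": "svc_web", "TicketEncryptionType": "0x12"},
]


def find_lsass_readers(events):
    """ProcessAccess events where a non-allowlisted process opened LSASS with PROCESS_VM_READ."""
    hits = []
    for e in events:
        if not e["TargetImage"].lower().endswith(r"\lsass.exe"):
            continue
        if not int(e["GrantedAccess"], 16) & PROCESS_VM_READ:
            continue  # query-only handles cannot dump memory
        if e["SourceImage"].lower() in LSASS_READERS_ALLOWLIST:
            continue
        hits.append(e)
    return hits


def find_kerberoasting(events, min_services=5, bucket_minutes=10):
    """Accounts requesting RC4 (0x17) service tickets for many distinct services in one time bucket.

    Buckets are fixed, clock-aligned windows, so a burst straddling a boundary can be
    missed; a sliding window is the stricter alternative at the cost of more work.
    """
    seen = defaultdict(set)  # (account, bucket start) -> service accounts requested
    for e in events:
        if e["TicketEncryptionType"].lower() != "0x17":
            continue
        svc = e["ServiceName"]
        if svc.lower() == "krbtgt" or svc.endswith("$"):
            continue  # TGT renewals and machine accounts are not roastable targets
        t = datetime.fromisoformat(e["TimeCreated"])
        start = t.replace(minute=t.minute - t.minute % bucket_minutes, second=0, microsecond=0)
        seen[(e["TargetUserName"], start)].add(svc)
    return {acct: sorted(svcs) for (acct, _), svcs in seen.items() if len(svcs) >= min_services}


if __name__ == "__main__":
    for e in find_lsass_readers(SYSMON_PROCESS_ACCESS):
        print(f"LSASS read on {e['Computer']} by {e['SourceImage']} (access {e['GrantedAccess']})")
    for acct, svcs in find_kerberoasting(KERBEROS_TGS).items():
        print(f"possible Kerberoasting by {acct}: {', '.join(svcs)}")
```

Two practical notes. Raising the LSASS hunt on the access mask rather than on "any handle to lsass.exe" is what keeps it quiet: svchost and many management agents open LSASS with 0x1000 (PROCESS_QUERY_LIMITED_INFORMATION) constantly and cannot read memory with it. For Kerberoasting, an environment that still has RC4-only service accounts will produce legitimate 0x17 requests, so the threshold is on distinct services per account per window, not on any single RC4 ticket.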

Hunting for Lateral Movement

Movement between systems uses legitimate protocols with malicious intent:

SMB activity - File sharing protocols also enable remote execution. Unusual sharing patterns, remote service creation, or file staging across shares indicate movement. Hunt Security event 5140 (share accessed) for ADMIN$ and C$ connections from workstations, and System event 7045 on the destination for services installed over SMB (PsExec registers PSEXESVC by default).

Remote execution - PsExec, WMI, WinRM, and PowerShell remoting all enable remote code execution. Baseline normal usage to identify anomalous patterns: which accounts and source hosts use each, and when. Parent processes on the target help attribute the channel: WMI execution spawns from WmiPrvSE.exe and WinRM or PowerShell remoting from wsmprovhost.exe.

RDP sessions - Remote desktop to servers from workstations, especially outside normal patterns. Security event 4624 with logon type 10 on the destination records the session and the source address.

Authentication patterns - Same account authenticating across many systems rapidly (4624 logon type 3 events on many hosts within minutes). Unusual source-destination pairs, in particular workstation-to-workstation logons, which most environments rarely need.

Analyzing Results

Hunt results rarely produce clean "definitely malicious" conclusions. Analyze findings in context:

  • Is this behavior expected for this user/system?

  • What preceded and followed this activity?

  • Does the pattern match known attack techniques?

  • What alternative explanations exist?


Document findings regardless of conclusion. Future hunts benefit from knowing what you investigated and what you learned.

Questions

  • Question 1 (Knowledge): What are common hunting techniques?
  • Question 2 (Hands-On): What term describes hiding scripts in memory?
  • Question 3 (Knowledge): How do you use stack counting?
  • Question 4 (Hands-On): What term describes a rare value in a data set?
