Cyber threat hunting is a proactive, offense-minded approach to cyber defense. Threat hunters iteratively search through networks to detect indicators of compromise and APT activity. Threat hunters are skilled enough to recognize, isolate, and defuse APTs that are not detected by security monitoring tools. These can include outside intruders or insider threats by employees. Cyber threat hunters must specify which threat actor they are trying to find.
One indicator of C2 communication is frequent communication with Telegram and Discord coupled with an API call to an IP lookup service at the beginning of the traffic.[^3] You should also look for uncommon User Agents.[^3] Software that spawns other processes, or Windows processes that have an unusual parent application, should also be suspect.[^3] You can look for processes whose metadata contains spelling mistakes, or binaries that are not signed by Microsoft.[^3] Pivoting from one node to another can reveal the threat actor's cluster infrastructure.
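The two network-side indicators above (an IP-lookup call followed by frequent Telegram/Discord traffic, and a user agent that is rare across the fleet) as detection logic run over constructed proxy-log records. This is an added example, not code from the note or from the cited Dragos post; the domain lists, thresholds and log layout are assumptions.

```python
# Added example: score hosts in constructed proxy logs for the C2 pattern
# described above. Domain lists and thresholds are assumptions for illustration.
from collections import defaultdict

IP_LOOKUP = {"api.ipify.org", "ifconfig.me", "ip-api.com"}   # assumed lookup services
MESSENGER_API = {"api.telegram.org", "discord.com"}          # assumed messenger APIs
MIN_MESSENGER_HITS = 4   # assumed threshold for "frequent"
RARE_UA_HOSTS = 1        # a UA seen on this many hosts or fewer is "uncommon"

# Constructed proxy-log records: (timestamp, host, destination, user_agent)
LOGS = [
    (1, "ws-01", "api.ipify.org",    "python-requests/2.31"),
    (2, "ws-01", "api.telegram.org", "python-requests/2.31"),
    (3, "ws-01", "discord.com",      "python-requests/2.31"),
    (4, "ws-01", "api.telegram.org", "python-requests/2.31"),
    (5, "ws-01", "api.telegram.org", "python-requests/2.31"),
    (1, "ws-02", "discord.com",      "Mozilla/5.0 (Windows NT 10.0)"),
    (2, "ws-02", "discord.com",      "Mozilla/5.0 (Windows NT 10.0)"),
    (1, "ws-03", "www.example.com",  "Mozilla/5.0 (Windows NT 10.0)"),
]

def rare_user_agents(logs):
    """User agents observed on RARE_UA_HOSTS or fewer distinct hosts."""
    hosts_per_ua = defaultdict(set)
    for _, host, _, ua in logs:
        hosts_per_ua[ua].add(host)
    return {ua for ua, hosts in hosts_per_ua.items() if len(hosts) <= RARE_UA_HOSTS}

def score_hosts(logs):
    """Map each suspicious host to the list of heuristics it triggered."""
    rare = rare_user_agents(logs)
    by_host = defaultdict(list)
    for rec in sorted(logs):              # timestamp order within each host
        by_host[rec[1]].append(rec)
    findings = {}
    for host, recs in by_host.items():
        dests = [d for _, _, d, _ in recs]
        reasons = []
        # locate the first IP-lookup call, then count messenger traffic after it
        first_lookup = next((i for i, d in enumerate(dests) if d in IP_LOOKUP), None)
        if first_lookup is not None:
            later = sum(d in MESSENGER_API for d in dests[first_lookup + 1:])
            if later >= MIN_MESSENGER_HITS:
                reasons.append("IP lookup followed by frequent Telegram/Discord traffic")
        if any(ua in rare for _, _, _, ua in recs):
            reasons.append("uncommon user agent")
        if reasons:
            findings[host] = reasons
    return findings
```

Only ws-01 is flagged: ws-02 also talks to Discord, but without a preceding IP lookup and with a user agent shared by other hosts.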
You should pay attention to port numbers, patterns, tool names, hosting ASNs and TLS certificates. Once you have found a node, you can pivot to other nodes by searching for the SSH key fingerprint and ASN. Indicators of related domains include: shared historical web hosting servers across all domains, common naming conventions in registrant emails, the same WordPress software/theme, anonymous staff writers, hard-coded weather widgets, broken social media links, and solicitations for content and news tips.[^4] You can identify relevant code in a file, extract only the interesting strings, create a whitelist database from the strings of clean files, extract the interesting strings from a new sample that are not in the whitelist database, and then make a YARA rule from them.[^5] When you are looking for attribution of a cyber event, you may need to look back on historical data from 10 years earlier, or even more.[^5]
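The string-whitelist workflow described above, carried through on constructed byte samples: clean files feed a whitelist, the strings a new sample adds on top of it become candidates, and a YARA rule is rendered from them. This is an added example, not code from the note or from the cited talk; the minimum string length, the sample contents and the rule name are assumptions.

```python
# Added example: whitelist strings from clean files, keep only what a new
# sample adds, and render a YARA rule. Thresholds and samples are constructed.
import re

MIN_LEN = 6            # assumed minimum length for an "interesting" string
ASCII_RE = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
UTF16_RE = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)

def extract_strings(data: bytes) -> set[str]:
    """Printable ASCII and UTF-16LE runs of at least MIN_LEN characters."""
    found = {m.group().decode("ascii") for m in ASCII_RE.finditer(data)}
    found |= {m.group().decode("utf-16-le") for m in UTF16_RE.finditer(data)}
    return found

def build_whitelist(clean_samples) -> set[str]:
    """Union of all strings seen in known-clean files."""
    wl = set()
    for data in clean_samples:
        wl |= extract_strings(data)
    return wl

def novel_strings(sample: bytes, whitelist: set[str]) -> list[str]:
    """Strings in the sample that no clean file contained, sorted for stable output."""
    return sorted(extract_strings(sample) - whitelist)

def yara_escape(s: str) -> str:
    """Escape backslashes and quotes for a YARA text string."""
    return s.replace("\\", "\\\\").replace('"', '\\"')

def yara_rule(name: str, strings: list[str], min_match: int = 2) -> str:
    """Render a rule that fires when min_match of the candidate strings are present."""
    lines = [f"rule {name}", "{", "    strings:"]
    for i, s in enumerate(strings):
        lines.append(f'        $s{i} = "{yara_escape(s)}"')
    lines += ["    condition:", f"        {min(min_match, len(strings))} of them", "}"]
    return "\n".join(lines)

# Constructed samples: strings typical of two clean binaries, and one suspect file
CLEAN = [b"\x00MZ\x90kernel32.dll\x00GetProcAddress\x00Copyright Example Corp\x00",
         b"MZ\x00user32.dll\x00MessageBoxW\x00kernel32.dll\x00"]
SUSPECT = (b"MZ\x00kernel32.dll\x00GetProcAddress\x00"
           b"C:\\Users\\dev\\Release\\stager.pdb\x00api.telegram.org/bot\x00\x00"
           + "api.ipify.org".encode("utf-16-le") + b"\x00")
```

`kernel32.dll` and `GetProcAddress` drop out because the clean files contain them; the build path, the bot URL and the UTF-16 lookup host survive and become the rule body.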
You can use tools such as Scrapy, ELK Stack, MISP, and YARA. You can use similarity of build path strings and code structure to identify software developed by the same developer.[^6] Your reports should give a date, hashes for processed files, domains tied to the hashes, and IP addresses tied to the domains, followed by granular details such as YARA rules. You must show your work just like a math problem. Infected files in an infrastructure may have the same GUID number.[^7] Cyber threat hunting is the ability to search through network and configuration data to identify events and misconfigurations that would indicate malicious activity.[^8] Threat hunting requires visibility into your network.[^8]
It requires pulling data from multiple disparate systems to answer specific questions.[^8] In cyber threat hunting, you assume that a compromise has already happened.[^8] Threat hunting involves gathering intelligence on adversary behavior and recent activity.[^8] Threat hunters only need to be right once in an investigation.[^10] Some things that you might consider collecting during a hunt are: system memory, live response data, pagefiles, $MFT files, Windows event logs, and Registry hives.[^11]
[[Network Traffic Analysis]] – used in Cyber threat hunting
[[Social Engineering]] – You may not get to what is happening with a scam until you start to engage with the scammers
[[Linkage Blindness]]
[[Scrapy]] – Python scraping tool
[[ELK Stack]]
[[MISP]]
[[Yara Rules]] – can be used for threat hunting
Honeypot – can be used for threat hunting
Backlinks
[[APT Groups]]
[[Cyber Threat Intelligence]]
Indicators of Compromise
[[Insider Threats]]
IP Addresses
[[TLS Certificate Matching]]
[[User Agent Strings]]
[[Yara Rules]]
Sources
[1]sanog_orgThreatHunting
[2] “Memetic Warfare 2: Electric Boogaloo,” Memeticwarfare. [Online]. Available: https://www.memeticwarfare.io/p/memetic-warfare-2-electric-boogaloo
[3] J. Hanrahan, “Instant Messaging-Based Adversarial C2 Techniques and How to Detect Them,” Dragos Blog, Mar. 02, 2023. [Online]. Available: https://www.dragos.com/blog/how-to-detect-adversarial-c2-techniques-in-instant-messaging/
[4] “Iranian IO Domains – Sneak Peek,” Memeticwarfare. [Online]. Available: https://www.memeticwarfare.io/p/iranian-io-domains-sneak-peek
[5] “Area41 2018: Costin Raiu: Keynote,” Jun. 15, 2018. [Online]. Available: https://www.youtube.com/watch?v=jeLd-gw2bWo
[6] “Countering Chinese State-Sponsored Actors Compromise of Networks Worldwide to Feed Global Espionage System,” Aug. 2025. [Online]. Available: https://media.defense.gov/2025/Aug/22/2003786665/-1/-1/0/CSA_COUNTERING_CHINA_STATE_ACTORS_COMPROMISE_OF_NETWORKS.PDF
[7] “Fox Kitten Campaign.” Feb. 2020. [Online]. Available: https://www.clearskysec.com/wp-content/uploads/2020/02/ClearSky-Fox-Kitten-Campaign.pdf
[8] “Introduction to Threat Hunting,” 2023. [Online]. Available: https://apps.dtic.mil/sti/trecms/pdf/AD1214459.pdf
[9]Defcon33Dingledine
[10] “The Nearest Neighbor Attack: How A Russian APT Weaponized Nearby Wi-Fi Networks for Covert Access,” Dec. 05, 2024. [Online]. Available: https://www.youtube.com/watch?v=OmrzQ2dfaGY