Plan a Hunt

When you hunt, careful planning is essential to maximize your time and find valuable results.

Set goals for a hunt

You must understand and articulate - in real language - what you want to search for.

First, determine what you want to search for:

  • Are you looking for characteristics - such as a specific file, certain IP addresses or domain names, or file hashes?

  • Are you searching for certain behaviors - such as processes launching certain types of child processes, processes behaving in uncharacteristic ways, and so forth?

Also, you can use a pyramid-based approach that works from general to specific.

  • If you focus on characteristics, at a general level, look for items like files, processes, file hashes, domain names, IP addresses, and so forth. At a more specific level, search for specific tools, such as Mimikatz or the PowerShell Empire framework.

  • When looking for behaviors, there are many broad approaches to take, such as looking for code injection, or processes running PowerShell. However, you can be very specific in your search. For example, search for behaviors like processes elevating child processes to a SYSTEM user level. The more specific your search, the more meaningful the results and the more likely you are to find something truly malicious.

The answers to these questions will help you start to plan your goals for a hunt.

After you consider your search criteria, write down and explain your search goal.

List your indicators of malicious behavior

Once you state your goal, make a list of the indicators that will lead you to it. These indicators are the specifics you want to find:

  • For what items are you looking - Processes? Connections? Certain users or machines? These are the starting point of the hunting query.

  • What are the characteristics of these items - such as file names, file hashes, reputations, and so forth?

  • What are the behaviors of these items - are you looking for a process engaging in a certain behavior? Or a connection doing something specific?

  • Are there connections between different items - does a process open a connection? Does a machine have multiple users?

Next steps

Once you list the indicators you want to find, you are ready to build queries. You create queries to hunt for specific items and run these queries on a regular basis. Then, you analyze the results to see any evidence of malicious activity. See the Build a Query topic to learn how to construct queries.
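To show how a written goal and its indicator list turn into something you can run, here is an added example (not part of this documentation or of any product query language) in Python: it encodes characteristic indicators (a tool name and a file hash) and two behavioral indicators from the page (an Office application spawning PowerShell, and a child process running as SYSTEM under an ordinary-user parent) and runs them over a few constructed process-creation records. The record fields, the hash value, and the tool and application name lists are assumptions for illustration.

```python
# Hunt plan expressed as data, then run over constructed process-creation records.
HUNT_GOAL = "Find Office-spawned PowerShell and user-to-SYSTEM elevation on workstations"

# Characteristic indicators (constructed placeholders, not real IoCs)
KNOWN_BAD_HASHES = {"deadbeef00"}                 # placeholder file hash
KNOWN_BAD_NAMES = {"mimikatz.exe"}                # tool named on the page
OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe"}   # assumed list
SCRIPT_CHILDREN = {"powershell.exe", "pwsh.exe"}               # assumed list
SYSTEM_USER = "NT AUTHORITY\\SYSTEM"

# Constructed process-creation records: host, pid, ppid, image, user, sha256
EVENTS = [
    {"host": "ws01", "pid": 100, "ppid": 1,   "image": "explorer.exe",   "user": "CORP\\alice", "sha256": "1111"},
    {"host": "ws01", "pid": 200, "ppid": 100, "image": "winword.exe",    "user": "CORP\\alice", "sha256": "2222"},
    {"host": "ws01", "pid": 300, "ppid": 200, "image": "powershell.exe", "user": "CORP\\alice", "sha256": "3333"},
    {"host": "ws01", "pid": 310, "ppid": 200, "image": "splwow64.exe",   "user": "CORP\\alice", "sha256": "4444"},
    {"host": "ws02", "pid": 500, "ppid": 1,   "image": "services.exe",   "user": SYSTEM_USER,   "sha256": "5555"},
    {"host": "ws02", "pid": 510, "ppid": 500, "image": "svchost.exe",    "user": SYSTEM_USER,   "sha256": "6666"},
    {"host": "ws02", "pid": 600, "ppid": 1,   "image": "cmd.exe",        "user": "CORP\\bob",   "sha256": "7777"},
    {"host": "ws02", "pid": 610, "ppid": 600, "image": "helper.exe",     "user": SYSTEM_USER,   "sha256": "8888"},
    {"host": "ws03", "pid": 700, "ppid": 1,   "image": "mimikatz.exe",   "user": "CORP\\carol", "sha256": "deadbeef00"},
]

def hunt(events):
    """Return (host, pid, reason) findings for characteristic and behavioral indicator matches."""
    by_key = {(e["host"], e["pid"]): e for e in events}   # parent lookup per host
    findings = []
    for e in events:
        # Characteristics: exact match on a known hash or a known tool name
        if e["sha256"] in KNOWN_BAD_HASHES or e["image"].lower() in KNOWN_BAD_NAMES:
            findings.append((e["host"], e["pid"], "characteristic: known tool/hash"))
        parent = by_key.get((e["host"], e["ppid"]))
        if parent is None:
            continue   # behavioral checks need the parent/child relationship
        # Behavior: Office application spawning PowerShell
        if parent["image"].lower() in OFFICE_PARENTS and e["image"].lower() in SCRIPT_CHILDREN:
            findings.append((e["host"], e["pid"], "behavior: office parent -> powershell child"))
        # Behavior: child runs as SYSTEM while its parent runs as an ordinary user
        if e["user"] == SYSTEM_USER and parent["user"] != SYSTEM_USER:
            findings.append((e["host"], e["pid"], "behavior: user parent -> SYSTEM child"))
    return findings

if __name__ == "__main__":
    print(HUNT_GOAL)
    for finding in hunt(EVENTS):
        print(finding)
```

A SYSTEM child of a SYSTEM parent (svchost.exe under services.exe) is deliberately not flagged, which is the kind of benign pairing a narrow behavioral indicator must exclude.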