Category: SOC Playbooks
Applies to: SOC L2/L3 Analysts, Threat Intelligence, Detection Engineers
Last reviewed: 2025

Overview

Threat hunting is proactive search for threats that have bypassed automated detection. Unlike reactive alert triage, hunting starts with a hypothesis and uses data to confirm or disprove attacker presence. This playbook covers the hunt lifecycle, common hunt hypotheses, and data sources.

The Hunt Lifecycle

1. Define the Hypothesis

Every hunt starts with a question based on threat intelligence, recent incidents, or known attacker TTPs.

Good hypothesis format:

"Attackers using [technique] may have [action] in our environment, which would leave [observable evidence] in [data source]."

Examples:
- "A threat actor may have used Living-off-the-Land binaries to execute commands, which would leave LOLBin process events in EDR telemetry."
- "A compromised account may be performing reconnaissance using LDAP queries, visible in domain controller event logs."
- "A C2 beacon may be active using domain fronting, visible as periodic HTTPS connections to CDN providers in proxy logs."

2. Identify Data Sources

Hunt Focus                 Primary Data Sources
Endpoint persistence       EDR, Windows Event Log (7045, 4698, 4702)
Credential access          EDR, Event Log 4624/4625/4648/4776
Lateral movement           Network flow, SMB/RDP/WMI logs, EDR
C2 communications          DNS logs, proxy logs, firewall, NetFlow
Data exfiltration          DLP, proxy, firewall outbound, cloud logs
Living off the land        EDR process telemetry, command line logging
Persistence via registry   EDR, Windows Registry audit logs

3. Build Hunt Queries

Write queries against your SIEM or data lake. Keep them focused.

Example SIEM queries (Splunk-style syntax for reference):

Hunt for LOLBin abuse:
process_name IN ("certutil.exe", "mshta.exe", "regsvr32.exe", "wscript.exe", "cscript.exe", "rundll32.exe") (command_line="*http*" OR command_line="*download*") | stats count by host, user, process_name, command_line

Hunt for suspicious scheduled tasks:
EventCode=4698 | rex field=TaskContent "<Command>(?<cmd>[^<]+)" | search cmd IN ("*.exe*","powershell*","cmd*","wscript*","mshta*") | table _time, host, user, TaskName, cmd

Hunt for beaconing (periodic connections):
index=proxy | eval hour=strftime(_time, "%Y-%m-%d %H") | stats count, avg(bytes_out) AS avg_out, stdev(bytes_out) AS stdev_out by src_ip, dest_domain, hour | where stdev_out < 100 AND count > 20 | sort -count

4. Execute and Analyze

  • ☐ Run queries across the defined time window (start with last 30 days)
  • ☐ Filter out known-good baselines: IT tools, monitoring agents, known software
  • ☐ Focus on outliers: unusual command lines, rare parent-child relationships, new domains
  • ☐ Pivot on interesting findings: if a host looks suspicious, expand the time window and look at all activity from that host
  • ☐ Document every query run and results found — even negative results

5. Findings Classification

Finding                                    Action
Confirmed attacker activity                Open P1 incident, escalate to IR
Suspicious — needs more investigation      Continue hunting, escalate to L3
Gap identified — blind spot in detection   Create new detection rule
False positive pattern identified          Tune existing detection rule
No findings                                Document as negative hunt, retain queries for future use
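The beaconing hunt from step 3 carried through steps 4 and 5 as runnable code, added here and not part of the playbook: it groups constructed proxy log lines per (src_ip, dest_domain), drops a known-good baseline (the step 4 filter), and flags pairs whose connection intervals are near-constant, which is a stricter periodicity test than the bytes_out spread used in the SIEM query. The log format, IPs, domains and the KNOWN_GOOD allowlist are all constructed for the example.

```python
"""Beaconing hunt over proxy logs: flag (src_ip, dest_domain) pairs whose
connection intervals are unusually regular, after dropping known-good
destinations. Added example, not playbook code; all data is constructed."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed proxy log lines: epoch_seconds src_ip dest_domain bytes_out
SAMPLE_PROXY_LOG = """\
1700000000 10.0.0.5 cdn.example.net 512
1700000060 10.0.0.5 cdn.example.net 510
1700000120 10.0.0.5 cdn.example.net 515
1700000180 10.0.0.5 cdn.example.net 511
1700000240 10.0.0.5 cdn.example.net 513
1700000000 10.0.0.7 updates.vendor.example 9000
1700000037 10.0.0.7 updates.vendor.example 120
1700000940 10.0.0.7 updates.vendor.example 3300
1700001200 10.0.0.7 updates.vendor.example 45
1700000010 10.0.0.9 monitor.corp.example 200
1700000070 10.0.0.9 monitor.corp.example 200
1700000130 10.0.0.9 monitor.corp.example 200
1700000190 10.0.0.9 monitor.corp.example 200
"""

# Step 4 baseline: destinations of IT/monitoring agents (constructed allowlist).
KNOWN_GOOD = {"monitor.corp.example"}

def parse_proxy_log(text):
    """Collect connection timestamps per (src_ip, dest_domain) pair."""
    conns = defaultdict(list)
    for line in text.splitlines():
        ts, src, dst, _bytes_out = line.split()
        conns[(src, dst)].append(int(ts))
    return conns

def hunt_beacons(text, min_count=4, max_jitter=0.1, known_good=KNOWN_GOOD):
    """Return [(src_ip, dest_domain, count, mean_gap_s, jitter)] sorted by count.
    jitter = stdev(gaps) / mean(gaps); an implant with a fixed sleep keeps this
    near 0, while update checks and human browsing produce irregular gaps."""
    hits = []
    for (src, dst), stamps in parse_proxy_log(text).items():
        if dst in known_good or len(stamps) < min_count:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        jitter = pstdev(gaps) / avg if avg else 0.0
        if jitter <= max_jitter:
            hits.append((src, dst, len(stamps), avg, round(jitter, 3)))
    return sorted(hits, key=lambda h: h[2], reverse=True)
```

Only the 60-second loop from 10.0.0.5 survives: the irregular update checks from 10.0.0.7 fail the jitter test and the monitoring agent on 10.0.0.9 is removed by the baseline, leaving one finding to classify under step 5.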

Common Hunt Hypotheses by MITRE ATT&CK

Initial Access

  • Phishing links clicked by users in proxy logs
  • Exploit traffic against public-facing services in WAF/IDS logs

Execution

  • Unusual PowerShell execution (encoded commands, download cradles)
  • WMI subscription-based persistence
  • LOLBins used for execution (certutil, mshta, regsvr32)

Persistence

  • New scheduled tasks created outside change window
  • New services installed on endpoints
  • Suspicious registry run keys added
  • New local admin accounts created

Defense Evasion

  • Log clearing events (Event ID 1102, 104)
  • Process injection into legitimate processes (svchost, explorer)
  • Timestomping (file modification time inconsistent with creation time)
  • Disabling security tools or services

Credential Access

  • LSASS memory access from non-system processes
  • Kerberoasting: unusual TGS requests for service accounts
  • Password spray: multiple failed logins across many accounts in short window
  • DCSync: DRSUAPI replication calls from non-DC hosts

Lateral Movement

  • Unusual SMB connections between workstations
  • PsExec or WMI execution from one host to another
  • RDP logins from unusual source hosts
  • Pass-the-hash: NTLM authentication from unexpected systems

Exfiltration

  • Large DNS query volumes to new domains
  • Unusual HTTPS upload volumes to cloud storage (Dropbox, OneDrive, mega.nz)
  • Compressed archive creation followed by outbound transfer

Hunt Documentation Template

Hunt ID: HUNT-YYYY-MM-DD-NNN
Analyst: [Name]
Date: [Date]
Hypothesis: [Your hypothesis statement]
Data Sources Used: [SIEM, EDR, DNS logs, etc.]
Time Window Searched: [e.g. Last 30 days]
Queries Run: [Attach or paste queries]
Findings: [What you found]
Conclusion: [Confirmed / Suspicious / No findings]
Actions Taken: [Incident opened / Rule created / No action]
Recommendations: [Detection gaps, tuning suggestions]

Tools Reference

Tool                                      Use
SIEM (Splunk, Sentinel, Elastic)          Log search and correlation
EDR (CrowdStrike, SentinelOne, Defender)  Endpoint telemetry and process trees
MITRE ATT&CK Navigator                    Visualize coverage and gaps
VirusTotal, Shodan                        External indicator enrichment
Velociraptor                              Live endpoint forensic queries
Zeek / Suricata                           Network-level hunting