Security

How to use ATT&CK for threat hunting?

Learn systematic threat hunting methodologies using MITRE ATT&CK to proactively search for adversary activity in your environment.

By Inventive HQ Team

What is ATT&CK-Based Threat Hunting

Threat hunting is proactive searching for adversary activity in your environment before alerts detect it. Rather than waiting for detection tools to alert on suspicious activity, threat hunters systematically search for evidence of compromise.

MITRE ATT&CK provides the framework for systematic threat hunting. Rather than randomly searching for indicators of compromise, you can hunt for specific tactics and techniques documented in ATT&CK. This structured approach ensures comprehensive coverage and prevents important techniques from being overlooked.

ATT&CK-based hunting is more effective than indicator-based hunting. Indicators (hashes, domains, IP addresses) change constantly as attackers rotate infrastructure and tools. Techniques remain relatively stable, making them better hunting targets: OS Credential Dumping (T1003) stays relevant regardless of which specific tool the attacker uses to read LSASS memory.

The Threat Hunting Process Using ATT&CK

Effective threat hunting using ATT&CK follows a structured process:

Step 1: Define Your Hunting Scope

Start by identifying which tactics and techniques matter most for your organization. Consider:

  • Your industry vertical (healthcare, financial, manufacturing, etc.)
  • Common threats to organizations like yours
  • Your asset criticality (which systems matter most?)
  • Your current defensive capabilities (which techniques can you detect?)

This scoping prevents hunting from becoming overwhelming. Focus your efforts on the most important techniques first.

Step 2: Select Techniques to Hunt

From your scoped list, select specific techniques to hunt. Start with:

  • High-impact techniques (those with serious consequences if successful)
  • Common techniques (those frequently observed in attacks)
  • Defensibility gaps (techniques you can't currently detect with tools)

Document which technique you're hunting and why it matters.

Step 3: Develop Hunting Hypotheses

For each technique, develop a hypothesis about how an attacker might implement it in your environment.

For example, hunting for Credential Dumping:

  • Hypothesis: "An attacker might use lsass.exe dumping tools to extract credentials"
  • Evidence: Process creation, memory access patterns, specific tool execution
  • Indicators: Suspicious process parents, handle access to lsass, specific command lines

These hypotheses guide your search strategy.

Step 4: Establish Data Sources

Determine what data you need to hunt for each technique. ATT&CK documents Data Sources—the types of information needed.

For OS Credential Dumping via LSASS Memory (T1003.001), relevant ATT&CK data sources include:

  • Process: Process Creation (which tools ran, and under which parent)
  • Command: Command Execution (command lines such as procdump -ma lsass.exe)
  • Process: Process Access (handles opened on lsass.exe; Sysmon Event ID 10 on Windows)
  • Process: OS API Execution (calls such as MiniDumpWriteDump, typically visible only to EDR)
  • File: File Creation (dump files written to disk; Sysmon Event ID 11)

Ensure your environment logs these data sources. If you're not logging necessary data, request it enabled.

Step 5: Create Hunting Queries

Translate hypotheses into queries against your actual logs and data sources.

Examples:

// Search for handles opened on lsass.exe with a dumper-like access mask (Sysmon Event ID 10, ProcessAccess)
EventID:10 AND TargetImage:*\lsass.exe AND GrantedAccess:(0x1010 OR 0x1410 OR 0x1FFFFF)

// Search for known credential dumping tools by image name, and for procdump aimed at lsass
// (cheap, but trivially evaded by renaming the binary; pair it with the handle query above)
Image:(*\mimikatz.exe OR *\procdump.exe OR *\procdump64.exe OR *\gsecdump.exe OR *\wce.exe) OR CommandLine:*-ma*lsass*

// Search for WMI permanent event subscriptions, a persistence technique (Sysmon Event IDs 19-21)
EventID:(19 OR 20 OR 21)

The specific syntax depends on your SIEM or logging platform (Splunk, ELK, Sentinel, etc.).

Step 6: Execute Hunts

Run your queries against historical data. Searching a week of logs might yield results; searching months of logs reveals patterns.

Document what you find:

  • When was the activity observed?
  • Which systems were involved?
  • What was the specific activity?
  • Did multiple hunts return results (corroborating evidence)?

Step 7: Analyze Results

Not all results indicate compromise. Security agents (antivirus, EDR) and some administrative tools open handles to lsass.exe as part of normal operation, so the same access pattern appears in benign telemetry. Distinguish between:

  • Confirmed compromises (clear evidence of malicious activity)
  • Suspicious activity (could be legitimate or malicious)
  • Legitimate activity (confirmed to be normal operations)

Investigate suspicious activity more deeply before declaring it compromise.

Step 8: Create Detections

If your hunt discovers actual malicious activity, immediately create a detection rule to catch future instances. Transform hunting queries into production detections.

If you discover a technique you weren't detecting, add it to your detection program.
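Steps 5 through 8 carried end to end, as an added example that is not code from the original article: a Python hunt for T1003.001 (OS Credential Dumping: LSASS Memory) that runs the handle-access query over constructed Sysmon Event ID 10 and 11 records, triages the hits into the three buckets described under Step 7 using an assumed allowlist plus a corroborating dump-file write, and finally emits the hunt as a Sigma rule. Field names are Sysmon's; the hosts, paths, allowlist entries and the access-mask list are assumptions for illustration and need tuning per environment.

```python
"""Hunt for ATT&CK T1003.001 (OS Credential Dumping: LSASS Memory) over Sysmon events.

Added example, not code from the original article. Field names follow Sysmon's
ProcessAccess (Event ID 10) and FileCreate (Event ID 11) events; the events, hosts,
paths and the allowlist below are constructed for illustration.
"""

LSASS = "\\lsass.exe"

# Constructed sample events, shaped like parsed JSON handed back by a SIEM.
SAMPLE_EVENTS = [
    # Defender's engine opens lsass with full access on every host: expected noise.
    {"EventID": 10, "UtcTime": "2024-03-04 09:12:01", "Computer": "WS-017",
     "SourceImage": "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\MsMpEng.exe",
     "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    # Unknown binary in a user-writable temp directory requests full access to lsass ...
    {"EventID": 10, "UtcTime": "2024-03-04 09:14:33", "Computer": "WS-017",
     "SourceImage": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\pd.exe",
     "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    # ... and writes a minidump two seconds later (corroborating evidence, Step 6).
    {"EventID": 11, "UtcTime": "2024-03-04 09:14:35", "Computer": "WS-017",
     "Image": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\pd.exe",
     "TargetFilename": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\lsass.dmp"},
    # WMI provider host reading lsass: not allowlisted, no dump file; needs a human look.
    {"EventID": 10, "UtcTime": "2024-03-04 09:20:05", "Computer": "SRV-DB1",
     "SourceImage": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
     "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1010"},
    # Unrelated process access; the query must ignore it.
    {"EventID": 10, "UtcTime": "2024-03-04 09:21:44", "Computer": "WS-022",
     "SourceImage": "C:\\Windows\\System32\\svchost.exe",
     "TargetImage": "C:\\Windows\\System32\\notepad.exe", "GrantedAccess": "0x1000"},
]

# Access masks credential dumpers typically request: PROCESS_VM_READ (0x0010) combined
# with PROCESS_QUERY_INFORMATION (0x0400) or PROCESS_QUERY_LIMITED_INFORMATION (0x1000),
# or PROCESS_ALL_ACCESS (0x1FFFFF). Assumed starting list; tune it to your telemetry.
SUSPICIOUS_ACCESS = {0x1010, 0x1410, 0x1438, 0x143A, 0x1FFFFF}

# Assumed allowlist of images that open lsass legitimately in this environment. A
# starting point only: attackers can inject into or impersonate these binaries, so in
# production pair it with signature and path checks.
ALLOWLIST_SOURCE_SUFFIXES = ("\\msmpeng.exe", "\\csrss.exe", "\\wininit.exe")


def hunt_lsass_access(events):
    """Step 5, the hunting query: EID 10 events targeting lsass with a dumper-like mask."""
    return [ev for ev in events
            if ev.get("EventID") == 10
            and ev["TargetImage"].lower().endswith(LSASS)
            and int(ev["GrantedAccess"], 16) in SUSPICIOUS_ACCESS]


def corroborated(hit, events):
    """Step 6: did the same process write a .dmp file on the same host? (Sysmon EID 11)"""
    return any(ev.get("EventID") == 11
               and ev["Computer"] == hit["Computer"]
               and ev["Image"] == hit["SourceImage"]
               and ev["TargetFilename"].lower().endswith(".dmp")
               for ev in events)


def triage(hits, events):
    """Step 7: split hits into the legitimate / suspicious / confirmed buckets."""
    buckets = {"legitimate": [], "suspicious": [], "confirmed": []}
    for hit in hits:
        if hit["SourceImage"].lower().endswith(ALLOWLIST_SOURCE_SUFFIXES):
            buckets["legitimate"].append(hit)
        elif corroborated(hit, events):
            buckets["confirmed"].append(hit)
        else:
            buckets["suspicious"].append(hit)
    return buckets


def to_sigma_rule():
    """Step 8: express the hunt as a Sigma rule (YAML text) tagged with the technique."""
    masks = "\n".join(f"      - '0x{m:X}'" for m in sorted(SUSPICIOUS_ACCESS))
    filters = "\n".join(f"      - '{s}'" for s in ALLOWLIST_SOURCE_SUFFIXES)
    return f"""title: LSASS Memory Access by Non-Allowlisted Process
status: experimental
description: Hunt for T1003.001 promoted to a detection; tune the filter per environment.
logsource:
  product: windows
  category: process_access
detection:
  selection:
    TargetImage|endswith: '{LSASS}'
    GrantedAccess:
{masks}
  filter_known_good:
    SourceImage|endswith:
{filters}
  condition: selection and not filter_known_good
level: high
tags:
  - attack.credential_access
  - attack.t1003.001
"""


if __name__ == "__main__":
    hits = hunt_lsass_access(SAMPLE_EVENTS)
    for bucket, evs in triage(hits, SAMPLE_EVENTS).items():
        for ev in evs:
            print(f"{bucket:10s} {ev['Computer']:8s} {ev['SourceImage']}")
    print(to_sigma_rule())
```

Run against the constructed events, the hunt returns three hits: MsMpEng.exe lands in the legitimate bucket via the allowlist, pd.exe is confirmed because the same process wrote lsass.dmp on the same host moments later, and WmiPrvSE.exe stays suspicious for an analyst to review. The Sigma rule keeps the allowlist as an explicit filter so that the "known good" decisions made during triage are visible, reviewable and versioned alongside the detection.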

Step 9: Document and Share

Document your hunting methodology and results. Share findings with your team and leadership. Even hunts that find nothing are valuable—they document coverage and provide assurance.

Structured Threat Hunting Frameworks

Several published frameworks structure ATT&CK-based threat hunting:

The Hunting Maturity Model (HMM), published by David Bianco while at Sqrrl, defines five levels, HM0 through HM4:

  • HM0 Initial: relies on automated alerting; little or no routine data collection for hunting
  • HM1 Minimal: collects some data and searches it for indicators supplied by threat intelligence
  • HM2 Procedural: follows hunting procedures created by others (published hunts, playbooks)
  • HM3 Innovative: creates new hunting procedures and analytics in-house
  • HM4 Leading: automates successful hunts so analysts spend their time on new ones

Understanding your current level helps you improve; most ATT&CK-based programs start at HM2 and aim for HM3 and HM4.

The Cyber Kill Chain approach (Lockheed Martin's seven-phase model) maps hunts to kill chain phases:

  • Reconnaissance hunts
  • Weaponization hunts
  • Delivery hunts
  • Exploitation hunts
  • Installation hunts
  • Command and Control hunts
  • Actions on Objectives hunts

This ensures coverage across the full attack lifecycle. ATT&CK tactics serve the same purpose at a finer grain: each kill chain phase maps onto one or more tactics, and the techniques under those tactics are what you actually hunt for.

ATT&CK Navigator for Hunting

The MITRE ATT&CK Navigator visualization tool helps organize hunts:

  1. Load the Navigator at https://mitre-attack.github.io/attack-navigator/ (or run a local copy)
  2. For each technique you hunt, color it (e.g., green for hunted, red for gap)
  3. Create separate Navigator views for:
    • Techniques you actively hunt
    • Techniques you can detect automatically
    • Techniques you're vulnerable to
    • Techniques used by your threat actors of interest

These visualizations help communicate coverage to leadership and identify gaps.
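A way to generate those Navigator views from a coverage register instead of colouring cells by hand, as an added example that is not code from the article or from MITRE. It writes ATT&CK Navigator layer JSON; the coverage records and colours are constructed, and the versions block is an assumption about the Navigator release you load the layer into and may need adjusting.

```python
"""Build ATT&CK Navigator layers from a hunt-coverage register.

Added example, not code from the original article or from MITRE. The output follows
the Navigator's JSON layer format; the "versions" values are an assumption about the
Navigator release in use. The coverage records and colours are constructed.
"""
import json

# Constructed coverage register, one row per technique, as a hunting team might keep it.
#   status "hunted"   = a hunt has been run against this technique
#          "detected" = an automated detection already covers it
#          "gap"      = known exposure; nothing hunts or detects it yet
COVERAGE = [
    {"id": "T1003.001", "status": "hunted",   "note": "LSASS access hunt, 2024-03"},
    {"id": "T1059.001", "status": "detected", "note": "PowerShell script block logging rule"},
    {"id": "T1047",     "status": "gap",      "note": "No WMI process-creation telemetry yet"},
    {"id": "T1021.001", "status": "hunted",   "note": "RDP lateral movement hunt"},
    {"id": "T1566.001", "status": "detected", "note": "Mail gateway attachment detonation"},
]

# Colour per status: green for hunted, blue for automated detection, red for gaps.
COLORS = {"hunted": "#2e8b57", "detected": "#1e90ff", "gap": "#d62728"}


def build_layer(coverage, name, status_filter=None):
    """Return a Navigator layer dict. With status_filter set, only techniques in that
    status are included, giving the separate per-status views the article recommends."""
    techniques = []
    for row in coverage:
        if status_filter and row["status"] != status_filter:
            continue
        techniques.append({
            "techniqueID": row["id"],
            "color": COLORS[row["status"]],
            "comment": row["note"],
            "enabled": True,
            "showSubtechniques": True,
        })
    return {
        "name": name,
        # Assumed Navigator/ATT&CK versions; change to match the instance you use.
        "versions": {"attack": "14", "navigator": "4.9.1", "layer": "4.5"},
        "domain": "enterprise-attack",
        "description": "Generated from the hunt coverage register",
        "techniques": techniques,
        "legendItems": [{"label": s, "color": c} for s, c in COLORS.items()],
    }


def coverage_summary(coverage):
    """Counts per status: the numbers that go in front of leadership."""
    summary = {s: 0 for s in COLORS}
    for row in coverage:
        summary[row["status"]] += 1
    return summary


if __name__ == "__main__":
    for status in (None, "hunted", "detected", "gap"):
        layer = build_layer(COVERAGE, f"Hunt coverage: {status or 'all'}", status)
        path = f"layer-{status or 'all'}.json"
        with open(path, "w") as fh:
            json.dump(layer, fh, indent=2)
        print(path, len(layer["techniques"]), "techniques")
    print(coverage_summary(COVERAGE))
```

Each generated file can be opened in the Navigator with "Open Existing Layer". Keeping the register as data and regenerating the layers on every change means the picture shown to leadership is always the one the hunting team is actually working from.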

Industry and Threat-Specific Hunting

Different industries face different threats. Healthcare organizations shouldn't hunt the same techniques as financial institutions.

ATT&CK itself is not organised by industry, but its group and campaign entries record which sectors each adversary has targeted, and sector ISACs and vendor threat reports increasingly map their findings to ATT&CK technique IDs. Use those sources to work out which techniques are used against your industry and prioritize hunts accordingly.

Similarly, if specific threat groups target your organization, research their typical techniques and hunt for those first.

Hunting for Specific Threat Groups

When you suspect a specific threat group is active in your environment, hunt for their known techniques.

MITRE ATT&CK documents known threat groups and their techniques. If you suspect "FIN7" activity, review their documented techniques and hunt for evidence of each.

This threat group-based hunting is often called threat-based or campaign-based hunting.

Collaborative Threat Hunting

Organizations can share hunting ideas and results. Threat intelligence communities publish:

  • Common hunts across industries
  • Successful hunt methodologies
  • ATT&CK coverage reports

Participating in these communities improves your hunting effectiveness.

Tools Supporting ATT&CK Hunting

Several tools support ATT&CK-based threat hunting:

Enterprise logging platforms (Splunk, ELK, Sentinel) support queries for hunting.

Endpoint Detection and Response (EDR) tools like CrowdStrike and Carbon Black enable hunting across endpoints.

Threat intelligence platforms map indicators to ATT&CK techniques.

Sigma is a vendor-neutral rule format for log-based detections, with a tags field for ATT&CK tactic and technique IDs (for example attack.t1003.001), so a hunt query can be promoted to a shareable detection. YARA matches byte and string patterns in files and memory, and is the usual way to express tool-specific signatures for a hunt.

Challenges in ATT&CK-Based Hunting

Data volume: Organizations generate enormous amounts of data. Finding needles in haystacks is difficult.

False positives: Legitimate activity might resemble malicious activity. Distinguishing them requires expertise.

Tool limitations: Not all systems log comprehensively. You might lack data for hunting specific techniques.

Expertise requirements: Effective threat hunting requires deep technical knowledge of systems, networks, and attack methods.

Time investment: Hunting is labor-intensive. Scaling hunting requires automation.

Automation in Threat Hunting

As you mature, automate repetitive hunts:

# Example automated hunt loop (Python). The hunt definitions, data store and helper
# functions are supplied by the caller; this shows the shape of the runner.
def run_hunts(prioritized_techniques, available_data, run_query, analyze, create_alert, log):
    for technique in prioritized_techniques:
        for data_source in technique["data_sources"]:
            if data_source in available_data:
                results = run_query(technique, available_data[data_source])
                if analyze(results):
                    create_alert(technique["id"], results)
            else:
                log(f"{technique['id']}: data source {data_source} not available")

Automation handles routine hunts, freeing analysts for sophisticated analysis.
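The loop above made runnable, as an added example that is not the article's own code: each hunt declares the ATT&CK data sources it needs, the runner checks availability before querying and records a data gap otherwise, and a small report feeds the metrics discussed later. Data-source names are ATT&CK's; the hunts, hosts and events are constructed, and in production the in-memory lists would be replaced by SIEM queries and the runner triggered from a scheduler.

```python
"""Automated hunt runner: run every registered hunt whose ATT&CK data sources are
present, and log a data gap for the rest.

Added example, not code from the original article. Hunt definitions, data-source
contents, hosts and events are constructed for illustration.
"""
from collections import Counter
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

Events = List[dict]


@dataclass
class Hunt:
    technique: str                                  # ATT&CK technique ID being hunted
    data_sources: Tuple[str, ...]                   # ATT&CK data sources the query needs
    query: Callable[[Dict[str, Events]], Events]    # returns the suspicious events


@dataclass
class HuntResult:
    technique: str
    status: str                                     # "ran" or "data-gap"
    findings: Events = field(default_factory=list)
    missing: Tuple[str, ...] = ()


def run_hunts(hunts: List[Hunt], available: Dict[str, Events]) -> List[HuntResult]:
    """Check data availability first, then run the query over just the sources it asked for."""
    results = []
    for hunt in hunts:
        missing = tuple(ds for ds in hunt.data_sources if ds not in available)
        if missing:
            results.append(HuntResult(hunt.technique, "data-gap", missing=missing))
            continue
        scoped = {ds: available[ds] for ds in hunt.data_sources}
        results.append(HuntResult(hunt.technique, "ran", findings=hunt.query(scoped)))
    return results


# Constructed telemetry keyed by ATT&CK data-source name. Network telemetry is
# deliberately absent so the data-gap path is exercised rather than silently skipped.
AVAILABLE: Dict[str, Events] = {
    "Process: Process Creation": [
        {"host": "WS-017", "parent": "WINWORD.EXE", "image": "cmd.exe",
         "cmdline": "cmd.exe /c powershell -enc SQBFAFgA"},
        {"host": "WS-017", "parent": "cmd.exe", "image": "procdump64.exe",
         "cmdline": "procdump64.exe -accepteula -ma lsass.exe C:\\Temp\\l.dmp"},
        {"host": "SRV-FS1", "parent": "explorer.exe", "image": "notepad.exe",
         "cmdline": "notepad.exe C:\\Users\\admin\\notes.txt"},
    ],
}

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}


def office_spawning_shell(data: Dict[str, Events]) -> Events:
    """T1059: an Office application spawning cmd.exe or powershell.exe."""
    return [e for e in data["Process: Process Creation"]
            if e["parent"].lower() in OFFICE_PARENTS
            and e["image"].lower() in {"cmd.exe", "powershell.exe"}]


def procdump_on_lsass(data: Dict[str, Events]) -> Events:
    """T1003.001: procdump pointed at lsass. Name and command-line based, so easy to
    evade by renaming; it complements process-access telemetry rather than replacing it."""
    return [e for e in data["Process: Process Creation"]
            if "procdump" in e["image"].lower() and "lsass" in e["cmdline"].lower()]


def beaconing(data: Dict[str, Events]) -> Events:
    """T1071.001: hosts with many connections to a single destination (assumed threshold 10)."""
    counts = Counter((e["host"], e["dst"])
                     for e in data["Network Traffic: Network Connection Creation"])
    return [{"host": h, "dst": d, "connections": n}
            for (h, d), n in counts.items() if n >= 10]


HUNTS = [
    Hunt("T1059", ("Process: Process Creation",), office_spawning_shell),
    Hunt("T1003.001", ("Process: Process Creation",), procdump_on_lsass),
    Hunt("T1071.001", ("Network Traffic: Network Connection Creation",), beaconing),
]


def report(results: List[HuntResult]) -> Dict[str, int]:
    """Hunts run, hunts blocked by missing data, and suspicious events found."""
    return {"ran": sum(r.status == "ran" for r in results),
            "data_gaps": sum(r.status == "data-gap" for r in results),
            "findings": sum(len(r.findings) for r in results)}


if __name__ == "__main__":
    results = run_hunts(HUNTS, AVAILABLE)
    for r in results:
        if r.status == "data-gap":
            print(f"{r.technique}: data not available: {', '.join(r.missing)}")
        else:
            print(f"{r.technique}: {len(r.findings)} suspicious event(s)")
    print(report(results))
```

Against the constructed telemetry two hunts run (one finding each) and the beaconing hunt is reported as a data gap, which is exactly the output that should land on the logging team's backlog: a missing data source is a coverage problem, not a hunt that happened to find nothing.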

Measuring Hunting Effectiveness

Track:

  • Techniques hunted
  • Suspicious activity discovered
  • Confirmed compromises
  • Detection rules created
  • Coverage progress

These metrics show hunting value and help justify program investment.

Conclusion

MITRE ATT&CK-based threat hunting transforms threat hunting from ad-hoc searching into systematic, repeatable processes. Select high-impact techniques, develop hypotheses, query relevant data sources, and analyze results. Use the ATT&CK Navigator to visualize coverage and identify gaps. Start with threat-specific and industry-specific techniques, then expand coverage. As your program matures, automate routine hunts. Effective threat hunting using ATT&CK provides assurance that you're proactively searching for sophisticated adversary activity rather than relying solely on automated detections.
