threat-hunter
Threat Hunter — Automated Threat Hunting Specialist
Role
The Threat Hunter conducts proactive, hypothesis-driven hunts across all log sources to detect adversaries who have evaded automated detection. This skill applies ATT&CK frameworks, threat intelligence, and behavioral analytics to find threats before they cause damage.
Phase 1 — Hunt Hypothesis Generation
Hypothesis sources (priority order):
- Latest MITRE ATT&CK updates and newly mapped techniques
- CISA Known Exploited Vulnerabilities (KEV) relevant to environment
- Threat intelligence from ISACs, FS-ISAC, H-ISAC, sector-specific feeds
- Recent incidents at peer organizations (OSINT, ISAC sharing)
- Anomalies flagged by UEBA/ML that didn't trigger alerts
- Red team / pen test findings that detection missed
- Newly published threat actor TTPs (APT reports, vendor research)
Hypothesis format:
Hunt ID: HUNT-[YYYY]-[NNN]
Date: [Date]
Analyst: [Name]
Hypothesis: "If [threat actor/technique] is present, we would see [observable]
in [data source] because [rationale]."
ATT&CK Map: [Tactic / Technique / Sub-technique]
Data Sources: [Log type, SIEM index/table]
Priority: Critical / High / Medium
Status: Active / Completed / Escalated
Phase 2 — Hunt Execution (by Technique Category)
Initial Access Hunts:
// Phishing: Suspicious email attachments with Office macro execution
DeviceFileEvents
| where FileName endswith ".xlsm" or FileName endswith ".docm"
| join DeviceProcessEvents on DeviceId
| where InitiatingProcessParentFileName has_any ("WINWORD.EXE","EXCEL.EXE")
and FileName in~ ("cmd.exe","powershell.exe","wscript.exe","cscript.exe")
| project Timestamp, DeviceName, FileName, ProcessCommandLine
// Drive-by: Browser spawning unexpected child processes
DeviceProcessEvents
| where InitiatingProcessFileName has_any ("chrome.exe","firefox.exe","msedge.exe")
and FileName in~ ("cmd.exe","powershell.exe","mshta.exe","wscript.exe")
| where not(ProcessCommandLine has_any ("--type=","extension","update"))
Persistence Hunts:
// Registry Run key modifications (T1547.001)
DeviceRegistryEvents
| where RegistryKey has_any ("\\Run","\\RunOnce","\\RunServices")
and ActionType == "RegistryValueSet"
and InitiatingProcessFileName !in~ ("msiexec.exe","setup.exe","install.exe")
| summarize count() by RegistryValueData, InitiatingProcessFileName, DeviceName
// Scheduled task creation with suspicious commands (T1053.005)
DeviceProcessEvents
| where FileName == "schtasks.exe"
and ProcessCommandLine has_any ("powershell","cmd /c","wscript","mshta","regsvr32")
| project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessFileName
Credential Access Hunts:
// LSASS memory access (T1003.001)
DeviceEvents
| where ActionType == "CreateRemoteThreadApiCall"
and InitiatingProcessFileName !in~ ("MsSense.exe","csrss.exe","werfault.exe")
and FileName == "lsass.exe"
// Kerberoasting: Large volume of TGS requests (T1558.003)
SecurityEvent
| where EventID == 4769 and TicketEncryptionType == "0x17"
| summarize count() by Account, ServiceName, bin(TimeGenerated, 5m)
| where count_ > 10
Lateral Movement Hunts:
// Pass-the-Hash / Pass-the-Ticket indicators (T1550)
SecurityEvent
| where EventID == 4624 and LogonType == 3 and AuthenticationPackageName == "NTLM"
and WorkstationName != TargetDomainName
and TargetUserName !endswith "$"
| summarize count() by TargetUserName, IpAddress, bin(TimeGenerated, 1h)
| where count_ > 5
// Unusual WMI lateral movement (T1021.006)
DeviceProcessEvents
| where InitiatingProcessFileName == "wmiprvse.exe"
and FileName in~ ("cmd.exe","powershell.exe","net.exe","whoami.exe")
| project Timestamp, DeviceName, ProcessCommandLine
Exfiltration Hunts:
// Unusual outbound data volume (T1048)
DeviceNetworkEvents
| where ActionType == "ConnectionSuccess" and Direction == "Outbound"
and RemoteIPType == "Public"
| summarize TotalBytes = sum(SentBytes) by RemoteIP, DeviceName, bin(Timestamp, 1h)
| where TotalBytes > 100000000 // >100MB in 1 hour
| join (ThreatIntelligenceIndicator | where ThreatType == "ip") on $left.RemoteIP == $right.NetworkIP
// DNS exfiltration: Abnormally long DNS queries (T1048.003)
DnsEvents
| where QueryType == "A" and strlen(Name) > 100
| extend DomainParts = split(Name, ".")
| where array_length(DomainParts) > 5
Phase 3 — IOC Sweep Playbook
Weekly IOC sweep process:
1. Pull latest IOC feeds:
- CISA Alerts and IOC lists
- FS-ISAC / H-ISAC TLP:WHITE/GREEN indicators
- Commercial threat intel (Recorded Future, CrowdStrike, Mandiant)
- MISP community feeds
2. IOC categories to sweep:
- IP addresses (firewall/proxy logs, 90 days)
- Domain names (DNS logs, proxy logs, 90 days)
- File hashes (MD5/SHA256 — endpoint EDR telemetry, 90 days)
- URLs (web proxy, email gateway logs)
- Email sender domains/addresses (email security logs)
- Certificate hashes (network SSL inspection logs)
- YARA rules (endpoint file system scans)
3. Positive match actions:
- Immediate: isolate affected endpoint
- Notify: security-operations → incident-responder
- Document: create incident ticket with IOC match details
- Threat intel: report new IOC if not in feeds (contribute back)
Phase 4 — Adversary Emulation (Purple Team)
Quarterly purple team exercise structure:
Week 1: Planning
- Select 3–5 ATT&CK techniques based on recent threat intel
- Map to relevant log sources and detection rules
- Brief SOC team on exercise (NOT the specific techniques)
- Define success criteria: detection rate, alert time, response time
Week 2: Execution
- Red team executes techniques in production (agreed scope)
- Blue team monitors and responds normally (no foreknowledge)
- Log all actions (timestamp, technique, tool used, target system)
Week 3: Analysis
- Review: detected vs. undetected techniques
- Gap analysis: missing log sources? Tuning needed? Coverage gaps?
- Document detection improvements needed
Week 4: Remediation
- Implement new detection rules for missed techniques
- Tune existing rules to reduce false negatives
- Update hunt hypotheses backlog
- Report to CISO: detection coverage improvement
Phase 5 — Threat Intelligence Integration
TI consumption pipeline:
Sources → Normalization → Enrichment → Action
Sources:
- STIX/TAXII feeds (automated ingestion into SIEM/SOAR)
- ISAC sharing (sector-specific, TLP-controlled)
- Commercial platforms (API integration)
- OSINT (manual curation, analyst-curated)
Normalization:
- Deduplicate across feeds
- Apply confidence scoring (high/medium/low)
- Assign TLP classification (RED/AMBER/GREEN/WHITE)
- Tag with relevant ATT&CK techniques
Action Thresholds:
- High confidence IOC: auto-block in firewall/EDR + alert
- Medium confidence: alert only + investigate within 24h
- Low confidence: watchlist; alert on additional corroboration
- Expired IOC (>90 days old for IPs, >365 days for domains): archive
Phase 6 — Hunt Outputs & Metrics
Hunt report format:
Hunt ID: [HUNT-YYYY-NNN]
Hypothesis: [Statement]
Duration: [Start – End]
Data Searched: [Sources, time range, record count]
Findings: [Confirmed / Suspected / No findings]
ATT&CK Coverage: [Techniques hunted]
True Positives: [N incidents identified]
False Positives: [N benign anomalies reviewed]
New Rules: [Detection rules created from hunt]
Improvements: [Log gaps identified, tuning recommendations]
Monthly threat hunting KPIs:
| Metric | Target |
|---|---|
| Hunts completed per month | ≥8 (2 per week) |
| Techniques covered (ATT&CK) | ≥80% of critical techniques annually |
| True positives found via hunting | Track (any finding = success) |
| New detection rules from hunts | ≥4 per month |
| IOC sweep coverage | 100% of latest feed within 48h |
| Mean dwell time (hunted threats) | <72h post-detection |
More from aviskaar/open-org
cfo-finance
Use this skill when a CFO, VP Finance, Controller, or Head of Finance needs to orchestrate the full financial operations of a company — from strategic financial planning and investor reporting to day-to-day control of accounts payable, accounts receivable, payroll, tax compliance, and revenue operations. This is the top-level financial orchestrator that commissions all finance sub-skills, maintains the single source of truth for all company numbers, drives budget allocation, manages cash flow, ensures regulatory compliance, and produces board-ready financial reports. Trigger this skill when anyone needs a comprehensive view of company finances, a board pack, a fundraising data room, or needs to coordinate across invoicing, payroll, commissions, procurement, taxes, and expenses simultaneously.
47payroll-compensation
Use this skill when a VP Payroll, Head of People Operations, or Payroll Manager needs to manage all employee and contractor compensation flows — including payroll runs, salary administration, statutory deductions, benefits administration, equity grants and vesting, variable pay bonuses, contractor invoice processing, and full payroll compliance across jurisdictions. This skill orchestrates the salary management sub-skill. Trigger when running payroll, onboarding employees with compensation packages, processing salary changes, calculating bonuses, managing equity schedules, processing contractor payments, handling payroll tax filings, or producing total compensation reports for People and Finance leadership.
24accounts-payable
Use this skill when a VP Accounts Payable, AP Manager, Controller, or Finance Operations Manager needs to manage all outgoing payment flows — including vendor invoice processing, purchase order generation and three-way matching, vendor onboarding and management, employee expense reimbursements, and payment scheduling. This skill orchestrates purchase order management and expense management sub-skills. Trigger when processing vendor bills, approving purchase orders, managing vendor master data, running payment batches, processing employee reimbursements, or producing AP aging and cash disbursement reports.
5tax-compliance
Use this skill when a VP Tax, Tax Manager, Controller, or Finance Director needs to manage all tax obligations of a company — including corporate income tax, GST/VAT/Sales Tax, payroll taxes, transfer pricing, R&D tax credits, and multi-jurisdictional tax compliance. Trigger when computing tax provisions, preparing tax filings, responding to tax authority notices, evaluating tax implications of business decisions (new geographies, M&A, restructuring), managing indirect taxes on invoices, or producing the tax compliance calendar with all deadlines for the CFO and board.
4invoice-management
Use this skill when an AR specialist, billing analyst, revenue operations manager, or finance team member needs to generate, dispatch, track, and collect on customer invoices. Covers the full invoice lifecycle: creation from contract/PO/delivery data, formatting and dispatch, payment tracking, AR aging management, collections follow-up, credit notes, and invoice reconciliation. Trigger when creating a new invoice, checking payment status, managing overdue accounts, issuing credit memos, or producing AR aging reports.
4account-intelligence
Use this skill when a product firm, consulting firm, system integrator, or federal contractor needs to research a target company or government agency and produce an executive-grade Account Intelligence Report as a formatted .docx file. Handles any industry vertical — Life Sciences, Financial Services, Healthcare, Manufacturing, Energy, Retail, Technology, Federal/Government, and more. Fully automates the pursuit research and document generation process. Includes AI Agentic Solutions vision, IP and Research Opportunity mapping, and high-definition charts and visual dashboards.
3