█
LastWrite
  • > Curriculum
  • > Pricing
  • > For Educators
  • > About
  • > Contact
Log InGet Started

Questions, concerns, bug reports, or suggestions? We read every message, write to us at [email protected].

More ways to reach us →
LastWrite

Structured computer science lessons for aspiring developers and security professionals.

[email protected]

(201) 785-7951

Mon–Fri, 9 AM–5 PM EST

Learn

  • Curriculum
  • Pricing

Company

  • About
  • For Educators & Schools
  • Contact Us

Legal

  • Terms of Service
  • Privacy Policy
© 2026 LastWrite. All rights reserved.
Curriculum/Cybersecurity/Threat Intelligence/Threat Hunting
50 minAdvanced

Threat Hunting

After this lesson, you will be able to: Run hypothesis-driven hunts using SIEM/log data to find hidden threats.

Detection waits for alerts. Hunting starts with a hypothesis ('attackers using PowerShell base64 encoding'), forms a query, and looks for matches that aren't already alerted on. It's TI in action.

Prerequisites:Open Source Intelligence (OSINT)

Hunt loop

Hypothesis → Query → Investigate hits → Conclude (TP/FP/new detection) → Document → Repeat. Each hunt should produce either a finding OR a new automated detection.

💡 Where hypotheses come from

TI report on a campaign. MITRE ATT&CK technique you don't have detection for. Recent breach in your industry. Anomaly you noticed but couldn't explain. Curiosity.

Splunk hunt example

Hypothesis: PowerShell base64 encoded commands (T1059.001):

tsx
index=windows EventCode=4104
| where match(ScriptBlockText, "(?i)(FromBase64String|-EncodedCommand|-enc )")
| stats count by Computer, User, ScriptBlockText
| sort - count

Pyramid of Hunting

Atomic indicators (low value) → Computed indicators → Behavioral patterns (high value). Hunt at the behavioral level. TTPs are stable, atomic IoCs decay.

Documentation

  1. 1

    Every hunt: hypothesis, query, time range, data sources, result, action taken. Even 'no findings' is valuable, proves you looked.

Sign in and purchase access to unlock this lesson.

Sign in to purchase
←Open Source Intelligence (OSINT)
Back to Threat Intelligence
Building a Threat Intelligence Program→