How to Become a Threat Hunter

Morning starts with threat intelligence review. You track adversary groups relevant to your industry and tech stack. A new Mandiant report describes a financially motivated group using a novel DLL sideloading technique: they hijack a legitimate signed application to load an unsigned DLL from an unusual directory path, then establish C2 through cloud infrastructure during business hours to blend with normal traffic.

You form a hunt hypothesis: if this group is in your environment, you would see the legitimate application loading an unsigned DLL from outside its normal install directory, followed by outbound connections to cloud endpoints that do not match the application's expected communication profile. You translate this into Splunk queries, searching three weeks of endpoint telemetry for the specific process-to-DLL loading relationship. The initial query returns 4,000 results.

You refine: exclude known DLL paths documented in your software inventory, filter for unsigned modules, correlate with network connection data from the firewall logs. Seventeen suspicious instances across four endpoints remain. You investigate each. Fifteen are legitimate software behavior that your baseline documentation missed. You update the baseline. The remaining two warrant deeper analysis. You pull full process trees, review network connections, and examine file metadata.

One is a developer testing tool with an unusual install path. The other reveals a previously undetected backdoor that has been dormant for three weeks. You document the finding, create Sigma detection rules to catch this technique going forward, and hand the case to the IR team for scoping. Between hunts, you maintain your hypothesis library: documented hunts, queries, and results the team can reference and re-run as threat intelligence evolves.

You also run baseline analysis on normal environment patterns so anomalies stand out clearly in future hunts.