Threat Hunting With Logs: Practical Queries for Common Attack Patterns
Rachel F.
Logs Tell the Story
Every attack leaves traces in logs if you know where to look. Threat hunting with logs is the art of asking the right questions of your data to uncover malicious activity that automated alerts missed. This article provides practical queries for common attack patterns that you can adapt to your SIEM.
Hunting for Lateral Movement
Search authentication logs for accounts that logged into machines they have never accessed before. Look for the use of administrative tools like PsExec, WMI, and remote PowerShell from workstations that are not typically used for administration. Query for service installations and scheduled task creation on multiple machines within a short time window. These patterns often indicate an attacker moving through your network.
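The three hunts above, first-seen account-to-host logons, bursts of service or task creation across hosts, and remote-admin tooling launched from ordinary workstations, written out as runnable detection logic over sample records. This is an added example, not code from the article or any product it mentions: the events, hosts, account names and baseline are constructed, and the field names (ts, event, user, host, image, cmdline) are an assumed normalized schema rather than any SIEM's native fields.

```python
"""Lateral-movement hunts over normalized Windows-style logon, service-install,
scheduled-task and process-creation events.  All records are constructed
samples; the field names are an assumed normalized schema, not any SIEM's."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed events: logon ~ 4624, service_install ~ 7045, task_create ~ 4698.
EVENTS = [
    {"ts": "2024-05-01T09:02:00", "event": "logon", "user": "alice", "host": "WS-ALICE"},
    {"ts": "2024-05-01T09:05:00", "event": "logon", "user": "alice", "host": "FS01"},
    {"ts": "2024-05-01T23:10:00", "event": "logon", "user": "svc_backup", "host": "WS-ALICE"},
    {"ts": "2024-05-01T23:11:00", "event": "service_install", "user": "svc_backup", "host": "WS-ALICE"},
    {"ts": "2024-05-01T23:14:00", "event": "logon", "user": "svc_backup", "host": "WS-BOB"},
    {"ts": "2024-05-01T23:15:00", "event": "service_install", "user": "svc_backup", "host": "WS-BOB"},
    {"ts": "2024-05-01T23:20:00", "event": "logon", "user": "svc_backup", "host": "HR-DB"},
    {"ts": "2024-05-01T23:21:00", "event": "task_create", "user": "svc_backup", "host": "HR-DB"},
    {"ts": "2024-05-02T08:00:00", "event": "service_install", "user": "bob", "host": "WS-BOB"},
]
# (user, host) pairs observed during a prior learning period (constructed).
BASELINE = {("alice", "WS-ALICE"), ("alice", "FS01"), ("svc_backup", "BK01"), ("bob", "WS-BOB")}
# Process-creation events (constructed); cmdline is only inspected for powershell.exe.
PROCS = [
    {"host": "ADMIN-JUMP01", "user": "it_admin", "image": "psexec.exe", "cmdline": ""},
    {"host": "WS-ALICE", "user": "svc_backup", "image": "wmic.exe", "cmdline": ""},
    {"host": "WS-ALICE", "user": "svc_backup", "image": "powershell.exe",
     "cmdline": "powershell.exe Enter-PSSession WS-BOB"},
    {"host": "WS-BOB", "user": "bob", "image": "powershell.exe", "cmdline": "powershell.exe Get-Date"},
]
ADMIN_HOSTS = {"ADMIN-JUMP01"}  # hosts where administrative tooling is expected
REMOTE_TOOLS = {"psexec.exe", "psexesvc.exe", "wmic.exe", "winrs.exe"}
REMOTE_PS = ("enter-pssession", "invoke-command", "-computername")


def first_seen_logons(events, baseline):
    """(user, host) logon pairs never seen in the baseline, each reported once
    in order of first appearance."""
    seen, out = set(), []
    for e in sorted(events, key=lambda e: e["ts"]):
        pair = (e["user"], e["host"])
        if e["event"] == "logon" and pair not in baseline and pair not in seen:
            seen.add(pair)
            out.append(pair)
    return out


def install_bursts(events, window=timedelta(minutes=30), min_hosts=2):
    """Users who installed services or created scheduled tasks on at least
    min_hosts distinct hosts inside any window-long span."""
    per_user = defaultdict(list)
    for e in events:
        if e["event"] in ("service_install", "task_create"):
            per_user[e["user"]].append((datetime.fromisoformat(e["ts"]), e["host"]))
    hits = {}
    for user, items in per_user.items():
        items.sort()
        for i, (t0, _) in enumerate(items):
            hosts = {h for t, h in items[i:] if t - t0 <= window}
            if len(hosts) >= min_hosts:
                hits[user] = sorted(hosts)
                break
    return hits


def remote_admin_from_workstations(procs, admin_hosts=ADMIN_HOSTS):
    """Remote-administration tooling (PsExec, WMI, WinRS, remoting cmdlets)
    started on hosts that are not designated admin hosts."""
    hits = []
    for p in procs:
        if p["host"] in admin_hosts:
            continue
        img, cmd = p["image"].lower(), p["cmdline"].lower()
        if img in REMOTE_TOOLS or (img == "powershell.exe" and any(k in cmd for k in REMOTE_PS)):
            hits.append((p["host"], p["user"], img))
    return hits


if __name__ == "__main__":
    print("first-seen logons:", first_seen_logons(EVENTS, BASELINE))
    print("install bursts:", install_bursts(EVENTS))
    print("remote admin off jump host:", remote_admin_from_workstations(PROCS))
```

Each function returns the hits rather than printing them so the same logic can be scheduled as a saved search and its output routed to a case queue; the 30-minute window and two-host threshold are starting points to tune against the noise level of your own service accounts and deployment tooling.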
Hunting for Persistence
Attackers need to survive reboots. Search for new scheduled tasks, services, and registry Run key entries created in the past week. Query for modifications to startup folders and Group Policy login scripts. Look for new DLLs loaded by common processes - DLL search order hijacking is a popular persistence technique. Compare current persistence mechanisms against a known-good baseline to identify additions.
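The persistence hunt above as runnable code: entries created in the past week, entries absent from a known-good baseline, and a DLL search-order-hijack heuristic that flags a DLL name the baseline shows loading from a system directory when the same process loads it from somewhere else. This is an added example, not the article's or any product's code; the inventory records, registry paths, task names, DLL name (helper.dll) and timestamps are constructed, and the record shape (host, kind, name, created; process, dll) is an assumed normalized schema.

```python
"""Persistence hunt: flag entries created in the last week, diff the current
inventory against a known-good baseline, and spot DLLs loading from an
unexpected path.  Constructed sample data in an assumed normalized schema;
'kind' is one of task / service / runkey / startup."""
from datetime import datetime, timedelta

NOW = datetime.fromisoformat("2024-05-08T12:00:00")  # fixed "now" so the example is reproducible
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
RUN = "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\"
RUN_USER = "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\"

# Known-good (kind, name) pairs captured from a clean build (constructed).
BASELINE = {
    ("task", "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag"),
    ("service", "Spooler"),
    ("runkey", RUN + "SecurityHealth"),
}
# Current inventory from each host, with creation time (constructed).
CURRENT = [
    {"host": "WS-ALICE", "kind": "task", "name": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag",
     "created": "2023-01-10T00:00:00"},
    {"host": "WS-ALICE", "kind": "service", "name": "Spooler", "created": "2023-01-10T00:00:00"},
    {"host": "WS-ALICE", "kind": "task", "name": "\\OneDriveUpdate", "created": "2024-05-06T02:13:00"},
    {"host": "WS-ALICE", "kind": "runkey", "name": RUN_USER + "Updater", "created": "2024-05-06T02:14:00"},
    {"host": "WS-BOB", "kind": "service", "name": "LegacyAgent", "created": "2024-03-01T00:00:00"},
]
# Baseline image loads: (process, dll basename) -> path it normally loads from (constructed).
BASELINE_LOADS = {("explorer.exe", "helper.dll"): "c:\\windows\\system32\\helper.dll"}
LOADS = [  # constructed image-load events
    {"host": "WS-BOB", "process": "explorer.exe", "dll": "C:\\Windows\\System32\\helper.dll"},
    {"host": "WS-ALICE", "process": "explorer.exe", "dll": "C:\\Users\\alice\\AppData\\Local\\Temp\\helper.dll"},
    {"host": "WS-ALICE", "process": "explorer.exe", "dll": "C:\\Users\\alice\\AppData\\Local\\Temp\\other.dll"},
]


def new_persistence(current, baseline, now=NOW, days=7):
    """Return entries created within `days` of `now` and entries absent from
    the baseline, as (kind, name, host) tuples in inventory order."""
    cutoff = now - timedelta(days=days)
    recent, unbaselined = [], []
    for e in current:
        rec = (e["kind"], e["name"], e["host"])
        if datetime.fromisoformat(e["created"]) >= cutoff:
            recent.append(rec)
        if (e["kind"], e["name"]) not in baseline:
            unbaselined.append(rec)
    return {"recent": recent, "unbaselined": unbaselined}


def hijack_candidates(loads, baseline_loads):
    """Flag loads where a DLL the baseline shows coming from a system directory
    is now loaded by the same process from a different, non-system path.
    A DLL never seen in the baseline at all (other.dll above) is not a
    collision and is left to the first-seen hunt."""
    hits = []
    for e in loads:
        name = e["dll"].rsplit("\\", 1)[-1].lower()
        expected = baseline_loads.get((e["process"].lower(), name))
        if expected and not e["dll"].lower().startswith(SYSTEM_DIRS):
            hits.append((e["host"], e["process"], e["dll"], expected))
    return hits


if __name__ == "__main__":
    for bucket, rows in new_persistence(CURRENT, BASELINE).items():
        print(bucket, rows)
    print("hijack candidates:", hijack_candidates(LOADS, BASELINE_LOADS))
```

The two buckets are deliberately kept apart: an entry that is recent but baselined is usually a sanctioned change, while one that is old but unbaselined (LegacyAgent here) may have been planted before the baseline was taken, which is exactly the case a time-windowed search alone would miss.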
Hunting for Data Exfiltration
Monitor for unusually large DNS queries (potential DNS tunneling), connections to cloud storage services from servers that should not need them, and large outbound data transfers during off-hours. Look for compression utility usage (zip, rar, 7z) followed by network transfers. Track the volume of data leaving your network daily and investigate significant deviations from the baseline. True Protection feeds endpoint telemetry into your SIEM to enrich these hunting queries with process-level context.
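The exfiltration hunts above as runnable detection logic over sample DNS, flow and process records: overlong DNS names, daily egress volume compared with a per-host baseline, and archive-tool execution followed by a large outbound transfer from the same host. This is an added example, not the article's or any product's code. All records, hosts, addresses (documentation ranges), domains (reserved example.* names) and the baseline volumes are constructed, and the field names are an assumed normalized schema. The DNS check goes slightly beyond the article's length criterion by also scoring label entropy, since encoded data in a label is high-entropy even when it is kept short.

```python
"""Exfiltration hunts over DNS, flow and process logs: overlong or high-entropy
DNS names (possible tunneling), daily egress volume against a per-host
baseline, and archive-tool execution followed by a large outbound transfer.
All records below are constructed samples in an assumed normalized schema."""
import math
from collections import Counter, defaultdict
from datetime import datetime, timedelta

HEX_LABEL = "a9f3c1e2b7d4f6a1c3e5b7d9f1a3c5e7b9d1f3a5c7e9b1d3"  # constructed 48-char label
DNS = [  # constructed; reserved example.* domains only
    {"ts": "2024-05-07T10:00:01", "host": "WS-ALICE", "query": "www.example.com"},
    {"ts": "2024-05-07T10:00:05", "host": "FS01", "query": HEX_LABEL + ".t.example.net"},
    {"ts": "2024-05-07T10:00:09", "host": "FS01", "query": "updates.example.org"},
]
FLOWS = [  # constructed egress flows; bytes_out is bytes sent by host
    {"ts": "2024-05-07T02:30:00", "host": "FS01", "dst": "203.0.113.10", "bytes_out": 9_000_000_000},
    {"ts": "2024-05-07T03:10:00", "host": "FS01", "dst": "203.0.113.10", "bytes_out": 3_000_000_000},
    {"ts": "2024-05-07T11:00:00", "host": "WS-ALICE", "dst": "198.51.100.7", "bytes_out": 500_000_000},
    {"ts": "2024-05-06T15:00:00", "host": "FS01", "dst": "198.51.100.7", "bytes_out": 1_500_000_000},
]
PROCS = [  # constructed process-creation events
    {"ts": "2024-05-07T02:05:00", "host": "FS01", "image": "7z.exe"},
    {"ts": "2024-05-07T10:40:00", "host": "WS-ALICE", "image": "excel.exe"},
]
# Typical bytes_out per host per day, learned from prior weeks (constructed).
BASELINE_DAILY = {"FS01": 2_000_000_000, "WS-ALICE": 400_000_000}
ARCHIVERS = {"7z.exe", "rar.exe", "winrar.exe", "zip.exe", "tar.exe"}


def entropy(s):
    """Shannon entropy in bits per character; 0.0 for empty or single-symbol input."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def long_dns_queries(records, max_label=40, min_entropy=3.0):
    """Flag queries whose longest label exceeds max_label characters, or is at
    least 20 characters with entropy above min_entropy (encoded-data shape)."""
    hits = []
    for r in records:
        label = max(r["query"].split("."), key=len)
        if len(label) > max_label or (len(label) >= 20 and entropy(label) > min_entropy):
            hits.append((r["host"], r["query"]))
    return hits


def egress_deviations(flows, baseline, factor=3.0):
    """Sum bytes_out per (host, day) and report days exceeding factor x baseline.
    Hosts with no baseline are skipped here; a real hunt would list them separately."""
    totals = defaultdict(int)
    for f in flows:
        totals[(f["host"], f["ts"][:10])] += f["bytes_out"]
    return sorted((host, day, total) for (host, day), total in totals.items()
                  if total > factor * baseline.get(host, float("inf")))


def archive_then_transfer(procs, flows, window=timedelta(hours=2), min_bytes=1_000_000_000):
    """Pair each archiver execution with outbound flows of at least min_bytes
    from the same host within `window` afterwards."""
    hits = []
    for p in procs:
        if p["image"].lower() not in ARCHIVERS:
            continue
        t0 = datetime.fromisoformat(p["ts"])
        for f in flows:
            delta = datetime.fromisoformat(f["ts"]) - t0
            if f["host"] == p["host"] and f["bytes_out"] >= min_bytes and timedelta(0) <= delta <= window:
                hits.append((p["host"], p["image"], f["dst"], f["bytes_out"]))
    return hits


if __name__ == "__main__":
    print("long/high-entropy DNS:", long_dns_queries(DNS))
    print("egress deviations:", egress_deviations(FLOWS, BASELINE_DAILY))
    print("archive then transfer:", archive_then_transfer(PROCS, FLOWS))
```

The daily-volume baseline is the piece that makes the other two checks actionable: a single large transfer after an archive run on a file server may be a backup, but the same host also tripling its normal daily egress in the early hours is worth a ticket. Tune factor, window and min_bytes per host class rather than globally, since servers and workstations have very different norms.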