hunting-advanced-persistent-threats

Featured

Proactively hunts for Advanced Persistent Threat (APT) activity within enterprise environments using hypothesis-driven searches across endpoint telemetry, network logs, and memory artifacts. Use when conducting scheduled threat hunting cycles, investigating anomalous behavior flagged by UEBA, or validating that known APT TTPs are not present in the environment. Activates for requests involving MITRE ATT&CK, Velociraptor, osquery, Zeek, or threat hunting playbooks.

AI & Automation 12,642 stars 1468 forks Updated today Apache-2.0


Quality Score: 99/100

| Component | Weight | Score |
| --- | --- | --- |
| Stars | 20% | 100 |
| Recency | 20% | 100 |
| Frontmatter | 20% | 70 |
| Documentation | 15% | 100 |
| Issue Health | 10% | 50 |
| License | 10% | 100 |
| Description | 5% | 100 |

Skill Content

# Hunting Advanced Persistent Threats

## When to Use

Use this skill when:

- Conducting proactive threat hunting sprints (typically 2–4 week cycles) based on newly published APT intelligence
- A UEBA alert or anomaly detection system flags behavioral deviations warranting deeper investigation
- A peer organization or ISAC sharing partner reports active APT compromise and you need to validate your own exposure

**Do not use** this skill as a substitute for incident response when a confirmed breach is in progress — escalate to IR procedures (NIST SP 800-61).

## Prerequisites

- EDR platform with telemetry retention (CrowdStrike Falcon, Microsoft Defender for Endpoint, or SentinelOne) covering 30+ days
- Access to MITRE ATT&CK Navigator for hypothesis development
- Network flow data (NetFlow, Zeek, or Suricata logs) in a queryable SIEM
- Threat hunting platform or query interface (Velociraptor, osquery fleet, or Splunk ES)

## Workflow

### Step 1: Develop Hunt Hypothesis

Select a threat actor relevant to your sector using MITRE ATT&CK Groups (https://attack.mitre.org/groups/). Review the group's known TTPs mapped to ATT&CK techniques.

Example hypothesis: "APT29 (Cozy Bear) uses spearphishing with ISO attachments (T1566.001) and living-off-the-land binaries (T1218) — test for unusual mshta.exe and rundll32.exe parent-child relationships."

Document the hypothesis using the Threat Hunting Loop framework: hypothesis → data collection → pattern analysis → response.

### Step 2: Iden...

Details

- Author: mukul975
- Repository: mukul975/Anthropic-Cybersecurity-Skills
- Created: 3 months ago
- Last Updated: today
- Language: Python
- License: Apache-2.0
