From cybersecurity-skills
Proactive, hypothesis-driven threat hunting using the PEAK framework (Prepare, Execute, Act, Knowledge). Searches SIEM/EDR logs for adversaries who evaded existing detections, with ATT&CK-based methodology and pivot patterns.
Slash command: `/cybersecurity-skills:threat-hunting`
Hunt for adversaries who are already inside but haven't tripped an alert. Distinct from `incident-triage` (reactive, alert is firing) and from `siem-detection` (engineer rules so future alerts fire). This skill is the *proactive* layer — assume something has slipped through, look for it.
Hunting is hypothesis-driven, not browse-driven. "Let's look around the SIEM" is not hunting; "let's check for the specific pattern of T1059.001 (PowerShell) being launched by Office processes" is.
Cross-references: `siem-detection` (queries you write here often graduate to detection rules), `incident-triage` (what to do if a hunt confirms a finding), `breach-patterns` (a rich source of hunt hypotheses), `disk-forensics` (deeper analysis on confirmed hits).
The PEAK (Prepare, Execute, Act, Knowledge) framework from Splunk SURGe — the most actionable hunting methodology I've seen.
Form the hypothesis. Strong hypotheses share three properties: they are specific, testable, and bounded (a named technique, a data source you can actually query, and a time window).
Bad hypothesis: "Look for anomalies in the SIEM"
Good hypothesis: "Within the last 30 days, no service account should have run interactive PowerShell with -encodedCommand flag (T1059.001 + T1027). Search Sysmon event 1 for parent process = service-account-launched scheduled task, child = powershell.exe, command line contains -enc or -encodedcommand."
Hunt hypothesis sources, ranked by yield:

| Source | Yield | Effort |
|---|---|---|
| Recent incident (yours or peer's) | High | Low — pattern is concrete |
| `breach-patterns` skill catalog | High | Low — generalizes from public breaches |
| MITRE ATT&CK technique you don't have a detection for | Medium | Medium — read the technique, design the hunt |
| Threat intel report (CrowdStrike, Mandiant, vendor reports) | Medium | Medium — current patterns |
| Anomaly: "this number went up — why" | Low | Low — often FP, occasionally gold |
Run the hunt. Three execution patterns:
Pattern A — Pivot from indicator. Start with a specific IOC (IP, hash, domain) and look for any host or user that touched it.

```kql
// Sentinel — pivot from a suspicious IP across all log sources
// '* has' searches every column of every table in the union; on a large
// workspace scope the union (e.g. union SecurityEvent, CommonSecurityLog)
// before running it over 90 days.
union *
| where TimeGenerated > ago(90d)
| where * has "198.51.100.42"
| project TimeGenerated, Type, Computer, _ResourceId
```
Pattern B — Pivot from technique. Start with an ATT&CK technique and look for any host doing that.

```spl
// Splunk — T1547.001 Registry Run Keys persistence (Sysmon EventCode 13 = registry value set)
index=sysmon EventCode=13
TargetObject="*\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\*"
| stats values(Details) AS RunValues dc(Details) AS DistinctValues by Computer, User
| where DistinctValues > 1
```

The original `len(values(Details))` measured the string length of the multivalue field, not how many distinct values were written; `dc(Details)` counts the distinct run-key values per host/user, which is what the hunt is after.
Pattern C — Anomaly hunt. Establish a baseline; look for outliers.

```kql
// Sentinel — service accounts authenticating from new geographies
// Adapt the account filter to how your tenant identifies service accounts
// (naming convention, group membership, or a custom UserType value); sign-ins
// by Entra service principals live in AADServicePrincipalSignInLogs, not SigninLogs.
SigninLogs
| where TimeGenerated > ago(30d)
| where UserType == "Service"
| summarize Countries = make_set(Location) by UserPrincipalName
| where array_length(Countries) > 1
```
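The "good hypothesis" from the Prepare step (service-account scheduled task launching encoded PowerShell, T1059.001 + T1027), executed as a hunt over Sysmon Event ID 1 records and carried through to the Act step's outcomes. This is an added example, not code from the skill or the cybersecurity-skills project; the sample events are constructed, and the `svc_` naming convention, the Task Scheduler host command line and the `KNOWN_BENIGN` allowlist are assumptions to adapt to your environment.

```python
import base64
import re

# PowerShell -EncodedCommand takes base64 of a UTF-16LE string; the sample payload is built the same way.
SAMPLE_B64 = base64.b64encode("Get-Date".encode("utf-16le")).decode()
_PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
_TASKHOST = "svchost.exe -k netsvcs -p -s Schedule"  # Task Scheduler service host (assumed parent of task-launched processes)

def _event(computer, user, parent_cmd, cmdline, image=_PS):
    """Build a constructed Sysmon Event ID 1 record (not real telemetry); field names follow Sysmon."""
    return {"Computer": computer, "User": user, "ParentCommandLine": parent_cmd, "Image": image, "CommandLine": cmdline}

SAMPLE_EVENTS = [  # constructed sample data
    _event("FS01", "CORP\\svc_backup", _TASKHOST, f"powershell.exe -NoP -W Hidden -enc {SAMPLE_B64}"),
    _event("WS17", "CORP\\jdoe", "explorer.exe", f"powershell.exe -EncodedCommand {SAMPLE_B64}"),
    _event("FS01", "CORP\\svc_backup", _TASKHOST, r"powershell.exe -File C:\scripts\backup.ps1"),
    _event("DB02", "CORP\\svc_sql", _TASKHOST, "powershell.exe -ec AAAA"),
]

# -EncodedCommand and the short forms powershell.exe also accepts (-e, -ec, -enc), followed by the base64 blob.
ENC_FLAG = re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
SERVICE_ACCOUNT = re.compile(r"\\svc_", re.I)  # assumption: svc_ naming convention for service accounts
KNOWN_BENIGN = {"Get-Date"}  # decoded commands already reviewed and documented as benign (constructed allowlist)

def decode_encoded_command(b64):
    """Reverse the -EncodedCommand encoding; flag blobs that are not valid base64 or not UTF-16LE."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return "<undecodable>"

def hunt_service_account_encoded_powershell(events):
    """Hits: powershell.exe launched by the Task Scheduler host under a service account with an encoded command.
    Each hit carries the decoded payload and an Act-step outcome so nothing is left in an undocumented state."""
    findings = []
    for ev in events:
        flag = ENC_FLAG.search(ev["CommandLine"])
        if not (ev["Image"].lower().endswith("powershell.exe") and flag
                and "-s schedule" in ev["ParentCommandLine"].lower()
                and SERVICE_ACCOUNT.search(ev["User"])):
            continue
        decoded = decode_encoded_command(flag.group(1))
        outcome = "Confirmed benign" if decoded in KNOWN_BENIGN else "Unknown / unable to confirm"
        findings.append({"hit_id": len(findings) + 1, "host": ev["Computer"], "user": ev["User"],
                         "decoded": decoded, "outcome": outcome})
    return findings
```

Each returned dict maps directly onto a row of the Findings table in the hunt report template; the undecodable hit is exactly the kind that must be deepened or handed off rather than left as "unknown".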
For every hit, three possible outcomes:
| Outcome | Action |
|---|---|
| Confirmed malicious | Escalate to `incident-triage` immediately |
| Confirmed benign | Document and move on |
| Unknown / unable to confirm | Deepen investigation (host artifacts, network traffic, user interview) |
Don't leave hits in the "unknown" state. Either resolve, or hand off with a documented next-step.
The hunt's value isn't the one hit — it's the artifacts.
For each hunt, produce at least one of:

- A detection rule: if the hunt query found a pattern worth alerting on, graduate it to a rule (hand off to `siem-detection`)
- A documented negative result: if the query ran cleanly and found nothing, record the hypothesis, data sources and date range so nobody repeats the work
- A documented coverage gap: if the data needed to test the hypothesis was not there, record the visibility gap

Hunts that don't produce artifacts are work without compounding return. The whole point of the methodology is to turn every hunt into either a rule, a documented dead-end, or a coverage improvement.
Hunt hypothesis catalog, grouped by ATT&CK tactic (endpoint and cloud):

**Persistence**
- Scheduled tasks: `schtasks.exe /create` from Sysmon event 1 + EventCode 4698 from Windows Security
- Registry run keys: `HKCU\...\Run`, `HKLM\...\Run`, `HKCU\...\RunOnce`
- WMI: `__EventFilter` and `CommandLineEventConsumer` subscriptions
- macOS: `/Library/LaunchDaemons/*.plist`, `~/Library/LaunchAgents/*.plist`
- Linux: `/etc/cron.*`, `/etc/systemd/system/*.timer`, user crontabs

**Execution / defense evasion**
- `-EncodedCommand` — base64-encoded scripts are evasion 80% of the time
- `certutil.exe -decode` — LOLBin used to decode dropper payloads
- `%TEMP%`, `%APPDATA%`, `\Users\Public` — non-standard exec paths
- `^`, backticks, `cmd /c echo y | ...` — command-line obfuscation

**Credential access**
- Access to `lsass.exe` where SourceImage not in [mssense.exe, NisSrv.exe, ...]
- `procdump.exe` or `comsvcs.dll` use — process-dumping LOLBins
- Cloud: `GetSessionToken` or `AssumeRole` from new IPs — credential capture pivot (see `iam-audit`)
- Cloud: `GetCredentialReport`, `GenerateCredentialReport` from unusual principals
- Cloud: requests to `169.254.169.254` that aren't from the cloud SDK

**Discovery**
- `net group "Domain Admins"` or equivalent enumeration commands
- `whoami /all`, `quser`, `nltest /domain_trusts` — situational awareness commands run by service accounts (humans rarely run these)
- Cloud: `ListBuckets`, `ListUsers`, `DescribeInstances` from unusual principals

**Lateral movement**
- `wmic.exe` or `Invoke-WmiMethod`
- Cloud: `AssumeRole` chains across accounts — pivot detection

**Collection / staging**
- `Compress-Archive`, `7z.exe`, `tar`, `zip` operating on directories outside user home

**Defense evasion (cloud logging)**
- `StopLogging`, `DeleteTrail`, log-bucket access from non-logging principals

Hunt report template:

```markdown
# Threat Hunt Report
## Hunt name: [descriptive — e.g., "Office process → encoded PowerShell"]
## Hypothesis: [specific, testable, bounded]
## Date range: [from - to]
## Hunter: [name]
### Methodology
- ATT&CK technique(s): [TXXXX.NNN]
- Data sources queried: [list]
- Query / queries:
[the actual SIEM query]
### Findings
| Hit ID | Host / User / Resource | Outcome | Notes |
|--------|------------------------|---------|-------|
### Conclusion
- [Confirmed malicious / All benign / Inconclusive]
- [Confidence level — Low / Medium / High]
### Artifacts produced
- [ ] Detection rule added (link)
- [ ] Coverage gap documented (link)
- [ ] Negative-result documentation filed (link)
### Recommended follow-up
[Anything that needs deeper investigation, escalation, or future hunts]
```
If a hit is confirmed malicious, hand off to `incident-triage` immediately — do not continue hunting and risk tipping the adversary.

Install: `npx claudepluginhub briiirussell/cybersecurity-skills --plugin cybersecurity-skills`