threat-hunt

Threat Hunt Skill (Index)

Index skill for systematic threat hunting. Detailed knowledge lives in focused sub-skills. Skill root: ${CLAUDE_PLUGIN_ROOT}/skills/threat-hunt/

Environment

Read config from ~/.claude/.env: VT_API_KEY, ES_URL (default http://localhost:9200), ES_INDEX_PREFIX.

Evidence Ingestion

Format	Script	Index Suffix
Windows EVTX	scripts/ingest_evtx.py	-winevt
Linux syslog	scripts/ingest_syslog.py	-syslog
Connection logs	scripts/ingest_connections.py	-connections
Bash history	scripts/ingest_bash_history.py	-bash-history
Windows Registry	scripts/ingest_registry.py	-registry
Linux Full Visibility	../linux-threat-hunt/scripts/ingest_linux_full_visibility.py	linux-evidence-*
Windows Full Visibility	../windows-threat-hunt/scripts/ingest_windows_full_visibility.py	windows-evidence-*

Prerequisites: Elasticsearch 9.x, evtx_dump (Rust), Python 3.10+ with uv.

Elasticsearch Hunting

Hunt queries by MITRE ATT&CK: C2 (TA0011), Lateral Movement (TA0008), Persistence (TA0003), Defense Evasion (TA0005), Credential Access (TA0006), Exfiltration (TA0010), Registry (TA0003/TA0005).

Pre-built CLI: uv run ${CLAUDE_PLUGIN_ROOT}/skills/threat-hunt/scripts/hunt.py --list

VirusTotal Enrichment

Uses vt-py SDK. Batch IOCs with 2s intervals. Assess as MALICIOUS / SUSPICIOUS / CLEAN / UNKNOWN.

Linked Skills

Resource	Purpose
es-evidence-ingest	Forensic evidence ingestion into ES
linux-threat-hunt	Linux full-visibility ingest + 5-layer validation
windows-threat-hunt	Windows full-visibility ingest + 5-layer validation
elk-stack-queries	EQL, ES|QL, KQL, DSL reference
gti-virustotal-api	Complete vt-py SDK reference
hunt-report	Report generation, delegation, template

Example Finding (shape a hunt report should produce)

**Finding**: T1055 Process Injection — Suspected Cobalt Strike beacon injection into `svchost.exe` on `SRV-DC01` at 2026-03-14T09:42:17Z.

Evidence (5-layer validated):

1. Sysmon event 10 (ProcessAccess): powershell.exe → svchost.exe with access mask 0x1FFFFF (PROCESS_ALL_ACCESS) from process id 4827.
2. Sysmon event 8 (CreateRemoteThread): powershell.exe created thread in svchost.exe (pid 812); start address does not match loaded module.
3. ETW-TI: NtMapViewOfSection call from powershell.exe to svchost.exe with PAGE_EXECUTE_READWRITE protection (classic shellcode injection).
4. Network: post-injection, svchost.exe (pid 812) beacons to 185.243.115.84:443 every 60s ± 5s jitter — C2 signature consistent with Cobalt Strike default Malleable C2 profile.
5. VT enrichment: IP 185.243.115.84 → malicious (48/90 engines), tagged Cobalt Strike, APT by threat-intel feeds.

MITRE mapping: T1055.012 (Process Hollowing-adjacent), T1071.001 (Web C2).

Suggested detection: Sigma rule matching Sysmon eid 10 + eid 8 + outbound 443 to non-whitelisted IPs within 30s of CreateRemoteThread.

Recommendation: isolate SRV-DC01, preserve memory image for Volatility analysis, hunt for same C2 IP across all endpoints.

Core Principles

1. Start with a hypothesis — unfocused hunting returns a million events and zero conclusions. Hypothesis-driven hunts scope ES queries and cut time-to-finding by 10x.
2. avoid skip evidence preservation — raw artifacts (EVTX, memory images, PCAP) enable re-analysis when IR escalates. Discarded evidence is evidence the defense team can't rebuild.
3. Correlate across data sources — single-source hunts miss lateral movement that shows up as "normal" on each box individually. Correlating Sysmon + network + auth logs surfaces the pivot.
4. avoid declare findings without validation — the 5-layer gate (artifact → telemetry → correlation → enrichment → attribution) prevents the false positives that burn IR cycles and erode the team's credibility.
5. Produce actionable output — detection rules (Sigma/YARA) and IOCs (IPs/hashes/domains) from every finding. A hunt that doesn't become a permanent detection is a hunt that will find the same thing next month.

Reference

See reference.md for: ingestion commands and process, index conventions, MITRE hunt query details, ES query examples, VT API code, agent delegation patterns, composable report sections, finding verbosity standard, threat intel store, and additional resources.