Hunting Advanced Persistent Threats

When to Use

Use this skill when:

Conducting proactive threat hunting sprints (typically 2–4 week cycles) based on newly published APT intelligence
A UEBA alert or anomaly detection system flags behavioral deviations warranting deeper investigation
A peer organization or ISAC sharing partner reports active APT compromise and you need to validate your own exposure

Do not use this skill as a substitute for incident response when a confirmed breach is in progress — escalate to IR procedures (NIST SP 800-61).

Prerequisites

EDR platform with telemetry retention (CrowdStrike Falcon, Microsoft Defender for Endpoint, or SentinelOne) covering 30+ days
Access to MITRE ATT&CK Navigator for hypothesis development
Network flow data (NetFlow, Zeek, or Suricata logs) in a queryable SIEM
Threat hunting platform or query interface (Velociraptor, osquery fleet, or Splunk ES)

Workflow

Step 1: Develop Hunt Hypothesis

Select a threat actor relevant to your sector using MITRE ATT&CK Groups (https://attack.mitre.org/groups/). Review the group's known TTPs mapped to ATT&CK techniques. Example hypothesis: "APT29 (Cozy Bear) uses spearphishing with ISO attachments (T1566.001) and living-off-the-land binaries (T1218) — test for unusual mshta.exe and rundll32.exe parent-child relationships."

Document hypothesis using the Threat Hunting Loop framework: hypothesis → data collection → pattern analysis → response.

Step 2: Identify Required Data Sources

Map each ATT&CK technique to required log sources using the ATT&CK Data Sources taxonomy:

Process creation (T1059): Windows Security Event 4688 or Sysmon Event ID 1
Network connections (T1071): Zeek conn.log, NetFlow, EDR network telemetry
Registry modifications (T1547): Sysmon Event ID 13, Windows Security 4657
Memory injection (T1055): EDR memory scan telemetry, Volatility output

Verify log coverage using ATT&CK Coverage Calculator or a custom data source matrix.

Step 3: Execute Hunts with Velociraptor or osquery

Velociraptor VQL hunt for unusual PowerShell execution:

SELECT Pid, Ppid, Name, CommandLine, CreateTime
FROM pslist()
WHERE Name =~ "powershell.exe"
AND CommandLine =~ "-enc|-nop|-w hidden"

osquery for persistence via scheduled tasks:

SELECT name, action, enabled, path
FROM scheduled_tasks
WHERE action NOT LIKE '%System32%'
AND enabled = 1;

Splunk SPL for lateral movement via PsExec:

index=windows EventCode=7045 ServiceFileName="*PSEXESVC*"
| stats count by ComputerName, ServiceName, ServiceFileName

Step 4: Analyze Results and Pivot

For each anomaly identified, pivot across dimensions:

Temporal: Did this occur before or after known IOC timestamps?
Host: How many endpoints exhibit this behavior?
User: Is the associated account a service account, privileged user, or regular user?
Network: Does the host communicate with external IPs not in baseline?

Apply the Diamond Model (adversary, capability, infrastructure, victim) to structure findings.

Step 5: Document and Operationalize Findings

If hunting reveals confirmed malicious activity, activate IR procedures. If hunting reveals a gap (hunt found nothing but data coverage was insufficient), document the coverage gap and remediate.

Convert successful hunt queries into SIEM detection rules using Sigma format for portability across platforms.

Key Concepts

Term	Definition
TTP	Tactics, Techniques, and Procedures — adversary behavioral patterns as defined in MITRE ATT&CK
Diamond Model	Analytical framework with four vertices (adversary, capability, infrastructure, victim) used to structure intrusion analysis
Living-off-the-Land (LotL)	Attacker technique using legitimate OS tools (PowerShell, WMI, certutil) to evade detection
UEBA	User and Entity Behavior Analytics — ML-based detection of anomalous behavior baselines
Sigma	Open standard for SIEM-agnostic detection rule format, analogous to YARA for network/log detection
Hunt Hypothesis	A testable prediction about adversary presence based on threat intelligence and environmental knowledge

Tools & Systems

Velociraptor: Open-source DFIR platform with VQL query language for scalable endpoint hunting across thousands of systems
osquery: SQL-based OS instrumentation framework for real-time endpoint telemetry queries
MITRE ATT&CK Navigator: Web-based tool for visualizing ATT&CK coverage and technique prioritization
Zeek (formerly Bro): Network traffic analyzer producing structured logs (conn, dns, http, ssl) suitable for hunting
Elastic Security: EQL (Event Query Language) enables sequence-based hunting for multi-stage attack patterns
Sigma: Detection rule format with translators for Splunk, QRadar, Sentinel, and Elastic

Common Pitfalls

Confirmation bias: Starting a hunt expecting to find something and interpreting benign data as malicious. Document null results — they validate controls.
Insufficient data retention: Many APT techniques require 90+ days of log history to identify slow-and-low patterns. Default retention periods are often too short.
Hunting without baselines: Cannot identify anomalies without knowing normal. Spend time on baseline documentation before hunting.
Query performance impact: Broad queries against production SIEM during business hours can degrade analyst workflows. Schedule intensive hunts during off-peak hours.
Ignoring false positives systematically: Track false positive rates per query. Queries with >80% FP rate should be refined or retired before operationalization.

Verification Criteria

Confirm successful execution by validating:

[ ] All prerequisite tools and access requirements are satisfied
[ ] Each workflow step completed without errors
[ ] Output matches expected format and contains expected data
[ ] No security warnings or misconfigurations detected
[ ] Results are documented and evidence is preserved for audit

Compliance Framework Mapping

This skill supports compliance evidence collection across multiple frameworks:

SOC 2: CC7.1 (Monitoring), CC7.2 (Anomaly Detection)
ISO 27001: A.6.1 (Threat Intelligence), A.16.1 (Security Incident Management)
NIST 800-53: PM-16 (Threat Awareness), RA-3 (Risk Assessment), SI-5 (Security Alerts)
NIST CSF: ID.RA (Risk Assessment), DE.AE (Anomalies & Events)

Claw GRC Tip: When this skill is executed by a registered agent, compliance evidence is automatically captured and mapped to the relevant controls in your active frameworks.

Deploying This Skill with Claw GRC

Agent Execution

# Install via CLI
npx claw-grc skills add hunting-advanced-persistent-threats

# Or load dynamically via MCP
grc.load_skill("hunting-advanced-persistent-threats")

Audit Trail Integration

When executed through Claw GRC, every step of this skill generates tamper-evident audit records:

SHA-256 chain hashing ensures no step can be modified after execution
Evidence artifacts (configs, scan results, logs) are automatically attached to relevant controls
Trust score impact — successful execution increases your agent's trust score

Continuous Compliance

Schedule this skill for recurring execution to maintain continuous compliance posture. Claw GRC monitors for drift and alerts when re-execution is needed.

Hunting Advanced Persistent Threats

When to Use

Use this skill when:

Conducting proactive threat hunting sprints (typically 2–4 week cycles) based on newly published APT intelligence
A UEBA alert or anomaly detection system flags behavioral deviations warranting deeper investigation
A peer organization or ISAC sharing partner reports active APT compromise and you need to validate your own exposure

Do not use this skill as a substitute for incident response when a confirmed breach is in progress — escalate to IR procedures (NIST SP 800-61).

Prerequisites

EDR platform with telemetry retention (CrowdStrike Falcon, Microsoft Defender for Endpoint, or SentinelOne) covering 30+ days
Access to MITRE ATT&CK Navigator for hypothesis development
Network flow data (NetFlow, Zeek, or Suricata logs) in a queryable SIEM
Threat hunting platform or query interface (Velociraptor, osquery fleet, or Splunk ES)

Workflow

Step 1: Develop Hunt Hypothesis

Document hypothesis using the Threat Hunting Loop framework: hypothesis → data collection → pattern analysis → response.

Step 2: Identify Required Data Sources

Map each ATT&CK technique to required log sources using the ATT&CK Data Sources taxonomy:

Process creation (T1059): Windows Security Event 4688 or Sysmon Event ID 1
Network connections (T1071): Zeek conn.log, NetFlow, EDR network telemetry
Registry modifications (T1547): Sysmon Event ID 13, Windows Security 4657
Memory injection (T1055): EDR memory scan telemetry, Volatility output

Verify log coverage using ATT&CK Coverage Calculator or a custom data source matrix.

Step 3: Execute Hunts with Velociraptor or osquery

Velociraptor VQL hunt for unusual PowerShell execution:

SELECT Pid, Ppid, Name, CommandLine, CreateTime
FROM pslist()
WHERE Name =~ "powershell.exe"
AND CommandLine =~ "-enc|-nop|-w hidden"

osquery for persistence via scheduled tasks:

SELECT name, action, enabled, path
FROM scheduled_tasks
WHERE action NOT LIKE '%System32%'
AND enabled = 1;

Splunk SPL for lateral movement via PsExec:

index=windows EventCode=7045 ServiceFileName="*PSEXESVC*"
| stats count by ComputerName, ServiceName, ServiceFileName

Step 4: Analyze Results and Pivot

For each anomaly identified, pivot across dimensions:

Temporal: Did this occur before or after known IOC timestamps?
Host: How many endpoints exhibit this behavior?
User: Is the associated account a service account, privileged user, or regular user?
Network: Does the host communicate with external IPs not in baseline?

Apply the Diamond Model (adversary, capability, infrastructure, victim) to structure findings.

Step 5: Document and Operationalize Findings

If hunting reveals confirmed malicious activity, activate IR procedures. If hunting reveals a gap (hunt found nothing but data coverage was insufficient), document the coverage gap and remediate.

Convert successful hunt queries into SIEM detection rules using Sigma format for portability across platforms.

Key Concepts

Term	Definition
TTP	Tactics, Techniques, and Procedures — adversary behavioral patterns as defined in MITRE ATT&CK
Diamond Model	Analytical framework with four vertices (adversary, capability, infrastructure, victim) used to structure intrusion analysis
Living-off-the-Land (LotL)	Attacker technique using legitimate OS tools (PowerShell, WMI, certutil) to evade detection
UEBA	User and Entity Behavior Analytics — ML-based detection of anomalous behavior baselines
Sigma	Open standard for SIEM-agnostic detection rule format, analogous to YARA for network/log detection
Hunt Hypothesis	A testable prediction about adversary presence based on threat intelligence and environmental knowledge

Tools & Systems

Velociraptor: Open-source DFIR platform with VQL query language for scalable endpoint hunting across thousands of systems
osquery: SQL-based OS instrumentation framework for real-time endpoint telemetry queries
MITRE ATT&CK Navigator: Web-based tool for visualizing ATT&CK coverage and technique prioritization
Zeek (formerly Bro): Network traffic analyzer producing structured logs (conn, dns, http, ssl) suitable for hunting
Elastic Security: EQL (Event Query Language) enables sequence-based hunting for multi-stage attack patterns
Sigma: Detection rule format with translators for Splunk, QRadar, Sentinel, and Elastic

Common Pitfalls

Confirmation bias: Starting a hunt expecting to find something and interpreting benign data as malicious. Document null results — they validate controls.
Insufficient data retention: Many APT techniques require 90+ days of log history to identify slow-and-low patterns. Default retention periods are often too short.
Hunting without baselines: Cannot identify anomalies without knowing normal. Spend time on baseline documentation before hunting.
Query performance impact: Broad queries against production SIEM during business hours can degrade analyst workflows. Schedule intensive hunts during off-peak hours.
Ignoring false positives systematically: Track false positive rates per query. Queries with >80% FP rate should be refined or retired before operationalization.

Verification Criteria

Confirm successful execution by validating:

[ ] All prerequisite tools and access requirements are satisfied
[ ] Each workflow step completed without errors
[ ] Output matches expected format and contains expected data
[ ] No security warnings or misconfigurations detected
[ ] Results are documented and evidence is preserved for audit

Compliance Framework Mapping

This skill supports compliance evidence collection across multiple frameworks:

SOC 2: CC7.1 (Monitoring), CC7.2 (Anomaly Detection)
ISO 27001: A.6.1 (Threat Intelligence), A.16.1 (Security Incident Management)
NIST 800-53: PM-16 (Threat Awareness), RA-3 (Risk Assessment), SI-5 (Security Alerts)
NIST CSF: ID.RA (Risk Assessment), DE.AE (Anomalies & Events)

Claw GRC Tip: When this skill is executed by a registered agent, compliance evidence is automatically captured and mapped to the relevant controls in your active frameworks.

Deploying This Skill with Claw GRC

Agent Execution

# Install via CLI
npx claw-grc skills add hunting-advanced-persistent-threats

# Or load dynamically via MCP
grc.load_skill("hunting-advanced-persistent-threats")

Audit Trail Integration

When executed through Claw GRC, every step of this skill generates tamper-evident audit records:

SHA-256 chain hashing ensures no step can be modified after execution
Evidence artifacts (configs, scan results, logs) are automatically attached to relevant controls
Trust score impact — successful execution increases your agent's trust score

Continuous Compliance

Schedule this skill for recurring execution to maintain continuous compliance posture. Claw GRC monitors for drift and alerts when re-execution is needed.

Prerequisites

MITRE ATT&CK Coverage

Hunting Advanced Persistent Threats

When to Use

Prerequisites

Workflow

Step 1: Develop Hunt Hypothesis

Step 2: Identify Required Data Sources

Step 3: Execute Hunts with Velociraptor or osquery

Step 4: Analyze Results and Pivot

Step 5: Document and Operationalize Findings

Key Concepts

Tools & Systems

Common Pitfalls

Verification Criteria

Compliance Framework Mapping

Deploying This Skill with Claw GRC

Agent Execution

Audit Trail Integration

Continuous Compliance

Use with Claw GRC Agents

Tags

Related Skills

Mapping MITRE ATT&CK Techniques

Profiling Threat Actor Groups

Analyzing Cyber Kill Chain

Analyzing Indicators of Compromise

Analyzing PowerShell Empire Artifacts

Analyzing Threat Intelligence Feeds

Prerequisites

MITRE ATT&CK Coverage

Hunting Advanced Persistent Threats

When to Use

Prerequisites

Workflow

Step 1: Develop Hunt Hypothesis

Step 2: Identify Required Data Sources

Step 3: Execute Hunts with Velociraptor or osquery

Step 4: Analyze Results and Pivot

Step 5: Document and Operationalize Findings

Key Concepts

Tools & Systems

Common Pitfalls

Verification Criteria

Compliance Framework Mapping

Deploying This Skill with Claw GRC

Agent Execution

Audit Trail Integration

Continuous Compliance

Use with Claw GRC Agents

Tags

Related Skills

Mapping MITRE ATT&CK Techniques

Profiling Threat Actor Groups

Analyzing Cyber Kill Chain

Analyzing Indicators of Compromise

Analyzing PowerShell Empire Artifacts

Analyzing Threat Intelligence Feeds