Threat hunting methodology: framework, techniques, and how to operationalize it with the Vectra AI platform

Modern security teams cannot rely on alerts alone. Attackers dwell in environments for days or weeks before detection tools surface their activity — and the most sophisticated threats are specifically designed to avoid triggering automated rules. A structured threat hunting methodology closes that gap: shifting from reactive alerting to proactive investigation, starting from the assumption that something may already be wrong and systematically searching for evidence.

This guide covers what threat hunting methodology is, how leading security teams structure their hunting programs, and how to apply those frameworks using the Vectra AI Platform across hybrid environments spanning network, identity, cloud, and SaaS infrastructure.

It is written for SOC analysts, detection engineers, and security architects building or maturing a proactive threat hunting practice.

What is a threat hunting methodology?

A threat hunting methodology is a structured approach to proactively searching for threats that have not yet triggered automated alerts. Rather than waiting for a detection rule to fire, hunters start from the assumption that something could already be wrong and search for behavioral evidence. They combine threat intelligence, knowledge of attacker tactics, and familiarity with their own environment to surface activity that does not match expected patterns.

A complete threat hunting methodology defines three things: what to hunt for (the hypothesis), how to hunt for it (the technique), and what to do when something is found (the response workflow).

The three most widely adopted threat hunting methodologies are:

Threat hunting frameworks

A threat hunting framework provides the structural layer that guides how hunts are planned, executed, and repeated. The most widely used frameworks reference MITRE ATT&CK as the taxonomy for attacker techniques, organizing hunts by tactic (what the attacker is trying to achieve) and technique (how they achieve it).

The core components of an operational threat hunting framework are:

• Hypothesis formation — define what attacker behavior you are looking for and why it matters in your environment
• Data source identification — determine which telemetry streams contain the signal you need (network metadata, identity logs, cloud activity, endpoint data)
• Query execution — run structured searches against historical data to find matches
• Pivot and investigation — when a match is found, pivot on the impacted entity to understand scope and timeline
• Response integration — feed confirmed findings back into detection rules, playbooks, or incident response workflows
• Documentation and repeatability — save effective queries, document findings, and schedule recurring hunts

Without a repeatable framework, threat hunting remains ad hoc and produces inconsistent results. With one, it becomes a measurable program that continuously strengthens detection coverage.

Threat hunting best practices

The following best practices are drawn from mature SOC programs and reflect what differentiates high-performing hunting teams from those that struggle to operationalize the practice.

Start with high-confidence hypotheses. The strongest hunts are grounded in specific attacker techniques — not generic searches. Use threat intelligence, recent incident reports, and MITRE ATT&CK to identify techniques relevant to your industry and infrastructure before writing a single query.

Prioritize network metadata. Network metadata shows how systems communicate — not just that they did. Endpoint logs describe isolated events on a single machine. Network data reveals how activity connects across the environment. Teams that hunt primarily from endpoint telemetry miss a significant category of lateral movement, command-and-control, and data exfiltration signals.

Hunt across all three methodology types. TTP-based, compliance-based, and IOC-based hunts each surface different threat categories. A program that only runs one type consistently misses what the other two are designed to find.

Build repeatable query libraries. Save effective queries. Document what each one looks for, what it has historically found, and under what conditions it produces false positives. A growing query library is a direct measure of program maturity.

Integrate findings into detection engineering. Every confirmed threat hunting finding that is not converted into a detection rule is a missed hardening opportunity. The loop between hunting and detection tuning is what makes programs self-improving over time.

Establish behavioral baselines before hunting anomalies. You cannot reliably identify what is abnormal without first understanding what normal looks like. Invest time in baseline documentation before expecting anomaly-based hunts to produce reliable signal.

Time-box hunts. Structured, time-limited hunts with clear objectives outperform open-ended investigations. Most experienced hunters operate in 5–30 minute structured sessions, then triage findings before deciding whether to escalate or pivot.

Threat hunting methodology with the Vectra AI platform

The Vectra AI Platform is purpose-built for advanced threat investigations and hunting at scale. Analysts pivot across AI-enhanced metadata to uncover attacker behaviors, trace activity over time, and correlate signals across identity, cloud, and network layers — all from a single interface.

Coverage domains and metadata streams

Hunt modalities in the Vectra AI platform

TTP-based threat hunting methodology

TTP-based hunting focuses on identifying attacker behaviors rather than relying on static indicators. By targeting specific tactics, techniques, and procedures used during real-world intrusions, security teams can detect threats that often evade signature-based tools.

What TTP-based hunts are designed to surface:

• Early-stage compromise before lateral movement begins
• Credential theft techniques targeting Active Directory and cloud identity
• Authentication abuse patterns across domain controllers and identity providers
• Cloud data access anomalies indicating exfiltration staging
• Evasion techniques using legitimate system tools (living-off-the-land)

The nine TTP-based hunts below are mapped to known attacker techniques and executable directly in the Vectra AI Platform.

TTP-based threat hunting methodology

TTP-based hunting focuses on identifying attacker behaviors rather than relying on static indicators. By targeting specific tactics, techniques, and procedures used during real-world intrusions, security teams can detect threats that often evade signature-based tools.

What TTP-based hunts are designed to surface:

• Early-stage compromise before lateral movement begins
• Credential theft techniques targeting Active Directory and cloud identity
• Authentication abuse patterns across domain controllers and identity providers
• Cloud data access anomalies indicating exfiltration staging
• Evasion techniques using legitimate system tools (living-off-the-land)

The nine TTP-based hunts below are mapped to known attacker techniques and executable directly in the Vectra AI Platform.

1. DPAPI backup key retrieval

What this query finds:

• Attempts to retrieve DPAPI backup keys from domain controllers
• Suspicious access patterns to domain controller resources
• Unusual administrative queries against Active Directory
• Use of known techniques for DPAPI key extraction (Mimikatz, SharpDPAPI, DSInternals)

Hunt logic: Checks network DCE/RPC logs from the last 14 days for events where a system connects to a domain controller using the LSARPC endpoint and performs the lsarretrieveprivatedata operation.

Security implication: DPAPI backup key theft enables an attacker to:

• Decrypt all stored passwords and credentials across the network
• Escalate privileges domain-wide
• Harvest sensitive data at scale
• Maintain long-term persistent control\

SELECT
    timestamp,
    orig_hostname,
    id.orig_h AS "id_orig_h",
    id.resp_h AS "id_resp_h",
    resp_hostname,
    domain,
    username,
    endpoint,
    hostname,
    operation,
    sensor_uid
FROM
    network.dce_rpc
WHERE
    id.orig_h = '10.254.50.142'
    AND LOWER(endpoint) = 'lsarpc'
    AND LOWER(operation) = 'lsarretrieveprivatedata'
    AND timestamp > date_add('day', -14, now())
ORDER BY
    timestamp DESC
LIMIT 100

2. Certutil binary usage

What this query finds:

• certutil.exe used to download files from external websites
• Base64-encoded content being decoded via certutil
• High volumes of HTTP requests from the Microsoft-CryptoAPI/10.0 user agent
• Suspicious download patterns grouped by destination host

Hunt logic: Scans HTTP traffic from the last 14 days for requests with user agent Microsoft-CryptoAPI/10.0, which is generated when certutil downloads files from external sources.

Security implication: Certutil abuse enables attackers to:

• Deliver malware while appearing as normal system activity
• Exfiltrate data through a trusted Windows binary
• Execute obfuscated scripts that bypass standard detection
• Establish persistence or move laterally before detection

SELECT host, COUNT(*) AS request_count
FROM network.http
WHERE user_agent = 'Microsoft-CryptoAPI/10.0' AND timestamp > date_add('day', -14, now())
GROUP BY host
ORDER BY request_count DESC
LIMIT 50

3. Domain controller initiating NTLM authentication

What this query finds:

• Domain controllers initiating outbound NTLM authentication requests (anomalous behavior)
• Source IP addresses matching known domain controller ranges initiating authentication to other systems

Hunt logic: Scans NTLM traffic from the last 14 days for requests with domain controllers as source IP addresses.

Security implication: A domain controller initiating outbound NTLM authentication is a strong indicator of:

• NTLM relay attacks
• Coerced authentication (PetitPotam, PrinterBug)
• Lateral movement from a compromised DC
• Potential domain-wide compromise

SELECT id.orig_h, orig_hostname.name AS hostname, COUNT(*) AS ntlm_request_count
FROM network.ntlm
WHERE (LOWER(orig_hostname.name) LIKE '%dc%' OR TRY_CAST(id.orig_h AS
IPADDRESS) BETWEEN IPADDRESS '10.254.100.0' AND IPADDRESS '10.254.100.255')
AND timestamp > date_add('day', -14, now())
GROUP BY id.orig_h, orig_hostname.name
ORDER BY ntlm_request_count DESC
LIMIT 100

4. Coerced authentications

What this query finds:

‍

Hunt logic: Examines RPC traffic metadata to identify calls to vulnerable Windows protocols using specific operation numbers that correspond to known coercion techniques.

Security implication: Successful coerced authentication enables attackers to:

• Perform NTLM relay attacks without user interaction
• Steal machine account credentials with domain-level privileges
• Execute DCSync attacks and create Golden Tickets
• Achieve full domain compromise

SELECT timestamp, orig_hostname, id.orig_h, id.resp_h, resp_hostname, domain,
username, endpoint, hostname, operation, sensor_uid
FROM network.dce_rpc
WHERE (
  (endpoint = 'unknown-c681d488-d850-11d0-8c52-00c04fd90f7e' AND operation
  IN ('unknown-0', 'unknown-4', 'unknown-5', 'unknown-6', 'unknown-7', 'unknown-12',
  'unknown-13', 'unknown-15')) OR
  (endpoint = 'spoolss' AND operation IN
  ('RpcRemoteFindFirstPrinterChangeNotificationEx')) OR
  (endpoint = 'unknown-a8e0653c-2744-4389-a61d-7373df8b2292' AND operation
  IN ('unknown-8', 'unknown-9')) OR
  (endpoint = 'netdfs' AND operation IN ('NetrDfsAddStdRoot', 'NetrDfsRemoveStdRoot'))
) AND timestamp > date_add('day', -14, now())
ORDER BY timestamp DESC
LIMIT 100

5. Outgoing SSH on non-standard port

What this query finds:

• Outbound SSH connections on ports other than port 22
• Sessions to external destinations using SSH protocol on ports 2222, 443, 8080, or other non-standard ports
• Systems initiating SSH to destinations where SSH access is not expected

Hunt logic: Examines iSession metadata to identify outbound TCP connections with SSH protocol occurring on ports other than port 22.

Security implication: Outbound SSH on non-standard ports is associated with:

• Covert command and control channels
• Data exfiltration tunnels bypassing firewall rules
• Unauthorized remote access disguised as legitimate web traffic
• Lateral movement via SSH tunneling

SELECT timestamp, uid, id.orig_h, orig_hostname, id.resp_h, resp_hostname,
id.resp_p, proto_name, orig_ip_bytes, resp_ip_bytes, duration, conn_state, sensor_uid, service
FROM network.isession
WHERE LOWER(service) = 'ssh' AND id.resp_p != 22 AND local_resp != true AND
timestamp > date_add('day', -14, now())
ORDER BY timestamp DESC
LIMIT 100

6. Multi-country sign-ins (impossible travel indicator)

What this query finds:

• Users authenticated from more than one country within a 24-hour window
• Sign-ins with confirmed location data only (entries without location data are excluded)

Hunt logic: Groups all successful sign-ins by user over the last 24 hours, counts distinct countries per user, and identifies users appearing in more than one country.

Security implication: Multi-country sign-ins within 24 hours indicate probable credential compromise — rapid international travel is physically impossible for most users. This pattern is characteristic of credential stuffing and account takeover campaigns targeting enterprise identity.

SELECT DISTINCT(vectra.identity_principal), COUNT(DISTINCT location.country_or_region) AS CountryCount,
MIN(timestamp) AS FirstLogin, MAX(timestamp) AS LastLogin
FROM entra.signins._all
WHERE location.country_or_region IS NOT NULL
  AND timestamp > date_add('day', -1, now())
GROUP BY vectra.identity_principal
HAVING COUNT(DISTINCT location.country_or_region) > 1
ORDER BY CountryCount
LIMIT 100

7. Failed login patterns by IP address

What this query finds:

• IP addresses with 20 or more failed authentication attempts within 6 hours
• Total failure count and unique users targeted per IP
• First and last failure timestamps per IP address

Hunt logic: Aggregates failed sign-in attempts by IP address over the last 6 hours, identifying IPs with high failure volumes that indicate automated attack tooling.

Security implication:‍

‍

SELECT ip_address, COUNT(*) AS FailedAttempts,
  COUNT(DISTINCT vectra.identity_principal) AS UniqueUsers,
  MIN(timestamp) AS FirstFailure,
  MAX(timestamp) AS LastFailure
FROM entra.signins."Demolab-AD"
WHERE ip_address IS NOT NULL
  AND timestamp > date_add(hour, -6, now())
  AND status.error_code != 0
GROUP BY ip_address
HAVING COUNT(*) >= 20
ORDER BY FailedAttempts
LIMIT 100

8. Suspicious storage account bulk data access

What this query finds:

• Users or applications performing 100 or more blob or file read operations within 6 hours
• Successful read operations across Azure Blob Storage and Azure File Services
• Grouped by identity and storage resource for easy pivot

Hunt logic: Analyzes Azure activity logs for storage account read operations over the last 6 hours, identifying sources with read counts at or above the bulk-access threshold.

Security implication: Bulk storage read operations indicate:

• Data exfiltration staging — attackers bulk downloading files before transfer
• Compromised accounts being used to steal organizational data at scale
• Cloud data theft targeting intellectual property, credentials, or customer records

SELECT vectra.identity,
  resourceid,
  COUNT(*) AS AccessCount,
  COUNT(DISTINCT ResourceId) AS UniqueStorageAccounts,
  MIN(timestamp) AS FirstAccess,
  MAX(timestamp) AS LastAccess
FROM azurecp.operations._all
WHERE timestamp > date_add(hour, -6, now())
  AND UPPER(operationname) IN ('MICROSOFT.STORAGE/STORAGEACCOUNTS/BLOBSERVICES/CONTAINERS/BLOBS/READ',
  'MICROSOFT.STORAGE/STORAGEACCOUNTS/FILESERVICES/SHARES/FILES/READ')
  AND resulttype = 'Success'
GROUP BY vectra.identity, ResourceId
HAVING COUNT(*) >= 100
ORDER BY AccessCount
LIMIT 100

9. Excessive key vault secret access patterns

What this query finds:

• Sources accessing 20 or more Key Vault secrets in 24 hours
• Sources accessing 10 or more unique secrets — indicating bulk credential collection
• Successful SecretGet, KeyGet, and CertificateGet operations grouped by identity and IP

Hunt logic: Examines Azure activity logs for Key Vault access operations over the last 24 hours, identifying sources that exceed normal application access volumes.

Security implication: Excessive Key Vault access is associated with credential harvesting attacks where compromised identities are used to steal:

• API keys and connection strings for lateral movement
• Certificates for identity impersonation
• Secrets needed for persistent access across the environment

SELECT calleripaddress,
  vectra.identity,
  resourceid,
  operationname,
  COUNT(*) AS SecretAccessCount,
  COUNT(DISTINCT resourceid) AS UniqueSecrets,
  MIN(timestamp) AS FirstAccess,
  MAX(timestamp) AS LastAccess
FROM azurecp.operations._all
WHERE timestamp > date_add('hour', -24, now())
  AND operationname IN ('SecretGet', 'KeyGet', 'CertificateGet')
  AND resulttype = 'Success'
  AND calleripaddress IS NOT NULL
GROUP BY calleripaddress, vectra.identity, resourceid, operationname
HAVING COUNT(*) >= 20 OR COUNT(DISTINCT resourceid) >= 10
ORDER BY SecretAccessCount
LIMIT 100

Compliance-based threat hunting methodology

Compliance-based hunting targets violations of security policies, access controls, or architectural boundaries defined by regulatory or internal standards. This approach surfaces risky behavior that may not be outright malicious but could signal misconfigurations, insider threats, or enforcement gaps — often before they become audit findings or breach vectors.

What compliance-based hunts are designed to surface:

• Legacy protocols still active in the environment (SMBv1, unencrypted services)
• Tunneling attempts bypassing network security controls
• Unpatched or outdated client software creating exploitable attack surface
• Unsanctioned AI service adoption introducing data exposure risk

1. Usage of SMBv1

What this query finds:

• All systems actively using SMBv1 protocol in the last 14 days
• Client connections, server shares, and inter-system communications using SMBv1
• Legacy applications, older Windows systems, NAS devices, and third-party software relying on this outdated protocol

Hunt logic: Scans network SMB activity over the past 14 days, listing distinct source hosts using SMBv1.

Security implication: SMBv1 usage creates risk across three dimensions:

‍

SELECT DISTINCT id.orig_h, orig_hostname.name
FROM network.smb_mapping._all
WHERE version = 'SMBv1' AND timestamp > date_add('day', -14, now())

2. Usage of HTTP CONNECT on uncommon TCP ports

What this query finds:

• HTTP CONNECT method requests to ports other than 80, 443, 8080, or 8443
• Potential tunneling attempts and proxy abuse
• Unauthorized outbound connections on non-standard ports
• Malware attempting to reach external servers through ports that bypass standard web filtering

Hunt logic: Searches HTTP logs for proxied CONNECT methods that do not use standard HTTPS (port 443). Vectra AI's deep packet service inspection identifies HTTP traffic regardless of port number, making this hunt effective even against port-evasion techniques.

Security implication: HTTP CONNECT on uncommon ports indicates:

• Attempts to bypass network security controls
• Covert channel establishment
• Data exfiltration through non-standard ports
• Malware C2 traffic disguised as web traffic

SELECT timestamp, id.orig_h, orig_hostname, user_agent, id.resp_h, resp_hostname,
id.resp_p, method, host, uri, status_code
FROM network.http
WHERE is_proxied = true AND LOWER(method) = 'connect' AND uri NOT LIKE '%:443'
AND timestamp > date_add('day', -14, now())
ORDER BY timestamp DESC
LIMIT 100

3. Out-of-date browser detection

What this query finds:

‍

Hunt logic: Detects HTTP user-agent strings indicating usage of outdated web browsers. Persistent use across multiple days highlights systems that are unpatched and at elevated exploitation risk.

Security implication: Outdated browsers are commonly exploited via:

• Drive-by downloads from compromised or malicious websites
• Phishing pages targeting known browser vulnerabilities
• Malicious web content that targets documented, unpatched CVEs

Persistent outdated browser usage often indicates broader endpoint hygiene gaps and may represent a compliance violation against endpoint hardening policies.

SELECT id.orig_h, orig_hostname.name AS hostname, user_agent, COUNT(*) AS request_count
FROM network.http._all
WHERE timestamp BETWEEN date_add('day', -14, now()) AND now()
AND ( user_agent LIKE '%MSIE%'
OR user_agent LIKE '%Firefox/[3-6]%'
OR user_agent LIKE '%Chrome/[1-9]%'
OR user_agent LIKE '%Chrome/[1-4][0-9]%'
OR user_agent LIKE '%Version/(1[0-6](\.\d+)*)\s+Safari%' )
GROUP BY id.orig_h, orig_hostname.name, user_agent
ORDER BY request_count DESC
LIMIT 100

4. AI service usage — interactions with generative AI platforms

What this query finds:

‍

Hunt logic: Searches DNS metadata for outbound queries to known generative AI platform domains, surfacing hosts, request volumes, and usage patterns.

Security implication: Unsanctioned AI adoption introduces three categories of risk:

• Data exposure — users pasting sensitive code, credentials, or internal documents into prompts
• Compliance violations — unauthorized data handling in regulated environments (HIPAA, GDPR, PCI-DSS)
• Shadow IT — AI usage bypassing established security controls and data governance policies

SELECT query, COUNT(DISTINCT orig_hostname.name) as unique_host_count,
COUNT(*) as total_query_count
FROM network.dns
WHERE ( query LIKE '%openai.com'
OR query LIKE '%chat.openai.com'
OR query LIKE '%anthropic.com'
OR query LIKE '%claude.ai'
OR query LIKE '%bard.google.com'
OR query LIKE '%bing.com'
OR query LIKE '%cohere.ai'
OR query LIKE '%huggingface.co'
OR query LIKE '%mistral.ai'
OR query LIKE '%deepseek.com%' )
AND timestamp BETWEEN date_add('day', -14, now()) AND now()
GROUP BY query
ORDER BY unique_host_count DESC, total_query_count DESC
LIMIT 100

IOC-based threat hunting methodology

IOC-based threat hunting validates potential exposures, uncovers attacker infrastructure reuse, and catches threats that may have bypassed initial defenses. It is especially effective for responding to threat intelligence advisories or public disclosures of active campaigns.

What are indicators of compromise (IOCs)?

IOCs are artifacts that hint at attacker activity when placed in context. They do not typically generate detections on their own — they require active investigation to confirm whether a match represents a true compromise.

Where security teams source IOCs

IOC hunting workflow in the Vectra AI platform

Once you have an IOC or a set of them, the investigation workflow follows four steps:

1. Search — search for the domain, IP, or hash across historical metadata and detections
2. Pivot — identify which host or user interacted with the IOC
3. Investigate timelines — determine when the IOC was first seen and whether it has reappeared
4. Check surrounding activity — look for follow-on behaviors including privilege escalation, lateral movement, or unusual data access patterns

Tip: Even if an IOC is stale or generic, it may still help surface long-dwelling threats or confirm containment after an incident.

Example workflow: A CISA advisory is published with indicators tied to a known APT campaign. You extract two domains, one IP, and a PowerShell hash. In the Vectra AI Platform, you search for one of the domains in HTTP metadata and spot activity three weeks ago. The destination host is a finance system. You pivot into Investigate and see related detections: "Abnormal Scripting Activity" and "Suspicious Lateral Movement." You now have high-confidence evidence to escalate and contain.

1. Malicious domains — command and control / phishing infrastructure

What this query finds:

• Outbound sessions to known-bad domains
• Potential C2 callbacks, beaconing activity, or user interaction with phishing lures

Hunt logic: Searches for network sessions in the last 14 days where the destination domain matches a list of known-bad domains.

Security implication: Connections to attacker-controlled domains can indicate:

• Active C2 communication or beaconing
• Payload download staging
• User interaction with phishing lures (commonly seen with infostealers such as LummaC2 or initial access brokers like Scattered Spider)

SELECT timestamp, uid, id.orig_h as "id_orig_h", orig_hostname, id.resp_h as "id_resp_h",
resp_hostname, id.resp_p as "id_resp_p", proto_name, orig_ip_bytes,
resp_ip_bytes, duration, conn_state, sensor_uid
FROM network.isession
WHERE (resp_domain = 'baddomain1.com' OR resp_domain = 'baddomain2.com')
AND timestamp > date_add('day', -14, now())
ORDER BY timestamp DESC
LIMIT 100

2. Known malicious IPs — infrastructure reuse or exfiltration

What this query finds:

• Connections to or from blacklisted IP addresses in the last 14 days
• Full session details including source, destination, protocol, and duration for each matching connection

Hunt logic: Searches for all network sessions involving specific IP addresses as either source or destination.

Security implication: IP-based IOCs are frequently reused across multiple threat actor campaigns. Matches may indicate:

• Malware callback to known attacker infrastructure
• Direct data exfiltration in progress
• Ongoing compromise using previously identified infrastructure

SELECT timestamp, uid, id.orig_h as "id_orig_h", orig_hostname, id.resp_h as "id_resp_h",
resp_hostname, id.resp_p as "id_resp_p", proto_name, orig_ip_bytes, resp_ip_bytes,
duration, conn_state, sensor_uid
FROM network.isession
WHERE (id.resp_h IN ('192.0.2.1', '192.0.2.2') OR id.orig_h IN ('192.0.2.1', '192.0.2.2'))
AND timestamp > date_add('day', -14, now())
ORDER BY timestamp DESC
LIMIT 100

3. Suspicious file names — malicious payload staging

What this query finds:

• Files transferred over SMB with base filenames longer than 50 characters
• Patterns associated with automated malware delivery and data obfuscation

Hunt logic: Scans SMB file activity from the past 14 days, extracting and listing files with unusually long base filenames.

Security implication: Excessively long or obfuscated file names signal:

• Automated malware drops or script-based payload delivery
• Ransomware staging patterns
• Loader campaign tooling being positioned for execution

SELECT name, REGEXP_EXTRACT(name, '([^\\/]+)$') AS base_filename,
LENGTH(REGEXP_EXTRACT(name, '([^\\/]+)$')) AS base_length
FROM network.smb_files
WHERE LENGTH(REGEXP_EXTRACT(name, '([^\\/]+)$')) > 50 AND timestamp > date_add('day', -14, now())
ORDER BY base_length DESC
LIMIT 50

4. Files without vowels — obfuscated or auto-generated malware

What this query finds:

• SMB file names containing zero vowels in the base filename
• Patterns associated with programmatically generated malware file names

Hunt logic: Extracts filenames containing no vowels (only consonants or symbols) from SMB file activity in the last 14 days.

Security implication: Vowel-free file names indicate programmatic generation — a common evasion technique used by malware builders to avoid signature-based detection. Undetected, these payloads increase attacker dwell time and attack impact.

SELECT name, REGEXP_EXTRACT(name, r'([^\\/]+)$') AS base_filename
FROM network.smb_files
WHERE REGEXP_LIKE(REGEXP_EXTRACT(name, r'([^\\/]+)$'), '^[^aeiouAEIOU]+$') AND
timestamp > date_add('day', -14, now())
LIMIT 50

5. Suspicious file paths — lateral movement or staging

What this query finds:

• Files accessed or modified in /App/Data/Roaming/ paths
• File operations in directories commonly used by malware and post-exploitation tooling as staging or persistence locations

Hunt logic: Searches SMB file activity from the last 14 days for files accessed in AppData/Roaming paths. The query can be modified to monitor any file paths of concern in your specific environment.

Security implication: AppData/Roaming directories are specifically targeted by malware and attacker tools because:

• They receive less operational scrutiny than system directories
• They are writable by standard user accounts without elevation
• Tools can operate from these locations indefinitely without triggering common file integrity monitoring rules

SELECT timestamp, uid, id.orig_h as "id_orig_h", orig_hostname, id.resp_h as "id_resp_h",
resp_hostname, id.resp_p as "id_resp_p", version, path, action, name, sensor_uid
FROM network.smb_files
WHERE path LIKE '%/App/Data/Roaming/%' AND timestamp > date_add('day', -14, now())
ORDER BY timestamp DESC
LIMIT 100

6. JA3 fingerprint — TOR or unusual TLS clients

What this query finds:

• TLS connections using the JA3 fingerprint linked to TOR clients
• Systems running TOR browsers or TOR-based applications in the enterprise environment

Hunt logic: Pulls SSL/TLS session logs from the last 14 days, filtering for a specific JA3 hash known to match TOR clients.

Security implication: TOR usage in an enterprise environment can indicate:

‍

For further reference: JA3 methodology documentation is available at https://github.com/salesforce/ja3. Community-curated JA3 fingerprints are available at https://ja3.zone/.

SELECT timestamp, uid, id.orig_h as "id_orig_h", orig_hostname, id.resp_h as "id_resp_h",
resp_hostname, id.resp_p as "id_resp_p", server_name, client_version,
next_protocol, cipher, ja3, established, sensor_uid
FROM network.ssl
WHERE ja3 = 'e7d705a3286e19ea42f587b344ee6865' AND timestamp > date_add('day', -14, now())
ORDER BY timestamp DESC
LIMIT 100

Building a repeatable threat hunting practice with Vectra AI

Threat hunting delivers the most value when it is operationalized, embedded as a regular practice rather than a reactive, one-time exercise. The queries in this guide are starting points. The goal is to adapt them to your environment, save the most effective variants, and build them into structured hunting cadences.

How to operationalize hunting with the Vectra AI Platform:

• Use 5-minute hunts for fast, regular sweeps on high-value TTP and compliance checks
• Use saved searches to build a library of environment-specific queries
• Use AI-assisted search to accelerate investigation pivots and surface recommended next steps in plain language
• Contribute new queries and access the broader community through the Vectra AI Threat Hunting GitHub

Familiarity built through consistent hunting is an operational multiplier during incident response, teams that hunt regularly investigate faster, triage more accurately, and contain threats before they escalate.