
Module 11 — Threat Hunting: Endpoint

Type 6 · Reconstruct — run a hypothesis-driven hunt across real endpoint data with Velociraptor/osquery and either find the activity or rule it out; you commit the hunt notebook and the detection it turns into. (Secondary: Build-&-Operate — closing the hunt→detection loop into something that keeps running.) Go to the hands-on lab →

Last reviewed: 2026-06

Defensive Operations · Don't wait for an alert — go looking for what your detections missed.

Difficulty: Intermediate  ·  Estimated time: ~5–7 hrs (study + lab)  ·  Prerequisites: Foundations

In 60 seconds

Detection waits for known-bad; hunting goes looking. Threat hunting assumes a breach already happened and asks, "if an attacker were here, what would I see?" — then interrogates endpoint data to confirm or refute a specific, testable hypothesis. The organising principle is the Pyramid of Pain: hunt behaviours (expensive to change), not atomic indicators (trivial to change). Velociraptor and osquery make this an enterprise-scale activity. The payoff loop: a successful hunt becomes a detection, so you only hunt that thing by hand once.

Why this matters

Detections catch the known; hunting finds the unknown. Threat hunting is hypothesis-driven: you assume a breach, form a testable idea ("an attacker would persist via a Run key"), and go look across your endpoint data. It's how teams find the dwell-time attacker that slipped past every rule — and Velociraptor makes enterprise-scale endpoint hunting free.

Objective

Run a hypothesis-driven hunt across real endpoint data with Velociraptor/osquery, and either find the activity or rule it out.

The core idea

Detection and hunting are opposite stances. Detection waits — it encodes known-bad and fires when it appears. Hunting goes looking — it assumes a breach already happened and asks, "if an attacker were here, what would I see, and is it there?" That flip from reactive to proactive is the whole discipline: you're hunting precisely the thing your rules didn't have a signature for. And it's hypothesis-driven — you form a specific, testable idea ("an attacker would persist via a Run key," "they'd do discovery with built-in tools") and then interrogate your endpoint data to confirm or refute it. A hunt that ends in "ruled out" is a result, not a failure.

flowchart LR
    H["hypothesis<br/>('attacker persists<br/>via a Run key')"] --> Q["query endpoint data<br/>(VQL / osquery)"]
    Q --> R{confirm<br/>or refute?}
    R -->|refuted| RO["ruled out<br/>(a result)"]
    R -->|confirmed| IR["investigate /<br/>respond"]
    IR --> DET["codify as a detection"]
    DET -.->|hunt it by hand once| H

The mental model

The organising principle is the Pyramid of Pain: hunt behaviours, not atomic indicators. A hash or IP is trivial for an attacker to change (bottom of the pyramid); their techniques cost real effort to alter (top). So "any Office app spawning a script interpreter" outlives any single hash — hunt the TTP, not the IOC. Velociraptor and osquery let you ask that question across thousands of endpoints at once (host-as-database, VQL/SQL), which is what makes hunting an enterprise activity rather than a one-box exercise.

The gotcha

Hunting is judgment under ambiguity, and there is no rule firing to tell you when you're done. A pattern that's just normal-for-you will look suspicious until you confirm it against the data — so treat every hypothesis as something to refute, and remember a hunt that ends in "ruled out" is a result, not a failure.

Go deeper: make hunting compound

The move that makes hunting pay off over time: a successful hunt becomes a new detection (module 08), so you only ever have to hunt that thing by hand once. Otherwise you re-discover the same behaviour every quarter; codify it and your detection coverage grows with every hunt.
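The hunt loop described above (hypothesis, query the endpoint data, confirm or refute, codify), run end to end for the "Office app spawning a script interpreter" hypothesis; this is an added example, not code from the module or from the Velociraptor/osquery projects. The `processes` table mirrors osquery's real column names and the SQL is plain SQLite, so the same statement runs in osqueryi; the rows, the extra `sha256` column and the `office_spawns_script_interpreter` pack entry name are constructed assumptions.

```python
import sqlite3

# Constructed snapshot shaped like osquery's `processes` table (real column names:
# pid, parent, name, path, cmdline). `sha256` is added here only for the IOC comparison;
# in osquery it would come from joining the `hash` table on path.
SAMPLE_PROCESSES = [
    (4,    0,    "System",         r"C:\Windows\System32\ntoskrnl.exe", "", "aa" * 32),
    (800,  4,    "explorer.exe",   r"C:\Windows\explorer.exe", "explorer.exe", "bb" * 32),
    (1200, 800,  "WINWORD.EXE",    r"C:\Office16\WINWORD.EXE", '"WINWORD.EXE" invoice.docm', "cc" * 32),
    (1300, 1200, "powershell.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "powershell -nop -w hidden -enc SQBFAFgA", "11" * 32),
    (1400, 800,  "EXCEL.EXE",      r"C:\Office16\EXCEL.EXE", '"EXCEL.EXE" q3.xlsm', "dd" * 32),
    (1500, 1400, "wscript.exe",    r"C:\Windows\System32\wscript.exe", "wscript.exe //B update.vbs", "22" * 32),
    (1600, 800,  "powershell.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "powershell.exe", "11" * 32),  # an admin's own shell: same binary, benign parent
]

# Bottom of the Pyramid: a hash list (constructed value for a dropper seen last quarter).
KNOWN_BAD_SHA256 = {"ee" * 32}

# Top of the Pyramid: the behaviour. Plain SQLite SQL, so it also runs unchanged in osqueryi.
BEHAVIOUR_HUNT = """
SELECT c.pid, p.name AS parent_name, c.name, c.cmdline
FROM processes c JOIN processes p ON c.parent = p.pid
WHERE lower(p.name) IN ('winword.exe', 'excel.exe', 'powerpnt.exe', 'outlook.exe')
  AND lower(c.name) IN ('powershell.exe', 'cmd.exe', 'wscript.exe', 'cscript.exe', 'mshta.exe')
ORDER BY c.pid
"""

def load_snapshot(rows):
    """Build an in-memory table with osquery's `processes` column names."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE processes (pid INT, parent INT, name TEXT, path TEXT, cmdline TEXT, sha256 TEXT)")
    db.executemany("INSERT INTO processes VALUES (?, ?, ?, ?, ?, ?)", rows)
    return db

def hunt_by_hash(db, bad_hashes):
    """IOC hunt: finds only binaries already on the list; built-in interpreters never match."""
    marks = ", ".join("?" * len(bad_hashes))
    sql = f"SELECT pid FROM processes WHERE sha256 IN ({marks}) ORDER BY pid"
    return [row[0] for row in db.execute(sql, sorted(bad_hashes))]

def hunt_by_behaviour(db):
    """TTP hunt: Office parent -> script interpreter child, whatever the binary's hash."""
    return db.execute(BEHAVIOUR_HUNT).fetchall()

def codify_as_detection(interval_seconds=300):
    """Close the loop: the confirmed hunt becomes a scheduled osquery pack entry."""
    return {"queries": {"office_spawns_script_interpreter": {
        "query": " ".join(BEHAVIOUR_HUNT.split()), "interval": interval_seconds,
        "description": "Office app spawning a script interpreter (hunt promoted to detection)"}}}
```

On this snapshot the hash hunt returns nothing because the attacker used signed built-in interpreters, while the behaviour hunt returns the two macro-spawned children and not the admin's own shell; the returned pack entry is the shape osquery loads as a scheduled query.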

AI caveat

A model is great for generating hunt hypotheses and drafting VQL/osquery — but a model will happily "confirm" a pattern that's just normal-for-you. Treat its leads as hypotheses to test against the data, never conclusions.

Learn (~4 hrs)

The method & the tool
  • Hunt for Hackers with Velociraptor (video) — endpoint hunting with the OSS platform.
  • Velociraptor documentation — VQL, artifacts, and hunts; read "Getting Started."

Method
  • The ThreatHunting Project — hunting methodology and concrete hunt ideas.

Key concepts

  • Hypothesis-driven hunting (assume breach)
  • Endpoint hunt data: processes, persistence, auth, file
  • VQL / osquery for hunting at scale
  • The Pyramid of Pain (hunt for behaviours, not just IOCs)
  • Turning a successful hunt into a detection

AI acceleration

A model is great for generating hunt hypotheses and drafting VQL/osquery — but hunting is judgment under ambiguity, and the model will happily "confirm" a pattern that's just normal-for-you. Treat its leads as hypotheses to test against the data, never conclusions.

Check yourself

  • In one sentence, how does hunting differ from detection in stance?
  • Why is a hunt that ends in "ruled out" a success rather than a wasted afternoon?
  • Using the Pyramid of Pain, why is "any Office app spawning a script interpreter" a better hunt than a list of malicious hashes?
