A DEATHCON Thrunting Workshop Overview Part 1: Helloooooooo thrunters. 👋
🔄 This post was originally published on Medium—crossposting here for the THOR Collective crew. Enjoy!
Alright we’re going to try something new…a workshop delivered as blog posts. Intrigued? Stick around. If nothing else, you’ll leave with some top-tier thrunting memes to share with your team.
Last November, Lauren Proehl and I, representing THOR Collective, had the privilege of presenting our Threat Hunting (or ‘thrunting’ as I like to call it — cringe or not) workshop at the prestigious DEATHCON. And yes, we’re keeping the word ‘thrunting’ because it’s too good to give up. Major shoutout to Randy Pargman for helping make it such a memorable event!
What we’ve got here is a series of blog posts breaking down the workshop, packed with plenty of insights and practical tips. These posts are your go-to resources for learning opportunities you can bring back to your organization, apply in real-world scenarios, and level up your thrunting game! 🙌
What’s on the menu? We’re diving deep into the PEAK Threat Hunting Framework to make THRUNTing practical and actionable. PEAK is a vendor AND tool agnostic product you can use for structured threat hunting. 🤘, right? PEAK stands for “Prepare, Execute, and Act with Knowledge,” breaking the hunt into three core stages we’ll explore in this series. And don’t forget, knowledge is the key component, woven throughout all three stages of the hunt.
By the end, you’ll be ready to apply hypothesis-driven, baseline (exploratory), and model-assisted hunting techniques, complete with Splunk examples to guide you. Let’s get started!
P.S. No Splunk? No problem! These techniques are adaptable to other tools, so you can work with the resources and data sources already at your fingertips.
Ready to embark on this thrunting journey? Let’s get after it! 🎯
Workshop Overview 🕵️♀️🔍
In this series, we’ll walk you through our Practical Threat Hunting with the PEAK Framework workshop, originally delivered at DEATHCON. Here’s what you can expect:
Hypothesis-Driven Threat Hunting
Learn how to craft and test hypotheses to uncover potential threats in your environment. For example, starting with the idea of data exfiltration and searching for unusual outbound data traffic.
Baseline (Exploratory) Threat Hunting
Establish what ‘normal’ looks like in your data and find deviations that might indicate malicious activity. Think unusual login times or unexpected command-line executions.
Model-Assisted Threat Hunting (M-ATH)
Harness the power of machine learning 💪 to analyze large datasets, find anomalies, and group similar events. Techniques like clustering and supervised learning make it possible to uncover patterns humans might miss.
Tools of the Trade 🛠️
This workshop uses Splunk and a BOTS dataset, a treasure trove of simulated real-world attack data designed to mimic scenarios like ransomware attacks, insider threats, and more. While we won’t be providing the exact dataset for you to follow along, we’ll guide you through the thought process and techniques so you can apply them to your own environments.
Stack Counting: Grouping events to identify unusual activity levels.
Outlier Detection: Finding anomalies by setting baselines.
Time Series Analysis: Spotting trends or irregularities over time.
Field Extraction and Search Filtering: Narrowing down large datasets to focus on what matters.
🚨 Important Note 🚨 : The exact dataset we’re using isn’t publicly available. However, you can explore and hunt through previous BOTS datasets, like BOTSv3, which offer a wealth of real-world-like data for honing your skills.
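To make the four techniques above concrete, here is an added example that is not code from the workshop or from THOR Collective. It is written in Python rather than SPL so it runs offline against a constructed handful of process-creation events (hosts, users, process names and the two-sigma threshold are all assumptions, not BOTS data): it stack-counts by process to surface the rarely seen binary, builds an hourly time series with empty buckets filled in, flags hours that sit well above the baseline, and then pivots into the flagged hour to see who was responsible.

```python
from collections import Counter
from statistics import mean, pstdev

# Constructed sample process-creation events (hypothetical, not from BOTS):
# (hour of day, user, host, process). Business-hours activity from three
# workstations, plus a burst of activity at 03:00 from a service account.
RAW = [
    (9, "alice", "ws01", "outlook.exe"), (9, "bob", "ws02", "chrome.exe"),
    (10, "alice", "ws01", "excel.exe"), (10, "carol", "ws03", "chrome.exe"),
    (11, "bob", "ws02", "teams.exe"), (11, "carol", "ws03", "outlook.exe"),
    (13, "alice", "ws01", "chrome.exe"), (13, "bob", "ws02", "excel.exe"),
    (14, "carol", "ws03", "teams.exe"), (14, "alice", "ws01", "outlook.exe"),
    (15, "bob", "ws02", "chrome.exe"), (15, "carol", "ws03", "excel.exe"),
    (16, "alice", "ws01", "teams.exe"), (16, "bob", "ws02", "outlook.exe"),
] + [(3, "svc_backup", "srv01", "powershell.exe")] * 8 \
  + [(3, "svc_backup", "srv01", "certutil.exe")]

EVENTS = [dict(hour=h, user=u, host=hst, process=p) for h, u, hst, p in RAW]


def stack_count(events, field):
    """Stack counting: tally each distinct value of `field` and sort the
    least-frequent values first, because the long tail is where hunters
    look. Same idea as Splunk's `| stats count by <field> | sort count`."""
    counts = Counter(e[field] for e in events)
    return sorted(counts.items(), key=lambda kv: (kv[1], kv[0]))


def rare_values(events, field, max_count=1):
    """Search filtering on the stack count: keep only values seen at most
    `max_count` times across the whole dataset."""
    return [value for value, count in stack_count(events, field) if count <= max_count]


def hourly_series(events):
    """Time series: events per hour of day. Empty hours are kept as 0 so the
    baseline reflects quiet periods too, as a timechart would."""
    series = [0] * 24
    for e in events:
        series[e["hour"]] += 1
    return series


def outlier_hours(series, z_threshold=2.0):
    """Baseline outlier detection: flag hours whose count is more than
    `z_threshold` standard deviations above the mean hourly count.
    Returns (hour, count, z-score) tuples."""
    mu = mean(series)
    sigma = pstdev(series)
    if sigma == 0:  # flat series: nothing can be an outlier
        return []
    return [
        (hour, count, round((count - mu) / sigma, 2))
        for hour, count in enumerate(series)
        if (count - mu) / sigma > z_threshold
    ]


def events_in_hour(events, hour):
    """Pivot: narrow the dataset to one hour so the anomaly can be stacked
    again by another field (user, host, process)."""
    return [e for e in events if e["hour"] == hour]


if __name__ == "__main__":
    print("Rare processes:", rare_values(EVENTS, "process"))
    series = hourly_series(EVENTS)
    for hour, count, z in outlier_hours(series):
        print(f"Hour {hour:02d}: {count} events, z={z}")
        print("  by user:", stack_count(events_in_hour(EVENTS, hour), "user"))
        print("  by process:", stack_count(events_in_hour(EVENTS, hour), "process"))
```

The stack count puts certutil.exe at the top of the list because it appears once, the time series puts hour 03 far above the baseline, and the pivot shows a single service account behind the whole burst; those three facts together are the kind of lead a hypothesis is built from, not a verdict. The z-score cutoff is the part you must tune on your own data: a fixed two-sigma threshold over one day of events will fire constantly in a real environment, so widen the window to weeks and compare like with like (weekday versus weekend, server versus workstation) before trusting it.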
Why Read This Series? 💡
Threat hunting isn’t a one-size-fits-all practice — it’s a mindset. This series will give you actionable strategies, practical examples, and new ideas to enrich your security operations. Whether you’re a seasoned hunter or just getting started, there’s something here for everyone.
What’s Next? 🔮
Before diving deeper into advanced scenarios, it’s essential to build a strong foundation. In the next blog post, we’ll guide you through exploring your data sources, focusing on data sourcetypes and fields to understand the structure of your dataset. This step will help you get an idea of what ‘normal’ looks like in your environment, setting the stage for effective searches and analyses. With these fundamentals in place, you’ll be ready to uncover anomalies and apply the concepts learned in more complex hunts.
Ready to take the next step? Stay tuned for Part 2: Exploring Data Sources — coming soon!
Hidden Gems 💎
For those who made it this far 🎉, here’s a little something extra:
🕵️♂️ Challenge
Somewhere in this post lies a Base64-encoded secret. Can you find it and decode it? Only the most observant thrunters will uncover its meaning!
(Hint: It’s tucked away where only a true hunter would look…)
And as always, happy thrunting!