Tell me your sign, and I’ll tell you your threat hunt — for the goths, the gays, and the guys who secretly love the stars.
♈ Aries (Mar 21 – Apr 19)
💥 Hypothesis:
An attacker is attempting to brute-force the local administrator account for backup servers.
🧠 Why it fits:
Aries doesn’t wait for permission or plan a quiet approach. They kick the door down. This attacker is just as impatient—escalating fast, ignoring stealth, and hammering credentials until something cracks.
🔍 Indicators:
100 failed logins (4625) followed by a successful login (4624)
Login attempts from untrusted IPs or TOR
Repeated attempts on the same account
📊 Data Sources:
Windows Event Logs
EDR logs
Firewall/VPN logs
Backup application logs
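If you want to actually run the Aries hunt rather than just vibe with it, here is an added example (mine, not part of the original post) that replays constructed 4625/4624 records and flags a success that follows a burst of failures on the same account. The trusted network ranges, the 100-failure threshold and the 30-minute window are assumptions to tune for your estate.

```python
"""Aries hunt: a burst of failed logons (4625) on one account followed by
a success (4624), flagged louder when the source IP is outside trusted
ranges. Events below are constructed samples, not real logs."""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

TRUSTED_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]  # assumed
FAIL_THRESHOLD = 100            # failures before a success is suspicious
WINDOW = timedelta(minutes=30)  # look-back for counting failures

def is_untrusted(ip):
    return not any(ip_address(ip) in net for net in TRUSTED_NETS)

def find_brute_force(events, threshold=FAIL_THRESHOLD, window=WINDOW):
    """events: dicts with ts (datetime), event_id, account, source_ip.
    Returns a finding for each 4624 preceded by >= threshold 4625s
    on the same account inside the window."""
    fails = defaultdict(list)   # account -> timestamps of recent 4625s
    findings = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        acct = ev["account"]
        if ev["event_id"] == 4625:
            fails[acct].append(ev["ts"])
        elif ev["event_id"] == 4624:
            recent = [t for t in fails[acct] if ev["ts"] - t <= window]
            if len(recent) >= threshold:
                findings.append({"account": acct,
                                 "source_ip": ev["source_ip"],
                                 "failures": len(recent),
                                 "untrusted_source": is_untrusted(ev["source_ip"])})
            fails[acct].clear()  # a success ends the burst
    return findings

def sample_events():
    """Constructed: 120 failures then a success on 'backupadmin' from a
    non-corporate IP, plus one benign typo-then-success on 'alice'."""
    t0 = datetime(2024, 1, 1, 2, 0)
    def ev(offset_s, eid, acct, ip):
        return {"ts": t0 + timedelta(seconds=offset_s), "event_id": eid,
                "account": acct, "source_ip": ip}
    evs = [ev(5 * i, 4625, "backupadmin", "203.0.113.7") for i in range(120)]
    evs.append(ev(660, 4624, "backupadmin", "203.0.113.7"))
    evs += [ev(0, 4625, "alice", "10.1.2.3"), ev(60, 4624, "alice", "10.1.2.3")]
    return evs
```

In a real hunt the same logic runs over exported Security log events; the untrusted-source flag is what separates a fat-fingered password from Aries kicking the door in.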
♉ Taurus (Apr 20 – May 20)
💥 Hypothesis:
An attacker is maintaining persistence on endpoints by registering scheduled tasks that run on startup.
🧠 Why it fits:
Taurus is slow, steady, and immovable—just like an attacker who slips in, sets up a quiet little foothold, and waits. This threat doesn’t rely on speed. It thrives on persistence and predictable routines.
🔍 Indicators:
Use of schtasks.exe or registry autoruns
Scheduled task creation with onstart triggers
Hidden or renamed binaries in temp/startup folders
Weird items in HKCU\Software\Microsoft\Windows\CurrentVersion\Run
📊 Data Sources:
Sysmon (Event ID 1, 13)
Windows Event Logs
Task Scheduler logs
EDR process trees
♊ Gemini (May 21 – Jun 20)
💥 Hypothesis:
An attacker is using a compromised user account to manipulate trusted internal collaboration tools (e.g., Slack, Teams, Confluence) to distribute malicious links or documents to coworkers.
🧠 Why it fits:
Gemini thrives in group chats and multitasking madness. This attacker is weaponizing trust inside fast-moving communications—playing both sides of the conversation. They’re the social engineer who blends into the team thread and drops a poisoned link between “LOL”s.
🔍 Indicators:
Messages from internal users with links to newly registered or untrusted domains
File uploads or shares that contain macros or obfuscated payloads
Accounts suddenly active in new Slack channels or Teams spaces
Behavior anomalies: high-volume messaging or doc sharing from normally quiet users
📊 Data Sources:
Collaboration platform audit logs (Slack, Teams, Google Workspace)
URL filtering / proxy logs
UEBA for behavioral baselines
DLP or CASB to flag suspicious file shares
♋ Cancer (Jun 21 – Jul 22)
💥 Hypothesis:
An insider is exfiltrating sensitive HR data containing social security numbers using personal cloud storage services outside business hours.
🧠 Why it fits:
Cancer feels deeply, protects fiercely, and never forgets a slight. This attacker is emotional and reactive—leaking sensitive data as a way to regain control or send a message. It’s personal, not just procedural.
🔍 Indicators:
Downloads of HR spreadsheets or PDFs
Uploads to personal Dropbox, Google Drive, etc.
After-hours access spikes from internal accounts
📊 Data Sources:
DLP logs
CASB tools
File access and cloud storage logs
Web logs
♌ Leo (Jul 23 – Aug 22)
💥 Hypothesis:
An attacker is impersonating Taylor Swift to trick internal users into clicking malicious links or promoting fraudulent campaigns via social media or email.
🧠 Why it fits:
Leo is all about performance, fame, and presence. This attacker is putting on a show—leveraging charisma and celebrity appeal to socially engineer victims into action.
🔍 Indicators:
Lookalike domains (e.g., tayl0rswift-press[.]com)
Emails or messages claiming partnership or collaboration with a celebrity
Traffic from email, chat, or social platforms to malicious "promo" landing pages
Engagement spikes tied to emotionally charged lures ("Win free concert tickets", "Help support the artist", etc.)
📊 Data Sources:
Email security logs
DNS logs
DLP or CASB for cloud/social link sharing
Proxy logs (outbound traffic to new or untrusted domains)
♍ Virgo (Aug 23 – Sep 22)
💥 Hypothesis:
An attacker is abusing misconfigured service accounts or custom scripts to automate data access from internal systems outside of approved workflows.
🧠 Why it fits:
Virgo is all about doing things "by the book" and has no patience for sloppy shortcuts. This attacker is sneaking around with unsanctioned automation—exactly the kind of messy inefficiency Virgo cannot tolerate.
🔍 Indicators:
Scripted access to internal data (e.g., repeated scheduled reads from databases or file shares)
Use of legacy or overly-permissive service accounts
Access patterns outside of business hours but following a precise schedule (e.g., every 6 hours on the dot)
Use of tools like curl, wget, or custom Python scripts on endpoints where they shouldn’t exist
📊 Data Sources:
Service account logs
File access or DB query logs
EDR (script execution, CLI activity)
Identity logs / UEBA for off-hour automation
♎ Libra (Sep 23 – Oct 22)
💥 Hypothesis:
An attacker is intercepting communications between clients and a web app using SSL stripping techniques on unsecured Wi-Fi.
🧠 Why it fits:
Libra wants everything in harmony—but this attacker weaponizes symmetry. Sitting silently in the middle, they pose as a trusted party, skewing both sides of a conversation while pretending everything’s just fine.
🔍 Indicators:
Sessions switching from HTTPS to HTTP midstream
Unusual certificates or cert errors
Inconsistent client IPs mid-session
📊 Data Sources:
Proxy logs
TLS/SSL inspection
Zeek logs or IDS alerts
♏ Scorpio (Oct 23 – Nov 21)
💥 Hypothesis:
An attacker is using in-memory techniques to maintain persistence without dropping files to disk, avoiding traditional detection mechanisms.
🧠 Why it fits:
Scorpio is secretive, intense, and lives in the shadows, like malware that hides in memory: no files, no trails, just ghostlike execution that avoids detection and refuses to play by traditional rules.
🔍 Indicators:
LSASS access by unusual processes (e.g., rundll32, powershell)
In-memory-only execution of payloads (no dropped binaries)
Rare parent-child process chains
Use of tools like Cobalt Strike, Meterpreter, or ReflectiveDLLInjection
📊 Data Sources:
EDR process and memory telemetry
Sysmon (Event ID 10 – process access)
Memory dumps / volatility analysis
♐ Sagittarius (Nov 22 – Dec 21)
💥 Hypothesis:
An attacker is using the built-in wmic utility to execute remote commands across systems in multiple business units using a compromised domain user account.
🧠 Why it fits:
Sagittarius doesn’t just move—they expand. wmic lets an attacker rapidly issue commands across the environment under the radar, embodying that bold, curious, boundary-pushing spirit. It’s native. It’s fast. It’s scalable. Sagittarius isn’t here to hide; they’re here to map, move, and scale up access across departments fast.
🔍 Indicators:
Command lines invoking wmic with remote system targets (e.g., wmic /node:TARGET process call create)
One user account initiating wmic activity across multiple unrelated hosts in a short time
Use of wmic from non-admin workstations or user endpoints
Correlation with Event ID 4624 (logon type 3) from the same account to target hosts
📊 Data Sources:
Sysmon logs (Event ID 1 – process creation)
Windows Security logs (4624, 4672, 4688)
EDR telemetry with command-line capture
Lateral movement alerts in SIEM or identity analytics
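The Sagittarius indicators are really one correlation: a single account naming many /node: targets in a short window, backed up by type-3 logons on those targets. Here is an added example (my code, not from the post) that does exactly that over constructed Sysmon-style process records and 4624-style logon records; the three-target minimum and ten-minute window are assumptions, and the local "wmic cpu get name" line is there to show that non-remote use is ignored.

```python
"""Sagittarius hunt: one account running wmic /node:<host> against several
unrelated hosts in a short window, corroborated by network logons (4624,
logon type 3) for that account on the targets. All records are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

NODE_RE = re.compile(r'/node:"?([A-Za-z0-9_.-]+)"?', re.IGNORECASE)

def wmic_target(cmdline):
    """Remote host named in a wmic command line, lower-cased, or None."""
    m = NODE_RE.search(cmdline) if "wmic" in cmdline.lower() else None
    return m.group(1).lower() if m else None

def find_wmic_fanout(proc_events, logon_events, min_targets=3, window=timedelta(minutes=10)):
    """proc_events: Sysmon EID 1-style dicts (ts, user, host, cmdline);
    logon_events: 4624-style dicts (user, target_host, logon_type)."""
    by_user = defaultdict(list)            # user -> [(ts, remote target)]
    for ev in proc_events:
        tgt = wmic_target(ev["cmdline"])
        if tgt and tgt != ev["host"].lower():   # skip local wmic use
            by_user[ev["user"]].append((ev["ts"], tgt))
    net_logons = {(l["user"], l["target_host"].lower())
                  for l in logon_events if l["logon_type"] == 3}
    findings = []
    for user, hits in by_user.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            targets = {t for ts, t in hits[i:] if ts - start <= window}
            if len(targets) >= min_targets:
                findings.append({"user": user, "targets": sorted(targets),
                    "confirmed": sorted(t for t in targets if (user, t) in net_logons)})
                break                       # one finding per user is enough
    return findings

def sample_data():
    t0 = datetime(2024, 3, 4, 14, 0)
    def p(m, user, host, cmd):
        return {"ts": t0 + timedelta(minutes=m), "user": user, "host": host, "cmdline": cmd}
    procs = [p(0, "CORP\\jdoe", "WS01", 'wmic /node:"FIN-SRV1" process call create notepad'),
             p(2, "CORP\\jdoe", "WS01", "wmic /node:HR-SRV2 process call create notepad"),
             p(4, "CORP\\jdoe", "WS01", "WMIC /node:eng-srv3 os get caption"),
             p(5, "CORP\\admin", "ADMIN01", "wmic /node:FIN-SRV1 os get caption"),
             p(6, "CORP\\jdoe", "WS01", "wmic cpu get name")]
    logons = [{"user": "CORP\\jdoe", "target_host": "fin-srv1", "logon_type": 3},
              {"user": "CORP\\jdoe", "target_host": "ENG-SRV3", "logon_type": 3}]
    return procs, logons
```

The "confirmed" list is the part worth paging on: a target that shows both the wmic command line and a type-3 logon from the same account is lateral movement, not a sysadmin checking one box.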
♑ Capricorn (Dec 22 – Jan 19)
💥 Hypothesis:
An attacker is using vssadmin to delete volume shadow copies as part of a ransomware campaign preparation targeting business-critical file shares.
🧠 Why it fits:
Capricorn plans for maximum impact with minimal noise. This attacker is laying the groundwork for destruction—methodically, precisely, and with no room for recovery. vssadmin delete shadows is the cleanup before the finale.
🔍 Indicators:
Command-line usage of vssadmin delete shadows /all /quiet
Access to backup directories or mounted file shares shortly afterward
Use of archiving tools (e.g., 7z, WinRAR) targeting network paths
Credential theft techniques (e.g., mimikatz, lsass access) in same timeline
📊 Data Sources:
Sysmon (Event ID 1 – process creation)
Windows Event Logs (4662 for object access)
EDR process + command-line telemetry
File access logs / NAS audit trails
♒ Aquarius (Jan 20 – Feb 18)
💥 Hypothesis:
An attacker is exfiltrating sensitive data using non-standard protocols such as DNS tunneling or encrypted messaging APIs (e.g., Slack, Telegram, Discord).
🧠 Why it fits:
Aquarius doesn’t follow the crowd—and neither does this attacker. They avoid obvious channels, opting for DNS tunneling and encrypted messaging APIs to exfil data where no one’s even looking. It’s unconventional. It’s clever. It’s chaos theory.
🔍 Indicators:
Long or unusual DNS query patterns
Traffic to cloud-based messaging platforms from unexpected hosts
Use of PowerShell or Python to make web API calls
Abnormal outbound data sizes for protocol type
📊 Data Sources:
DNS logs
Proxy and firewall traffic
EDR network usage telemetry
CASB or DLP for sanctioned tool usage
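The first Aquarius indicator, "long or unusual DNS query patterns," is easy to operationalize from DNS logs: tunnels need many unique, long, random-looking names under one domain. Here is an added example (mine, not from the post) that scores each registered domain on distinct subdomains, average query length and label entropy over constructed log lines; the thresholds are assumptions, and the tunnel-example.net domain and the hashed "chunks" are constructed stand-ins for encoded data.

```python
"""Aquarius hunt: DNS tunnelling heuristics over query logs. For each
registered domain, count distinct subdomains, average query length and
label entropy; tunnels need many unique, long, high-entropy names.
Log lines are constructed samples in a simple 'client qname qtype' form."""
import hashlib
import math
from collections import Counter, defaultdict

def shannon_entropy(s):
    """Bits per character of s (0 for empty); random-looking labels score near 4."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def registered_domain(qname):
    """Crude 'last two labels' base domain; a real hunt should use the
    Public Suffix List so co.uk-style suffixes are handled."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:]).lower()

def dns_tunnel_candidates(lines, min_unique=50, min_len=40, min_entropy=3.5):
    """lines: 'client qname qtype'. Returns per-domain stats for domains that
    exceed all three thresholds (assumed values; tune them per estate)."""
    stats = defaultdict(lambda: {"subs": set(), "total_len": 0, "ent": 0.0, "n": 0, "types": set()})
    for line in lines:
        client, qname, qtype = line.split()
        base = registered_domain(qname)
        sub = qname[: -len(base) - 1] if qname.lower().endswith(base) else ""
        s = stats[base]
        s["subs"].add(sub)
        s["n"] += 1
        s["total_len"] += len(qname)
        s["ent"] += shannon_entropy(sub.replace(".", ""))   # entropy of the data labels only
        s["types"].add(qtype)
    out = []
    for base, s in stats.items():
        uniq, avg_len, avg_ent = len(s["subs"]), s["total_len"] / s["n"], s["ent"] / s["n"]
        if uniq >= min_unique and avg_len >= min_len and avg_ent >= min_entropy:
            out.append({"domain": base, "unique_subdomains": uniq,
                        "avg_qname_len": round(avg_len, 1),
                        "avg_entropy": round(avg_ent, 2), "qtypes": sorted(s["types"])})
    return out

def sample_lines():
    """Constructed: normal lookups for a few hostnames plus 80 unique, long,
    hex-like TXT queries under one domain (the tunnel pattern)."""
    lines = [f"10.0.0.{i % 5} {h} A" for i, h in
             enumerate(["www.example.com", "mail.example.com", "cdn.example.com"] * 30)]
    for i in range(80):
        blob = hashlib.sha256(f"chunk{i}".encode()).hexdigest()   # stands in for encoded data
        lines.append(f"10.0.0.9 {blob[:32]}.{blob[32:]}.tunnel-example.net TXT")
    return lines
```

Legitimate CDNs and anti-spam services also produce lots of unique subdomains, so treat the output as a hunt lead to pivot on (which client, which record types, how much data) rather than an alert on its own.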
♓ Pisces (Feb 19 – Mar 20)
💥 Hypothesis:
An attacker is using virtual machine detection techniques to evade analysis and delay execution of malicious payloads when run in sandboxed or emulated environments.
🧠 Why it fits:
Pisces lives in layers—dream within a dream. This attacker knows they’re being watched and only reveals their true self in the real environment, not the illusion of the sandbox. It’s all about hiding in plain sight by detecting what isn’t real enough.
🔍 Indicators:
Use of API calls like GetSystemFirmwareTable, WMI queries for Win32_ComputerSystem, Win32_BIOS, etc.
Checks for running processes associated with sandboxes (vboxservice.exe, vmtoolsd.exe)
Delayed execution or sleep functions (Sleep, NtDelayExecution)
Payloads that behave differently when run on analyst sandboxes
📊 Data Sources:
EDR behavioral analysis
Malware sandbox detonation logs
Sysmon (Event ID 1 – process creation, 10 – process access)
Memory analysis or debugger outputs
✨ Drop your threat hunt sign in the comments! ✨