Threat Hunting

Status: Planned — Issue #983
Standards: MITRE ATT&CK, PEAK Framework, Cyber Kill Chain
Source: archer/th/ (not yet created)

The threat hunting domain enables proactive hunt operations against security data — querying existing telemetry to surface threats before alerts fire. It is the first domain built for external data integration, with Security Onion / Elasticsearch as the primary data layer.

Design Principles

Minimal footprint. Unlike penetration testing, the TH domain instructs the model to observe and query — never to touch or modify the environment. The system prompt, hints, and halt logic all enforce this constraint.

Structured lead output. Hunt sessions produce structured leads (host, indicator, confidence, evidence) routed directly into SO cases — not free-form narrative.

Local reasoning. All inference runs on the analyst workstation via Ollama. Hunt data stays within the analyst's environment.

Planned Plays

Play                 | Description                                                                  | Target Data Source
---------------------|------------------------------------------------------------------------------|-----------------------------------
th_c2_beaconing      | Identify periodic outbound connections consistent with C2 beaconing          | Zeek conn.log / SO Elasticsearch
th_lateral_movement  | Detect internal host-to-host access patterns (SMB, WMI, PSExec, RDP)         | Zeek, Suricata, Windows event logs
th_credential_access | Surface Kerberoasting, spray patterns, failed auth spikes                    | Windows event logs, Suricata
th_persistence       | Identify scheduled tasks, registry run keys, new services                    | Sysmon, Windows event logs
th_exfiltration      | Detect large/anomalous outbound data transfers                               | Zeek conn.log, Strelka
th_living_off_land   | Surface LOLBin abuse (certutil, mshta, regsvr32, powershell encoded)         | Sysmon, Windows event logs
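The following is an added example, not code from the archer project (whose archer/th/ directory does not yet exist), showing what the th_c2_beaconing play and the "structured lead output" principle above look like together in working code: it reads Zeek conn.log records in the JSON-lines form Security Onion indexes, scores each (source, destination, port) flow for timing regularity, and emits leads in the host / indicator / confidence / evidence shape. The Zeek field names (ts, id.orig_h, id.resp_h, id.resp_p) are real; the thresholds, the confidence formula, the exact lead layout and the sample records (documentation-range addresses) are assumptions constructed for the example. Querying Elasticsearch is out of scope here; the input is an inline string.

```python
"""Beaconing hunt over Zeek conn.log records, emitting structured leads.

Added example for the archer TH domain page; not project code. Thresholds,
lead layout and sample data are assumptions made for illustration.
"""
import json
import statistics
from collections import defaultdict

MIN_CONNECTIONS = 6      # assumption: fewer connections than this cannot show periodicity
MAX_JITTER_RATIO = 0.15  # assumption: stdev/mean of inter-connection gaps; lower = more regular


def _conn(ts, src, dst, port, obytes, rbytes):
    """Build one Zeek conn.log record using Zeek's real JSON field names."""
    return {"ts": ts, "id.orig_h": src, "id.resp_h": dst, "id.resp_p": port,
            "proto": "tcp", "orig_bytes": obytes, "resp_bytes": rbytes}


# Constructed sample telemetry (not real captures):
#  - 10.0.0.5 contacts 203.0.113.10:443 roughly every 60 s with +/-1 s jitter
#  - 10.0.0.7 contacts 198.51.100.20:443 at irregular, browsing-like times
_REGULAR = [_conn(1700000000 + i * 60 + (i % 3) - 1, "10.0.0.5", "203.0.113.10", 443, 512, 128)
            for i in range(8)]
_IRREGULAR = [_conn(1700000000 + t, "10.0.0.7", "198.51.100.20", 443, 2000, 90000)
              for t in (0, 4, 9, 300, 311, 900, 1803, 1805)]
SAMPLE_CONN_LOG = "\n".join(json.dumps(r) for r in _REGULAR + _IRREGULAR)


def parse_conn_log(text):
    """Parse JSON-lines conn.log text, skipping blank or malformed lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a bad line should not abort the hunt
    return records


def make_lead(src, dst, port, count, mean_gap, jitter):
    """Structured lead: host, indicator, confidence, evidence (layout is an assumption)."""
    # Confidence rises as jitter falls: perfectly regular -> 1.0, at the threshold -> 0.0
    confidence = round(max(0.0, 1.0 - jitter / MAX_JITTER_RATIO), 2)
    return {
        "play": "th_c2_beaconing",
        "host": src,
        "indicator": f"{dst}:{port}",
        "confidence": confidence,
        "evidence": {
            "connections": count,
            "mean_interval_s": round(mean_gap, 1),
            "jitter_ratio": round(jitter, 3),
            "source": "zeek.conn",
        },
    }


def find_beacon_candidates(records, min_connections=MIN_CONNECTIONS,
                           max_jitter=MAX_JITTER_RATIO):
    """Group connections by (src, dst, port) and flag flows with regular timing."""
    flows = defaultdict(list)
    for r in records:
        try:
            flows[(r["id.orig_h"], r["id.resp_h"], int(r["id.resp_p"]))].append(float(r["ts"]))
        except (KeyError, ValueError, TypeError):
            continue  # record lacks the fields this play needs
    leads = []
    for (src, dst, port), times in flows.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        mean_gap = statistics.mean(gaps)
        if mean_gap <= 0:
            continue  # duplicate timestamps; nothing periodic to measure
        jitter = statistics.stdev(gaps) / mean_gap
        if jitter > max_jitter:
            continue
        leads.append(make_lead(src, dst, port, len(times), mean_gap, jitter))
    return leads


def run_hunt(conn_log_text):
    """Parse conn.log text and return beaconing leads, sorted by confidence."""
    leads = find_beacon_candidates(parse_conn_log(conn_log_text))
    return sorted(leads, key=lambda lead: lead["confidence"], reverse=True)


if __name__ == "__main__":
    print(json.dumps(run_hunt(SAMPLE_CONN_LOG), indent=2))
```

On the constructed data only the 10.0.0.5 flow is reported (eight connections, mean interval about 60 s, jitter ratio about 0.024), while the browsing-like flow from 10.0.0.7 has a jitter ratio well above the threshold and is dropped; the evidence object carries the numbers an analyst needs to judge the lead before it is filed as an SO case.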

SkillBridge Integration

The SO-integrated TH skill pack is the target of the SkillBridge engagement with Security Onion. The adapter queries SO's Elasticsearch layer directly (community-accessible — not Pro-gated) and routes structured hunting leads back into SO cases.

See C4 Context Diagram for the full integration picture.

Implementation Tracking

  • #983 — Hunt-play YAML format and TH domain foundation
  • #847 — LoRA adapter training for Tier 2 skills (blocked on #846)
  • #846 — Corpus quality gate (blocked on #971 auditor verification)