/en/tags/threat-hunting/Recent content in Threat-Hunting on Suspicious BytesHugoen-USSat, 30 May 2026 00:00:00 +0000/en/posts/detecting-lateral-movement/Sat, 30 May 2026 00:00:00 +0000/en/posts/detecting-lateral-movement/<p>Once an attacker has a foothold, the interesting part begins: moving from the first host toward whatever they actually came for. That east-west movement leaves traces if you know which events to join.</p> <h2 id="signals-worth-joining">Signals worth joining</h2> <p>Lateral movement rarely shows up as a single smoking-gun event. It emerges from correlation:</p> <ol> <li>Network logon events (<code>4624</code> type 3) from unusual sources</li> <li>Service or scheduled-task creation on the destination</li> <li>Remote process creation shortly after</li> </ol> <blockquote> <p>Correlate across hosts, not just within one. A single <code>4624</code> is noise; a chain of them following an account around the estate is a story.</p>/en/posts/starting-with-threathunting/Sat, 27 Sep 2025 00:00:00 +0000/en/posts/starting-with-threathunting/<h2 id="start-hunting-today">Start Hunting Today!</h2> <p>Threat hunting doesn&rsquo;t require enterprise tools. You can simply start with what you already have.</p> <h3 id="minimum-requirements">Minimum Requirements</h3> <p>Start with things you probably already have. Work from there, and then think about improving and growing.</p> <ul> <li><strong>Centralized logging</strong> (Sysmon, firewall, proxy logs)</li> <li><strong>Query capability</strong> (ELK, Splunk, or even grep)</li> <li><strong>Baseline knowledge</strong> of your network</li> <li><strong>2-4 hours per week</strong> of dedicated hunting time</li> </ul> <p>Baselining is the hardest part for beginners, so start small. Pick one thing you can describe as &ldquo;normal&rdquo; (which hosts talk to the internet, which accounts run as admin, what runs at startup) and write it down. That single baseline becomes the yardstick for your first hunts.</p>