
Threat Hunting


Active Campaigns: 4
Total Findings: 127
Rules Generated: 38
Queries in Library: 256

Active Campaigns

APT29 Cozy Bear Activity
Status: Active
Adversary is using WellMess malware for initial access via spear-phishing and leveraging LDAP queries for discovery.
Techniques: T1566.001, T1087.002, T1018
12 queries | 23 findings | 2026-02-15

Living off the Land Binaries
Status: Active
Threat actors are abusing LOLBins (certutil, mshta, regsvr32) for defense evasion and execution.
Techniques: T1218.005, T1218.010, T1140
8 queries | 45 findings | 2026-02-20

Cloud Token Theft
Status: Draft
Attackers are stealing OAuth tokens from compromised workstations to access cloud services.
Techniques: T1528, T1550.001
5 queries | 0 findings | 2026-02-28

Ransomware Precursors
Status: Completed
Pre-ransomware activity including Cobalt Strike beacon deployment and lateral movement via PsExec/WMI.
Techniques: T1570, T1021.002, T1059.001
15 queries | 59 findings | 2026-01-10

Query Library

6 queries shown

Suspicious PowerShell Encoded Commands
Technique: T1059.001 | Tactic: Execution
Detects PowerShell processes launched with base64-encoded commands commonly used by threat actors.

LDAP Discovery Queries
Technique: T1087.002 | Tactic: Discovery
Identifies processes performing LDAP queries to enumerate domain accounts and groups.

Certutil Download Cradle
Technique: T1140 | Tactic: Defense Evasion
Detects certutil.exe being used to download and decode files, a common LOLBin abuse technique.

OAuth Token Theft via Browser
Technique: T1528 | Tactic: Credential Access
Identifies suspicious access patterns to browser token stores that may indicate OAuth token theft.

PsExec Lateral Movement
Technique: T1021.002 | Tactic: Lateral Movement
Detects PsExec-style lateral movement by monitoring SMB connections and named pipe creation.

Cobalt Strike Beacon DNS
Technique: T1071.004 | Tactic: Command and Control
Detects potential Cobalt Strike DNS beaconing by identifying high-frequency DNS queries with suspicious patterns.