TL;DR
Threat hunting isn't a luxury reserved for enterprises with round-the-clock SOCs. By adopting a hypothesis-driven approach and leveraging logs you already collect — EDR telemetry, DNS, proxy, and authentication logs — an Australian SMB can run five high-impact hunts in days, not months. This guide walks through the methodology, beginner scenarios, Sigma rule authoring, free intelligence feeds, and a step-by-step first hunt playbook you can execute this week.
Why Hypothesis-Driven Hunting Beats Waiting for Alerts
Most small teams operate in alert-driven mode: a tool fires, someone triages it, and if it's a false positive, the incident is closed. The problem is that this model assumes your detections are complete. They aren't. Threat actors — including the China-nexus and Russian GRU groups recently called out by ASD's ACSC — deliberately avoid tripping standard signatures by using legitimate credentials, living-off-the-land binaries, and stealthy command-and-control channels.
Threat hunting flips the model. Instead of reacting to what your tools flagged, you proactively search for what they missed. You start with a hypothesis — "an attacker has gained a foothold and is using PowerShell for execution" — then query your existing logs to confirm or refute it. This is called hypothesis-driven hunting, and it's grounded in the MITRE ATT&CK framework, which catalogues real-world adversary techniques (TTPs) you can hunt for systematically.
The distinction matters: alert-driven monitoring asks "what did my tools see?" while hypothesis-driven hunting asks "what would a specific adversary technique look like in my environment, and can I find evidence of it?" For an SMB facing real threats like the active ClickFix campaign distributing Vidar Stealer via compromised Australian WordPress sites, that proactive stance is the difference between catching an intruder on day one and discovering a breach six months later.
Starting With the Logs You Already Have
You don't need a million-dollar SIEM to begin hunting. Here are the high-value log sources most Australian SMBs either already collect or can enable for free:
- EDR telemetry (Microsoft Defender for Endpoint, CrowdStrike, SentinelOne): Process creation, command-line arguments, network connections, file modifications, and registry changes. This is your richest hunting dataset. Windows Sysmon provides a free alternative for organisations without commercial EDR.
- Authentication logs (Entra ID, Windows Security Event Logs): Look for impossible travel, first-time logins from new geographies, and repeated failures followed by success — classic brute-force or credential-stuffing patterns.
- DNS logs (Pi-hole, AdGuard, Cisco Umbrella, Windows DNS Analytical logs): DNS is where covert C2 channels hide. Long, high-entropy subdomain queries and anomalous query volume are red flags.
- Proxy and firewall logs: Web traffic to newly registered domains, uncommon countries, or known malicious infrastructure. CISA's free catalog of known-bad IPs (via their advisories) is a good starting corpus.
- Microsoft 365 / Azure AD sign-in and audit logs: Essential for detecting OAuth token abuse, mailbox rule manipulation, and consent grant attacks that are endemic in cloud environments.
If you're running Microsoft 365 Business Premium, you already have Defender for Endpoint Plan 1 and access to Advanced Hunting via the Microsoft Defender portal — a genuine hunting capability at no additional cost.
Five Beginner-Friendly Hunt Scenarios
1. Lateral Movement Detection
Hypothesis: An attacker who compromised one host is pivoting to others using legitimate remote administration tools. Query your authentication logs for one account authenticating to five or more distinct hosts in a 24-hour window. Pivot to network logs to confirm the source. Flag any internal-to-internal SMB (port 445), RDP (3389), or WinRM (5985/5986) connections initiated by accounts that don't normally make them. This hunt directly targets the lateral movement techniques used in both the China-nexus device-compromise advisory and the GRU logistics-sector campaign.
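The two checks above (one account fanning out to five or more hosts in 24 hours, and admin-protocol connections from accounts that don't normally make them), as an added example that is not the article's own code. It assumes logons have already been exported as tuples and that NORMAL_USAGE is a constructed baseline of (account, protocol) pairs observed during normal operations.

```python
from collections import defaultdict
from datetime import datetime, timedelta

ADMIN_PORTS = {445: "SMB", 3389: "RDP", 5985: "WinRM", 5986: "WinRM"}
# Assumption for this added example: (account, protocol) pairs seen during a baseline period of normal use.
NORMAL_USAGE = {("alice", "SMB"), ("bob", "SMB"), ("itadmin", "SMB"), ("itadmin", "RDP"), ("itadmin", "WinRM")}
# Constructed sample of successful network logons:
# (UTC time, account, source host, destination host, destination port)
SAMPLE_LOGONS = [
    ("2025-03-10T09:00:00", "alice", "WS-01", "FS-01", 445),
    ("2025-03-08T10:00:00", "bob", "WS-02", "FS-01", 445),
    ("2025-03-09T10:05:00", "bob", "WS-02", "PRN-01", 445),
    ("2025-03-10T10:10:00", "bob", "WS-02", "SRV-02", 445),
    ("2025-03-10T22:05:00", "jsmith", "WS-07", "SRV-01", 445),
    ("2025-03-10T22:11:00", "jsmith", "WS-07", "SRV-02", 3389),
    ("2025-03-10T22:20:00", "jsmith", "WS-07", "SRV-03", 5985),
    ("2025-03-10T22:34:00", "jsmith", "WS-07", "DC-01", 445),
    ("2025-03-10T23:02:00", "jsmith", "WS-07", "FS-01", 445),
    ("2025-03-11T08:00:00", "itadmin", "JUMP-01", "SRV-01", 3389),
]

def hunt_fan_out(logons, threshold=5, window=timedelta(hours=24)):
    """Accounts that authenticated to >= threshold distinct hosts inside any sliding window."""
    per_account = defaultdict(list)
    for ts, account, _src, dst, _port in logons:
        per_account[account].append((datetime.fromisoformat(ts), dst))
    hits = {}
    for account, events in per_account.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            hosts = {dst for t, dst in events[i:] if t - start <= window}
            if len(hosts) >= threshold:
                hits[account] = sorted(hosts)
                break
    return hits

def hunt_unusual_admin_ports(logons, baseline=NORMAL_USAGE):
    """Internal-to-internal SMB/RDP/WinRM by an account that has not used that protocol before."""
    unusual = []
    for ts, account, src, dst, port in logons:
        proto = ADMIN_PORTS.get(port)
        if proto and (account, proto) not in baseline:
            unusual.append((ts, account, src, dst, proto))
    return unusual
```

In the sample, jsmith reaches five hosts in under an hour and uses three admin protocols with no baseline, while bob's three file-share hosts over three days stay below the threshold.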
2. Living-off-the-Land Binaries (LotL)
Hypothesis: An attacker is executing code through trusted Windows utilities to evade application allow-listing. Hunt for process executions of certutil.exe, mshta.exe, rundll32.exe, regsvr32.exe, wmic.exe, and bitsadmin.exe — especially when invoked with download or decode parameters or from unusual parent processes. MITRE ATT&CK technique T1218 (System Binary Proxy Execution) is your reference here. Create a baseline of normal usage first; anything outside it deserves scrutiny.
3. Unusual PowerShell Activity
PowerShell is the workhorse of both administrators and attackers. Hunt for: encoded commands (-EncodedCommand or -enc), execution policy bypass flags (-ExecutionPolicy Bypass), PowerShell launched from Office applications or cmd.exe, and Invoke- cmdlets associated with post-exploitation frameworks (Cobalt Strike, Empire). Enable PowerShell Script Block Logging (Event ID 4104) if you haven't — it captures the deobfuscated script content, which is invaluable for understanding what an attacker actually executed.
4. DNS Tunneling Indicators
Hypothesis: Malware is exfiltrating data or receiving C2 instructions over DNS to bypass egress filtering. Hunt for DNS queries with subdomains exceeding 50 characters, unusually high query entropy, or a single host generating disproportionate DNS traffic to an obscure resolver. Tools such as dnstwist, or the RTA (Real-Time Analytics) queries in Zeek or Suricata, can automate this. Given that the active ClickFix/Vidar campaign and state-sponsored operations both rely on stealthy C2, this hunt frequently yields results.
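The three DNS indicators above (subdomain length, label entropy, per-host query volume) run over a constructed query log, as an added example rather than code from the article. It assumes a simple "time client name" log format and treats the last two labels as the registered domain; names under .com.au would need a public suffix list.

```python
import math
from collections import Counter
from statistics import median

# Constructed sample DNS log, one query per line: "<UTC time> <client IP> <query name>".
# 10.0.0.5 is the suspect host: two oversized labels under an unfamiliar domain plus most of the volume.
SAMPLE_DNS_LOG = """\
2025-03-10T22:00:01 10.0.0.7 www.microsoft.com
2025-03-10T22:00:03 10.0.0.8 outlook.office365.com
2025-03-10T22:00:05 10.0.0.5 0123456789abcdef0123456789abcdef.0123456789abcdef0123456789abcdef.cdn-sync.net
2025-03-10T22:00:06 10.0.0.5 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.cdn-sync.net
2025-03-10T22:00:07 10.0.0.5 mail.example.com
2025-03-10T22:00:08 10.0.0.5 www.example.com
2025-03-10T22:00:09 10.0.0.5 login.example.com
2025-03-10T22:00:10 10.0.0.5 api.example.com
"""

def shannon_entropy(s):
    """Bits per character: 0 for a repeated character, 4.0 for evenly distributed hex."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def split_name(qname, registered_labels=2):
    """Split into (subdomain, registered domain). Assumes a two-label registered domain;
    names under .com.au need a public suffix list to split correctly."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[:-registered_labels]), ".".join(labels[-registered_labels:])

def hunt_dns_tunneling(log_text, max_sub_len=50, min_entropy=3.5, volume_ratio=5.0):
    """Flag long or high-entropy subdomains, and clients whose query count dwarfs the median."""
    hits, per_client = [], Counter()
    for line in log_text.strip().splitlines():
        ts, client, qname = line.split()
        per_client[client] += 1
        sub, domain = split_name(qname)
        reasons = []
        if len(sub) > max_sub_len:
            reasons.append("long subdomain")
        if shannon_entropy(sub.replace(".", "")) > min_entropy:
            reasons.append("high entropy")
        if reasons:
            hits.append({"time": ts, "client": client, "domain": domain, "reasons": reasons})
    typical = median(per_client.values())
    noisy = [c for c, n in per_client.items() if n > volume_ratio * typical]
    return hits, noisy
```

Tune max_sub_len and min_entropy against a week of your own resolver logs first; CDN and telemetry hostnames will set the floor for what counts as anomalous.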
5. After-Hours RDP and Authentication
Hypothesis: A compromised account is being used outside normal business hours. Define your organisation's standard working window (for most Australian SMBs, 7am–7pm AEST), then query for successful authentications outside that window — especially RDP sessions from external IPs. Correlate with the user's historical baseline. This is one of the highest-signal, lowest-effort hunts and regularly catches both insider threats and external attackers who prefer to operate when nobody's watching.
Detection Engineering: From Hunt to Permanent Detection
When a hunt finds something, don't just close the ticket — convert it into a permanent detection. That's detection engineering. The industry standard format for sharing and deploying detections is Sigma, an open YAML-based rule language that works across SIEM platforms (Splunk, Elastic, Microsoft Sentinel, and dozens of others).
Here's a minimal Sigma rule for the after-hours RDP hunt:
```yaml
title: RDP Login Outside Business Hours
status: experimental
description: Detects successful RDP authentications outside standard hours
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4624     # successful logon
        LogonType: 10     # RemoteInteractive (RDP)
    condition: selection
    # Sigma has no time-of-day operator: apply the business-hours window in the
    # converted SIEM query or its schedule. (A timeframe key only takes effect
    # alongside a count() aggregation, so it is omitted here.)
falsepositives:
    - Legitimate after-hours maintenance
level: medium
```
Convert Sigma rules to your SIEM's native query syntax using sigconverter.io or the sigmac CLI. Tune aggressively in the first two weeks: every false positive is noise that erodes trust in your alerts. The goal is a detection your small team can actually triage without alert fatigue.
Open-Source Threat Intelligence Feeds
Hunting is far more effective when enriched with current intelligence. These free feeds are directly relevant to Australian organisations:
- MITRE ATT&CK: The foundational framework mapping adversary TTPs. Use it to structure hypotheses and select hunt targets.
- MISP (Malware Information Sharing Platform): Open-source threat intel platform. The ASD ACSC and CERT Australia publish indicators through MISP communities. Self-host or join a community feed.
- Abuse.ch: Multiple focused feeds — URLhaus (malicious URLs), MalwareBazaar (malware samples), ThreatFox (IOCs). Query via API for automated enrichment.
- CISA Known Exploited Vulnerabilities (KEV) Catalog: The authoritative list of CVEs being actively exploited in the wild — including the current cPanel/WHM critical vulnerability (CVE-2026-4194) flagged by ASD.
- ASD ACSC Alerts and Advisories: Subscribe to the ACSC alert service for Australia-specific threats. The current advisories on ClickFix/Vidar targeting Australian infrastructure and China-nexus covert device networks are actionable right now.
Building a Threat Hunting Program on a Budget
You don't need a SOC to hunt. You need a rhythm. Start with a monthly hunting cadence — one hypothesis, one scenario, one afternoon. Document every hunt in a simple register: the hypothesis, the data queried, the findings, and any detection created. Within a quarter, you'll have a repeatable program. Prioritise hunts that map to threats in the ACSC advisories relevant to your sector. Use your existing Microsoft 365 or SIEM licensing before buying new tooling — most teams are using a fraction of what they've already paid for.
First Hunt Playbook: After-Hours RDP in 7 Steps
1. Define the hypothesis: A compromised account is authenticating via RDP outside business hours (7am–7pm AEST, Monday–Friday).
2. Confirm log coverage: Ensure Windows Security Event ID 4624 (successful logon) with LogonType 10 (RemoteInteractive) is being collected. Check in Defender for Endpoint, your SIEM, or on the domain controller.
3. Pull 30 days of RDP events: Filter for EventID 4624 AND LogonType 10 AND time outside the business-hours window.
4. Establish a baseline: For each account that appears, check whether this is genuinely anomalous — did they log in after-hours previously? Admins and on-call staff will generate noise.
5. Investigate anomalies: For any unexplained sessions, pivot to network logs for the source IP. Is it Australian? Is it a known VPN or residential range? Cross-reference against Abuse.ch and the CISA KEV.
6. Document findings: Record the account, source IP, timestamps, and your assessment. If you find a real intrusion, escalate to incident response immediately.
7. Convert to a detection: Author a Sigma rule (as shown above), deploy it in your SIEM, and tune for two weeks. This is now a permanent automated control.
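Steps 3 to 5 of the playbook (and hunt scenario 5 above) carried through on a constructed set of Event ID 4624 records, as an added example that is not the article's code. It assumes events have been exported as dicts with UTC timestamps, a fixed AEST offset with no daylight saving, and that INTERNAL_NETS lists the organisation's own address ranges; HUNT_NOW is a constructed reference time for the 30-day pull.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta, timezone
# Assumptions for this added example: events are Windows Security 4624 records exported as
# dicts with UTC ISO-8601 timestamps, and INTERNAL_NETS are the organisation's own ranges.
AEST = timezone(timedelta(hours=10))      # fixed +10:00, no DST (Sydney/Melbourne need Australia/Sydney)
BUSINESS_HOURS = (7, 19)                  # 7am-7pm, Monday to Friday
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
HUNT_NOW = datetime(2025, 3, 15, tzinfo=timezone.utc)   # constructed reference time for the 30-day pull
# Constructed sample: itadmin has a history of after-hours RDP, bob and jsmith do not, alice logs on
# in business hours, and jsmith's console logon (LogonType 2) is not RDP and must be ignored.
SAMPLE_EVENTS = [
    {"EventID": 4624, "LogonType": 10, "TimeCreated": "2025-02-20T11:00:00Z", "TargetUserName": "itadmin", "IpAddress": "10.0.0.9"},
    {"EventID": 4624, "LogonType": 10, "TimeCreated": "2025-03-12T10:15:00Z", "TargetUserName": "itadmin", "IpAddress": "10.0.0.9"},
    {"EventID": 4624, "LogonType": 10, "TimeCreated": "2025-03-12T23:00:00Z", "TargetUserName": "alice", "IpAddress": "10.0.0.21"},
    {"EventID": 4624, "LogonType": 10, "TimeCreated": "2025-03-09T01:00:00Z", "TargetUserName": "bob", "IpAddress": "10.0.0.12"},
    {"EventID": 4624, "LogonType": 10, "TimeCreated": "2025-03-14T13:30:00Z", "TargetUserName": "jsmith", "IpAddress": "203.0.113.45"},
    {"EventID": 4624, "LogonType": 2, "TimeCreated": "2025-03-14T14:00:00Z", "TargetUserName": "jsmith", "IpAddress": "-"},
]

def to_aest(ts):
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(AEST)
def is_after_hours(local):
    return local.weekday() >= 5 or not (BUSINESS_HOURS[0] <= local.hour < BUSINESS_HOURS[1])
def is_external(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:                    # 4624 records use "-" when no network address applies
        return False
    return not addr.is_loopback and not any(addr in net for net in INTERNAL_NETS)

def hunt_after_hours_rdp(events, now=HUNT_NOW, lookback_days=30, recent_days=7):
    """Playbook steps 3-5: filter to after-hours RDP, baseline each account, rank recent anomalies."""
    start, recent_from = now - timedelta(days=lookback_days), now - timedelta(days=recent_days)
    after_hours = defaultdict(list)
    for e in events:
        if e["EventID"] != 4624 or e["LogonType"] != 10:
            continue
        local = to_aest(e["TimeCreated"])
        if start <= local and is_after_hours(local):
            after_hours[e["TargetUserName"]].append((local, e["IpAddress"]))
    findings = []
    for account, logons in after_hours.items():
        had_prior = any(t < recent_from for t, _ in logons)   # baseline: after-hours RDP before the recent window
        for local, ip in logons:
            if local >= recent_from:
                findings.append({"account": account, "when": local.isoformat(), "source": ip,
                                 "external": is_external(ip), "new_behaviour": not had_prior})
    findings.sort(key=lambda f: (f["external"], f["new_behaviour"]), reverse=True)   # triage order
    return findings
```

The top finding (jsmith, external source, first-ever after-hours RDP) is the one to pivot into network logs and Abuse.ch first; itadmin's logon sorts to the bottom because the baseline already contains that behaviour.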
FAQ
Do I need a SIEM to start threat hunting? No. You can begin with Microsoft Defender for Endpoint's Advanced Hunting, PowerShell scripts querying Windows Event Logs, or even a spreadsheet exporting DNS logs. A SIEM makes hunting faster and more scalable, but the methodology works with raw log access.
How often should a small team hunt? Start monthly. Even four hours per month of focused hunting delivers meaningful coverage. As your detections mature and false positives decrease, increase to fortnightly or weekly for high-priority scenarios like after-hours access and PowerShell abuse.
What's the difference between threat hunting and incident response? Hunting is proactive — you're searching for threats you haven't been alerted to. Incident response is reactive — you're responding to a confirmed or suspected incident. Hunting often leads to incident response when it uncovers a real compromise.
How do I justify the time investment to leadership? Frame it in terms of risk reduction and breach cost. The ACSC reports that the average cost of a cyber incident to an Australian business continues to rise. A monthly hunt that catches an intruder on day three instead of month six can prevent what would otherwise be a business-ending breach. The current threat landscape — active exploitation of cPanel, Vidar Stealer targeting Australian WordPress sites, state-sponsored campaigns — makes the case for itself.
Conclusion
Threat hunting is a mindset shift: from passively waiting for alerts to actively searching for adversaries in your environment. For an Australian SMB, the barriers to entry are lower than most assume — your existing logs, free tools like Sigma and MITRE ATT&CK, and intelligence feeds from the ACSC and CISA are enough to start this week. Begin with the after-hours RDP hunt, convert what you find into a permanent detection, and build from there. Consistency beats complexity every time.
Ready to strengthen your detection capabilities? Visit consult.lil.business for a free cybersecurity assessment — we'll help you identify your highest-value log sources, map hunts to the threats most relevant to your business, and build a program that fits your team and budget.
References
- MITRE ATT&CK Framework
- Sigma Rule Specification
- ASD ACSC — ClickFix Distributing Vidar Stealer Advisory
- CISA Known Exploited Vulnerabilities Catalog
- SANS Institute — Threat Hunting Resources