The process of searching for the presence of or information about an adversary.
Typically the search is informed by intelligence on adversary TTPs and infrastructure. Within the defender's environments, hunting presupposes a failure of initial prevention or detection, and that an adversary has successfully penetrated a system. In this case defenders hunt for the presence of an adversary. Defenders also hunt adversaries outside the defended environment. Information about the adversary, including their skills, TTPs, and infrastructure, can be used to improve defenses or promote better adversary engagement.
|DOS0245||If you can determine how an adversary is dynamically resolving command and control (C2) addresses, there is an opportunity to use that information to identify additional adversary infrastructure or tools.|
|DUC0245||A defender can use information about how an identified dynamic resolution works to hunt for previously undetected adversary resolutions that work in the same manner.|
|DPR0039||Pivot on Command and Control information to identify other infrastructure used by the same adversary.|
|DPR0065||Use information about an adversary's TTPs to perform retroactive searches for any activity that has gone undetected.|
|T1568||Dynamic Resolution||Command and Control|
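
The retroactive hunt described in DUC0245 and DPR0065, as an added example that is not part of the original page: once the resolution scheme is understood, the defender regenerates the names it would have produced over a past window and searches historical DNS logs for them. The hash-based scheme, the seed, the log format and the addresses are all constructed assumptions.

```python
import hashlib
from datetime import date, timedelta

def candidate_domains(seed, day, per_day=3):
    """Constructed stand-in for a resolution scheme recovered from an analysed
    sample: 12 hex chars of SHA-256(seed + ISO date + index) under .example."""
    return [
        hashlib.sha256(f"{seed}{day.isoformat()}{i}".encode()).hexdigest()[:12] + ".example"
        for i in range(per_day)
    ]

def build_watchlist(seed, start, end, per_day=3):
    """Map every name the scheme yields in [start, end] to its generation date."""
    watch, day = {}, start
    while day <= end:
        for name in candidate_domains(seed, day, per_day):
            watch[name] = day
        day += timedelta(days=1)
    return watch

def hunt(dns_log_lines, watchlist):
    """Return (timestamp, client, qname, generation_date) for each logged
    query whose name appears in the regenerated watchlist."""
    hits = []
    for line in dns_log_lines:
        parts = line.split()
        if len(parts) != 3:
            continue  # skip lines that do not match the assumed log format
        ts, client, qname = parts
        qname = qname.rstrip(".").lower()  # normalise trailing dot and case
        if qname in watchlist:
            hits.append((ts, client, qname, watchlist[qname]))
    return hits

SEED = "constructed-seed"  # assumption: value recovered during analysis
WATCHLIST = build_watchlist(SEED, date(2024, 3, 1), date(2024, 3, 7))

# Constructed DNS query log, format "<timestamp> <client-ip> <qname>"
SAMPLE_LOG = [
    "2024-03-02T08:14:11Z 10.0.4.17 www.example.org.",
    f"2024-03-02T08:14:12Z 10.0.4.17 {candidate_domains(SEED, date(2024, 3, 2))[1].upper()}.",
    "2024-03-03T11:02:40Z 10.0.9.5 mail.example.net",
    f"2024-03-05T23:51:03Z 10.0.7.30 {candidate_domains(SEED, date(2024, 3, 5))[0]}",
    "malformed line with too many fields here",
]

if __name__ == "__main__":
    for ts, client, qname, generated in hunt(SAMPLE_LOG, WATCHLIST):
        print(f"{ts} {client} queried {qname} (generated for {generated})")
```

Each hit names a host that resolved a regenerated name and the date that name was valid for, which gives the starting points for the infrastructure pivot in DPR0039.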