Threat Hunting in MDR: How Modern SOCs Find What Detection Rules Miss

Reviewed by Opsio Engineering Team
Fredrik Karlsson

Group COO & CISO

Operational excellence, governance, and information security. Aligns technology, risk, and business outcomes in complex IT environments

Detection rules catch the attacks you have already seen. Threat hunting catches the rest. Every credible MDR engagement in 2026 includes a hunting deliverable because every credible threat report (Mandiant M-Trends, CrowdStrike Global Threat Report, the Verizon DBIR) confirms the same point: median dwell time has compressed, but the long tail of intrusions still runs 30, 60, 90 days before something trips a rule. Hunting is how that tail gets shorter.

This article walks through how a modern SOC actually hunts: the hypothesis-driven loop, the data sources you need wired in, the queries that work in Microsoft Sentinel KQL and Splunk SPL, and the deliverable that distinguishes a real hunt from "we ran some greps and called it a hunt." The audience is CISOs and SOC managers buying MDR or scaling an in-house team, so the focus is on the parts that matter for evaluating both.

Why Detection Rules Aren't Enough

The structural problem with rule-only detection is that rules encode known bad. They are written after a technique is published, observed, or attributed. Three failure modes follow:

  • Living-off-the-land binaries (LOLBins): certutil.exe downloading, regsvr32.exe executing scriptlets, rundll32.exe staging payloads, bitsadmin.exe persistence. The binaries are signed Microsoft tooling; rule-based detection drowns in false positives.
  • Identity attacks: T1078 Valid Accounts, T1539 Steal Web Session Cookie, OAuth consent grants. The login is technically valid; only behavioural baselines distinguish attacker from user.
  • Slow burns: once-a-day beaconing, weekly data staging, single-domain DNS exfiltration. Rate-based rules miss anything below the threshold.

The CrowdStrike Global Threat Report 2024 noted that 75% of detections were malware-free, relying on identity abuse, LOLBins, and legitimate remote-access tools. Rule libraries cannot keep pace. Hunting fills the gap by starting from a hypothesis instead of a signature.

The Hypothesis-Driven Hunt Loop

Real hunting follows a four-step loop, repeated every 1-2 weeks per analyst.

  1. Hypothesis: a falsifiable statement tied to an ATT&CK technique. Example: "An adversary is using T1133 External Remote Services via an exposed Citrix gateway to harvest valid credentials, then using T1078 to access internal SaaS without triggering MFA."
  2. Data scoping: list the telemetry needed: NetFlow, Citrix audit logs, Entra ID sign-in logs, MFA outcome events, SaaS audit trails. Confirm each is in the SIEM with sufficient retention.
  3. Query and triage: write the queries, review results, escalate true positives to incident, document false positives so the next hunt skips them.
  4. Output: a written hunt report including hypothesis, data sources, findings, new detections produced, and ATT&CK coverage delta.

The deliverable is what separates a hunt from a fishing expedition. If the engagement does not produce a report and at least one new detection rule (added to your library, not just the provider's), the hunt did not happen.

Hunt 1: Suspicious OAuth Application Consents

OAuth-consent attacks (illicit consent grants) bypass MFA entirely because the user is genuinely consenting, just to a malicious application masquerading as a legitimate one. The 2024 wave of "Tycoon 2FA" and "EvilProxy" kits made this the dominant identity attack against Microsoft 365 tenants. The KQL hunt against Sentinel:

// Find OAuth consents to apps with high-risk delegated permissions in last 14 days
let HighRiskScopes = dynamic([
    "Mail.ReadWrite", "Mail.Send", "MailboxSettings.ReadWrite",
    "Files.ReadWrite.All", "Sites.ReadWrite.All",
    "Directory.ReadWrite.All", "User.ReadWrite.All"
]);
AuditLogs
| where TimeGenerated > ago(14d)
| where OperationName == "Consent to application"
| extend TargetApp = tostring(TargetResources[0].displayName)
// The permissions value is a bracketed "key: value" string, not JSON, and its position
// in modifiedProperties varies, so select it by name and pull the fields out with regex
| mv-expand Prop = TargetResources[0].modifiedProperties
| where tostring(Prop.displayName) == "ConsentAction.Permissions"
| extend ConsentFull = tostring(Prop.newValue)
| extend ConsentType = extract(@"ConsentType: (\w+)", 1, ConsentFull)
| extend Scopes = extract(@"Scope: ([^,\]]+)", 1, ConsentFull)
| where Scopes has_any (HighRiskScopes)
| extend Granter = tostring(InitiatedBy.user.userPrincipalName)
| project TimeGenerated, Granter, TargetApp, ConsentType, Scopes
| order by TimeGenerated desc

True positives go to incident. False positives feed an allow-list of known internal apps. Run this hunt monthly; it surfaces consent attacks that no signature-based rule reliably catches.
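As an added illustration (not code from the article or from Opsio's tooling), the Python below applies the same logic offline: it locates the ConsentAction.Permissions property by name, parses its bracketed "key: value" string, and flags consents that grant any high-risk scope. The audit records, application names and user principal names are constructed sample data in the shape of AuditLogs rows.

```python
import re

# Same delegated permissions as the HighRiskScopes list in the KQL hunt above
HIGH_RISK_SCOPES = {"Mail.ReadWrite", "Mail.Send", "MailboxSettings.ReadWrite",
                    "Files.ReadWrite.All", "Sites.ReadWrite.All",
                    "Directory.ReadWrite.All", "User.ReadWrite.All"}
# The ConsentAction.Permissions newValue is a bracketed "key: value" string,
# not JSON, so it is parsed with regular expressions rather than json.loads.
CONSENT_TYPE_RE = re.compile(r"ConsentType:\s*(\w+)")
SCOPE_RE = re.compile(r"Scope:\s*([^,\]]+)")


def parse_consent(new_value):
    """Return the consent type and the list of granted scopes."""
    ctype = CONSENT_TYPE_RE.search(new_value)
    scope = SCOPE_RE.search(new_value)
    return {"consent_type": ctype.group(1) if ctype else None,
            "scopes": scope.group(1).split() if scope else []}


def hunt_consents(records):
    """Flag consent events that grant a high-risk scope. The permissions property
    is located by displayName because its index in modifiedProperties varies."""
    hits = []
    for rec in records:
        target = rec["TargetResources"][0]
        perm = next((p["newValue"] for p in target["modifiedProperties"]
                     if p["displayName"] == "ConsentAction.Permissions"), None)
        if perm is None:
            continue
        parsed = parse_consent(perm)
        risky = sorted(set(parsed["scopes"]) & HIGH_RISK_SCOPES)
        if risky:
            hits.append({"granter": rec["InitiatedBy"]["user"]["userPrincipalName"],
                         "app": target["displayName"], "consent_type": parsed["consent_type"],
                         "high_risk_scopes": risky})
    return hits


def _record(app, user, perm_value):
    """Build a constructed AuditLogs-shaped record (sample data, not a real tenant)."""
    props = [{"displayName": "ConsentContext.IsAdminConsent", "newValue": "False"},
             {"displayName": "ConsentAction.Permissions", "newValue": perm_value}]
    return {"TargetResources": [{"displayName": app, "modifiedProperties": props}],
            "InitiatedBy": {"user": {"userPrincipalName": user}}}


SAMPLE_RECORDS = [  # constructed: one benign consent, one granting mailbox control
    _record("Contoso Timesheets", "alice@example.test",
            "[[Id: a1, ConsentType: Principal, Scope: openid profile User.Read, CreatedDateTime: 2025-01-01]]"),
    _record("Mail Backup Assistant", "bob@example.test",
            "[[Id: b2, ConsentType: Principal, Scope: Mail.ReadWrite Mail.Send offline_access, CreatedDateTime: 2025-01-02]]"),
]
```

Running hunt_consents(SAMPLE_RECORDS) returns only the second record, with Mail.ReadWrite and Mail.Send as the high-risk scopes.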

Hunt 2: Beaconing C2 Below the Noise Floor

Cobalt Strike, Sliver, Mythic, and Brute Ratel all support sub-hourly jitter and randomised sleep. Time-windowed rate rules miss them. The hunting approach is to look at the regularity of outbound connections per host-destination pair, not the volume.

In Splunk SPL against firewall or proxy logs, computing the coefficient of variation over the inter-arrival intervals of each source/destination pair (computed over raw epoch timestamps the ratio is always tiny, because the mean is the epoch itself, so the filter would never discriminate):

index=proxy earliest=-7d
| sort 0 src, dest_host, _time
| streamstats current=f last(_time) as prev_time by src, dest_host
| eval interval = _time - prev_time
| where isnotnull(interval)
| stats count as connections, range(_time) as span,
        avg(interval) as interval_mean, stdev(interval) as interval_sd
        by src, dest_host
| where connections > 50 AND span > 86400
| eval coefvar = interval_sd / interval_mean
| where coefvar < 0.05
| sort 0 - connections

A coefficient of variation below 0.05 means connections are arriving at near-perfect intervals; human web traffic does not look like that. The query surfaces beaconing without needing a known-bad domain list. Pair it with a Wazuh agent rule that flags any process making the matching outbound connection, and you have a closed loop.
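To show the interval-regularity analytic on data you can run offline, here is an added Python version (not from the article or Opsio's tooling) that applies the same thresholds to constructed proxy log lines in an assumed "epoch src dest_host" format: one host beacons every five minutes with slight jitter, another visits the same name at irregular human-like gaps.

```python
import statistics
from collections import defaultdict

# Same thresholds as the SPL hunt above
MIN_CONNECTIONS = 50
MIN_SPAN_SECONDS = 86400
MAX_COEFVAR = 0.05


def parse_proxy_lines(lines):
    """Yield (src, dest_host, epoch) from lines in the assumed 'epoch src dest_host' format."""
    for line in lines:
        if line.strip() and not line.startswith("#"):
            ts, src, dest = line.split()
            yield src, dest, float(ts)


def beacon_candidates(lines):
    """Return {(src, dest_host): coefvar} for pairs whose connections arrive at
    near-constant intervals. The coefficient of variation is taken over the gaps
    between consecutive connections, not over raw timestamps."""
    times = defaultdict(list)
    for src, dest, ts in parse_proxy_lines(lines):
        times[(src, dest)].append(ts)
    results = {}
    for pair, ts in times.items():
        ts.sort()
        if len(ts) <= MIN_CONNECTIONS or ts[-1] - ts[0] <= MIN_SPAN_SECONDS:
            continue  # same volume and span gates as the SPL query
        gaps = [later - earlier for earlier, later in zip(ts, ts[1:])]
        coefvar = statistics.pstdev(gaps) / statistics.mean(gaps)
        if coefvar < MAX_COEFVAR:
            results[pair] = round(coefvar, 4)
    return results


def constructed_logs():
    """Constructed sample (no real traffic): host 10.0.0.5 beacons every 300 s with a
    few seconds of deterministic jitter; host 10.0.0.9 visits the same name at
    irregular gaps of 1 to 31 minutes. Both exceed 50 connections and 24 h of span."""
    start = 1_700_000_000
    lines = ["# epoch src dest_host"]
    for i in range(400):
        jitter = (i % 7) - 3
        lines.append(f"{start + i * 300 + jitter} 10.0.0.5 cdn-update.example")
    t = start
    for i in range(120):
        t += 60 + (i * 37) % 1800
        lines.append(f"{t} 10.0.0.9 cdn-update.example")
    return lines
```

beacon_candidates(constructed_logs()) flags only the 10.0.0.5 pair, with a coefficient of variation of about 0.008; the human browser's gaps vary far too much to pass the 0.05 gate.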

Hunt 3: Lateral Movement via Valid Credentials

T1078 Valid Accounts plus T1021.002 SMB/Windows Admin Shares is the LockBit and BlackCat (ALPHV) bread-and-butter, pre-Operation Cronos and post. The hunt looks for unusual source/destination pairs in NTLM and Kerberos authentication.

// Sentinel KQL: workstation-to-workstation auth - almost always suspicious
// Assumes workstation hostnames start with "WS" and a digit; adjust the pattern to your naming standard
let WorkstationPattern = @"^WS\d";
SecurityEvent
| where TimeGenerated > ago(7d)
| where EventID == 4624
| where LogonType in (3, 10)  // Network or RemoteInteractive (RDP)
// 4624 records the source as WorkstationName (short name); Computer is the target and is often an FQDN
| extend TargetHost = toupper(tostring(split(Computer, ".")[0]))
| extend SourceHost = toupper(WorkstationName)
| where TargetHost matches regex WorkstationPattern
| where SourceHost matches regex WorkstationPattern
| where TargetHost != SourceHost  // drop local logons reported over the network
| summarize Sessions = count(), DistinctUsers = dcount(TargetUserName)
    by Computer, TargetHost, SourceHost, bin(TimeGenerated, 1d)
| where Sessions > 3
| join kind=leftouter (
    DeviceProcessEvents
    | where Timestamp > ago(7d)
    | where InitiatingProcessFileName in~ ("psexec.exe", "wmic.exe", "winrs.exe")
    | extend DeviceHost = toupper(tostring(split(DeviceName, ".")[0]))
    | summarize RemoteExecTools = make_set(InitiatingProcessFileName) by DeviceHost
) on $left.TargetHost == $right.DeviceHost
| project TimeGenerated, SourceHost, TargetHost, Sessions, DistinctUsers, RemoteExecTools

Servers authenticating to servers is normal; workstations authenticating to other workstations almost never is, except for IT support tooling that you allow-list. Joining to DeviceProcessEvents for PsExec, WMIC, and WinRS is the corroborating signal.

Hunt 4: Pre-Encryption Staging

The signature of T1486 Data Encrypted for Impact is that ransomware actors stage data before they encrypt: they want exfiltration leverage if encryption fails. The pre-encryption window is typically 24-72 hours and is where MDR earns its retainer. Indicators in CrowdStrike or Defender for Endpoint telemetry:

  • Sudden archive creation (7z.exe, WinRAR.exe, rar.exe) outside backup-job paths
  • vssadmin delete shadows or wmic shadowcopy delete (T1490 Inhibit System Recovery)
  • RClone, MEGAsync, Restic, or AnyDesk processes on hosts that have never run them before
  • Reading more than 10K files across multiple shares within 1 hour by a single account

Defender for Endpoint advanced hunting query:

DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ("rclone.exe", "megasync.exe", "restic.exe", "winscp.com")
| extend Hour = bin(Timestamp, 1h)
// Correlate the staging tool with mass file creation in the same hour on the same device;
// joining on DeviceId alone would pair every process event with every busy hour
| join kind=leftouter (
    DeviceFileEvents
    | where Timestamp > ago(7d)
    | where ActionType == "FileCreated"
    | summarize FilesCreated = count() by DeviceId, Hour = bin(Timestamp, 1h)
    | where FilesCreated > 1000
) on DeviceId, Hour
| project Timestamp, DeviceName, FileName, ProcessCommandLine, FilesCreated

Hits go straight to P1 incident. The Operation Cronos LockBit takedown in February 2024 and the BlackCat self-shutdown that followed have not eliminated the affiliate model; the same pre-encryption signature shows up in RansomHub, Akira, and Play campaigns through 2025-2026.

Deliverable Rubric and the Hunting Stack

Evaluate every MDR or in-house hunt deliverable against this rubric:

Deliverable element | Real hunt | Theatre
Hypothesis | Falsifiable, tied to ATT&CK technique ID | "Looking for suspicious activity"
Data sources | Named indices, retention confirmed | "All available logs"
Query artefacts | KQL/SPL/Sigma exported and version-controlled | Verbal walkthrough
Output | Findings, new detection rules, ATT&CK coverage delta | "No findings, all clear"
Frequency | 1 hunt per fortnight per scope | "Continuously hunting"

"Continuously hunting" without artefacts is not hunting; it is automated detection rebadged. The artefact discipline is what makes the practice cumulative; over 12 months a SOC builds a library of hypotheses, queries, and detections that survives analyst churn.

The hunting stack is not identical to the alerting stack. Hunters need fast ad-hoc query, broad telemetry, and lookups that reach beyond the SIEM.

  • Microsoft Sentinel + Defender XDR: KQL across endpoint, identity, email, cloud in one query plane. The strongest hunting surface for Microsoft estates and the foundation we deploy in our Azure Sentinel managed service.
  • Splunk Enterprise Security: SPL flexibility, mature lookup tables, ES Risk-Based Alerting for hunt-to-detection promotion.
  • Elastic Security: open-stack hunting with EQL plus KQL syntax, strong fit for organisations already on the ELK stack.
  • Sumo Logic, Wazuh: viable for smaller environments where hunting is a quarterly exercise rather than a fortnightly cadence.
  • Velociraptor: endpoint-side hunting language for forensic-grade artefacts; pairs well with any of the above.

How Opsio Helps

Opsio runs a hypothesis-led hunt cadence inside our managed detection and response services, with fortnightly hunts mapped to ATT&CK techniques relevant to each customer's industry, version-controlled query artefacts you keep on contract termination, and a written report tracking ATT&CK coverage delta over time. The hunt programme integrates with our broader cybersecurity service provider deliverables: penetration testing findings feed hunting hypotheses, and detection content from hunts feeds back into the SOC's automated rule library.

About the Author

Fredrik Karlsson, Group COO & CISO at Opsio

Editorial standards: This article was written by a certified practitioner and peer-reviewed by our engineering team. We update content quarterly to ensure technical accuracy. Opsio maintains editorial independence: we recommend solutions based on technical merit, not commercial relationships.