
Threat Hunting Guide

This guide provides a complete reference for threat hunting in RhythmX — from query syntax to real-world hunting scenarios mapped to MITRE ATT&CK.


Query Syntax Reference

| Syntax | Example | Description |
|---|---|---|
| `field:value` | `login:admin` | Exact field match |
| `field:value*` | `login:admin*` | Wildcard — starts with |
| `field:*value*` | `login:*admin*` | Wildcard — contains |
| `field:value?` | `status:0xc00000?a` | Single-character wildcard |
| `*` | `*` | Match all events |
| free text | `powershell` | Search in the raw log message |
| `"quoted text"` | `"failed login"` | Exact phrase in the log message |

Boolean Operators

| Operator | Example | Description |
|---|---|---|
| `AND` | `login:admin AND event_id:4625` | Both conditions must match (default) |
| `OR` | `login:admin OR login:root` | Either condition matches |
| `NOT` | `NOT event_id:4624` | Exclude matching events |
| `-` | `-event_id:4624` | Exclude shorthand (same as `NOT`) |
| `NOT (...)` | `NOT (login:svc* OR login:$*)` | Exclude a grouped condition |

Field Names

RhythmX supports both the raw Elasticsearch field names and friendly aliases. Use whichever you prefer — both work identically.

Identity & User:

| Field | Alias | Description | Example |
|---|---|---|---|
| `login` | `user` | Username / login name | `login:john.doe` or `user:john.doe` |
| `account` | | Account name | `account:administrator` |
| `group` | | Group name | `group:Domain Admins` |
| `domainOrigin` | `domain` | Domain name | `domain:CORP` |
| `sender` | | Email sender | `sender:*@external.com` |
| `recipient` | | Email recipient | `recipient:ceo@company.com` |

Network:

| Field | Alias | Description | Example |
|---|---|---|---|
| `originIp` | `src_ip`, `origin_ip` | Source IP address | `src_ip:192.168.1.*` |
| `impactedIp` | `dst_ip`, `impacted_ip` | Destination IP address | `dst_ip:10.0.0.5` |
| `originPort` | `src_port` | Source port | `src_port:445` |
| `impactedPort` | `dst_port` | Destination port | `dst_port:3389` |
| `originHostName` | `host`, `src_host` | Source hostname | `host:WKS-*` |
| `impactedHostName` | `dst_host` | Destination hostname | `dst_host:DC01` |
| `protocolName` | `protocol` | Protocol | `protocol:SMB` |
| `directionName` | `direction` | Traffic direction | `direction:outbound` |

Event Classification:

| Field | Alias | Description | Example |
|---|---|---|---|
| `commonEventName` | `event`, `event_type` | Event type | `event:*Logon*` |
| `msgClassName` | `classification` | Classification | `classification:Authentication` |
| `vendorMessageId` | `event_id` | Event ID (Windows, etc.) | `event_id:4625` |
| `action` | | Action taken | `action:blocked` |
| `status` | | Event status | `status:failure` |
| `result` | | Result | `result:denied` |
| `priority` | | Log priority | `priority:high` |
| `severity` | | Severity level | `severity:critical` |

Process & Endpoint:

| Field | Alias | Description | Example |
|---|---|---|---|
| `process` | | Process name | `process:powershell.exe` |
| `parentProcessName` | `parent_process` | Parent process | `parent_process:cmd.exe` |
| `command` | | Command line | `command:*-encodedcommand*` |
| `application` | | Application name | `application:Microsoft Office` |
| `object` | | Object accessed | `object:*password*` |
| `hash` | | File hash | `hash:44d88612fea8a8f36de82e12` |

Geolocation:

| Field | Alias | Description | Example |
|---|---|---|---|
| `originLocationName` | `country` | Source location/country | `country:Russia` |
| `impactedLocationName` | `impacted_country` | Destination location | `impacted_country:China` |
| `originCountry` | | Source country (derived) | `originCountry:France` |
| `entityName` | `entity` | LogRhythm entity | `entity:*London*` |

Log Source:

| Field | Alias | Description | Example |
|---|---|---|---|
| `logSourceName` | `log_source` | Log source name | `log_source:*Firewall*` |
| `msgSourceTypeName` | `log_source_type` | Source type | `log_source_type:*Windows*` |

Threat & Security:

| Field | Alias | Description | Example |
|---|---|---|---|
| `threatName` | `threat` | Threat name | `threat:*Trojan*` |
| `cve` | | CVE identifier | `cve:CVE-2024-*` |
| `mpeRuleName` | `rule` | MPE rule name | `rule:*brute*` |
| `url` | | URL | `url:*malicious.com*` |
| `userAgent` | `user_agent` | User agent string | `user_agent:*curl*` |

Advanced Patterns

Combining multiple conditions:

login:admin AND event_id:4625 AND originIp:192.168.*

OR groups with exclusions:

(login:admin OR login:administrator) AND NOT originIp:10.0.0.*

Multiple field exclusions:

event_id:4624 -login:SYSTEM -login:$* -login:DWM-*

Command line hunting (auto-detected literal search):

c:\windows\system32\cmd.exe /c whoami

Quoted exact match for fields with special characters:

command:"powershell -enc JABjAGwA"
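Added example (not RhythmX code and not from this guide): a small Python evaluator for the syntax above. It parses `field:value` terms with `*`/`?` wildcards, `AND`/`OR`/`NOT`/`-`, parenthesised groups and quoted phrases, resolves a subset of the friendly aliases, and tests the query against an event held as a dict, so a hunt query can be checked against sample events before it is run. The `ALIASES` map, the event dict layout, the `message` key for free text and the case-insensitive matching are assumptions, not documented product behaviour.

```python
import fnmatch
import re
# Friendly alias -> raw field name (a subset of the Field Names tables above).
ALIASES = {"user": "login", "src_ip": "originIp", "dst_ip": "impactedIp",
           "dst_port": "impactedPort", "host": "originHostName",
           "event_id": "vendorMessageId", "parent_process": "parentProcessName"}
# Tokens: parens, "quoted phrase", or a term (optionally field:"quoted value").
TOKEN = re.compile(r'\(|\)|"[^"]*"|[^\s()"]+(?:"[^"]*")?')

def parse(query):
    """Recursive-descent parse into a tuple AST; precedence: OR < AND (default) < NOT."""
    toks = TOKEN.findall(query)
    peek = lambda: toks[0].upper() if toks else None
    def expr():                      # a OR b
        left = term()
        while peek() == "OR":
            toks.pop(0); left = ("or", left, term())
        return left
    def term():                      # a AND b, or just "a b" (AND is the default)
        left = unary()
        while peek() not in (None, ")", "OR"):
            if peek() == "AND": toks.pop(0)
            left = ("and", left, unary())
        return left
    def unary():                     # NOT x, -x, (group) or a single atom
        t = toks.pop(0)
        if t.upper() == "NOT": return ("not", unary())
        if t.startswith("-") and len(t) > 1: return ("not", atom(t[1:]))
        if t == "(":
            node = expr(); toks.pop(0); return node   # drop the closing ")"
        return atom(t)
    def atom(t):
        if t == "*": return ("all",)
        f, sep, v = t.partition(":")
        if sep and re.fullmatch(r"[A-Za-z_]\w+", f):  # "c:\cmd.exe" stays literal text
            return ("field", ALIASES.get(f, f), v.strip('"'))
        return ("text", t.strip('"'))
    return expr()

def matches(node, event):
    """Evaluate an AST against one event dict; * and ? wildcards via fnmatch."""
    kind = node[0]
    if kind == "all": return True
    if kind == "not": return not matches(node[1], event)
    if kind == "and": return matches(node[1], event) and matches(node[2], event)
    if kind == "or": return matches(node[1], event) or matches(node[2], event)
    if kind == "field":  # assumption: case-insensitive, as on an analyzed text field
        return fnmatch.fnmatchcase(str(event.get(node[1], "")).lower(), node[2].lower())
    return node[1].lower() in str(event.get("message", "")).lower()
```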

Timeframe Options

| Option | Typical use |
|---|---|
| Last 15 minutes | Most recent events |
| Last 1 hour | Short-term investigation |
| Last 4 hours | Shift-based review |
| Last 12 hours | Half-day review |
| Last 24 hours | Full day |
| Today | Since midnight |
| Yesterday | Midnight to midnight |
| Last 7 days | Weekly review |
| Last 30 days | Monthly compliance |
| Last 90 days | Quarterly audit |
| Custom | Any date range |

Threat Hunting Scenarios

1. Brute Force Attack Detection

MITRE ATT&CK: T1110 — Brute Force

What to look for: High volume of failed authentication events from the same source.

Queries:

event_id:4625
Windows failed logon events.

event_id:4625 AND login:admin*
Failed logons targeting admin accounts.

event_id:4625 AND originIp:192.168.1.50
Failed logons from a specific IP.

event_id:4625 AND NOT login:$* AND NOT login:SYSTEM
Failed logons excluding machine accounts and SYSTEM.

What to do: Check if the same source IP has many failures followed by a success (4624). Filter by 15m or 1h timeframe to see the burst.


2. Password Spraying

MITRE ATT&CK: T1110.003 — Password Spraying

What to look for: One IP trying the same password against many accounts.

Queries:

event_id:4625 AND status:*0xc000006d*
Bad password attempts (status code 0xc000006d).

event_id:4625 AND originIp:10.* AND NOT login:$*
Internal failed logons (potential insider).

Tip: Use the Top Users widget to see which accounts are being targeted. If many accounts fail from the same IP in a short window, it's a spray.


3. Lateral Movement

MITRE ATT&CK: T1021 — Remote Services

What to look for: A user authenticating to multiple hosts in a short time.

Queries:

event_id:4624 AND logonType:3
Network logons (type 3 = remote authentication).

event_id:4624 AND logonType:3 AND login:john.doe
Specific user's remote logons.

event_id:4624 AND logonType:10
RDP logons (type 10).

impactedPort:445 AND directionName:outbound
SMB connections (file share / lateral movement).

impactedPort:3389 AND originIp:10.*
Internal RDP connections.

impactedPort:5985 OR impactedPort:5986
WinRM/PowerShell remoting connections.

Tip: Use 1h or 4h timeframe. Check the Top Impacted Hosts widget — if one user touches 5+ hosts, investigate.
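The three aggregations the tips in scenarios 1 to 3 describe (many failures from one source IP followed by a 4624, one IP failing against many accounts, one user reaching 5+ hosts in a window), as an added Python example with constructed sample events; it is not RhythmX code and not part of this guide. The event dict keys (`time`, `event_id`, `login`, `originIp`, `impactedHostName`, `status`, `logonType`), the window sizes and the thresholds are assumptions you would tune to your environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta
def bursts(events, key_field, distinct_field, window):
    """Per key: max events and max distinct values inside any sliding window."""
    groups = defaultdict(list)
    for e in events:
        groups[e[key_field]].append(e)
    def burst(evs):
        evs.sort(key=lambda e: e["time"])
        best_n = best_d = 0
        for i, start in enumerate(evs):
            inside = [e for e in evs[i:] if e["time"] - start["time"] <= window]
            best_n = max(best_n, len(inside))
            best_d = max(best_d, len({e[distinct_field] for e in inside}))
        return best_n, best_d
    return {key: burst(evs) for key, evs in groups.items()}

def brute_force(events, window=timedelta(minutes=15), min_failures=10):
    """Scenario 1: many 4625s from one IP inside the window, then a 4624 from it."""
    fails = [e for e in events if e["event_id"] == 4625]
    hits = {}
    for ip, (n, _) in bursts(fails, "originIp", "login", window).items():
        fail_times = [e["time"] for e in fails if e["originIp"] == ip]
        success = any(e["event_id"] == 4624 and e["originIp"] == ip and
                      any(timedelta(0) <= e["time"] - f <= window for f in fail_times)
                      for e in events)
        if n >= min_failures:
            hits[ip] = {"failures": n, "followed_by_success": success}
    return hits

def password_spray(events, window=timedelta(minutes=15), min_accounts=10):
    """Scenario 2: bad-password 4625s (status 0xc000006d) from one IP against many accounts."""
    fails = [e for e in events if e["event_id"] == 4625 and e["status"] == "0xc000006d"]
    return {ip: d for ip, (_, d) in bursts(fails, "originIp", "login", window).items() if d >= min_accounts}

def lateral_movement(events, window=timedelta(hours=1), min_hosts=5):
    """Scenario 3: type-3 network logons by one user to many distinct hosts."""
    net = [e for e in events if e["event_id"] == 4624 and e["logonType"] == 3]
    return {u: d for u, (_, d) in bursts(net, "login", "impactedHostName", window).items() if d >= min_hosts}

def sample_events():  # constructed sample telemetry, not real data
    t0 = datetime(2024, 1, 1, 9, 0)
    def ev(m, login, ip, host="DC01", eid=4625):
        return {"time": t0 + timedelta(minutes=m), "event_id": eid, "login": login,
                "originIp": ip, "impactedHostName": host, "status": "0xc000006d", "logonType": 3}
    evs = [ev(m, "admin", "192.168.1.50") for m in range(12)]        # 12 failures ...
    evs.append(ev(12, "admin", "192.168.1.50", eid=4624))             # ... then a success
    evs += [ev(m, f"user{m:02d}", "10.0.0.7") for m in range(11)]      # 11 accounts sprayed
    evs += [ev(5 * m, "john.doe", "10.0.0.9", host=f"SRV{m:02d}", eid=4624) for m in range(6)]
    return evs
```

The spray source also trips the failure-count burst; the distinct-account count and the `followed_by_success` flag are what separate the two cases.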


4. PowerShell Abuse

MITRE ATT&CK: T1059.001 — PowerShell

What to look for: Encoded commands, download cradles, suspicious cmdlets.

Queries:

process:powershell*
All PowerShell activity.

process:powershell* AND command:*-enc*
Encoded PowerShell commands (common in malware).

process:powershell* AND command:*downloadstring*
Download cradle — fetching code from the internet.

process:powershell* AND command:*invoke-expression*
Dynamic code execution (IEX).

process:powershell* AND command:*bypass*
Execution policy bypass attempts.

process:powershell* AND command:*-nop* AND command:*-w hidden*
Hidden PowerShell window (living off the land).

Tip: Switch widget to Top Commands to see the full command lines.


5. Credential Dumping

MITRE ATT&CK: T1003 — OS Credential Dumping

What to look for: Known credential dumping tools or access to sensitive processes.

Queries:

process:*mimikatz* OR process:*procdump* OR process:*sekurlsa*
Known credential dumping tools.

process:*lsass* AND NOT process:lsass.exe
Tools accessing LSASS (credential storage process).

event_id:4656 AND objectName:*SAM*
Access to SAM database (password hashes).

event_id:4662 AND objectName:*Directory Service*
DCSync — replicating Active Directory credentials.

event_id:4672 AND login:* AND NOT login:SYSTEM AND NOT login:$*
Special privilege assignment to non-system accounts.


6. Persistence Mechanisms

MITRE ATT&CK: T1053 — Scheduled Task/Job, T1547 — Boot/Logon Autostart

What to look for: New scheduled tasks, services, or registry autorun entries.

Queries:

event_id:4698
Scheduled task created.

event_id:4702
Scheduled task updated.

event_id:7045
New service installed.

event_id:4657 AND objectName:*Run*
Registry Run key modification (autostart).

process:schtasks* AND command:*/create*
Scheduled task creation via command line.

process:sc.exe AND command:*create*
Service creation via command line.


7. Defense Evasion

MITRE ATT&CK: T1562 — Impair Defenses

What to look for: Security tools being disabled, logs being cleared.

Queries:

event_id:1102
Windows Security event log cleared.

event_id:104
System event log cleared.

process:*netsh* AND command:*advfirewall*
Firewall rule modifications.

command:*Set-MpPreference* AND command:*-DisableRealtimeMonitoring*
Windows Defender disabled via PowerShell.

process:*wevtutil* AND command:*cl*
Event log clearing via wevtutil.


8. Data Exfiltration

MITRE ATT&CK: T1048 — Exfiltration Over Alternative Protocol

What to look for: Large data transfers, unusual outbound connections.

Queries:

directionName:outbound AND impactedPort:443
HTTPS outbound connections (common for exfiltration).

directionName:outbound AND NOT impactedPort:80 AND NOT impactedPort:443
Non-standard outbound connections.

protocolName:DNS AND originIp:10.*
DNS traffic from internal hosts (look for DNS tunneling).

directionName:outbound AND impactedPort:53
Direct DNS queries (bypassing corporate DNS).

Tip: Sort by bytes out to find the largest transfers.


9. Living Off the Land (LOLBins)

MITRE ATT&CK: T1218 — System Binary Proxy Execution

What to look for: Legitimate Windows tools used for malicious purposes.

Queries:

process:certutil* AND command:*urlcache*
Certutil downloading files from the internet.

process:mshta* AND command:*http*
MSHTA executing remote scripts.

process:bitsadmin* AND command:*/transfer*
BITS transfer downloading files.

process:regsvr32* AND command:*/s /n /u*
Regsvr32 proxy execution (Squiblydoo).

process:rundll32* AND command:*javascript*
Rundll32 executing script code.

process:wmic* AND command:*process call create*
WMIC creating processes remotely.

process:msiexec* AND command:*http*
MSI installer from remote URL.


10. Ransomware Indicators

MITRE ATT&CK: T1486 — Data Encrypted for Impact

What to look for: Volume shadow copy deletion, mass file encryption indicators.

Queries:

process:vssadmin* AND command:*delete shadows*
Shadow copy deletion (ransomware pre-encryption).

process:bcdedit* AND command:*recoveryenabled no*
Boot recovery disabled.

process:wbadmin* AND command:*delete catalog*
Backup catalog deletion.

command:*cipher /w*
Cipher wiping deleted file data.

process:icacls* AND command:*/grant Everyone*
Permission changes for mass access.


11. Reconnaissance

MITRE ATT&CK: T1087 — Account Discovery, T1018 — Remote System Discovery

What to look for: Internal scanning, enumeration commands.

Queries:

process:net.exe AND command:*user /domain*
Domain user enumeration.

process:net.exe AND command:*group "Domain Admins"*
Domain admin enumeration.

process:nltest* AND command:*/dclist*
Domain controller discovery.

process:nslookup* OR process:ping.exe OR process:tracert*
Network reconnaissance.

process:arp.exe AND command:*-a*
ARP table discovery.

process:systeminfo*
System information gathering.


12. Golden Ticket / Kerberos Attacks

MITRE ATT&CK: T1558.001 — Golden Ticket

What to look for: Kerberos ticket anomalies, TGT manipulation.

Queries:

event_id:4768 AND status:*0x0*
Successful Kerberos TGT requests.

event_id:4769 AND NOT login:$*
Service ticket requests from non-machine accounts.

event_id:4771
Kerberos pre-authentication failed.

event_id:4769 AND impactedHostName:krbtgt
KRBTGT service ticket (potential golden ticket).


Hunting Workflow

Step 1: Start Broad

Begin with a wide timeframe (7d or 30d) and a general query like event_id:4625 to understand the volume.

Step 2: Use Widgets

Check the Top Users, Top Source IPs, and Top Hosts widgets to identify patterns.

Step 3: Narrow Down

Add filters using the field panel or click values in widgets to drill down.

Step 4: Check Timeline

Look for spikes in the timeline — unusual bursts often indicate automated attacks.

Step 5: Pivot

Once you find a suspicious actor, pivot to the RhythmX Investigator to see their full activity timeline across all log sources.

Step 6: Export

Export the results for evidence or reporting. Use Export to Server for large datasets (millions of rows).


Quick Reference Card

```text
# Find all failed logins in the last hour
event_id:4625                                     timeframe: 1h

# Exclude service accounts
event_id:4625 -login:$* -login:SYSTEM

# Lateral movement via RDP
event_id:4624 AND logonType:10                    timeframe: 4h

# PowerShell encoded commands
process:powershell* AND command:*-enc*            timeframe: 24h

# Suspicious scheduled tasks
event_id:4698 OR event_id:4702                    timeframe: 7d

# Shadow copy deletion (ransomware)
process:vssadmin* AND command:*delete*            timeframe: 1h

# Large outbound transfers
directionName:outbound                            sort: bytes_out desc

# All activity from a specific user
login:john.doe                                    timeframe: 30d
```

For more information, see RhythmX Hunt for interface details and Risk Scoring Model for how risk is calculated.