Behind the Scenes: The Daily Grind of Threat Hunter

Kostas
7 min readNov 29, 2023

I recently shared a command on Twitter and asked folks if they thought this was something fishy. I want to take this opportunity to walk you through the steps that a threat hunter takes in day-to-day operations. This includes formulating a hypothesis, developing a query, and conducting an investigation.

Below is the poll I shared on Twitter and the final results that show the majority of people who thought this activity was malicious.

The command:
"cmd.exe" /d /c "C:\Users\<user>\AppData\Roaming\cmk.exe /d /c whoami"

In the comments, most people shared that the command and the surrounding context could be malicious and warranted a closer look. Although I wrote up a detailed response highlighting the steps I took to investigate this, I decided to document everything through a blog post so everyone could use it as a reference, as not everyone has a Twitter account.

--

--

Kostas

I am a security researcher. My interests lie in #ThreatIntel, #malware, #IR & #Threat_Hunting. I either post here or at http://thedfirreport.com/