ClaudeWave
Skill · 72 repo stars · updated 11d ago

Threat Hunting & IOC Analysis

IOC extraction, threat intelligence correlation, MITRE ATT&CK mapping, hunt hypothesis generation, and detection rule creation

Install in Claude Code

```bash
git clone --depth 1 https://github.com/Masriyan/Claude-Code-CyberSecurity-Skill /tmp/threat-hunting-ioc-analysis && cp -r /tmp/threat-hunting-ioc-analysis/skills/06-threat-hunting ~/.claude/skills/threat-hunting-ioc-analysis
```

Then open a new Claude Code session; the skill loads automatically.

SKILL.md

# Threat Hunting & IOC Analysis

## Purpose

Enable Claude to assist threat hunters with proactive threat detection, IOC extraction and normalization, MITRE ATT&CK mapping, hunt hypothesis generation, and converting threat intelligence into actionable detection rules: Sigma, plus native queries for the SIEMs listed under Prerequisites (Splunk, Elastic, QRadar, Microsoft Sentinel).

---

## Activation Triggers

This skill activates when the user asks about:
- Extracting IOCs from threat reports, emails, or security advisories
- Mapping behaviors or TTPs to MITRE ATT&CK framework
- Generating hunt hypotheses for a specific threat actor or technique
- Creating Sigma rules, Splunk SPL queries, KQL, or EQL
- Converting threat intelligence into SIEM detection queries
- STIX/TAXII or MISP-compatible indicator formatting
- ATT&CK Navigator layer creation
- Threat intelligence correlation across multiple sources
- Proactive threat hunting in a SIEM or EDR

---

## Prerequisites

```bash
pip install requests pyyaml stix2 taxii2-client
```

**Optional platforms:**
- MISP — Threat intelligence sharing platform
- OpenCTI — Threat intelligence platform
- YARA — Pattern matching (→ Skill 05)
- Sigma CLI — Rule conversion tool
- SIEM access (Splunk, Elastic, QRadar, Microsoft Sentinel)

---

## Core Capabilities

### 1. IOC Extraction & Normalization

**When the user provides a threat report, article, email, or log snippet:**

Claude performs these extraction steps:

1. **Parse all text** for indicators using pattern matching:

| IOC Type | Pattern Examples |
|----------|----------------|
| IPv4 | `192.0.2.1`, defanged: `192[.]0[.]2[.]1` |
| IPv6 | `2001:db8::1` |
| Domain | `evil.example.com`, `evil[.]example[.]com` |
| URL | `hxxp://evil.com/path`, `https://malicious[.]io/c2` |
| Email | `attacker@evil.com`, `phish[at]evil.com` |
| MD5 | 32 hex chars |
| SHA1 | 40 hex chars |
| SHA256 | 64 hex chars |
| CVE | `CVE-2024-XXXXX` |
| ATT&CK ID | `T1059.001`, `TA0001` |
| Registry Key | `HKCU\Software\...` |
| File path | `C:\Windows\Temp\...`, `/tmp/...` |
| Mutex | Named mutex patterns |

2. **Refang extracted indicators** so they match raw log data (reports defang them so nobody clicks or resolves them by accident; defang again before the IOCs go into a ticket, chat message or shared report):
   - `hxxp://` → `http://`
   - `[.]` → `.`
   - `[at]` → `@`
   - `[:]` → `:`

3. **Categorize by type**: Network / File / Host / Identity / Vulnerability

4. **Score by confidence**: High (specific, sourced), Medium (inferred), Low (generic)

5. **Output in multiple formats**:

```bash
python scripts/ioc_extractor.py --input threat_report.txt --output iocs.json
python scripts/ioc_extractor.py --input report.pdf --format stix --output iocs.stix.json
python scripts/ioc_extractor.py --input email.eml --defang --output iocs.csv
```

**STIX 2.1 indicator template** (`spec_version` and `modified` are required on every STIX 2.1 object; `indicator_types` carries the open vocabulary that `labels` held in 2.0, and `labels` is now free-form):
```json
{
  "type": "indicator",
  "spec_version": "2.1",
  "id": "indicator--[uuid]",
  "created": "2025-05-28T00:00:00.000Z",
  "modified": "2025-05-28T00:00:00.000Z",
  "name": "Malicious IP — C2 Infrastructure",
  "pattern": "[ipv4-addr:value = '192.0.2.10']",
  "pattern_type": "stix",
  "valid_from": "2025-05-28T00:00:00Z",
  "indicator_types": ["malicious-activity"],
  "labels": ["c2"],
  "confidence": 85
}
```

### 2. MITRE ATT&CK Mapping

**When the user provides TTPs, behaviors, or a malware report:**

```bash
python scripts/mitre_mapper.py --input techniques.txt --output attack_map.json
python scripts/mitre_mapper.py --technique T1059.001 --detection-query splunk
```

**Mapping process:**

1. Analyze each behavior against ATT&CK technique descriptions
2. Map to specific Tactic → Technique → Sub-technique (T1059 → T1059.001)
3. Assign confidence level based on evidence quality

**ATT&CK Tactics Reference:**
| Tactic | ID | Description |
|--------|----|-------------|
| Reconnaissance | TA0043 | Pre-attack information gathering |
| Resource Development | TA0042 | Establishing attack resources |
| Initial Access | TA0001 | Entry into target environment |
| Execution | TA0002 | Running malicious code |
| Persistence | TA0003 | Maintaining foothold |
| Privilege Escalation | TA0004 | Gaining higher permissions |
| Defense Evasion | TA0005 | Avoiding detection |
| Credential Access | TA0006 | Stealing credentials |
| Discovery | TA0007 | Understanding environment |
| Lateral Movement | TA0008 | Moving through network |
| Collection | TA0009 | Gathering data of interest |
| Command & Control | TA0011 | Communicating with compromised hosts |
| Exfiltration | TA0010 | Stealing data |
| Impact | TA0040 | Disrupting/destroying systems |

**ATT&CK Navigator Layer format** (JSON for visualization):
```json
{
  "name": "Threat Hunt Layer — [Threat Actor/Campaign]",
  "versions": {"attack": "14", "navigator": "4.9", "layer": "4.5"},
  "domain": "enterprise-attack",
  "techniques": [
    {
      "techniqueID": "T1059.001",
      "color": "#ff6666",
      "comment": "Observed PowerShell download cradle",
      "enabled": true,
      "score": 100
    }
  ]
}
```
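Generating a layer like the one above from real hunt findings rather than by hand, as an added example that is not part of the skill. Beyond the fields in the template it uses the `gradient`, `legendItems`, `layout` and `showSubtechniques` keys of the published layer format 4.5; the observations are constructed, and the confidence weights (high 3, medium 2, low 1) are this example's own convention for turning evidence into the 0 to 100 `score`.

```python
"""Build an ATT&CK Navigator layer from scored hunt observations. Added example."""
import json
import re
from collections import defaultdict

# Technique or sub-technique IDs only; tactic IDs such as TA0002 have no cell in the matrix.
TECHNIQUE_ID = re.compile(r"^T\d{4}(?:\.\d{3})?$")
CONFIDENCE_WEIGHT = {"high": 3, "medium": 2, "low": 1}   # this example's convention

# Constructed hunt observations: (technique, what was seen, evidence confidence).
OBSERVATIONS = [
    ("T1059.001", "PowerShell download cradle spawned by winword.exe", "high"),
    ("T1059.001", "Encoded PowerShell launched from a scheduled task", "high"),
    ("T1053.005", "schtasks.exe registering 'Updater' in user context", "medium"),
    ("T1021.001", "Logon type 10 from a workstation to a server", "low"),
    ("T1071.001", "Fixed-interval HTTPS beacon to update.evil-cdn.example", "high"),
    ("TA0002", "Execution tactic noted in report; not a technique", "high"),
]

def score_observations(observations):
    """Sum confidence weights per technique, scale to 0-100 and collect comments.

    Returns (scored, rejected): scored maps ID -> (score, [comments]);
    rejected lists IDs that are not well-formed technique IDs."""
    weights, comments, rejected = defaultdict(int), defaultdict(list), []
    for tid, comment, confidence in observations:
        if not TECHNIQUE_ID.match(tid):
            rejected.append(tid)
            continue
        weights[tid] += CONFIDENCE_WEIGHT[confidence]
        comments[tid].append(comment)
    top = max(weights.values(), default=1)
    scored = {tid: (round(100 * w / top), comments[tid]) for tid, w in weights.items()}
    return scored, rejected

def build_layer(name, observations, attack_version="14"):
    scored, rejected = score_observations(observations)
    cells = {}
    for tid, (score, notes) in scored.items():
        cells[tid] = {"techniqueID": tid, "score": score, "enabled": True,
                      "comment": "; ".join(notes), "showSubtechniques": False}
    # A scored sub-technique stays hidden unless its parent is expanded, so add or
    # flag the parent cell. Parents that were not themselves observed get no score.
    for tid in list(scored):
        if "." in tid:
            parent = tid.split(".")[0]
            cells.setdefault(parent, {"techniqueID": parent, "enabled": True,
                                      "comment": "expanded to show scored sub-techniques"})
            cells[parent]["showSubtechniques"] = True
    return {
        "name": name,
        "versions": {"attack": attack_version, "navigator": "4.9", "layer": "4.5"},
        "domain": "enterprise-attack",
        "description": (f"{len(scored)} techniques from "
                        f"{len(observations) - len(rejected)} observations; "
                        f"rejected IDs: {', '.join(rejected) or 'none'}"),
        "techniques": [cells[k] for k in sorted(cells)],
        "gradient": {"colors": ["#ffe766", "#ff6666"], "minValue": 0, "maxValue": 100},
        "legendItems": [{"label": "score = summed evidence weight (high 3, medium 2, low 1), scaled to 100",
                         "color": "#ff6666"}],
        "layout": {"layout": "side", "aggregateFunction": "max",
                   "showAggregateScores": True, "showID": True, "showName": True},
        "hideDisabled": False,
    }

if __name__ == "__main__":
    print(json.dumps(build_layer("Threat Hunt Layer: constructed campaign", OBSERVATIONS), indent=2))
```

Save the printed JSON and open it with Navigator's "Open Existing Layer" to review; the rejected-ID list in `description` is the quick check that nothing from the report was silently dropped.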

### 3. Hunt Hypothesis Generation

**When the user asks for hunt hypotheses:**

Use this structured hypothesis template:

```markdown
## Hunt Hypothesis — [ID]: [Short Name]

**Hypothesis Statement:**
"We believe [Threat Actor/TTPs] may be present in [Environment] based on
[Threat Intelligence / Recent Incidents / Industry Reports]."

**Rationale:**
[Why this threat is relevant to this organization — industry, exposure, recent news]

**ATT&CK Techniques Covered:**
- T1059.001 — Command and Scripting Interpreter: PowerShell
- T1053.005 — Scheduled Task/Job: Scheduled Task
- T1021.001 — Remote Services: Remote Desktop Protocol

**Data Sources Required:**
- Windows Event Logs (Security, System, and Microsoft-Windows-PowerShell/Operational Event ID 4104 script block logging)
- EDR process execution telemetry
- DNS query logs
- Proxy/firewall logs

**Detection Logic:**
[SIEM query or pseudocode]

**Success Criteria:**
- POSITIVE: We find evidence of the technique → escalate to IR (Skill 07)
- NEGATIVE: No evidence after thorough search → document as cleared hunt
- INCONCLUSIVE: Insufficient data → identify logging gaps

**Estimated Hunt Duration:** [X hours]
**Priority:** [High / Medium / Low]
**Analyst:** [Name]
```

### 4. SIEM Detection Query Library

**When the user asks to build detection queries for specific techniques:**

#### Splunk SPL Queries

```spl