100+ Free ATT&CK Threat Hunting Practice Questions

Explanation: TTP-based threat hunting is a proactive discipline that uses adversary Tactics, Techniques, and Procedures—structured within the ATT&CK framework—as the model to guide searches for malicious activity before alerts fire. It is fundamentally different from reactive alert triage because it starts from adversary behavior knowledge rather than waiting for detection systems to trigger.

Explanation: The six-step methodology begins by identifying and prioritizing adversary behaviors from ATT&CK (step 1), followed by developing hypotheses that articulate what malicious activity would look like in the environment (step 2). Hypotheses must be grounded in specific behaviors before data requirements and analytics can be properly shaped.

Explanation: In ATT&CK, Tactics represent the adversary's high-level goal or 'why'—for example, Persistence, Privilege Escalation, or Lateral Movement. Techniques describe 'how' the adversary achieves that goal. Procedures are the specific, observed implementations of a technique. Sub-techniques add granularity below the technique level.

Explanation: ATT&CK Groups pages document specific tracked threat actor groups and map each group to the techniques and software they have been observed using in real intrusions. This is the primary resource for building a group-specific hunting priority list. Navigator can visualize those group layers, but the underlying data lives in the Groups pages.

Explanation: A well-formed hunt hypothesis must be a specific and testable statement that describes observable adversary behavior tied to ATT&CK technique(s). This gives the hunt a clear success criterion: you are either finding evidence of that behavior or ruling it out. Vague hypotheses lead to unfocused hunts; hypotheses based on current alerts are reactive, not proactive.

Explanation: An abstract analytic is a technology-agnostic statement describing what observable data would indicate that a hypothesized adversary behavior occurred. It sits between the hypothesis and the concrete rule implementation, acting as a bridge that captures the detection logic without binding it to a specific tool. This allows the logic to be translated into Splunk SPL, Sigma, EQL, or any other query language later.

Explanation: ATT&CK Data Sources catalog the telemetry types—such as Process Creation, Network Traffic, Windows Registry, or File Modification—that are required to detect a given technique. During the data-requirements step, hunters map their hypothesized techniques to these data sources to determine what must be collected and to identify gaps where required telemetry is missing.

Explanation: A visibility gap occurs when the telemetry required to detect a specific adversary technique is not being collected. In this case, the absence of PowerShell script block logging (Event ID 4104) means the hunter cannot see obfuscated PowerShell content, creating a blind spot for T1059.001 detections. Identifying gaps is step 4 of the six-step methodology.

Explanation: Sysmon Event ID 1 (Process Create) captures rich process creation telemetry including the full command line, parent process, hashes, and user context. It is the primary Sysmon data source for detecting execution techniques in ATT&CK such as T1059 (Command and Scripting Interpreter) sub-techniques. Event ID 3 is Network Connection, Event ID 7 is Image Loaded, and Event ID 11 is File Created.

Explanation: After developing a hypothesis, the next step in the MAD20 methodology is to create an abstract analytic—a technology-agnostic description of what data and patterns would constitute evidence of the hypothesized behavior. This precedes defining concrete data requirements, implementing specific detection logic, and executing the hunt.