{"id":21543,"date":"2026-06-10T12:49:40","date_gmt":"2026-06-10T12:49:40","guid":{"rendered":"https:\/\/any.run\/cybersecurity-blog\/?p=21543"},"modified":"2026-06-10T13:32:10","modified_gmt":"2026-06-10T13:32:10","slug":"threat-hunting-practical-usecases","status":"publish","type":"post","link":"https:\/\/any.run\/cybersecurity-blog\/threat-hunting-practical-usecases\/","title":{"rendered":"Intelligence-Driven Threat Hunting: How SOCs Find What Alerts Miss"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\">Talk to any threat hunter long enough, and beneath the polished case studies and conference talks, the same frustrations surface. Hunting is supposed to be proactive. In practice, it often feels reactive. You are chasing whispers of activity through log noise, querying SIEM fields that barely reflect real attacker&nbsp;behavior&nbsp;and writing detections against technique descriptions that were never meant to be operationalized directly.&nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The challenge is not that analysts lack skill. Most hunting teams are sharp, methodical, and deeply familiar with attacker playbooks. The real friction is structural: the intelligence feeding&nbsp;hunts&nbsp;is often stale, decontextualized, or missing the behavioral granularity needed to write anything more than a broad, noisy detection.&nbsp;<\/p>\n\n\n\n<figure class=\"wp-block-pullquote has-text-align-left\"><blockquote><p><strong>The core tension<\/strong>\u00a0<\/p><cite>Threat hunting is a high-skill, time-intensive activity that justifies itself by finding what automated systems miss. But when the intelligence inputs are\u00a0low-fidelity, even the most skilled hunters spend\u00a0the majority of\u00a0their time generating work rather than reducing risk.\u00a0<\/cite><\/blockquote><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">MITRE ATT&amp;CK tells you a technique exists. It does not tell you how it behaves in a real attack chain against a real target. 
That gap between abstract TTP and concrete execution behavior is where many hunts quietly die. IOCs arrive stripped of context: you block an IP, a rotated domain from the same campaign lands in your environment three days later, and sails straight through.\u00a0\u00a0<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">And then there is&nbsp;the&nbsp;false-positive problem. Not a technical inconvenience but a morale and process killer. Every alert that turns out to be Outlook talking to a Microsoft licensing server erodes confidence in the detection pipeline.&nbsp;Over-tuned rules miss real threats; under-tuned rules train analysts to discount the queue.&nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">In this article,&nbsp;we&#8217;ll&nbsp;explore how threat intelligence supports core hunting workflows and how ANY.RUN&#8217;s Threat Intelligence solutions help analysts investigate threats with greater speed and confidence.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Key Takeaways<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Threat hunting fails structurally, not skillfully.<\/strong> The bottleneck is intelligence quality. <\/li>\n\n\n\n<li><strong>Behavioral context beats indicators.<\/strong> A single IOC blocked solves nothing if the campaign behind it isn&#8217;t understood. Pivoting from one artifact \u2014 a mutex, a file path, a Suricata tag \u2014 into a full attack chain is what separates hunting from blocklisting. <\/li>\n\n\n\n<li><strong>Hypothesis validation requires real attack data.<\/strong> ATT&amp;CK describes techniques in the abstract. Effective hunting needs to know how a technique behaves in live, active campaigns \u2014 which tools operationalize it, what infrastructure it touches, what artifacts it leaves. <\/li>\n\n\n\n<li><strong>False positives are a strategy problem, not just a noise problem.<\/strong> Every low-fidelity alert that consumes analyst attention is a detection that wasn&#8217;t built right. 
Validating rules against real samples before deployment is the difference between a detection pipeline and a distraction pipeline. <\/li>\n\n\n\n<li><strong>Intelligence layers serve different operational needs.<\/strong> <a href=\"https:\/\/any.run\/threat-intelligence-lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=threat-hunting-practical-usecases&amp;utm_term=100626&amp;utm_content=linktotilookuplanding\" target=\"_blank\" rel=\"noreferrer noopener\">TI Lookup<\/a> drives active investigations; <a href=\"https:\/\/any.run\/threat-intelligence-feeds\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=threat-hunting-practical-usecases&amp;utm_term=100626&amp;utm_content=linktotifeedslanding\" target=\"_blank\" rel=\"noreferrer noopener\">TI Feeds<\/a> keep automated defenses current; TI Reports bridge the gap between raw campaign data and detection engineering or executive briefings. <\/li>\n\n\n\n<li><strong>AI-assisted triage is a force multiplier, not a replacement.<\/strong> Tier 1 reports, AI summaries, and <a href=\"https:\/\/any.run\/features\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=threat-hunting-practical-usecases&amp;utm_term=100626&amp;utm_content=linktosandboxlanding\" target=\"_blank\" rel=\"noreferrer noopener\">sandbox<\/a> recommendations don&#8217;t replace analyst judgment \u2014 they eliminate the translation work between analysis output and operational action, freeing analysts for work that actually requires them. <\/li>\n\n\n\n<li><strong>Hunting ROI is measurable \u2014 if you instrument it correctly.<\/strong> Earlier detection, defense calibrated to active threats, and analyst time redirected to genuine risk: each is quantifiable. Programs that cannot demonstrate these outcomes don&#8217;t lack value \u2014 they lack the intelligence infrastructure to produce it consistently.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">1. 
Hypothesis Validation: Device Code Phishing<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Scenario<\/strong>: A hunter develops a hypothesis: adversaries may be abusing Microsoft&#8217;s Device Code authentication flow to compromise organizational accounts without triggering MFA. The technique is real, but the team needs evidence it is active now and a way to\u00a0identify\u00a0the behavioral signatures that distinguish attacks from legitimate device authorization.\u00a0<br>\u00a0<br><strong>The struggle<\/strong>: Generic queries against authentication logs\u00a0produce\u00a0enormous volume. Without knowing what a malicious device code flow\u00a0actually looks\u00a0like in practice \u2014 which referrer domains\u00a0initiate\u00a0the redirect, which\u00a0PhaaS\u00a0kits are operationalizing the technique, what the email delivery chain looks like \u2014 the team is\u00a0essentially querying\u00a0blind.\u00a0<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>The solution<\/strong>:\u00a0TI Lookup allows the hunter to query the Microsoft device auth endpoint directly and\u00a0immediately\u00a0retrieve sandboxed sessions where the technique is\u00a0observed\u00a0in the wild.\u00a0<br>\u00a0<br><a href=\"https:\/\/intelligence.any.run\/analysis\/lookup?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=threat-hunting-practical-usecases&amp;utm_term=100626&amp;utm_content=linktolookup#%7B%2522query%2522:%2522url:%255C%2522https:\/\/login.microsoftonline.com\/common\/oauth2\/deviceauth?code=*%255C%2522%2522,%2522dateRange%2522:180%7D\" target=\"_blank\" rel=\"noreferrer noopener\">url:&#8221;https:\/\/login.microsoftonline.com\/common\/oauth2\/deviceauth?code=*&#8221;<\/a>\u00a0<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"411\" src=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_1-1024x411.png\" alt=\"\" class=\"wp-image-21551\" 
srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_1-1024x411.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_1-300x120.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_1-768x308.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_1-370x149.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_1-270x108.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_1-740x297.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_1.png 1352w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Sandbox analyses found in TI Lookup<\/em>\u00a0<\/figcaption><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">Sessions are tagged automatically:\u00a0<em>Phishing,\u00a0oauth-ms-phish,\u00a0<\/em>and kit-specific tags like<em>\u00a0Kali365\u00a0<\/em>(a\u00a0PhaaS\u00a0platform specializing in Device Code Phishing).\u00a0<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">We can view any of the analysis sessions, for example: <a href=\"https:\/\/app.any.run\/tasks\/fc973b26-7cc8-4253-a313-1b77ff27f04c\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=threat-hunting-practical-usecases&amp;utm_term=100626&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/app.any.run\/tasks\/fc973b26-7cc8-4253-a313-1b77ff27f04c\/\u00a0<\/a>\u00a0<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The hunter can inspect the full referrer chain:\u00a0<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"204\" src=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_2-1024x204.png\" alt=\"\" class=\"wp-image-21552\" 
srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_2-1024x204.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_2-300x60.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_2-768x153.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_2-370x74.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_2-270x54.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_2-740x148.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_2.png 1108w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Malware\u2019s HTTP requests<\/em>\u00a0<\/figcaption><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">In live cases, the redirect to Microsoft&#8217;s legitimate device auth endpoint originates from external domains, including those with unusual TLDs.\u00a0<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"887\" height=\"1024\" src=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_3-887x1024.png\" alt=\"\" class=\"wp-image-21553\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_3-887x1024.png 887w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_3-260x300.png 260w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_3-768x886.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_3-370x427.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_3-270x312.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_3-740x854.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_3.png 922w\" sizes=\"auto, (max-width: 887px) 100vw, 887px\" 
\/><figcaption class=\"wp-element-caption\"><em>Redirect from .de domain<\/em>\u00a0<\/figcaption><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">Subsequent\u00a0queries can filter by TLD against the device code URL, giving the team a concrete list of suspicious referring domains to feed into SIEM monitoring or block lists.\u00a0<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/intelligence.any.run\/analysis\/lookup?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=threat-hunting-practical-usecases&amp;utm_term=100626&amp;utm_content=linktolookup#%7B%2522query%2522:%2522url:%255C%2522https:\/\/login.microsoftonline.com\/common\/oauth2\/deviceauth%255C%2522%2520and%2520domainName:%255C%2522.de$%255C%2522%2522,%2522dateRange%2522:3%7D\" target=\"_blank\" rel=\"noreferrer noopener\">url:&#8221;https:\/\/login.microsoftonline.com\/common\/oauth2\/deviceauth&#8221; and domainName:&#8221;.de$&#8221;<\/a>\u00a0<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"606\" src=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_4-1024x606.png\" alt=\"\" class=\"wp-image-21555\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_4-1024x606.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_4-300x178.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_4-768x455.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_4-370x219.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_4-270x160.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_4-740x438.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_4.png 1056w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Select domains for 
monitoring in TI Lookup<\/em>\u00a0<\/figcaption><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">For more targeted investigation, the hunter can also query by threat name and file path to retrieve the actual phishing emails (.eml&nbsp;files) used to deliver the&nbsp;initial&nbsp;lure, exposing sender patterns, subject line templates, and infrastructure metadata.&nbsp;<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"813\" src=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_5-1024x813.png\" alt=\"\" class=\"wp-image-21556\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_5-1024x813.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_5-300x238.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_5-768x610.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_5-370x294.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_5-270x214.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_5-740x587.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_5.png 1318w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Email metadata example<\/em>\u00a0<\/figcaption><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Impact:<\/strong>&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Hypothesis\u00a0validated\u00a0against real, live attack data rather than technique abstractions.\u00a0<\/li>\n\n\n\n<li>Concrete IOCs and behavioral signatures ready for SIEM query development.\u00a0<\/li>\n\n\n\n<li>Email metadata exposed for deeper organizational log correlation.\u00a0<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">2. 
Behavioral Pivots: Tracking a Stealer Family via Mutex&nbsp;<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Scenario<\/strong>: A suspicious executable is&nbsp;submitted&nbsp;for analysis and identified as a stealer. The analyst notices a mutex with a hardcoded prefix \u2014 Global\\EVOLUTION \u2014 followed by a randomized suffix. The question is whether this prefix is unique to this malware family and, if so, how widely deployed it is.&nbsp;<br>&nbsp;<br><strong>The struggle<\/strong>: A mutex with a random suffix has no stable IOC value. Standard threat feeds will not carry it. Searching for the full string is guaranteed to miss variants. The behavioral pattern is clearly&nbsp;significant&nbsp;but there is no obvious path from a single sample to campaign-level coverage.&nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>The solution<\/strong>:\u00a0A wildcard query in TI Lookup (<a href=\"https:\/\/intelligence.any.run\/analysis\/lookup?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=threat-hunting-practical-usecases&amp;utm_term=100626&amp;utm_content=linktolookup#%7B%22query%22:%22syncObjectName:%5C%22Global%5C%5C%5C%5CEVOLUTION*%5C%22%22,%22dateRange%22:180%7D\" target=\"_blank\" rel=\"noreferrer noopener\">syncObjectName:&#8221;Global\\\\EVOLUTION*&#8221;<\/a>)\u00a0immediately\u00a0surfaces\u00a0a number of\u00a0additional\u00a0samples sharing the same hardcoded prefix with different randomized tails, confirming the pattern is not incidental but a structural artifact of this malware family.\u00a0<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"559\" height=\"629\" src=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_6.png\" alt=\"\" class=\"wp-image-21559\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_6.png 559w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_6-267x300.png 267w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_6-370x416.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_6-270x304.png 270w\" sizes=\"auto, (max-width: 559px) 100vw, 559px\" \/><figcaption class=\"wp-element-caption\"><em>Malware samples with similar mutexes<\/em>\u00a0<\/figcaption><\/figure>\n<\/div>\n\n\n<p class=\"wp-block-paragraph\">Cross-referencing the mutex results against file path artifacts reveals that affected systems consistently produce a dump archive at <em>C:\\Users\\admin\\AppData\\Local\\Temp\\evo_[random]\\stolen.zip<\/em> \u2014 a second, independent behavioral indicator consistent with stealer activity.\u00a0<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"586\" src=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_7-1024x586.png\" alt=\"\" class=\"wp-image-21561\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_7-1024x586.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_7-300x172.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_7-768x439.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_7-1536x879.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_7-2048x1172.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_7-370x212.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_7-270x154.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_7-740x423.png 740w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>File dropped in malware execution 
chain<\/em>\u00a0<\/figcaption><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">Running the two indicators in OR and AND combinations lets the hunter tune coverage: OR for maximum reach, AND for high-confidence, low-noise detections:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>filePath:&#8221;C:\\\\Users\\\\admin\\\\AppData\\\\Local\\\\Temp\\\\evo_*\\\\stolen.zip&#8221; <strong>OR<\/strong> syncObjectName:&#8221;Global\\\\EVOLUTION*&#8221;<\/li>\n\n\n\n<li>filePath:&#8221;C:\\\\Users\\\\admin\\\\AppData\\\\Local\\\\Temp\\\\evo_*\\\\stolen.zip&#8221; <strong>AND<\/strong> syncObjectName:&#8221;Global\\\\EVOLUTION*&#8221;<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">Starting from a single mutex observation, the hunter has now built a multi-indicator behavioral profile of an entire malware family.&nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Impact:&nbsp;<\/strong>&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Single behavioral artifact expands into full campaign coverage.\u00a0<\/li>\n\n\n\n<li>Multi-indicator\u00a0detection logic developed and\u00a0validated\u00a0before touching production systems.\u00a0<\/li>\n\n\n\n<li>No reliance on stable IOCs \u2014 detection survives malware updates.\u00a0<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">3. Enrichment: Suspicious Domain in an Inbound Email&nbsp;<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Scenario<\/strong>: An email from an unknown sender arrives&nbsp;containing&nbsp;a link to an unfamiliar domain. Standard policy would flag this for review. The analyst needs to&nbsp;determine&nbsp;quickly whether the domain is genuinely malicious or simply unknown, and if malicious, what the full attack chain looks like.&nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>The struggle<\/strong>: WHOIS data&nbsp;shows&nbsp;the domain is recently registered. Passive DNS shows&nbsp;limited&nbsp;history. Reputation feeds return no verdict. 
The analyst has a suspicious&nbsp;domain&nbsp;but no behavioral context \u2014 no sense of what the domain delivers, what it steals, or what infrastructure it connects to.&nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>The solution<\/strong>: The domain search in TI Lookup returns sandbox sessions where the domain has been analyzed.\u00a0<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/intelligence.any.run\/analysis\/lookup?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=threat-hunting-practical-usecases&amp;utm_term=100626&amp;utm_content=linktolookup#%7B%2522query%2522:%2522domainName:%255C%2522miracleplayssystems.com%255C%2522%2522,%2522dateRange%2522:60%7D\" target=\"_blank\" rel=\"noreferrer noopener\">domainName:&#8221;miracleplayssystems.com&#8221;<\/a>\u00a0<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"366\" src=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_8-1024x366.png\" alt=\"\" class=\"wp-image-21562\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_8-1024x366.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_8-300x107.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_8-768x274.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_8-370x132.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_8-270x96.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_8-740x264.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_8.png 1246w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Sandbox sessions with the suspicious domain<\/em>\u00a0<\/figcaption><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">The hunter&nbsp;<a 
href=\"https:\/\/app.any.run\/tasks\/35589fe4-bf01-4842-9d7a-2314e981292b\/\" target=\"_blank\" rel=\"noreferrer noopener\">opens one<\/a>&nbsp;and&nbsp;immediately&nbsp;sees a Microsoft 365 login page clone hosted on the suspicious domain, automatically tagged by ANY.RUN.&nbsp;&nbsp;<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"484\" src=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_9-1024x484.png\" alt=\"\" class=\"wp-image-21564\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_9-1024x484.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_9-300x142.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_9-768x363.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_9-1536x726.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_9-2048x968.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_9-370x175.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_9-270x128.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_9-740x350.png 740w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Malware sample detonated in the sandbox\u00a0<\/em>\u00a0<\/figcaption><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">Suricata network threat detections reveal the specific phishing kit \u2014\u00a0FlowerStorm.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"191\" src=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_10-1024x191.png\" alt=\"\" class=\"wp-image-21565\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_10-1024x191.png 1024w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_10-300x56.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_10-768x144.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_10-1536x287.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_10-370x69.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_10-270x50.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_10-740x138.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_10.png 1766w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>FlowerStorm\u00a0phishkit\u00a0detected<\/em>\u00a0<\/figcaption><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">The rule details expose the exfiltration endpoint:\u00a0\u00a0<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"646\" src=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_11-1024x646.png\" alt=\"\" class=\"wp-image-21566\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_11-1024x646.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_11-300x189.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_11-768x484.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_11-370x233.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_11-270x170.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_11-740x466.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_11.png 1396w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Data exfiltration 
endpoint<\/em>\u00a0<\/figcaption><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">The HTTP tab shows a separate domain to which the stolen credentials are posted:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"374\" src=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_12-1024x374.png\" alt=\"\" class=\"wp-image-21569\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_12-1024x374.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_12-300x110.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_12-768x281.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_12-370x135.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_12-270x99.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_12-740x270.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_12.png 1390w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">The HTTP traffic view makes the data flow explicit: M365 credentials\u00a0submitted\u00a0to the fake login page are\u00a0forwarded\u00a0to infrastructure the attacker controls, not to any Microsoft domain.\u00a0\u00a0<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"242\" src=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_13-1024x242.png\" alt=\"\" class=\"wp-image-21571\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_13-1024x242.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_13-300x71.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_13-768x182.png 768w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_13-370x88.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_13-270x64.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_13-740x175.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_13.png 1336w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>User\u00a0credentials sent to a phishing domain<\/em>\u00a0<\/figcaption><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">This gives the analyst not just a&nbsp;verdict&nbsp;but a full attack chain \u2014 delivery domain, phishing kit identity, exfiltration endpoint \u2014 all from a single lookup.&nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Impact:&nbsp;<\/strong>&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Unknown domain enriched with full attack chain in minutes.\u00a0<\/li>\n\n\n\n<li>Exfiltration infrastructure\u00a0identified\u00a0and added to block lists proactively.\u00a0<\/li>\n\n\n\n<li>Phishing kit attribution enables broader campaign hunting.\u00a0<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">4. Expansion:&nbsp;LOLBin&nbsp;Abuse and Campaign Attribution&nbsp;<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Scenario<\/strong>: An alert\u00a0fires: MSBuild.exe \u2014 a standard Microsoft .NET build\u00a0component\u00a0\u2014 is\u00a0establishing\u00a0a network connection to an unknown IP on a non-standard port.\u00a0This is a textbook living-off-the-land technique, but the specific context (which campaign, which malware family, how widespread) is unknown.\u00a0<br>\u00a0<br><strong>The struggle<\/strong>: MSBuild.exe connecting outbound is not inherently malicious; it is used legitimately in CI\/CD pipelines. 
The challenge is distinguishing targeted abuse from normal build activity and understanding whether the destination IP is part of a broader campaign or an isolated incident.\u00a0<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>The solution<\/strong>:&nbsp;Combining the destination IP with the MSBuild.exe command-line pattern in a TI Lookup query surfaces sessions where the same combination has been&nbsp;observed.&nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/intelligence.any.run\/analysis\/lookup?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=threat-hunting-practical-usecases&amp;utm_term=100626&amp;utm_content=linktolookup#%7B%2522query%2522:%2522destinationIP:%255C%2522212.34.141.103%255C%2522%2520and%2520commandLine:%255C%2522C:%255C%255C%255C%255CWindows%255C%255C%255C%255CMicrosoft.NET%255C%255C%255C%255CFramework64%255C%255C%255C%255Cv*%255C%255C%255C%255CMSBuild.exe%255C%2522%2522,%2522dateRange%2522:90%7D\" target=\"_blank\" rel=\"noreferrer noopener\">destinationIP:&#8221;212.34.141.103&#8243; and commandLine:&#8221;C:\\\\Windows\\\\Microsoft.NET\\\\Framework64\\\\v*\\\\MSBuild.exe&#8221;<\/a>\u00a0<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"243\" src=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_14-1024x243.png\" alt=\"\" class=\"wp-image-21574\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_14-1024x243.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_14-300x71.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_14-768x182.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_14-1536x365.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_14-2048x486.png 2048w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_14-370x88.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_14-270x64.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_14-740x176.png 740w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Sandbox sessions with suspicious activity<\/em>\u00a0<\/figcaption><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">Opening a\u00a0<a href=\"https:\/\/app.any.run\/tasks\/f1d77751-0c64-4f55-a936-f70042b0b547\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=threat-hunting-practical-usecases&amp;utm_term=100626&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\">representative session<\/a>\u00a0shows\u00a0MSBuild.exe\u00a0establishing\u00a0a C2 connection and exfiltrating host reconnaissance data\u00a0\u2014 CPU, OS version, running processes:\u00a0\u00a0<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"79\" src=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_15-1024x79.png\" alt=\"\" class=\"wp-image-21575\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_15-1024x79.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_15-300x23.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_15-768x59.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_15-1536x119.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_15-370x29.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_15-270x21.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_15-740x57.png 740w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_15.png 1760w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"662\" src=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_16-1024x662.png\" alt=\"\" class=\"wp-image-21576\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_16-1024x662.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_16-300x194.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_16-768x497.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_16-370x239.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_16-270x175.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_16-740x479.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_16.png 1302w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Malicious activity in network stream<\/em>\u00a0<\/figcaption><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">The Processes tab in the sandbox shows what user data gets exfiltrated:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"813\" height=\"1024\" src=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_17-813x1024.png\" alt=\"\" class=\"wp-image-21577\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_17-813x1024.png 813w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_17-238x300.png 238w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_17-768x967.png 768w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_17-370x466.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_17-270x340.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_17-740x932.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_17.png 1066w\" sizes=\"auto, (max-width: 813px) 100vw, 813px\" \/><figcaption class=\"wp-element-caption\"><em>Malware stealing user credentials<\/em>\u00a0<\/figcaption><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">A vendor-specific detection tag (rmrlx) links this activity to a named malware family:\u00a0<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/intelligence.any.run\/analysis\/lookup?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=threat-hunting-practical-usecases&amp;utm_term=100626&amp;utm_content=linktolookup#%7B%2522query%2522:%2522threatName:%255C%2522rmrlx%255C%2522%2522,%2522dateRange%2522:90%7D\" target=\"_blank\" rel=\"noreferrer noopener\">threatName:&#8221;rmrlx&#8221;<\/a>\u00a0<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"814\" height=\"454\" src=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_18.png\" alt=\"\" class=\"wp-image-21578\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_18.png 814w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_18-300x167.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_18-768x428.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_18-370x206.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_18-270x151.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_18-740x413.png 740w\" sizes=\"auto, (max-width: 814px) 100vw, 814px\" \/><figcaption 
class=\"wp-element-caption\"><em>Threat description by malware tag lookup<\/em>\u00a0<\/figcaption><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">Pivoting on that tag reveals associated infrastructure across multiple IP addresses and exposes the threat actor group responsible \u2014 Colombian Smugglers \u2014 which uses SVG smuggling as a delivery mechanism and\u00a0<a href=\"https:\/\/www.linkedin.com\/feed\/update\/urn:li:activity:7441841298115989505\/\" target=\"_blank\" rel=\"noreferrer noopener\">has evolved from targeting Colombian organizations to targeting US and European companies<\/a>. The hunter can now see the full threat actor profile:\u00a0initial\u00a0delivery technique (SVG smuggling), malware families used (vjw0rm, quasar,\u00a0remcos,\u00a0xworm,\u00a0rmrlx), geographic targeting, and infrastructure overlap with adjacent groups like\u00a0BlindEagle.\u00a0<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/intelligence.any.run\/analysis\/lookup?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=threat-hunting-practical-usecases&amp;utm_term=100626&amp;utm_content=linktolookup#%7B%2522query%2522:%2522threatName:%255C%2522colombian-smugglers%255C%2522%2522,%2522dateRange%2522:180%7D\" target=\"_blank\" rel=\"noreferrer noopener\">threatName:&#8221;colombian-smugglers&#8221;<\/a>\u00a0<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"632\" src=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_19-1024x632.png\" alt=\"\" class=\"wp-image-21579\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_19-1024x632.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_19-300x185.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_19-768x474.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_19-370x228.png 
370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_19-270x167.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_19-740x457.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_19.png 1253w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Malware samples tagged as Colombian Smugglers attacks<\/em>\u00a0<\/figcaption><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">Use this TI Lookup request to find sandbox analyses that expose the SVG smuggling technique:&nbsp;&nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/intelligence.any.run\/analysis\/lookup?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=threat-hunting-practical-usecases&amp;utm_term=100626&amp;utm_content=linktolookup#%7B%2522query%2522:%2522threatName:%255C%2522colombian-smugglers%255C%2522%2520and%2520filePath:%255C%2522.svg$%255C%2522%2522,%2522dateRange%2522:180%7D\" target=\"_blank\" rel=\"noreferrer noopener\">threatName:&#8221;colombian-smugglers&#8221; and filePath:&#8221;.svg$&#8221;<\/a>\u00a0<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"638\" src=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_20-1024x638.png\" alt=\"\" class=\"wp-image-21580\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_20-1024x638.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_20-300x187.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_20-768x479.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_20-370x231.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_20-270x168.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_20-740x461.png 740w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_20.png 1251w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Malware samples with SVG smuggling<\/em>\u00a0<\/figcaption><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Impact:<\/strong>&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Single alert pivots into full threat actor profile and campaign map.\u00a0<\/li>\n\n\n\n<li>Infrastructure correlation\u00a0surfaces\u00a0additional\u00a0C2 endpoints for blocking.\u00a0<\/li>\n\n\n\n<li>Geographic and targeting intelligence\u00a0enables\u00a0prioritized defensive response.\u00a0<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">5. False Positive Validation: Hunting Rule Noise Reduction&nbsp;<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Scenario<\/strong>: ANY.RUN&#8217;s&nbsp;hunting rules include a signature that fires when a Windows PC hostname is&nbsp;observed&nbsp;being transmitted in network traffic \u2014 a behavior common to stealers and RATs that use hostname as a victim identifier.&nbsp;&nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/intelligence.any.run\/analysis\/lookup?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=threat-hunting-practical-usecases&amp;utm_term=100626&amp;utm_content=linktolookup#%7B%2522query%2522:%2522suricataMessage:%255C%2522HUNTING%2520%5BANY.RUN%5D%2520Windows%2520PC%2520hostname%2520observed%255C%2522%2522,%2522dateRange%2522:7%7D\" target=\"_blank\" rel=\"noreferrer noopener\">suricataMessage:&#8221;HUNTING [ANY.RUN] Windows PC hostname observed&#8221;<\/a>\u00a0<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"546\" src=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_21-1024x546.png\" alt=\"\" class=\"wp-image-21581\" 
srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_21-1024x546.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_21-300x160.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_21-768x409.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_21-370x197.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_21-270x144.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_21-740x394.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_21.png 1259w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Malware samples found by Suricata rule<\/em>\u00a0<\/figcaption><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">The rule catches real threats, but the analyst needs to verify that every hit is genuinely malicious before adding it to production detection.&nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>The struggle<\/strong>: Hunting rules cast wide nets by design. A rule targeting hostname exfiltration will fire on legitimate software that also transmits device identifiers. 
Without behavioral context, distinguishing malicious exfiltration from legitimate telemetry requires manual investigation of every hit.&nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>The solution<\/strong>:\u00a0Let\u2019s\u00a0view one of the matching sandbox analyses:\u00a0<a href=\"https:\/\/app.any.run\/tasks\/56e01444-87a2-4cf4-874a-41e56ce60221\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=threat-hunting-practical-usecases&amp;utm_term=100626&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/app.any.run\/tasks\/56e01444-87a2-4cf4-874a-41e56ce60221\/<\/a>\u00a0<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"695\" src=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_22-1024x695.png\" alt=\"\" class=\"wp-image-21583\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_22-1024x695.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_22-300x204.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_22-768x521.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_22-1536x1042.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_22-370x251.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_22-270x183.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_22-740x502.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_22.png 1774w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Phishing email in sandbox analysis<\/em>\u00a0<\/figcaption><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">The analyst sees the Suricata alert firing on Outlook.exe,&nbsp;but the destination is&nbsp;licensing.m365.svc.cloud.microsoft, a 
legitimate Microsoft licensing endpoint.&nbsp;&nbsp;<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"738\" src=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_23-1024x738.png\" alt=\"\" class=\"wp-image-21585\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_23-1024x738.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_23-300x216.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_23-768x554.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_23-370x267.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_23-270x195.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_23-740x533.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_23.png 1390w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Legitimate Microsoft domain in threat detection<\/em>\u00a0<\/figcaption><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">The HTTP details confirm the behavior: Outlook is sending device and license metadata as part of a standard Office perpetual license renewal (renewperpetuallicense), and the server responds with a 200 OK confirming the HomeBusiness2021Retail license status. This is unambiguously legitimate. 
The analyst documents this as a known false-positive pattern and adds an exclusion for Microsoft licensing endpoints \u2014 keeping the rule sharp without discarding it.&nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Impact<\/strong>:&nbsp;&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>False positive identified and documented before reaching production.\u00a0<\/li>\n\n\n\n<li>Detection logic refined without reducing coverage of genuine threats.\u00a0<\/li>\n\n\n\n<li>Analyst time focused on confirmed malicious activity.\u00a0<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">6. Detection Engineering: YARA Rule Development and Validation&nbsp;<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Scenario<\/strong>: During stealer sample collection, an analyst\u00a0encounters\u00a0<a href=\"https:\/\/app.any.run\/tasks\/32872c5b-dc9b-4713-a3fe-f4db113e99e4\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=threat-hunting-practical-usecases&amp;utm_term=100626&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\">a .NET executable<\/a>\u00a0that drops a zip archive named with a consistent pattern: Unix-[HOSTNAME]-[ID].zip. The behavioral artifact is\u00a0interesting\u00a0but the analyst wants to build a durable, validated detection rule, not just add a file path indicator that will break when the malware author changes the naming convention.\u00a0<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>The struggle<\/strong>: Writing YARA rules against behavioral artifacts requires understanding what strings are genuinely hardcoded into the binary versus what is generated at runtime. 
Testing rules against a small sample set risks both false positives from broad string matches and false negatives from a sample set too small to&nbsp;represent&nbsp;the full malware family.&nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>The solution<\/strong>: Static analysis of the .NET binary in Detect It Easy reveals human-readable strings embedded in the assembly \u2014 a common characteristic of .NET malware.&nbsp;&nbsp;<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"752\" src=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_24-1024x752.png\" alt=\"\" class=\"wp-image-21587\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_24-1024x752.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_24-300x220.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_24-768x564.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_24-370x272.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_24-270x198.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_24-740x544.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_24-80x60.png 80w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_24.png 1489w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Static analysis of malware sample<\/em>\u00a0<\/figcaption><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">Filtering for strings&nbsp;containing&nbsp;\u201cUnix\u201d&nbsp;surfaces several hardcoded identifiers&nbsp;specific to this malware:&nbsp;&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Unix Stealer 
Log\u00a0<\/li>\n\n\n\n<li>UnixStealer\u00a0<\/li>\n\n\n\n<li>UnixStealerIV!@#\u00a0<\/li>\n\n\n\n<li>UnixStealer2024Key!\u00a0<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"403\" src=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_25-1024x403.png\" alt=\"\" class=\"wp-image-21589\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_25-1024x403.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_25-300x118.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_25-768x302.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_25-1536x604.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_25-2048x805.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_25-370x145.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_25-270x106.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_25-740x291.png 740w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Searching for *unix* strings<\/em><\/figcaption><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">A YARA rule built around these strings uses wide matching for Unicode-encoded strings and&nbsp;fullword&nbsp;to minimize false positives.&nbsp;&nbsp;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>rule UnixStealer {\n    meta:\n        description = \"Detects UnixStealer malware\"\n        date = \"2025-12-18\"\n        author = \"ANY.RUN:A.Adhikara\"\n    strings:\n        \/\/ UTF-16 (wide) strings as stored in the .NET assembly\n        $x1 = \"Unix Stealer Log\" fullword wide\n        $x2 = \"UnixStealer\" fullword\n        $x3 = \"UnixStealerIV!@#\" fullword wide\n        $x4 = \"UnixStealer2024Key\" fullword wide\n    condition:\n        \/\/ MZ header: restrict matching to PE files\n        uint16(0) == 0x5A4D and any of ($x*)\n}<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Running the rule through&nbsp;<a href=\"https:\/\/intelligence.any.run\/analysis\/yara\" target=\"_blank\" rel=\"noreferrer noopener\">TI Lookup&#8217;s&nbsp;YARA Search<\/a>&nbsp;validates&nbsp;it against millions of real malware samples \u2014 returning 17 matching samples with no unrelated hits.&nbsp;&nbsp;<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"622\" src=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_26-1024x622.png\" alt=\"\" class=\"wp-image-21593\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_26-1024x622.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_26-300x182.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_26-768x467.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_26-1536x934.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_26-2048x1245.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_26-370x225.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_26-270x164.png 270w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_26-740x450.png 740w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Malware samples found by the YARA rule<\/em><\/figcaption><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">Noticing that the year is hardcoded in one string, the analyst refines it to a regex pattern (\/UnixStealer20\\d{2}Key\/ wide) to ensure the rule covers future builds where the author updates the year.&nbsp;&nbsp;<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"618\" src=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_27-1024x618.png\" alt=\"\" class=\"wp-image-21594\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_27-1024x618.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_27-300x181.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_27-768x463.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_27-1536x927.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_27-2048x1236.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_27-370x223.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_27-270x163.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_27-740x447.png 740w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Optimized YARA rule<\/em><\/figcaption><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">Re-validation against the corpus confirms the refined rule catches the same 17 samples and introduces no new noise.&nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Impact:&nbsp;<\/strong>&nbsp;<\/p>\n\n\n\n<ul 
class=\"wp-block-list\">\n<li>YARA rule\u00a0validated\u00a0against millions of real samples before deployment.\u00a0<\/li>\n\n\n\n<li>Rule designed to survive malware version updates through regex generalization.\u00a0<\/li>\n\n\n\n<li>Detection shipped with high confidence \u2014 no post-deployment tuning\u00a0required.\u00a0<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">How Threat Intelligence Feeds Support Threat Hunting&nbsp;<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">WhileTI&nbsp;&nbsp;Lookup excels&nbsp;at&nbsp;interactive&nbsp;investigations,&nbsp;Threat Intelligence Feeds help operationalize hunting at scale.&nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Threat Intelligence Feeds can be integrated directly into SIEM, EDR, XDR, SOAR, firewalls, and other security platforms, providing continuously updated indicators and threat context.&nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>For threat hunters, this supports several key workflows:<\/strong>&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Prioritizing investigations involving known malicious infrastructure.\u00a0<\/li>\n\n\n\n<li>Correlating internal telemetry with active attacker infrastructure.\u00a0<\/li>\n\n\n\n<li>Identifying\u00a0emerging campaigns before internal detections trigger.\u00a0<\/li>\n\n\n\n<li>Automating enrichment during hunts.\u00a0<\/li>\n\n\n\n<li>Reducing manual IOC collection and maintenance.\u00a0<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">By continuously injecting fresh intelligence into security tooling, feeds allow hunting teams to focus on analysis rather than data gathering.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Accelerating Hunts with Sandbox Intelligence&nbsp;<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">ANY.RUN\u2019s Interactive Sandbox&nbsp;provides&nbsp;additional capabilities that reduce investigation time and improve analyst productivity.&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Tier 1 
Reports&nbsp;<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Tier 1 Reports automatically summarize malware behavior in analyst-friendly language, making it easier for junior and mid-level analysts to understand threats without spending&nbsp;significant time&nbsp;reviewing every artifact manually.&nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">This helps SOC teams rapidly assess suspicious files and decide whether deeper hunting activities are necessary.&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">AI Summary&nbsp;<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">AI Summary condenses complex malware executions into concise narratives, highlighting the most important findings, suspicious behaviors, and attack stages. Hunters can quickly understand what happened during execution before diving into technical details.&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">AI Recommendations&nbsp;<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">AI Recommendations suggest potential next steps for investigation, including relevant artifacts, indicators, and behaviors worth examining further.&nbsp;This helps analysts&nbsp;identify&nbsp;additional&nbsp;hunting opportunities and reduces the likelihood of missing important evidence.&nbsp;<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"580\" height=\"893\" src=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_28.png\" alt=\"\" class=\"wp-image-21596\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_28.png 580w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_28-195x300.png 195w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_28-370x570.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/hunt_28-270x416.png 270w\" sizes=\"auto, (max-width: 580px) 100vw, 580px\" \/><figcaption class=\"wp-element-caption\"><em>Tier 1 report with AI 
summary and recommendations<\/em><\/figcaption><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Why Threat Hunting Matters to the Business&nbsp;<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Threat hunting is often discussed as a purely technical discipline, but its ultimate purpose is business protection. Organizations invest in hunting because reactive security alone is no longer sufficient. 
Modern attackers&nbsp;frequently&nbsp;evade automated detections,&nbsp;abuse&nbsp;legitimate tools, and remain hidden for extended periods.&nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">However, threat hunting itself introduces operational challenges:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Significant analyst time requirements.\u00a0<\/li>\n\n\n\n<li>Skill shortages.\u00a0<\/li>\n\n\n\n<li>Investigation\u00a0fatigue.\u00a0<\/li>\n\n\n\n<li>High volumes of telemetry.\u00a0<\/li>\n\n\n\n<li>Difficulty prioritizing hunting activities.\u00a0<\/li>\n\n\n\n<li>Challenges\u00a0demonstrating\u00a0measurable business value.\u00a0<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">Without proper intelligence support, threat hunting can become expensive and inefficient. Threat intelligence helps address these challenges by reducing investigation time, improving prioritization, increasing analyst productivity, and enabling teams to focus on the threats that matter most to the business.&nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The result is faster threat discovery, reduced dwell time, lower incident response costs, and improved resilience against advanced attacks.&nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">For MSSPs, intelligence-driven hunting also enables more scalable operations, allowing analysts to investigate more environments without proportionally increasing staffing requirements.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Conclusion&nbsp;<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Threat hunting is no longer about manually searching through massive volumes of logs and hoping to uncover something suspicious.&nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Successful hunting depends on context.&nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Threat intelligence provides that context by connecting indicators, behaviors, infrastructure, malware families, campaigns, and threat actors into a coherent picture. 
It transforms hunting from a reactive research exercise into a focused,&nbsp;intelligence-driven process.&nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">With Threat Intelligence Lookup, Threat Intelligence Feeds, Threat Intelligence Reports, YARA Search, and AI-assisted analysis capabilities, SOC teams can&nbsp;validate&nbsp;hypotheses, enrich investigations, expand discoveries, improve detections, and reduce time spent on manual research.&nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The result is a threat hunting program that is faster, more scalable, and more closely aligned with both security and business&nbsp;objectives.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">About ANY.RUN&nbsp;<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/any.run\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=threat-hunting-practical-usecases&amp;utm_term=100626&amp;utm_content=linktolanding\" target=\"_blank\" rel=\"noreferrer noopener\">ANY.RUN<\/a>, a leading provider of interactive malware analysis and\u00a0threat intelligence solutions, helps SOC teams, MSSPs, and enterprises investigate threats faster and make more\u00a0confident security decisions.\u00a0<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">With its cloud-based\u00a0<a href=\"https:\/\/any.run\/features\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=threat-hunting-practical-usecases&amp;utm_term=100626&amp;utm_content=linktosandboxlanding\" target=\"_blank\" rel=\"noreferrer noopener\">Interactive\u00a0Sandbox<\/a>, security teams can safely analyze suspicious files, links, and emails in real time,\u00a0observe\u00a0malicious behavior, and receive\u00a0clear evidence\u00a0for response without\u00a0maintaining\u00a0complex in-house infrastructure.\u00a0<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">ANY.RUN\u2019s\u00a0<a 
href=\"https:\/\/any.run\/threat-intelligence-lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=threat-hunting-practical-usecases&amp;utm_term=100626&amp;utm_content=linktotilookuplanding\" target=\"_blank\" rel=\"noreferrer noopener\">Threat Intelligence<\/a>\u00a0solutions also help organizations uncover threat\u00a0context, enrich security workflows, and improve visibility into emerging risks. Together, these capabilities support faster triage, stronger incident prevention, and more efficient security operations at scale.\u00a0<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">ANY.RUN is SOC 2 Type II attested and committed to strong security control and customer data protection.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/any.run\/enterprise\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=threat-hunting-practical-usecases&amp;utm_term=100626&amp;utm_content=linktoenterprise#contact-sales\" target=\"_blank\" rel=\"noreferrer noopener\">Scale your SOC with faster threat validation \u2192<\/a><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">FAQ<\/h2>\n\n\n\n<div class=\"schema-faq wp-block-yoast-faq-block\"><div class=\"schema-faq-section\" id=\"faq-question-1781093239666\"><strong class=\"schema-faq-question\">What is threat hunting in a SOC?<\/strong> <p class=\"schema-faq-answer\">Threat hunting is a proactive security practice where analysts search for hidden threats, attacker activity, or signs of compromise that may not trigger traditional security alerts.<\/p> <\/div> <div class=\"schema-faq-section\" id=\"faq-question-1781093260809\"><strong class=\"schema-faq-question\">How is threat hunting different from incident response?<\/strong> <p class=\"schema-faq-answer\">Incident response starts after a security event is detected. 
Threat hunting begins before an alert exists and focuses on discovering threats that may otherwise remain unnoticed.<\/p> <\/div> <div class=\"schema-faq-section\" id=\"faq-question-1781093273138\"><strong class=\"schema-faq-question\">Why is threat intelligence important for threat hunting?<\/strong> <p class=\"schema-faq-answer\">Threat intelligence provides context about attackers, malware, infrastructure, and campaigns, helping analysts prioritize investigations and validate findings faster.<\/p> <\/div> <div class=\"schema-faq-section\" id=\"faq-question-1781093284243\"><strong class=\"schema-faq-question\">What hunting workflows benefit most from threat intelligence?<\/strong> <p class=\"schema-faq-answer\">Hypothesis validation, behavioral hunting, threat enrichment, investigation expansion, false-positive analysis, and detection engineering all benefit significantly from threat intelligence.<\/p> <\/div> <div class=\"schema-faq-section\" id=\"faq-question-1781093297322\"><strong class=\"schema-faq-question\">How do threat intelligence feeds support hunters?<\/strong> <p class=\"schema-faq-answer\">Threat intelligence feeds continuously provide fresh indicators and context that can be integrated into SIEM, EDR, SOAR, XDR, and other security platforms for automated enrichment and prioritization.<\/p> <\/div> <div class=\"schema-faq-section\" id=\"faq-question-1781093308730\"><strong class=\"schema-faq-question\">Can threat intelligence help reduce false positives?<\/strong> <p class=\"schema-faq-answer\">Yes. 
Intelligence provides historical and behavioral context that helps analysts quickly determine whether suspicious activity is malicious or legitimate.<\/p> <\/div> <div class=\"schema-faq-section\" id=\"faq-question-1781093318603\"><strong class=\"schema-faq-question\">How do AI-powered investigation features help threat hunters?<\/strong> <p class=\"schema-faq-answer\">AI summaries, recommendations, and analyst reports help hunters understand threats faster, identify relevant artifacts, and reduce time spent on manual investigation.<\/p> <\/div> <\/div>\n\n\n\n<p class=\"wp-block-paragraph\"><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Talk to any threat hunter long enough, and beneath the polished case studies and conference talks, the same frustrations surface. Hunting is supposed to be proactive. In practice, it often feels reactive. You are chasing whispers of activity through log noise, querying SIEM fields that barely reflect real attacker&nbsp;behavior&nbsp;and writing detections against technique descriptions that [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":21545,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[4],"tags":[57,10,40,104,105],"class_list":["post-21543","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-lifehacks","tag-anyrun","tag-cybersecurity","tag-malware-behavior","tag-threat-hunting","tag-yara-rules"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.7 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Intelligence-Driven Threat Hunting<\/title>\n<meta name=\"description\" content=\"Learn how threat intelligence helps SOC teams validate hypotheses, enrich hunts, reduce noise, and find threats faster.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" 
\/>\n<link rel=\"canonical\" href=\"https:\/\/any.run\/cybersecurity-blog\/threat-hunting-practical-usecases\/\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"ANY.RUN\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"20 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/any.run\\\/cybersecurity-blog\\\/threat-hunting-practical-usecases\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/any.run\\\/cybersecurity-blog\\\/threat-hunting-practical-usecases\\\/\"},\"author\":{\"name\":\"ANY.RUN\",\"@id\":\"https:\\\/\\\/any.run\\\/\"},\"headline\":\"Intelligence-Driven Threat Hunting: How SOCs Find What Alerts Miss\",\"datePublished\":\"2026-06-10T12:49:40+00:00\",\"dateModified\":\"2026-06-10T13:32:10+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/any.run\\\/cybersecurity-blog\\\/threat-hunting-practical-usecases\\\/\"},\"wordCount\":3452,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/any.run\\\/\"},\"image\":{\"@id\":\"https:\\\/\\\/any.run\\\/cybersecurity-blog\\\/threat-hunting-practical-usecases\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/any.run\\\/cybersecurity-blog\\\/wp-content\\\/uploads\\\/2026\\\/06\\\/Threat-Hunting-Playbook-scaled.png\",\"keywords\":[\"ANYRUN\",\"cybersecurity\",\"malware behavior\",\"Threat hunting\",\"YARA rules\"],\"articleSection\":[\"Cybersecurity 
Lifehacks\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/any.run\\\/cybersecurity-blog\\\/threat-hunting-practical-usecases\\\/#respond\"]}]},{\"@type\":[\"WebPage\",\"FAQPage\"],\"@id\":\"https:\\\/\\\/any.run\\\/cybersecurity-blog\\\/threat-hunting-practical-usecases\\\/\",\"url\":\"https:\\\/\\\/any.run\\\/cybersecurity-blog\\\/threat-hunting-practical-usecases\\\/\",\"name\":\"Intelligence-Driven Threat Hunting\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/any.run\\\/\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/any.run\\\/cybersecurity-blog\\\/threat-hunting-practical-usecases\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/any.run\\\/cybersecurity-blog\\\/threat-hunting-practical-usecases\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/any.run\\\/cybersecurity-blog\\\/wp-content\\\/uploads\\\/2026\\\/06\\\/Threat-Hunting-Playbook-scaled.png\",\"datePublished\":\"2026-06-10T12:49:40+00:00\",\"dateModified\":\"2026-06-10T13:32:10+00:00\",\"description\":\"Learn how threat intelligence helps SOC teams validate hypotheses, enrich hunts, reduce noise, and find threats 
faster.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/any.run\\\/cybersecurity-blog\\\/threat-hunting-practical-usecases\\\/#breadcrumb\"},\"mainEntity\":[{\"@id\":\"https:\\\/\\\/any.run\\\/cybersecurity-blog\\\/threat-hunting-practical-usecases\\\/#faq-question-1781093239666\"},{\"@id\":\"https:\\\/\\\/any.run\\\/cybersecurity-blog\\\/threat-hunting-practical-usecases\\\/#faq-question-1781093260809\"},{\"@id\":\"https:\\\/\\\/any.run\\\/cybersecurity-blog\\\/threat-hunting-practical-usecases\\\/#faq-question-1781093273138\"},{\"@id\":\"https:\\\/\\\/any.run\\\/cybersecurity-blog\\\/threat-hunting-practical-usecases\\\/#faq-question-1781093284243\"},{\"@id\":\"https:\\\/\\\/any.run\\\/cybersecurity-blog\\\/threat-hunting-practical-usecases\\\/#faq-question-1781093297322\"},{\"@id\":\"https:\\\/\\\/any.run\\\/cybersecurity-blog\\\/threat-hunting-practical-usecases\\\/#faq-question-1781093308730\"},{\"@id\":\"https:\\\/\\\/any.run\\\/cybersecurity-blog\\\/threat-hunting-practical-usecases\\\/#faq-question-1781093318603\"}],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/any.run\\\/cybersecurity-blog\\\/threat-hunting-practical-usecases\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/any.run\\\/cybersecurity-blog\\\/threat-hunting-practical-usecases\\\/#primaryimage\",\"url\":\"https:\\\/\\\/any.run\\\/cybersecurity-blog\\\/wp-content\\\/uploads\\\/2026\\\/06\\\/Threat-Hunting-Playbook-scaled.png\",\"contentUrl\":\"https:\\\/\\\/any.run\\\/cybersecurity-blog\\\/wp-content\\\/uploads\\\/2026\\\/06\\\/Threat-Hunting-Playbook-scaled.png\",\"width\":2560,\"height\":1243,\"caption\":\"Threat Hunting Use 
Cases\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/any.run\\\/cybersecurity-blog\\\/threat-hunting-practical-usecases\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/any.run\\\/cybersecurity-blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Cybersecurity Lifehacks\",\"item\":\"https:\\\/\\\/any.run\\\/cybersecurity-blog\\\/category\\\/lifehacks\\\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Intelligence-Driven Threat Hunting: How SOCs Find What Alerts Miss\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/any.run\\\/\",\"url\":\"https:\\\/\\\/any.run\\\/\",\"name\":\"ANY.RUN&#039;s Cybersecurity Blog\",\"description\":\"Cybersecurity Blog covers topics for experienced professionals as well as for those new to it.\",\"publisher\":{\"@id\":\"https:\\\/\\\/any.run\\\/\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/any.run\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/any.run\\\/\",\"name\":\"ANY.RUN\",\"url\":\"https:\\\/\\\/any.run\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/any.run\\\/\",\"url\":\"https:\\\/\\\/any.run\\\/cybersecurity-blog\\\/wp-content\\\/uploads\\\/2020\\\/08\\\/ANYRUN-Icon.svg\",\"contentUrl\":\"https:\\\/\\\/any.run\\\/cybersecurity-blog\\\/wp-content\\\/uploads\\\/2020\\\/08\\\/ANYRUN-Icon.svg\",\"width\":1,\"height\":1,\"caption\":\"ANY.RUN\"},\"image\":{\"@id\":\"https:\\\/\\\/any.run\\\/\"},\"sameAs\":[\"https:\\\/\\\/www.facebook.com\\\/www.any.run\\\/\",\"https:\\\/\\\/x.com\\\/anyrun_app\",\"https:\\\/\\\/www.linkedin.com\\\/company\\\/30692044\",\"https:\\\/\\\/www.youtube.com\\\/channel\\\/UCOgCPho7lzmH7m6fPNlukrQ\"]},{\"@type\":\"P
erson\",\"@id\":\"https:\\\/\\\/any.run\\\/\",\"name\":\"ANY.RUN\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/4a921d1fbcf45a0476667c89b7999bc2bb3c028b518acc569da69c8797e53a84?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/4a921d1fbcf45a0476667c89b7999bc2bb3c028b518acc569da69c8797e53a84?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/4a921d1fbcf45a0476667c89b7999bc2bb3c028b518acc569da69c8797e53a84?s=96&d=mm&r=g\",\"caption\":\"ANY.RUN\"},\"url\":\"https:\\\/\\\/any.run\\\/cybersecurity-blog\\\/author\\\/a-bespalova\\\/\"},{\"@type\":\"Question\",\"@id\":\"https:\\\/\\\/any.run\\\/cybersecurity-blog\\\/threat-hunting-practical-usecases\\\/#faq-question-1781093239666\",\"position\":1,\"url\":\"https:\\\/\\\/any.run\\\/cybersecurity-blog\\\/threat-hunting-practical-usecases\\\/#faq-question-1781093239666\",\"name\":\"What is threat hunting in a SOC?\",\"answerCount\":1,\"acceptedAnswer\":{\"@type\":\"Answer\",\"text\":\"Threat hunting is a proactive security practice where analysts search for hidden threats, attacker activity, or signs of compromise that may not trigger traditional security alerts.\",\"inLanguage\":\"en-US\"},\"inLanguage\":\"en-US\"},{\"@type\":\"Question\",\"@id\":\"https:\\\/\\\/any.run\\\/cybersecurity-blog\\\/threat-hunting-practical-usecases\\\/#faq-question-1781093260809\",\"position\":2,\"url\":\"https:\\\/\\\/any.run\\\/cybersecurity-blog\\\/threat-hunting-practical-usecases\\\/#faq-question-1781093260809\",\"name\":\"How is threat hunting different from incident response?\",\"answerCount\":1,\"acceptedAnswer\":{\"@type\":\"Answer\",\"text\":\"Incident response starts after a security event is detected. 
Threat hunting begins before an alert exists and focuses on discovering threats that may otherwise remain unnoticed.\",\"inLanguage\":\"en-US\"},\"inLanguage\":\"en-US\"},{\"@type\":\"Question\",\"@id\":\"https:\\\/\\\/any.run\\\/cybersecurity-blog\\\/threat-hunting-practical-usecases\\\/#faq-question-1781093273138\",\"position\":3,\"url\":\"https:\\\/\\\/any.run\\\/cybersecurity-blog\\\/threat-hunting-practical-usecases\\\/#faq-question-1781093273138\",\"name\":\"Why is threat intelligence important for threat hunting?\",\"answerCount\":1,\"acceptedAnswer\":{\"@type\":\"Answer\",\"text\":\"Threat intelligence provides context about attackers, malware, infrastructure, and campaigns, helping analysts prioritize investigations and validate findings faster.\",\"inLanguage\":\"en-US\"},\"inLanguage\":\"en-US\"},{\"@type\":\"Question\",\"@id\":\"https:\\\/\\\/any.run\\\/cybersecurity-blog\\\/threat-hunting-practical-usecases\\\/#faq-question-1781093284243\",\"position\":4,\"url\":\"https:\\\/\\\/any.run\\\/cybersecurity-blog\\\/threat-hunting-practical-usecases\\\/#faq-question-1781093284243\",\"name\":\"What hunting workflows benefit most from threat intelligence?\",\"answerCount\":1,\"acceptedAnswer\":{\"@type\":\"Answer\",\"text\":\"Hypothesis validation, behavioral hunting, threat enrichment, investigation expansion, false-positive analysis, and detection engineering all benefit significantly from threat intelligence.\",\"inLanguage\":\"en-US\"},\"inLanguage\":\"en-US\"},{\"@type\":\"Question\",\"@id\":\"https:\\\/\\\/any.run\\\/cybersecurity-blog\\\/threat-hunting-practical-usecases\\\/#faq-question-1781093297322\",\"position\":5,\"url\":\"https:\\\/\\\/any.run\\\/cybersecurity-blog\\\/threat-hunting-practical-usecases\\\/#faq-question-1781093297322\",\"name\":\"How do threat intelligence feeds support hunters?\",\"answerCount\":1,\"acceptedAnswer\":{\"@type\":\"Answer\",\"text\":\"Threat intelligence feeds continuously provide fresh indicators and context that can 
be integrated into SIEM, EDR, SOAR, XDR, and other security platforms for automated enrichment and prioritization.\",\"inLanguage\":\"en-US\"},\"inLanguage\":\"en-US\"},{\"@type\":\"Question\",\"@id\":\"https:\\\/\\\/any.run\\\/cybersecurity-blog\\\/threat-hunting-practical-usecases\\\/#faq-question-1781093308730\",\"position\":6,\"url\":\"https:\\\/\\\/any.run\\\/cybersecurity-blog\\\/threat-hunting-practical-usecases\\\/#faq-question-1781093308730\",\"name\":\"Can threat intelligence help reduce false positives?\",\"answerCount\":1,\"acceptedAnswer\":{\"@type\":\"Answer\",\"text\":\"Yes. Intelligence provides historical and behavioral context that helps analysts quickly determine whether suspicious activity is malicious or legitimate.\",\"inLanguage\":\"en-US\"},\"inLanguage\":\"en-US\"},{\"@type\":\"Question\",\"@id\":\"https:\\\/\\\/any.run\\\/cybersecurity-blog\\\/threat-hunting-practical-usecases\\\/#faq-question-1781093318603\",\"position\":7,\"url\":\"https:\\\/\\\/any.run\\\/cybersecurity-blog\\\/threat-hunting-practical-usecases\\\/#faq-question-1781093318603\",\"name\":\"How do AI-powered investigation features help threat hunters?\",\"answerCount\":1,\"acceptedAnswer\":{\"@type\":\"Answer\",\"text\":\"AI summaries, recommendations, and analyst reports help hunters understand threats faster, identify relevant artifacts, and reduce time spent on manual investigation.\",\"inLanguage\":\"en-US\"},\"inLanguage\":\"en-US\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Intelligence-Driven Threat Hunting","description":"Learn how threat intelligence helps SOC teams validate hypotheses, enrich hunts, reduce noise, and find threats faster.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/any.run\/cybersecurity-blog\/threat-hunting-practical-usecases\/","twitter_misc":{"Written by":"ANY.RUN","Est. 
reading time":"20 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/any.run\/cybersecurity-blog\/threat-hunting-practical-usecases\/#article","isPartOf":{"@id":"https:\/\/any.run\/cybersecurity-blog\/threat-hunting-practical-usecases\/"},"author":{"name":"ANY.RUN","@id":"https:\/\/any.run\/"},"headline":"Intelligence-Driven Threat Hunting: How SOCs Find What Alerts Miss","datePublished":"2026-06-10T12:49:40+00:00","dateModified":"2026-06-10T13:32:10+00:00","mainEntityOfPage":{"@id":"https:\/\/any.run\/cybersecurity-blog\/threat-hunting-practical-usecases\/"},"wordCount":3452,"commentCount":0,"publisher":{"@id":"https:\/\/any.run\/"},"image":{"@id":"https:\/\/any.run\/cybersecurity-blog\/threat-hunting-practical-usecases\/#primaryimage"},"thumbnailUrl":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/Threat-Hunting-Playbook-scaled.png","keywords":["ANYRUN","cybersecurity","malware behavior","Threat hunting","YARA rules"],"articleSection":["Cybersecurity Lifehacks"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/any.run\/cybersecurity-blog\/threat-hunting-practical-usecases\/#respond"]}]},{"@type":["WebPage","FAQPage"],"@id":"https:\/\/any.run\/cybersecurity-blog\/threat-hunting-practical-usecases\/","url":"https:\/\/any.run\/cybersecurity-blog\/threat-hunting-practical-usecases\/","name":"Intelligence-Driven Threat Hunting","isPartOf":{"@id":"https:\/\/any.run\/"},"primaryImageOfPage":{"@id":"https:\/\/any.run\/cybersecurity-blog\/threat-hunting-practical-usecases\/#primaryimage"},"image":{"@id":"https:\/\/any.run\/cybersecurity-blog\/threat-hunting-practical-usecases\/#primaryimage"},"thumbnailUrl":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/Threat-Hunting-Playbook-scaled.png","datePublished":"2026-06-10T12:49:40+00:00","dateModified":"2026-06-10T13:32:10+00:00","description":"Learn how threat intelligence helps 
SOC teams validate hypotheses, enrich hunts, reduce noise, and find threats faster.","breadcrumb":{"@id":"https:\/\/any.run\/cybersecurity-blog\/threat-hunting-practical-usecases\/#breadcrumb"},"mainEntity":[{"@id":"https:\/\/any.run\/cybersecurity-blog\/threat-hunting-practical-usecases\/#faq-question-1781093239666"},{"@id":"https:\/\/any.run\/cybersecurity-blog\/threat-hunting-practical-usecases\/#faq-question-1781093260809"},{"@id":"https:\/\/any.run\/cybersecurity-blog\/threat-hunting-practical-usecases\/#faq-question-1781093273138"},{"@id":"https:\/\/any.run\/cybersecurity-blog\/threat-hunting-practical-usecases\/#faq-question-1781093284243"},{"@id":"https:\/\/any.run\/cybersecurity-blog\/threat-hunting-practical-usecases\/#faq-question-1781093297322"},{"@id":"https:\/\/any.run\/cybersecurity-blog\/threat-hunting-practical-usecases\/#faq-question-1781093308730"},{"@id":"https:\/\/any.run\/cybersecurity-blog\/threat-hunting-practical-usecases\/#faq-question-1781093318603"}],"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/any.run\/cybersecurity-blog\/threat-hunting-practical-usecases\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/any.run\/cybersecurity-blog\/threat-hunting-practical-usecases\/#primaryimage","url":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/Threat-Hunting-Playbook-scaled.png","contentUrl":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/Threat-Hunting-Playbook-scaled.png","width":2560,"height":1243,"caption":"Threat Hunting Use Cases"},{"@type":"BreadcrumbList","@id":"https:\/\/any.run\/cybersecurity-blog\/threat-hunting-practical-usecases\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/any.run\/cybersecurity-blog\/"},{"@type":"ListItem","position":2,"name":"Cybersecurity 
Lifehacks","item":"https:\/\/any.run\/cybersecurity-blog\/category\/lifehacks\/"},{"@type":"ListItem","position":3,"name":"Intelligence-Driven Threat Hunting: How SOCs Find What Alerts Miss"}]},{"@type":"WebSite","@id":"https:\/\/any.run\/","url":"https:\/\/any.run\/","name":"ANY.RUN&#039;s Cybersecurity Blog","description":"Cybersecurity Blog covers topics for experienced professionals as well as for those new to it.","publisher":{"@id":"https:\/\/any.run\/"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/any.run\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/any.run\/","name":"ANY.RUN","url":"https:\/\/any.run\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/any.run\/","url":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg","contentUrl":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg","width":1,"height":1,"caption":"ANY.RUN"},"image":{"@id":"https:\/\/any.run\/"},"sameAs":["https:\/\/www.facebook.com\/www.any.run\/","https:\/\/x.com\/anyrun_app","https:\/\/www.linkedin.com\/company\/30692044","https:\/\/www.youtube.com\/channel\/UCOgCPho7lzmH7m6fPNlukrQ"]},{"@type":"Person","@id":"https:\/\/any.run\/","name":"ANY.RUN","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/4a921d1fbcf45a0476667c89b7999bc2bb3c028b518acc569da69c8797e53a84?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/4a921d1fbcf45a0476667c89b7999bc2bb3c028b518acc569da69c8797e53a84?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/4a921d1fbcf45a0476667c89b7999bc2bb3c028b518acc569da69c8797e53a84?s=96&d=mm&r=g","caption":"ANY.RUN"},"url":"https:\/\/any.run\/cybersecurity-blog\/author\/a-bespalova\/"},{"@type":"Question","@id":"http
s:\/\/any.run\/cybersecurity-blog\/threat-hunting-practical-usecases\/#faq-question-1781093239666","position":1,"url":"https:\/\/any.run\/cybersecurity-blog\/threat-hunting-practical-usecases\/#faq-question-1781093239666","name":"What is threat hunting in a SOC?","answerCount":1,"acceptedAnswer":{"@type":"Answer","text":"Threat hunting is a proactive security practice where analysts search for hidden threats, attacker activity, or signs of compromise that may not trigger traditional security alerts.","inLanguage":"en-US"},"inLanguage":"en-US"},{"@type":"Question","@id":"https:\/\/any.run\/cybersecurity-blog\/threat-hunting-practical-usecases\/#faq-question-1781093260809","position":2,"url":"https:\/\/any.run\/cybersecurity-blog\/threat-hunting-practical-usecases\/#faq-question-1781093260809","name":"How is threat hunting different from incident response?","answerCount":1,"acceptedAnswer":{"@type":"Answer","text":"Incident response starts after a security event is detected. Threat hunting begins before an alert exists and focuses on discovering threats that may otherwise remain unnoticed.","inLanguage":"en-US"},"inLanguage":"en-US"},{"@type":"Question","@id":"https:\/\/any.run\/cybersecurity-blog\/threat-hunting-practical-usecases\/#faq-question-1781093273138","position":3,"url":"https:\/\/any.run\/cybersecurity-blog\/threat-hunting-practical-usecases\/#faq-question-1781093273138","name":"Why is threat intelligence important for threat hunting?","answerCount":1,"acceptedAnswer":{"@type":"Answer","text":"Threat intelligence provides context about attackers, malware, infrastructure, and campaigns, helping analysts prioritize investigations and validate findings 
faster.","inLanguage":"en-US"},"inLanguage":"en-US"},{"@type":"Question","@id":"https:\/\/any.run\/cybersecurity-blog\/threat-hunting-practical-usecases\/#faq-question-1781093284243","position":4,"url":"https:\/\/any.run\/cybersecurity-blog\/threat-hunting-practical-usecases\/#faq-question-1781093284243","name":"What hunting workflows benefit most from threat intelligence?","answerCount":1,"acceptedAnswer":{"@type":"Answer","text":"Hypothesis validation, behavioral hunting, threat enrichment, investigation expansion, false-positive analysis, and detection engineering all benefit significantly from threat intelligence.","inLanguage":"en-US"},"inLanguage":"en-US"},{"@type":"Question","@id":"https:\/\/any.run\/cybersecurity-blog\/threat-hunting-practical-usecases\/#faq-question-1781093297322","position":5,"url":"https:\/\/any.run\/cybersecurity-blog\/threat-hunting-practical-usecases\/#faq-question-1781093297322","name":"How do threat intelligence feeds support hunters?","answerCount":1,"acceptedAnswer":{"@type":"Answer","text":"Threat intelligence feeds continuously provide fresh indicators and context that can be integrated into SIEM, EDR, SOAR, XDR, and other security platforms for automated enrichment and prioritization.","inLanguage":"en-US"},"inLanguage":"en-US"},{"@type":"Question","@id":"https:\/\/any.run\/cybersecurity-blog\/threat-hunting-practical-usecases\/#faq-question-1781093308730","position":6,"url":"https:\/\/any.run\/cybersecurity-blog\/threat-hunting-practical-usecases\/#faq-question-1781093308730","name":"Can threat intelligence help reduce false positives?","answerCount":1,"acceptedAnswer":{"@type":"Answer","text":"Yes. 
Intelligence provides historical and behavioral context that helps analysts quickly determine whether suspicious activity is malicious or legitimate.","inLanguage":"en-US"},"inLanguage":"en-US"},{"@type":"Question","@id":"https:\/\/any.run\/cybersecurity-blog\/threat-hunting-practical-usecases\/#faq-question-1781093318603","position":7,"url":"https:\/\/any.run\/cybersecurity-blog\/threat-hunting-practical-usecases\/#faq-question-1781093318603","name":"How do AI-powered investigation features help threat hunters?","answerCount":1,"acceptedAnswer":{"@type":"Answer","text":"AI summaries, recommendations, and analyst reports help hunters understand threats faster, identify relevant artifacts, and reduce time spent on manual investigation.","inLanguage":"en-US"},"inLanguage":"en-US"}]}},"_links":{"self":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/21543","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/comments?post=21543"}],"version-history":[{"count":20,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/21543\/revisions"}],"predecessor-version":[{"id":21613,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/21543\/revisions\/21613"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/media\/21545"}],"wp:attachment":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/media?parent=21543"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/categories?post=21543"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/
any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/tags?post=21543"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}