Happy 2026: A Gift for Threat Hunters - 12 Weeks of Hunting Tips

As we step into the New Year, the team at ExaTrack wanted to look back at the insights we’ve shared over the past few months. To read them each week, follow us on LinkedIn ;)

In our daily work, conducting large-scale forensic collections across thousands of endpoints and analyzing complex malware on our Exalyze platform, we encounter patterns that go beyond simple IOCs. We believe that an attacker is, by definition, an anomaly on a system. To help you start the year with a stronger defensive posture, here is a compilation of our last 12 Threat Hunting tips, harmonized and translated into English. Whether you are investigating Windows, Linux, or Active Directory, these “gold nuggets” are designed to help you find the needle in the haystack.

1. The “Writable Directories” Trap

The Concept: Certain Windows directories are writable by all users, making them perfect for droppers.

The Hunt: Scan for executables/scripts (.exe, .dll, .ps1, .bat) in these root folders:

The Pro Tip: Use a script to monitor these paths. Even if a file is signed by Microsoft, its presence in these folders is highly suspicious and often linked to DLL side-loading.

More on LinkedIn: https://www.linkedin.com/posts/st%C3%A9fan-le-berre-1aa2b226_threathunting-cybersecurity-soc-activity-7381287821812219904-xzAh

2. Linux: The “Trailing Space” Backdoor

The Concept: Linux is case-sensitive and literal, including whitespace.

The Hunt: Check /etc/passwd and /etc/shells for trailing spaces.

The Trick: An attacker creates a copy of /bin/dash named /usr/sbin/nologin followed by a trailing space, then sets the user’s shell in /etc/passwd to that exact string, space included.

Detection: Run cat -A /etc/passwd. cat -A prints a $ at the end of every line, so an entry ending in nologin $ carries the trailing space. The account can then log in over SSH while appearing, at first glance, to have a “nologin” shell.
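The same check as a script, as an added example that is not part of the original post: it parses /etc/passwd- and /etc/shells-style content from strings (the sample data below is constructed, including one entry with the trailing-space shell) and flags shells padded with whitespace or not declared in /etc/shells.

```python
# Added example (not from the ExaTrack post): hunt for the "trailing space"
# shell trick in /etc/passwd and /etc/shells. Both inputs are parsed from
# strings so the check runs offline; the sample data below is constructed.

# Constructed /etc/shells content
SAMPLE_SHELLS = "/bin/sh\n/bin/bash\n/bin/dash\n/usr/sbin/nologin\n"

# Constructed /etc/passwd content; 'svc-backup' uses "/usr/sbin/nologin " (trailing space)
SAMPLE_PASSWD = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n"
    "svc-backup:x:1001:1001::/var/backups:/usr/sbin/nologin \n"
    "alice:x:1002:1002::/home/alice:/bin/bash\n"
)


def whitespace_padded_lines(text):
    """Return (line_number, line) for every line with leading/trailing whitespace.
    This is the scripted equivalent of spotting ' $' in the output of `cat -A`."""
    return [(n, line) for n, line in enumerate(text.splitlines(), 1)
            if line and line != line.strip()]


def valid_shells(shells_text):
    """Shells declared in /etc/shells, exactly as written: a padded entry there
    is deliberately NOT treated as equal to the clean path."""
    return {line for line in shells_text.splitlines()
            if line and not line.startswith("#")}


def find_suspicious_shells(passwd_text, shells_text):
    """Flag passwd entries whose shell is padded or is not a declared shell."""
    allowed = valid_shells(shells_text)
    findings = []
    for n, line in enumerate(passwd_text.splitlines(), 1):
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((n, fields[0], "malformed passwd entry"))
            continue
        user, shell = fields[0], fields[6]
        if shell != shell.strip():
            findings.append((n, user, "shell padded with whitespace: %r" % shell))
        elif shell and shell not in allowed:
            findings.append((n, user, "shell not declared in /etc/shells: %r" % shell))
    return findings


if __name__ == "__main__":
    for n, user, why in find_suspicious_shells(SAMPLE_PASSWD, SAMPLE_SHELLS):
        print("passwd line %d (%s): %s" % (n, user, why))
    for n, line in whitespace_padded_lines(SAMPLE_SHELLS):
        print("shells line %d padded: %r" % (n, line))
```

On a live host, feed it `open("/etc/passwd").read()` and `open("/etc/shells").read()`. The padded-shell finding is the strong signal; the "not declared in /etc/shells" finding is only a review aid, since system accounts commonly use /bin/false or /usr/sbin/nologin without those paths being listed there.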

This method was discovered during an incident response involving perfctl: https://blog.exatrack.com/Perfctl-using-portainer-and-new-persistences/

More on LinkedIn: https://www.linkedin.com/posts/clementrouault_perfctl-malware-exploiting-exposed-portainer-activity-7383792079245713408-oS4M

3. Rootkit Hunting via Minidumps

The Concept: Kernel-level malware often causes instability.

The Hunt: Analyze C:\Windows\Minidump for specific Bugchecks.

The Indicators:

More on LinkedIn: https://www.linkedin.com/posts/st%C3%A9fan-le-berre-1aa2b226_threathunting-malwareanalysis-blueteam-activity-7386317132541882368-qDGB

4. Hostnames: The “Stranger” in Your Logs

The Concept: NTLM and VPN logs often record the “Source Workstation Name.”

The Hunt: Search for hostnames that do not follow your corporate naming convention.

The Anomaly: Attackers connecting via VPN often use default computer names (e.g., WIN-XXXX, DESKTOP-XXXX) or tool-specific names like kali or nmap. If SRV-SQL-01 starts receiving requests from DESKTOP-9HF2K, you should investigate for lateral movement.
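An added example (not from the original post) of the hostname check: it classifies each “Source Workstation” name against a corporate naming convention and the default/tool names mentioned above, then groups the strangers by the server they talked to. The convention regex, the log records and the list of tool names are assumptions and constructed data; replace them with your own.

```python
# Added example (not from the ExaTrack post): classify source workstation
# names from authentication logs against a corporate naming convention.
# The convention regex and the log records below are assumptions/constructed.
import re

# Assumed corporate convention: <PREFIX>-<SITE>-<NUMBER>, e.g. WS-PAR-0123 or SRV-SQL-01
CORPORATE_NAME = re.compile(r"^(WS|LT|SRV)-[A-Z]{2,4}-\d{2,4}$")
# Windows default names: fixed prefix plus a random alphanumeric suffix
DEFAULT_NAME = re.compile(r"^(WIN|DESKTOP|LAPTOP)-[A-Z0-9]{4,8}$")
# Names typical of attacker tooling (those cited in the post); extend from your own cases
TOOL_NAMES = {"kali", "nmap"}

# Constructed NTLM authentication records: (target host, source workstation, account)
SAMPLE_AUTHS = [
    ("SRV-SQL-01", "WS-PAR-0123", "alice"),
    ("SRV-SQL-01", "DESKTOP-9HF2K", "svc-sql"),
    ("SRV-FILE-02", "kali", "bob"),
    ("SRV-FILE-02", "LT-LYO-0042", "bob"),
    ("SRV-SQL-01", "BUILD-AGENT-7", "jenkins"),
]


def classify_hostname(name):
    """Return 'corporate', 'default', 'tool' or 'off_convention'."""
    if CORPORATE_NAME.match(name):
        return "corporate"
    if DEFAULT_NAME.match(name):
        return "default"
    if name.lower() in TOOL_NAMES:
        return "tool"
    return "off_convention"


def hunt_stranger_hosts(auths):
    """Group every non-corporate source name under the target it authenticated to,
    so each server's strangers can be triaged together (lateral movement check)."""
    suspects = {}
    for target, source, account in auths:
        label = classify_hostname(source)
        if label != "corporate":
            suspects.setdefault(target, []).append((source, label, account))
    return suspects


if __name__ == "__main__":
    for target, hits in hunt_stranger_hosts(SAMPLE_AUTHS).items():
        for source, label, account in hits:
            print("%s <- %s (%s) as %s" % (target, source, label, account))
```

The 'off_convention' bucket will contain legitimate oddities (build agents, appliances); the point is that every name outside the convention gets an owner, not that each is malicious.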

More on LinkedIn: https://www.linkedin.com/posts/clementrouault_threathunting-cybersecurity-soc-activity-7388881770689232896-URYg

5. Fingerprinting via PE Sections

The Concept: Executable sections (.text, .data) tell a story.

The Hunt: Analyze the attributes and names of PE sections.

The Red Flags:

The Pro Tip: Use the combination of section names and sizes as a unique fingerprint to clusterize malware variants across your environment.
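An added example, not code from the original post: a standard-library parser for the PE section table, a few section-attribute heuristics (writable-and-executable sections, sections with no data on disk, non-standard names), and the “names + sizes” fingerprint suggested above. The sample PE bytes are constructed by build_sample_pe() so the script runs offline; real samples would be read from disk.

```python
# Added example (not from the ExaTrack post): parse a PE section table,
# raise red flags on section attributes and derive a names+sizes fingerprint.
# SAMPLE_PE is a constructed minimal header-only image, not a real binary.
import hashlib
import struct

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
# Section names emitted by mainstream compilers/linkers (MSVC, MinGW)
COMMON_NAMES = {".text", ".data", ".rdata", ".bss", ".idata", ".edata",
                ".pdata", ".rsrc", ".reloc", ".tls", ".CRT", ".xdata"}


def parse_sections(data):
    """Return the IMAGE_SECTION_HEADER entries of a PE image as dicts."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                # IMAGE_FILE_HEADER
    num_sections, = struct.unpack_from("<H", data, coff + 2)
    opt_size, = struct.unpack_from("<H", data, coff + 16)
    table = coff + 20 + opt_size                       # section table follows the optional header
    sections = []
    for i in range(num_sections):
        off = table + i * 40                           # each header is 40 bytes
        name, vsize, _vaddr, raw_size = struct.unpack_from("<8sIII", data, off)
        chars, = struct.unpack_from("<I", data, off + 36)
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"),
                         "virtual_size": vsize, "raw_size": raw_size,
                         "characteristics": chars})
    return sections


def section_red_flags(sections):
    """Heuristics over one binary's sections; each hit is (section name, reason)."""
    flags = []
    for s in sections:
        c = s["characteristics"]
        if c & IMAGE_SCN_MEM_WRITE and c & IMAGE_SCN_MEM_EXECUTE:
            flags.append((s["name"], "writable and executable (RWX)"))
        if s["raw_size"] == 0 and s["virtual_size"] > 0:
            flags.append((s["name"], "no data on disk but space in memory (unpacking target)"))
        if s["name"] not in COMMON_NAMES:
            flags.append((s["name"], "non-standard section name"))
        if s["name"] == ".text" and not c & IMAGE_SCN_MEM_EXECUTE:
            flags.append((s["name"], ".text without execute permission"))
    return flags


def section_fingerprint(sections):
    """Stable SHA-256 over (name, virtual size, raw size): equal for variants
    built from the same source/packer layout, so it clusters them."""
    desc = "|".join("%s:%d:%d" % (s["name"], s["virtual_size"], s["raw_size"])
                    for s in sections)
    return hashlib.sha256(desc.encode()).hexdigest()


def build_sample_pe(sections):
    """Constructed minimal PE: DOS header, PE signature, COFF header with an
    empty optional header, then section headers (no section data at all)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, 0, 0x22)
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name, vsize, 0x1000 * (i + 1), raw, 0, 0, 0, 0, 0, chars)
        for i, (name, vsize, raw, chars) in enumerate(sections))
    return dos + b"PE\0\0" + coff + table


SAMPLE_PE = build_sample_pe([
    (b".text", 0x5000, 0x5000, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
    (b".data", 0x1000, 0x400, IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
    (b"UPX0", 0x20000, 0, IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE),
])

if __name__ == "__main__":
    secs = parse_sections(SAMPLE_PE)
    print("fingerprint:", section_fingerprint(secs))
    for name, reason in section_red_flags(secs):
        print("%-8s %s" % (name, reason))
```

Run it over a collection with `parse_sections(open(path, "rb").read())` and group files by fingerprint; a cluster that shares a fingerprint but not a file hash is exactly the “same family, different build” case the tip is about.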

More on LinkedIn: https://www.linkedin.com/posts/st%C3%A9fan-le-berre-1aa2b226_threat-hunting-tip-of-the-day-pe-sections-activity-7391466581379428352-8hwt

6. Mastering Your RATs (Remote Access Tools)

The Concept: Attackers love legitimate tools like AnyDesk, TeamViewer, RustDesk, or Supremo because they are signed and rarely flagged by AV.

The Hunt: Identify every RAT on your information system. The list is longer than you think: https://lolrmm.io/

The Strategy: Any RAT not on your “Authorized List” is a threat. We’ve seen state-sponsored actors use AnyDesk for over a decade to maintain a low-profile way back into a network. If a RAT appears on only 1% of your machines, it requires immediate contextualization (installation date, user profile, etc.).

More on LinkedIn: https://www.linkedin.com/posts/clementrouault_hunting-compromission-%C3%AAtes-vous-bien-activity-7394670471583260672-CW_O

7. The Rhythm of Event Logs

The Concept: Threat hunting is about patterns and baselines.

The Hunt: Calculate the daily baseline for routine events (e.g., AV signature updates).

The Anomaly: If a system usually sees 4 updates/day and suddenly jumps to 5, or if a reporting machine suddenly goes silent, investigate. Attackers leave footprints in the “noise” by triggering routine events at irregular frequencies.
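An added example (not from the original post) of the baseline idea: it builds a per-host daily count of one routine event over a window, takes the median as the host's rhythm, and reports days that deviate from it or go silent. The event records are constructed; in practice they come from your SIEM or collected event logs.

```python
# Added example (not from the ExaTrack post): per-host daily baseline for a
# routine event, flagging rate changes and silent days. Records are constructed.
from collections import defaultdict
from datetime import date, timedelta
import statistics

# Constructed (host, day) records for one routine event, e.g. "AV signatures updated"
SAMPLE_EVENTS = (
    [("WS-PAR-0123", "2025-12-%02d" % d) for d in range(1, 8) for _ in range(4)]   # 4 per day
    + [("WS-PAR-0123", "2025-12-05")]                                              # a 5th on Dec 5
    + [("WS-PAR-0124", "2025-12-%02d" % d) for d in range(1, 7) for _ in range(4)]  # silent on Dec 7
)


def daily_counts(events):
    """{host: {date: count}} from (host, 'YYYY-MM-DD') records."""
    counts = defaultdict(lambda: defaultdict(int))
    for host, day in events:
        counts[host][date.fromisoformat(day)] += 1
    return counts


def find_rhythm_anomalies(events, start, end, tolerance=0):
    """Return (host, day, observed, baseline, reason) for every day on which a
    host departs from its median daily count over [start, end]. A day with no
    events while the baseline is positive is reported as 'went silent'."""
    days = [start + timedelta(n) for n in range((end - start).days + 1)]
    anomalies = []
    for host, per_day in daily_counts(events).items():
        series = [per_day.get(d, 0) for d in days]
        baseline = statistics.median(series)
        for d, n in zip(days, series):
            if n == 0 and baseline > 0:
                anomalies.append((host, d.isoformat(), n, baseline, "went silent"))
            elif abs(n - baseline) > tolerance:
                anomalies.append((host, d.isoformat(), n, baseline, "rate changed"))
    return anomalies


if __name__ == "__main__":
    for row in find_rhythm_anomalies(SAMPLE_EVENTS, date(2025, 12, 1), date(2025, 12, 7)):
        print("%s %s: %d events (baseline %s) -> %s" % row)
```

The median keeps a single anomalous day from moving the baseline; `tolerance` lets you absorb the normal jitter of noisier events (scheduled tasks that occasionally run twice, for instance) before a deviation is reported.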

More on LinkedIn: https://www.linkedin.com/posts/st%C3%A9fan-le-berre-1aa2b226_threathunting-dfir-blueteam-activity-7396492807533928449-OP2v

8. The Forensic Gold in Windows Error Reporting (WER)

The Concept: When a process crashes, Windows creates a text report with information about the program and its loaded DLLs.

The Hunt: Check C:\ProgramData\Microsoft\Windows\WER and C:\Users\<user>\AppData\Local\...\WER.

The Anomaly: Attackers are not perfect; their tools (or exploits) often crash. A spike in IIS crashes or crashes in unrecognized modules can reveal a failed DLL injection or a memory corruption attempt months after the attacker has cleaned their primary logs.
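An added example, not from the original post, of turning a WER report into a triage verdict: it parses the key=value lines of a Report.wer file (the Sig[n].Name/Sig[n].Value pairs and the LoadedModule[n] entries), then flags crashes where the faulting module or any loaded module sits outside directories you trust. The report excerpt and the trusted-directory list are constructed/assumed; on disk the reports are UTF-16LE text under the WER folders named above.

```python
# Added example (not from the ExaTrack post): parse a WER Report.wer and flag
# crashes involving modules loaded from untrusted paths. The report text and
# TRUSTED_DIRS are constructed/assumed.
import re

# Assumption: anything outside these roots deserves a look
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# Constructed Report.wer excerpt for an IIS worker-process crash
SAMPLE_REPORT = (
    "Version=1\n"
    "EventType=APPCRASH\n"
    "Sig[0].Name=Application Name\n"
    "Sig[0].Value=w3wp.exe\n"
    "Sig[1].Name=Application Version\n"
    "Sig[1].Value=10.0.20348.1\n"
    "Sig[3].Name=Fault Module Name\n"
    "Sig[3].Value=helper.dll\n"
    "Sig[6].Name=Exception Code\n"
    "Sig[6].Value=c0000005\n"
    "LoadedModule[0]=C:\\Windows\\System32\\inetsrv\\w3wp.exe\n"
    "LoadedModule[1]=C:\\Windows\\SYSTEM32\\ntdll.dll\n"
    "LoadedModule[2]=C:\\ProgramData\\cache\\helper.dll\n"
)


def parse_wer_report(text):
    """Reduce a Report.wer to the fields a hunter cares about."""
    sigs, modules, fields = {}, [], {}
    for line in text.splitlines():
        if "=" not in line:
            continue
        key, value = line.split("=", 1)
        m = re.match(r"Sig\[(\d+)\]\.(Name|Value)$", key)
        if m:
            sigs.setdefault(int(m.group(1)), {})[m.group(2)] = value
        elif key.startswith("LoadedModule["):
            modules.append(value)
        else:
            fields[key] = value
    named = {s["Name"]: s.get("Value") for s in sigs.values() if "Name" in s}
    return {"event_type": fields.get("EventType"),
            "app": named.get("Application Name"),
            "fault_module": named.get("Fault Module Name"),
            "exception": named.get("Exception Code"),
            "modules": modules}


def untrusted_modules(report, trusted=TRUSTED_DIRS):
    """Loaded modules whose path does not start with a trusted root."""
    return [m for m in report["modules"] if not m.lower().startswith(trusted)]


def triage_crash(text, trusted=TRUSTED_DIRS):
    """Return (score, reasons); any score above 0 deserves an analyst's look."""
    r = parse_wer_report(text)
    reasons = []
    bad = untrusted_modules(r, trusted)
    if bad:
        reasons.append("modules outside trusted dirs: %s" % ", ".join(bad))
    fault = (r["fault_module"] or "").lower()
    if fault and any(m.lower().endswith("\\" + fault) for m in bad):
        reasons.append("faulting module is itself untrusted: %s" % r["fault_module"])
    if r["exception"] == "c0000005":
        reasons.append("access violation in %s" % r["app"])
    return len(reasons), reasons


if __name__ == "__main__":
    score, why = triage_crash(SAMPLE_REPORT)
    print("score %d" % score)
    for line in why:
        print(" -", line)
```

Run `triage_crash(open(path, encoding="utf-16").read())` over every Report.wer collected from the paths above and sort by score; a w3wp.exe crash whose faulting module lives under ProgramData is the kind of record that survives long after event logs have been cleared.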

More on LinkedIn: https://www.linkedin.com/posts/st%C3%A9fan-le-berre-1aa2b226_threathunting-dfir-blueteam-activity-7399098234331164672-Qk66

9. ZoomInfo: The Legitimate Stealer

The Concept: Some B2B tools behave exactly like malware. ZoomInfo’s “Contact Contributor” is a prime example.

The Hunt: Look for ZoomInfoContactContributor.exe or processes signed by “Zoom Information Inc.”

The Risk: This tool scrapes Outlook contacts and email subjects to feed its database. It often persists via a registry “RUN” key pointing to a .bat script in AppData. Even “legitimate” software can constitute a massive data leak risk.

More on LinkedIn: https://www.linkedin.com/posts/clementrouault_zoominfo-cet-outil-b2b-qui-exfiltre-activity-7401562126709895170-XEml

10. The Curious Case of Missing Prefetch Files

The Concept: Prefetch files (.pf) in C:\Windows\Prefetch log resource usage to speed up application loading.

The Hunt: Cross-reference process creation logs (Sysmon Event ID 1 or Security Event ID 4688) with existing .pf files.

The Anomaly: If a process appears in the logs but has no matching .pf file, someone (or something) likely deleted it. No legitimate process should wipe Prefetch files; this is a classic move by meticulous attackers covering their tracks.
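The cross-reference as an added example (not from the original post): it takes the image paths from process-creation events and a directory listing of C:\Windows\Prefetch, matches on the executable name embedded in each .pf filename (NAME.EXE-<8 hex chars>.pf), and returns the executables that ran but have no Prefetch trace. Both inputs are constructed here.

```python
# Added example (not from the ExaTrack post): executables seen in process
# creation events (Sysmon ID 1 / Security ID 4688) that have no matching .pf
# file. Both the event records and the Prefetch listing are constructed.
import os
import re

# Constructed process-creation records: (timestamp, image path)
SAMPLE_PROCESS_EVENTS = [
    ("2025-12-05T08:02:11", r"C:\Windows\System32\cmd.exe"),
    ("2025-12-05T08:02:13", r"C:\Windows\System32\whoami.exe"),
    ("2025-12-05T08:04:40", r"C:\ProgramData\tmp\tool.exe"),
    ("2025-12-05T09:15:02", r"C:\Windows\System32\notepad.exe"),
    ("2025-12-05T09:20:00", r"C:\Windows\System32\cmd.exe"),
]

# Constructed directory listing of C:\Windows\Prefetch (hashes are made up)
SAMPLE_PREFETCH_LISTING = [
    "CMD.EXE-0BD30981.pf",
    "NOTEPAD.EXE-D8414F97.pf",
    "SVCHOST.EXE-36D0A1F9.pf",
]

# Prefetch file names are <EXE NAME>-<8 hex digits>.pf; the hash depends on the path
PF_NAME = re.compile(r"^(?P<exe>.+)-[0-9A-F]{8}\.pf$", re.IGNORECASE)


def prefetched_executables(listing):
    """Executable names (upper case) that have at least one .pf file."""
    names = set()
    for fname in listing:
        m = PF_NAME.match(fname)
        if m:
            names.add(m.group("exe").upper())
    return names


def processes_without_prefetch(events, listing):
    """{EXE NAME: (first time seen, image path)} for executed images with no .pf file."""
    present = prefetched_executables(listing)
    missing = {}
    for ts, image in events:
        exe = os.path.basename(image.replace("\\", "/")).upper()
        if exe not in present and exe not in missing:
            missing[exe] = (ts, image)
    return missing


if __name__ == "__main__":
    for exe, (ts, image) in processes_without_prefetch(SAMPLE_PROCESS_EVENTS, SAMPLE_PREFETCH_LISTING).items():
        print("%s first seen %s (%s): no Prefetch file" % (exe, ts, image))
```

Before calling a gap deliberate, rule out the benign explanations: Prefetch is off by default on Windows Server editions and can be disabled by policy (EnablePrefetcher set to 0), and the Prefetch folder keeps only a bounded number of .pf files, so very old entries roll off. A gap for a process that ran recently on a workstation where other .pf files are being written is the signal this tip is about.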

More on LinkedIn: https://www.linkedin.com/posts/st%C3%A9fan-le-berre-1aa2b226_threathunting-cybersecurity-threathunting-activity-7404188224367132672-jwMU

11. RDP Cache: Looking Over the Attacker’s Shoulder

The Concept: Windows stores small image fragments (64x64 pixels) of RDP sessions in .bmc and .bin files to optimize performance.

The Hunt: Collect files from c:\users\USERNAME\appdata\local\microsoft\terminal server client\cache.

The Pro Tip: Use tools like bmc-tools to reconstruct tiles. At ExaTrack, we run OCR (Optical Character Recognition) on these tiles. If our system detects “mimikatz”, “Advanced IP Scanner” or other suspicious text inside an image fragment, it’s an immediate red flag.

More on LinkedIn: https://www.linkedin.com/posts/clementrouault_threathunting-cybersecurity-soc-activity-7406994015386218497-Pjxe

12. The “Delayed Admin” Pattern (Active Directory)

The Concept: Monitoring the AdminCount attribute.

The Hunt: AdminCount is set to 1 when an account joins a privileged group (Domain Admins, etc.).

The Anomaly: Look for accounts where AdminCount=1 but the attribute was enabled more than two weeks after the account’s creation.

Why it matters: Legitimate admin accounts are usually provisioned with rights immediately. A delayed activation often signals post-compromise privilege escalation (Golden Ticket, DCSync, or manual group manipulation).
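An added example (not from the original post) of the “delayed admin” check: it compares each account's whenCreated with the time its adminCount attribute was last changed and reports those set more than two weeks later. The records are constructed; in a real hunt, whenCreated comes from the user object and the change time from the attribute's replication metadata (the LastOriginatingChangeTime reported by Get-ADReplicationAttributeMetadata for adminCount).

```python
# Added example (not from the ExaTrack post): accounts whose adminCount was set
# long after creation. Records are constructed; the change time would normally
# come from replication metadata for the adminCount attribute.
from datetime import datetime, timedelta

DELAY_THRESHOLD = timedelta(days=14)   # "more than two weeks", as in the tip

# Constructed records: (sAMAccountName, whenCreated, adminCount, adminCount last change)
SAMPLE_ACCOUNTS = [
    ("adm.alice",  "2024-03-01T09:00:00", 1, "2024-03-01T09:05:00"),  # provisioned at once
    ("bob",        "2023-11-20T14:30:00", 0, None),                   # never privileged
    ("svc-backup", "2022-06-15T10:00:00", 1, "2025-12-03T02:14:00"),  # elevated years later
    ("adm.carol",  "2025-01-10T08:00:00", 1, "2025-01-20T08:00:00"),  # 10 days: under threshold
]


def parse_ts(ts):
    return datetime.fromisoformat(ts) if ts else None


def delayed_admins(accounts, threshold=DELAY_THRESHOLD):
    """Return (account, delay in days) for adminCount=1 accounts whose attribute
    was set more than `threshold` after the account was created."""
    hits = []
    for name, created, admin_count, changed in accounts:
        if admin_count != 1 or not changed:
            continue
        delay = parse_ts(changed) - parse_ts(created)
        if delay > threshold:
            hits.append((name, delay.days))
    return sorted(hits, key=lambda h: -h[1])


if __name__ == "__main__":
    for name, days in delayed_admins(SAMPLE_ACCOUNTS):
        print("%s: adminCount set %d days after creation" % (name, days))
```

Two properties of adminCount shape the triage: SDProp sets it shortly after the account enters a protected group, so the change time is a good proxy for the moment of elevation; and it is not cleared when the account leaves the group, so a hit may also be a former admin that was never cleaned up, which is itself worth fixing.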

More on LinkedIn: https://www.linkedin.com/posts/st%C3%A9fan-le-berre-1aa2b226_threathunting-activity-7411785361342889984-nX3x