
Introducing HUNTER Tuning: a New Tool for Driving Behavioral Threat Hunt Detections

Tuning helps efficiently drive towards behavioral threat hunt detections specific to your environment.

Jan 7, 2026

We’re excited to announce Tuning, a new utility in the Guided Threat Hunts feature of HUNTER, the industry’s leading library of behavioral hunt packages and the Hunt Management Module, available on the Verity471 cyber intelligence platform.

In 2025, we introduced a Guided Threat Hunts feature called Pivot Queries, a tool that helps threat hunters decide “what do I do next” with large results after executing an initial hunt. A library of Pivot Queries helps hunters investigate potential malicious artifacts returned after executing an initial query from HUNTER’s library of 700+ behavioral hunt packages. Pivot Queries help users capture inputs — such as hostnames, process names, process IDs and more — to generate pivot queries in over 20 supported EDR, XDR, NDR or SIEM tools.

Query Tuning, a powerful new tool within Guided Threat Hunts, complements Pivot Queries by helping threat hunters tune a query based on results of an executed hunt in their unique environment. The tool provides assistance in composing query changes to narrow results, such as by adding exclusion lists and filtering out other noise. This helps improve analyst efficiency and allows teams to focus on high-quality signals, ultimately helping your team build behavioral detections specific to your environment.

What Does Tuning Help Solve?

Threat hunters often begin with a broad approach when seeking to identify malicious or anomalous behaviors in endpoint, network and cloud-related logs. This approach, however, has the potential to return a large volume of surrounding logs. Tuning helps threat hunters reduce this noise by building exclusion lists based on hunt categories, driving them towards organization-specific behavioral detections. This process all happens as users work through the hunt workflow within HUNTER’s Hunt Management Module.

Tuning embodies guidance from our threat hunt team to assist the user through tuning a query to aggregate or exclude logs returned from the base behavioral hunt. It also helps users tune queries in a consistent, repeatable and reliable manner.

The key benefits of query Tuning include:

  • Improved analyst efficiency when aggregating or excluding logs
  • Assistance in changing queries to narrow hunt results
  • The ability to filter out noise and focus on high-quality signals
  • Guidance towards behavioral detections specific to your environment

How Does Tuning Work?

Threat hunters can access the Tuning utility in the Hunt Management Module’s hunt workbench, a workspace that includes an editor for adding documentation, a selected hunt’s contextualized intelligence and existing documentation. The workbench is where users can make adjustments and modifications to the behavioral query logic.

Selecting Tuning guided assistance helps users to compose changes to a query to narrow results and add exclusion lists to filter out noise from results. The tool, for example, helps threat hunters build out their exclusion lists based on hunt categories, such as process creation, registry modification or file events.

Using Tuning in the HUNTER Workbench

Once a hunt is created in the module’s Hunt Template, and a hunt package has been selected, the user will be able to leverage query Tuning and Pivots to validate malicious behaviors they’re searching for in EDR and SIEM tools.

1. Select HUNTER hunt package. In the example below, the user has selected the “PowerShell Encoded Command Execution” hunt package from HUNTER to view and run the base behavioral hunt package in their selected tool.

Figure 1 - Hunt package workbench - “PowerShell Encoded Command Execution” hunt package

2. Initial results. In this example, executing the PowerShell Encoded Command Execution hunt package in Microsoft Defender returns 15 results that the threat hunter will want to tune and pivot on.

Figure 3 - Microsoft Defender Hunt Package Execution

3. Use Tuning. Selecting the Tuning button, as shown in Figure 4 below, expands the Tuning builder, which helps threat hunters build out their tuning list (exclusions, aggregations) based on the respective hunt package and its results. The user can then combine filters with AND/OR logic, or group filters, according to their desired logic.

Figure 4 - Tuning Builder

4. Tuned out results. After applying the tuning logic, the threat hunter was able to tune out some of the results to help identify interesting artifacts.

Figure 5 - Tuned Defender query

5. Validation. Now that exclusions or aggregations have been applied to the initial base logic and the tuned hunt has returned interesting artifacts, the user can use the Pivot Queries functionality to further investigate the findings.

The threat hunter was able to validate notepad.exe spawning cmd.exe as an abnormal behavior through the process of applying tuning logic and pivoting on interesting artifacts.
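The five-step workflow above, modelled as an added example that is not HUNTER’s own code or query logic: a small Python version of the three stages (a base behavioral hunt for encoded PowerShell execution, tuning with AND/OR-grouped exclusions, and a pivot on the hosts that survive tuning) run over constructed process-creation events. The event fields, the exclusion for a hypothetical monitoring agent, and the list of “normal” parent processes are assumptions for the illustration; in the product the base query is the hunt package’s native Defender query, and the tuning builder composes the exclusions instead of hand-written predicates.

```python
"""Base hunt -> tuning (exclusions with AND/OR grouping) -> pivot, over constructed events."""
import re
from dataclasses import dataclass
from typing import Callable, Iterable, List


@dataclass(frozen=True)
class ProcessEvent:
    """Minimal process-creation record (field names are assumptions, not a vendor schema)."""
    device: str
    file_name: str      # created process image name
    command_line: str   # full command line of the created process
    parent: str         # image name of the process that spawned it
    account: str        # account the process runs under


# Constructed sample telemetry for the illustration (not real data).
EVENTS: List[ProcessEvent] = [
    ProcessEvent("ws-01", "powershell.exe", "powershell.exe -enc SQBFAFgA", "notepad.exe", "jdoe"),
    ProcessEvent("ws-01", "cmd.exe", "cmd.exe /c whoami", "notepad.exe", "jdoe"),
    ProcessEvent("ws-02", "powershell.exe", "powershell.exe -EncodedCommand AAAA", "explorer.exe", "asmith"),
    ProcessEvent("srv-01", "powershell.exe", "powershell.exe -NonInteractive -EncodedCommand ZgB", "monitoringagent.exe", "svc_monitor"),
    ProcessEvent("srv-02", "powershell.exe", "powershell.exe -EncodedCommand ZgB", "monitoringagent.exe", "svc_monitor"),
    ProcessEvent("ws-03", "powershell.exe", "powershell.exe -ExecutionPolicy Bypass -File script.ps1", "explorer.exe", "bob"),
]

# PowerShell accepts unambiguous prefixes of -EncodedCommand; cover the common short forms.
ENCODED_FLAG = re.compile(r"(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\b")
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}

Predicate = Callable[[ProcessEvent], bool]


# --- Stage 1: base behavioral hunt (broad on purpose) -------------------------
def base_hunt(events: Iterable[ProcessEvent]) -> List[ProcessEvent]:
    """Every PowerShell launch whose command line carries an encoded-command switch."""
    return [e for e in events
            if e.file_name.lower() in POWERSHELL_IMAGES and ENCODED_FLAG.search(e.command_line)]


# --- Stage 2: tuning: exclusion filters composed with AND / OR ----------------
def field_equals(name: str, value: str) -> Predicate:
    return lambda e: getattr(e, name).lower() == value.lower()


def all_of(*preds: Predicate) -> Predicate:   # AND grouping
    return lambda e: all(p(e) for p in preds)


def any_of(*preds: Predicate) -> Predicate:   # OR grouping
    return lambda e: any(p(e) for p in preds)


# Assumed exclusion: a known monitoring agent that legitimately runs encoded
# PowerShell under its service account. Both conditions must hold (AND) so a
# different parent, or the same parent under a user account, is still surfaced.
EXCLUSIONS: Predicate = any_of(
    all_of(field_equals("parent", "monitoringagent.exe"), field_equals("account", "svc_monitor")),
)


def tune(results: Iterable[ProcessEvent], exclusion: Predicate = EXCLUSIONS) -> List[ProcessEvent]:
    """Drop results matched by the exclusion list; everything else stays in scope."""
    return [e for e in results if not exclusion(e)]


# --- Stage 3: pivot on the surviving hosts ------------------------------------
NORMAL_PARENTS = {"explorer.exe", "services.exe", "svchost.exe"}   # assumed baseline


def pivot_on_hosts(tuned: Iterable[ProcessEvent], all_events: Iterable[ProcessEvent]) -> List[ProcessEvent]:
    """Look at all process creations on the tuned hosts with an unexpected parent process."""
    hosts = {e.device for e in tuned}
    return [e for e in all_events if e.device in hosts and e.parent.lower() not in NORMAL_PARENTS]


def run_workflow(events: Iterable[ProcessEvent] = EVENTS) -> dict:
    events = list(events)
    initial = base_hunt(events)
    tuned = tune(initial)
    pivots = pivot_on_hosts(tuned, events)
    return {"initial": initial, "tuned": tuned, "pivots": pivots}


if __name__ == "__main__":
    out = run_workflow()
    print(f"base hunt: {len(out['initial'])} results; after tuning: {len(out['tuned'])}")
    for e in out["pivots"]:
        print(f"pivot hit on {e.device}: {e.parent} -> {e.file_name} ({e.command_line})")
```

Run as-is, the base hunt returns four encoded-PowerShell events, tuning removes the two monitoring-agent launches, and the pivot on the remaining hosts surfaces both child processes of notepad.exe on ws-01, the same notepad.exe spawning cmd.exe relationship the walkthrough validates.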

Building on HUNTER’s Core Value to Threat Hunters

Tuning enhances the core value of the HUNTER Hunt Management Module, which is to augment and enhance your hunt team’s hunt methodology and workflows to enable consistent, repeatable and reliable processes.

Guided Threat Hunts on HUNTER helps threat hunt programs implement standard operating procedures (SOPs) that support their methodology for structured threat hunting, which can lower the cost of onboarding new threat hunters while making the team more effective. It also furthers Intel 471’s mission to assist threat hunters to perform more accurate, efficient and consistent hunts for advanced threat behaviors that evade traditional detection methods.

HUNTER’s expanding library of pre-built, intelligence-driven behavioral threat hunt packages helps teams and individuals perform more efficient, accurate and consistent threat hunts for behaviors on all major EDR/XDR, NDR, SIEM and data platforms. The Hunt Management Module enables teams to measure hunt success metrics and efficiently produce reports that demonstrate the hunt program’s return on investment to leadership.

Guided Threat Hunts is a feature of the HUNTER Hunt Management Module on the Verity471 cyber intelligence platform. For more information or a demo, please contact Intel 471.
