Threat Hunting MCP Server

A minimal, modular MCP server that equips your AI with practical capabilities for real-world threat hunting workflows.

Install / Use

/learn @THORCollective/Threat Hunting MCP Server
About this skill

Quality Score

0/100

Supported Platforms

Claude Code
Cursor

README

Threat Hunting MCP Server

A next-generation Model Context Protocol (MCP) server that hunts for behaviors, not indicators. Built on the philosophy that effective threat hunting focuses on adversary Tactics, Techniques, and Procedures (TTPs) at the top of the Pyramid of Pain—the behaviors that are hardest for attackers to change.

Philosophy: Hunt Behaviors, Not Indicators

This MCP server is designed around a core principle from the Pyramid of Pain:

                            ▲
                           ╱ ╲
                          ╱   ╲ 🎯 TOUGH
                         ╱ TTPs╲ ← WE FOCUS HERE
                        ╱———————╲
                       ╱         ╲
                      ╱ 🛠️  Tools ╲
                     ╱—————————————╲
                    ╱               ╲
                   ╱ 📊 Host/Network ╲
                  ╱———————————————————╲
                 ╱                     ╲
                ╱  🌐 Domain Names      ╲
               ╱—————————————————————————╲
              ╱                           ╲
             ╱     🔢 IP Addresses         ╲
            ╱———————————————————————————————╲
           ╱                                 ╲
          ╱       #️⃣  Hash Values             ╲
         ╱—————————————————————————————————————╲

Why behavioral hunting?

  • Hash values → Adversaries change in seconds
  • IP addresses → Adversaries change in minutes
  • Domain names → Adversaries change in hours
  • Network/Host artifacts → Adversaries change in days
  • Tools → Adversaries change in weeks
  • TTPs (Behaviors) → Adversaries change in months/years ✅ Hunt for these!

When you hunt for how adversaries behave rather than what specific indicators they use, you create durable detections that survive indicator rotation and force adversaries to fundamentally change their operations.

Features

Behavioral Hunting Focus

  • TTP-First Approach: All hunts prioritize behavioral patterns over atomic indicators
  • MITRE ATT&CK Integration: Deep integration with technique-level behavioral analytics
  • Behavior Pattern Library: Pre-built detection logic for common adversary behaviors
  • Anti-Evasion Design: Hunt for behaviors that persist across tool/infrastructure changes

Core Hunting Frameworks

  • PEAK Methodology: Prepare, Execute, Act with Knowledge - state-of-the-art framework
  • SQRRL Framework: Hunting Maturity Model (HMM0-HMM4) progression
  • TaHiTI Framework ⭐ NEW: Targeted Hunting integrating Threat Intelligence (3 phases, 6 steps)
  • Intelligence-Driven: Hypothesis-driven hunting using behavioral threat intelligence

Advanced Cognitive Capabilities ⭐ NEW

  • Bias Detection & Mitigation: Identifies confirmation, anchoring, and availability biases
  • Competing Hypotheses Generation: Analysis of Competing Hypotheses (ACH) methodology
  • Confidence Scoring: Multi-factor assessment prioritizing TTP-based detections
  • Hunt Stopping Criteria: Prevents tunnel vision with objective completion metrics
  • Expert Pattern Recognition: Built-in behavioral heuristics from elite threat hunters (88.3% accuracy)

Graph-Based Threat Detection ⭐ NEW

  • Attack Path Analysis: Identifies critical paths from initial compromise to crown jewels
  • Living-off-the-Land Detection: Behavioral detection of LOLBin abuse
  • Pivot Point Identification: Betweenness centrality analysis for key attack nodes
  • Provenance Tracking: Complete data lineage and ancestry chains
  • Multi-Stage Attack Correlation: Reveals patterns invisible in isolation

Deception Technology Integration ⭐ NEW

  • Honeytoken Deployment: Fake AWS keys, passwords, SSH keys, API tokens
  • Strategic Placement: Browser history, .env files, config files, memory dumps
  • Decoy Systems: Indistinguishable fake servers, workstations, databases
  • Canary Files: Executive documents, credentials, source code with embedded beacons
  • High-Confidence Detection: 95-99% confidence with <1% false positive rate

Community Knowledge Base ⭐ NEW

  • HEARTH Integration: Access 50+ community-curated threat hunting hypotheses
  • Hypothesis-Driven Hunts (Flames): Real-world attack scenarios from practitioners
  • Baseline Hunts (Embers): Environmental baselining and exploratory analysis
  • Model-Assisted Hunts (Alchemy): ML and algorithmic detection approaches
  • AI-Powered Recommendations: Personalized hunt suggestions for your environment
  • Tactic Coverage Analysis: Identify gaps across MITRE ATT&CK tactics
  • Incident-Based Suggestions: Get relevant hunts based on incident descriptions

Traditional Capabilities

  • Natural Language Processing: Convert behavioral hunt requests into executable queries
  • Atlassian Integration: Confluence and Jira for knowledge management
  • Splunk Integration: TTP-focused hunting queries using Splunk SDK
  • MITRE ATT&CK Framework: Comprehensive technique and sub-technique mapping
  • Security Controls: Authentication, encryption, audit logging, rate limiting
  • Caching & Performance: Redis-based caching for optimal performance

Behavioral Hunting Examples

What We Hunt For (Top of Pyramid)

✅ Good: Behavioral Patterns (TTPs)

  • Process injection techniques (T1055.*) - behavior persists across tools
  • LSASS memory access patterns - fundamental credential theft behavior
  • Lateral movement via remote services - core post-compromise behavior
  • Living-off-the-Land binaries (LOLBins) - detection-evasion behavior
  • Parent-child process anomalies - execution pattern behaviors
  • Kerberoasting patterns - Active Directory attack behaviors

❌ Avoid: Atomic Indicators (Easy to Change)

  • Specific malware hashes - trivial to modify
  • Known-bad IP addresses - adversaries rotate rapidly
  • C2 domain names - disposable infrastructure
  • Specific file paths - easily changed

Behavioral Hunt Examples

Example 1: Credential Access Behavior

Hunt for: Any process accessing LSASS memory (T1003.001)
Why: This behavior is required for credential theft, regardless of the tool
Tools that use it: Mimikatz, ProcDump, custom malware
Detection persists: Even when tools change

Example 2: Lateral Movement Behavior

Hunt for: Remote execution patterns via WMI/DCOM/SMB (T1021.*)
Why: Fundamental behavior for spreading through networks
Tools that use it: PsExec, Impacket, WMIC, custom tools
Detection persists: Even with infrastructure/tool rotation

Example 3: Defense Evasion Behavior

Hunt for: Process injection patterns (T1055.*)
Why: Core evasion technique requiring specific OS API calls
Tools that use it: Cobalt Strike, Metasploit, custom loaders
Detection persists: API call patterns remain consistent
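As an added example (not code from the Threat Hunting MCP Server project), the three behaviors above rendered as detection rules over constructed endpoint telemetry, beside a hash-based IOC rule, to show which matches survive tool and hash rotation. The event fields, the access-mask handling, the hypothetical IOC value and the parent-process list are assumptions made for this illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Hypothetical hash-based IOC: one known build of a credential-dumping tool (constructed value).
KNOWN_BAD_SHA256 = {"a1" * 32}
# Service processes that parent commands during remote execution (behavioral, not tool-specific).
REMOTE_EXEC_PARENTS = {"wmiprvse.exe", "psexesvc.exe"}
PROCESS_VM_READ = 0x0010  # Windows access right required to read another process's memory


@dataclass(frozen=True)
class Event:
    """One constructed process-telemetry record (fields are assumptions for this example)."""
    process: str            # image name of the acting process
    sha256: str             # hash of that image
    parent: str             # image name of its parent process
    target: Optional[str]   # process whose memory was opened, if any
    access: Optional[int]   # access mask requested on that handle, if any

def match_hash_ioc(ev: Event) -> bool:
    """Bottom of the pyramid: fires only on a hash the adversary can rebuild in seconds."""
    return ev.sha256 in KNOWN_BAD_SHA256

def match_lsass_read(ev: Event) -> bool:
    """T1003.001 behavior: any process reading LSASS memory, whatever its name or hash."""
    return (ev.target or "").lower() == "lsass.exe" and bool((ev.access or 0) & PROCESS_VM_READ)

def match_remote_exec_child(ev: Event) -> bool:
    """T1021.* behavior: a shell spawned by a remote-execution service, whichever tool drove it."""
    return ev.parent.lower() in REMOTE_EXEC_PARENTS and ev.process.lower() in {"cmd.exe", "powershell.exe"}

RULES = {"hash_ioc": match_hash_ioc, "lsass_read": match_lsass_read, "remote_exec_child": match_remote_exec_child}

def hunt(events: List[Event]) -> Dict[str, List[str]]:
    """Run every rule over the telemetry and return the matching process names per rule."""
    return {name: [ev.process for ev in events if rule(ev)] for name, rule in RULES.items()}

# Constructed telemetry: the known tool, the same behavior from a rebuilt and renamed tool,
# a WMI-spawned shell, and benign noise.
SAMPLE_EVENTS = [
    Event("mimikatz.exe", "a1" * 32, "cmd.exe", "lsass.exe", 0x1010),
    Event("updsvc.exe", "b2" * 32, "explorer.exe", "lsass.exe", 0x1410),  # new hash, new name
    Event("cmd.exe", "c3" * 32, "wmiprvse.exe", None, None),
    Event("notepad.exe", "d4" * 32, "explorer.exe", None, None),
]

if __name__ == "__main__":
    for rule, hits in hunt(SAMPLE_EVENTS).items():
        print(f"{rule:18} -> {hits}")  # hash_ioc catches one event; lsass_read catches both dumpers
```

In a real environment some security products also read LSASS memory, so lsass_read matches are hunt leads to baseline against known-good readers (the "Embers" style of hunt above), not verdicts.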

Getting Started with Behavioral Hunting

New to behavioral hunting? Start with these resources:

  1. Quick Reference Card - One-page behavioral hunting cheat sheet
  2. Behavioral Hunting Guide - Complete guide to hunting behaviors vs indicators
  3. PEAK Hunt Example - Complete example hunt report using PEAK Framework
  4. HEARTH Community Hunts - 50+ real-world behavioral hunt hypotheses
  5. PEAK Template - Official PEAK Framework template from THOR Collective

Quick Behavioral Hunt Examples

Try these natural language queries focused on behaviors:

# Credential Access Behaviors
"Hunt for any process accessing LSASS memory (T1003.001)"
"Find credential dumping patterns regardless of tool used"

# Lateral Movement Behaviors
"Detect lateral movement via remote execution (T1021.*)"
"Hunt for RDP/WMI/PsExec execution patterns"

# Process Injection Behaviors
"Find process injection into system processes (T1055)"
"Detect CreateRemoteThread patterns across all tools"

# Living-off-the-Land Behaviors
"Hunt for PowerShell download cradles (T1059.001)"
"Detect LOLBin abuse patterns (certutil, bitsadmin, etc.)"

# Command and Control Behaviors
"Find C2 beaconing patterns regardless of infrastructure"
"Detect DNS tunneling behaviors (T1071.004)"

Notice: These focus on adversary behaviors that persist across tool/infrastructure changes, not specific IOCs that change hourly.


Architecture

Core Components

  1. Hunt Frameworks

    • PEAK/SQRRL (src/frameworks/hunt_framework.py)
      • PEAK methodology implementation
      • SQRRL framework components
      • Intelligence-driven hunting approach
    • TaHiTI (src/frameworks/tahiti.py) ⭐ NEW
      • 3-phase methodology (Initialize, Hunt, Finalize)
      • 6-step process with continuous threat intelligence integration
      • Hunt backlog management and prioritization
      • Automated handover to security processes
  2. Cognitive Module (src/cognitive/hunter_brain.py) ⭐ NEW

    • Expert threat hunter cognitive patterns
    • Bias detection (confirmation, anchoring, availability)
    • Competing hypotheses generation (ACH methodology)
    • Multi-factor confidence scoring
    • Hunt stopping criteria and decision engine
    • Investigation question generation
  3. Graph Correlation Engine (src/correlation/graph_engine.py) ⭐ NEW

    • Attack graph construction and analysis
    • Living-off-the-Land (LOLBin) detection
    • Attack path identification (initial compromise → crown jewels)
    • Pivot point detection via betweenness centrality
    • Provenance tracking and lineage analysis
    • Process relationship analysis
  4. Deception Manager (src/deception/honeytokens.py) ⭐ NEW

    • Honeytoken generation and deployment
    • Decoy system management
    • C
GitHub Stars: 10
Category: Development
Updated: 1d ago
Forks: 5

Languages

Python

Security Score

80/100

Audited on Mar 18, 2026

No findings