High-Impact TTPs to Hunt For: Reconnaissance, Persistence, and Data Exfiltration

If You Can Hunt Three Things Well, Hunt These

Threat hunting becomes valuable when it focuses on behaviors that materially change business risk. While attackers use dozens of tactics and techniques, three categories consistently determine whether an intrusion becomes a contained event—or a reputational and financial crisis:

1. Reconnaissance – the attacker is learning your environment and identifying targets.

2. Persistence – the attacker is ensuring they can return, even if discovered.

3. Data Exfiltration – the attacker is removing value from your organization: customer data, intellectual property, credentials, or funds.

At Dawgen Global, we consider these three “high-impact” because they are the phases where:

• the attacker’s intent becomes clearer,

• the organization still has a window to interrupt escalation, and

• the consequences of failure rise sharply—regulatory scrutiny, customer trust erosion, and long-term operational disruption.

This article outlines what these TTPs(Tactics, Techniques, and Procedures.) look like in real environments, how to hunt for them without drowning in noise, and how to translate findings into measurable resilience improvements.

1. Reconnaissance: The Quiet Phase That Precedes Big Damage

Reconnaissance is not always dramatic. It often looks like legitimate activity—because sophisticated attackers don’t begin by detonating malware. They begin by mapping.

They ask questions such as:

• Which accounts are privileged?

• Where are the crown jewels (finance systems, HR data, customer databases)?

• Which servers are exposed?

• Which cloud roles can be abused?

• What security controls exist—and how do we avoid them?

Why executives should care about reconnaissance

Reconnaissance is the attacker “getting ready.” If you detect reconnaissance early, you often prevent:

• lateral movement into critical systems,

• privilege escalation,

• ransomware deployment, and

• data theft.

In other words, reconnaissance detection is prevention by discovery.

Common reconnaissance behaviors to hunt

A. Account and privilege discovery
Indicators include:

• unusual enumeration of users and groups,

• repeated queries of directory services,

• access patterns focused on admin group membership,

• command usage consistent with discovery (particularly from non-admin endpoints).

B. Network and host discovery
Look for:

• internal scanning behavior,

• repeated connection attempts to multiple hosts/ports,

• rapid “touching” of systems that do not typically interact,

• discovery of file shares, domain controllers, or virtualization platforms.

C. Cloud reconnaissance
In cloud environments, reconnaissance often appears as:

• listing resources,

• querying role assignments,

• inspecting storage buckets or repositories,

• enumerating access keys or service principals.

Practical hunting questions for reconnaissance

• Which endpoints generated the highest volume of “discovery-like” commands this week?

• Which users accessed directory objects they never touch during normal work?

• Which hosts initiated connections to many internal targets in a short time window?

• Are there cloud identities performing unusually broad “list” operations across resources?

What to do when you find it

Reconnaissance findings should trigger a structured response:

• validate the user and device legitimacy,

• examine the authentication context (device posture, geography, time-of-day),

• check for adjacent indicators (privilege changes, new scheduled tasks, unusual outbound connections), and

• tighten controls if the activity is legitimate but risky (e.g., restrict discovery tooling, reduce privileged exposure).

The point is not to panic on every scan. The point is to identify when “learning the environment” is inconsistent with business purpose.

2. Persistence: The Attacker’s Insurance Policy

Persistence is how adversaries return. It is the mechanism that makes a one-time intrusion become a recurring risk.

Organizations often believe they are “clean” after password resets and system restoration—only to experience a second incident because the attacker left behind a reliable way to regain access.

Why persistence is high-impact

Persistence:

• undermines recovery confidence,

• extends dwell time,

• increases exposure windows for theft or fraud, and

• can make executive reporting unreliable (“we removed the threat” becomes “we were wrong”).

From a governance perspective, persistence is also the most embarrassing category of failure because it signals that remediation was incomplete.

Common persistence techniques to hunt

A. New or modified accounts

• creation of new local admin accounts,

• unauthorized directory account creation,

• suspicious service account changes,

• abnormal password resets or MFA re-enrollment patterns.

B. Scheduled tasks and job automation
Attackers frequently use scheduled tasks or cron jobs to re-execute payloads, re-establish connections, or maintain access.

Hunt for:

• newly created scheduled tasks on critical servers,

• task names that mimic system services,

• tasks executing from unusual directories,

• tasks created by accounts that normally do not administer that host.

C. Services, startup items, autoruns
Persistence may appear as:

• new services installed,

• registry autorun keys modified,

• startup folder additions,

• remote management tools configured silently.

D. Remote access tooling
Even “legitimate” remote admin tools can become persistence mechanisms if installed or configured outside policy:

• remote desktop enablement where it was previously disabled,

• new VPN profiles,

• new remote management agents,

• SSH keys placed on servers.

E. Cloud persistence
Cloud persistence is increasingly common and frequently overlooked. It can involve:

• creation of new application registrations,

• new OAuth consent grants,

• new access keys, tokens, or service principals,

• role assignments that quietly grant long-term access.

Practical hunting questions for persistence

• What new scheduled tasks, services, or startup entries appeared in the last 7–30 days on critical assets?

• Which accounts were added to privileged groups recently—and what was the approving change record?

• Which cloud identities created new app registrations, access keys, or role assignments?

• Are there remote access configurations enabled on systems that typically do not require them?

What to do when you find it

Persistence findings should be handled with discipline:

• preserve evidence before removal (especially if legal, insurance, or regulatory exposure is possible),

• isolate the affected host/account where warranted,

• remove the persistence mechanism and close the enabling condition, and

• perform a broader sweep—because persistence rarely exists in only one place.

A mature organization treats persistence as a signal to widen the lens, not narrow it.

3. Data Exfiltration: The Moment a Cyber Event Becomes a Business Crisis

Exfiltration is not always obvious. Attackers rarely “drag and drop” data out of your environment in a single burst. They often:

• identify sensitive stores,

• stage data internally,

• compress and encrypt it, and

• send it out slowly or through channels that blend in.

Why exfiltration is high-impact

Exfiltration is where:

• regulatory obligations expand,

• reputational damage accelerates, and

• litigation and contractual exposures become more likely.

For leadership, exfiltration risk must be answered clearly:

• What was accessed?

• What was removed?

• Can we prove it—or is it uncertain?

The quality of your answer depends on your logging maturity and your forensic discipline.

Common exfiltration behaviors to hunt

A. Data staging
Look for:

• creation of large archives (zip/rar/7z),

• unexpected compression activity on file servers,

• staging in unusual directories (temp folders, hidden paths),

• large volumes of reads from sensitive databases without corresponding business processes.

B. Unusual outbound transfers
Indicators include:

• large outbound spikes from servers that usually do not send large volumes,

• outbound traffic to new or rare destinations,

• repeated outbound connections to endpoints not used for business,

• unusual protocols or ports for data movement.

C. “Living off the land” exfiltration
Attackers often use built-in tools or normal channels:

• cloud storage sync services,

• email forwarding rules,

• legitimate admin tooling,

• web uploads via common endpoints.

D. DNS tunneling and covert channels
More advanced exfiltration may involve:

• excessive DNS queries with unusual lengths,

• frequent outbound connections with minimal response patterns,

• encrypted outbound traffic to rare domains.

E. Cloud exfiltration
In cloud environments, exfiltration may look like:

• mass download of object storage,

• snapshot exports,

• unusual API calls to list and retrieve large datasets,

• token misuse enabling broad access.

Practical hunting questions for exfiltration

• Which systems generated the largest outbound data volumes this week—are they expected?

• Which destinations are newly observed, rare, or inconsistent with business purpose?

• Are there signs of mass file reads followed by archive creation?

• Are privileged identities performing unusual export or download operations in cloud services?

• Are there unusual email forwarding rules or mailbox access patterns?

What to do when you find it

Exfiltration indicators require immediate coordination:

• contain the pathway (block destinations, isolate systems, disable compromised identities),

• preserve evidence (logs, flows, endpoint artifacts),

• assess scope (what data stores were accessed, what records are implicated), and

• prepare stakeholder-ready reporting (executive, legal, regulatory, customer-facing as needed).

Most importantly: do not claim certainty where evidence is incomplete. Mature handling distinguishes confirmed facts from plausible risk.

4. How to Hunt These TTPs Without Overwhelming Your Team

Threat hunting fails when it becomes either too broad (“look at everything”) or too narrow (“only search for a known IOC”). Hunting Recon, Persistence, and Exfiltration works best when you:

A. Start with critical assets and privileged identities

Focus first on:

• domain controllers and identity systems,

• finance and payment platforms,

• customer databases,

• email systems,

• cloud admin roles and keys.

These are where reconnaissance, persistence, and exfiltration are most consequential.

B. Use baselining and “rare behavior” logic

A powerful principle:

• Most legitimate business activity repeats.

• Most attacker activity is unusual in context.

Use frequency-based approaches (including stack counting) to quickly surface rare behaviors, then validate them.

C. Treat hunts as capability-building, not one-off projects

Every hunt should improve the program by:

• generating new detection rules,

• identifying logging gaps,

• informing control improvements, and

• producing governance-friendly reporting.

If the hunt doesn’t change anything, it wasn’t a hunt—it was a review.

5. Turning Findings Into Governance-Level Improvements

Threat hunting is not complete when you identify suspicious activity. It is complete when the organization becomes harder to compromise.

High-impact improvements often include:

• tightening privileged access and reducing standing admin privileges,

• enforcing MFA/conditional access and strengthening identity governance,

• improving log retention and visibility on key systems,

• restricting discovery tooling to approved admin contexts,

• segmentation improvements to limit lateral movement,

• outbound egress controls and monitoring to reduce exfiltration paths,

• cloud policy hardening around keys, tokens, and app registrations.

This is where threat hunting becomes business value: it turns invisible risk into measurable action.

6. The Dawgen Global View: Why These Three TTPs Are a Strategic Starting Point

Organizations can hunt dozens of behaviors, but most do not have infinite time or people. Reconnaissance, persistence, and exfiltration are the optimal starting point because:

• Reconnaissance reveals intrusions early, before major damage.

• Persistence validates whether recovery is real or cosmetic.

• Exfiltration determines whether the incident triggers significant regulatory and reputational exposure.

Hunting these three consistently improves:

• assurance (“we have validated key risk areas”),

• resilience (“we reduced the attacker’s freedom of movement”), and

• defensibility (“we can explain what we found and what we did about it”).

Find the Behaviors That Lead to Crisis—Before They Become One

Threat hunting succeeds when it focuses on the behaviors that change outcomes. Reconnaissance, persistence, and data exfiltration are not abstract cybersecurity concepts. They are the building blocks of breaches that end up in board reports, regulatory filings, and headlines.

Organizations that hunt these TTPs (Tactics, Techniques, and Procedures) consistently are less likely to be surprised, less likely to suffer repeat incidents, and more likely to respond with confidence and credibility.

In modern cyber defense, the goal is not simply to detect. The goal is to validate, interrupt, and improve.

Next Step: Consultation and RFP Support

If your organization wants to reduce hidden cyber risk, establish a practical threat hunting capability, or prioritize high-impact hunts aligned to your most critical assets, Dawgen Global can help.

We support clients with:

• threat hunting program design and execution

• identity, endpoint, network, and cloud-focused hunting

• detection engineering to operationalize hunt findings

• executive reporting and governance-aligned recommendations

• consultation and RFP proposal support for cyber resilience programs

Email: [email protected]
Website: https://dawgen.global
Telephone Contact Centre: Caribbean: 876-9293670 | 876-9293870 | USA: 855-354-2447
WhatsApp Global: +1 555 795 9071

Dawgen Global — helping organizations make smarter, more effective decisions against modern cyber threats.

 

About Dawgen Global