Product
Pathfinder AI - Data Onboarding - Public Preview
Pathfinder Data Onboarding (also known as Democratize Data) is now available in public preview, with new capabilities that let you bring custom data into the Hunters platform.
You can now onboard data from your own S3 buckets directly into Hunters. Once ingested, your data is automatically mapped to the OCSF (Open Cybersecurity Schema Framework) data model, making it immediately available for detection and investigation workflows without manual schema configuration.
This means security teams can analyze data sources that aren't covered by built-in integrations, while maintaining compatibility with the Hunters detection and investigation engines.
Pathfinder AI - Organizational Context - Public Preview
We are pleased to announce the public preview of the new Pathfinder organizational context capability, now rolling out.
This feature enhances investigations by letting you add relevant organizational context for Pathfinder to use.
During this preview phase, you create this context manually. Future plans include capabilities for Pathfinder to generate organizational context automatically.
To participate in future previews or for any related questions, please contact us.
Security Content
AXON Threat Hunting Report
Suspicious File Created in Windows Startup Folder
Team AXON has identified cases where adversaries abuse the Windows Startup Folder to maintain persistence. This technique takes advantage of standard operating system behavior, where programs placed in Startup directories are automatically launched when a user logs in. By adding malicious files to these locations, attackers can ensure their code runs consistently, allowing them to maintain access and continue operating within the environment over time.
The hunt targeted multiple file types, including executables, Windows-native scripts, and commonly used third-party scripting files; the latter run at logon only if the relevant interpreter is installed and configured to handle them.
The threat hunting campaign focused on the period between March 7, 2026, and June 7, 2026. If any results were found in your environment, they are included in the “Hunting Results” section of this report.
More details and findings (if any) can be found on the Hunters platform under “Axon Reports”.
New detectors
Suspicious File Created in Windows Startup Folder
Detects suspicious file creation activity within Windows Startup folder locations, which may indicate persistence attempts by malware or attackers.
The Windows Startup folder is a common persistence mechanism that allows applications, scripts, and shortcut files to execute automatically when a user logs into the operating system. Because of this behavior, attackers frequently abuse Startup folder locations to maintain persistence on compromised hosts.
This detector analyzes file creation events within Windows Startup folder paths and identifies suspicious or anomalous activity associated with newly created files.
The detection focuses on files linked to suspicious process behavior, risky reputation indicators, or unusual persistence patterns that may represent malware installation or post-compromise attacker activity.
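The following is an added example (not Hunters or Team AXON code) of the path-matching core of the Startup folder detector and the AXON hunt described above: it checks file-creation events against the per-user and all-users Startup folders and classifies the created file by extension, marking third-party scripts that only execute if an interpreter is present. The events, hostnames, user names and field names are constructed for the example; the reputation and process-behavior checks the detector also applies are not modeled here.

```python
import re

# Constructed file-creation events (not real telemetry). Hostnames, users and
# paths are invented; the field names are an assumption, not the Hunters schema.
EVENTS = [
    {"host": "ws01", "user": "alice", "path": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.vbs"},
    {"host": "ws01", "user": "alice", "path": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\notes.txt"},
    {"host": "srv02", "user": "SYSTEM", "path": r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\svc.exe"},
    {"host": "ws03", "user": "bob", "path": r"C:\Users\bob\Documents\Startup\run.bat"},
    {"host": "ws04", "user": "carol", "path": r"C:\Users\carol\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sync.py"},
]

# Default per-user and all-users Startup folders, matched case-insensitively.
# Only files directly inside the folder count; subdirectories are not auto-run.
USER_STARTUP = re.compile(
    r"(?i)^[a-z]:\\Users\\[^\\]+\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\[^\\]+$")
COMMON_STARTUP = re.compile(
    r"(?i)^[a-z]:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\[^\\]+$")

# File classes grouped the way the hunt groups them. Third-party scripts only
# run at logon if the matching interpreter is installed and registered.
CATEGORIES = {
    "executable": {"exe", "com", "scr", "pif"},
    "shortcut": {"lnk"},
    "windows_script": {"bat", "cmd", "vbs", "vbe", "js", "jse", "wsf", "wsh", "ps1", "hta"},
    "third_party_script": {"py", "pyw", "rb", "pl", "php"},
}
NEEDS_INTERPRETER = {"third_party_script"}


def startup_scope(path):
    """Return 'user', 'all-users', or None if the path is not a Startup folder entry."""
    if USER_STARTUP.match(path):
        return "user"
    if COMMON_STARTUP.match(path):
        return "all-users"
    return None


def file_category(path):
    """Map the file extension to one of CATEGORIES, or None for uninteresting files."""
    name = path.rsplit("\\", 1)[-1]
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    for cat, exts in CATEGORIES.items():
        if ext in exts:
            return cat
    return None


def evaluate(event):
    """Produce a lead for a file created in a Startup folder with an auto-run-capable type."""
    scope = startup_scope(event["path"])
    if scope is None:
        return None
    cat = file_category(event["path"])
    if cat is None:
        return None
    return {
        "host": event["host"],
        "user": event["user"],
        "path": event["path"],
        "scope": scope,
        "category": cat,
        "needs_interpreter": cat in NEEDS_INTERPRETER,
    }


def hunt(events):
    """Run evaluate() over a batch of file-creation events and keep the leads."""
    return [lead for lead in map(evaluate, events) if lead]


if __name__ == "__main__":
    for lead in hunt(EVENTS):
        print(lead)
```

Running it yields three leads: the VBScript and the Python file in per-user Startup folders (the Python one flagged as interpreter-dependent) and the executable in the all-users folder; the text file and the file under Documents\Startup are ignored.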
Suspicious User-Agent Observed in Sign-In Activity
Detects unified login events whose User-Agent matches known attack-tool signatures (e.g. TruffleHog, Kali).
Analysts should validate whether the tool is authorized, then review IP, identity, and session context, and respond if malicious.
Microsoft 365 Defender Copilot Prompt Injection 3rd Party Alert
This new 3rd party detector surfaces Microsoft 365 Defender alerts for prompt injection attacks against Copilot.
The Microsoft 365 Defender 3rd party alert detects attempts to manipulate Copilot through malicious instructions. This includes Direct Prompt Injection (UPIA, User Prompt Injection Attack), where the attacker interacts directly with the AI, and Indirect Prompt Injection (XPIA, Cross/External Prompt Injection Attack), where malicious prompts are hidden in external sources such as emails, documents, web pages, or shared content that Copilot processes.
Azure Service Principal Sign-In via Unusual User Agent Category
Detects when an Azure SPN successfully logs in using a new user agent category it has never used before.
An Azure Service Principal typically uses the same set of user agents to do its job every day, so its sign-ins are fairly predictable. A sudden change in the type of user agent an SPN uses when signing in is a possible indicator of stolen credentials.
This detector tracks the user agent categories each SPN normally uses over a learning period and generates a lead whenever an SPN suddenly switches to a user agent category that was not seen in the baseline it learned for that SPN.
Suspicious User-Agent Observed in Azure Non-Interactive/SPN Sign In Activity
Detects Azure SPN/non-interactive successful sign-in events whose User-Agent matches known attack-tool signatures (e.g., TruffleHog, Kali).
This detector has the same logic as the generic “Suspicious User-Agent Observed in Sign-In Activity” detector, but is limited to Azure SPN logons, which the generic detector does not cover.
It extends the existing detector for suspicious user agents in user login activity. The original detector processes the unified sign-in event data source, which leaves two gaps addressed here: sign-ins by Service Principals (SPNs) rather than standard user accounts, and non-interactive sign-ins.
Non-interactive and SPN sign-ins are usually automated, consistent, and predictable. When a known attack tool initiates the login, it can indicate unauthorized access via stolen credentials.
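As an added example (not Hunters' own detector code), the block below implements both sign-in detectors described above over a constructed batch of events: the attack-tool User-Agent signature match in its generic and SPN/non-interactive-only forms, and the per-SPN learning baseline that raises a lead when an SPN signs in with a user agent category it never used during its learning period. The signature list, the user agent categories, the learning window, and every principal, IP and User-Agent string are assumptions made for the example; the page does not define Hunters' actual categories or signatures.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Attack-tool User-Agent signatures. The page names TruffleHog and Kali as
# examples; this pattern is an assumption for the example, not the real list.
ATTACK_TOOL_UA = re.compile(r"(?i)\b(trufflehog|kali)\b")

# Constructed sign-in events (not real telemetry). Principals, IPs and UA
# strings are invented. "kind" separates interactive user sign-ins ("user")
# from SPN and non-interactive ones.
SIGNINS = [
    {"time": "2026-05-01T02:00:00", "principal": "backup-svc", "kind": "spn",
     "ua": "azsdk-python-storage-blob/12.19.0 Python/3.11.4 (Linux-5.15)", "ip": "10.0.0.5"},
    {"time": "2026-05-02T02:00:00", "principal": "backup-svc", "kind": "spn",
     "ua": "azsdk-python-storage-blob/12.19.0 Python/3.11.4 (Linux-5.15)", "ip": "10.0.0.5"},
    {"time": "2026-05-20T14:07:00", "principal": "backup-svc", "kind": "spn",
     "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0.0.0 Safari/537.36", "ip": "203.0.113.7"},
    {"time": "2026-05-03T09:00:00", "principal": "ci-deploy", "kind": "spn",
     "ua": "AZURECLI/2.58.0 azsdk-python-core/1.30.0 Python/3.11.8 (Linux-6.5)", "ip": "10.0.1.9"},
    {"time": "2026-05-22T09:00:00", "principal": "ci-deploy", "kind": "spn",
     "ua": "AZURECLI/2.59.0 azsdk-python-core/1.30.1 Python/3.11.8 (Linux-6.5)", "ip": "10.0.1.9"},
    {"time": "2026-05-23T03:12:00", "principal": "ci-deploy", "kind": "non-interactive",
     "ua": "TruffleHog", "ip": "198.51.100.4"},
    {"time": "2026-05-21T10:00:00", "principal": "alice@example.com", "kind": "user",
     "ua": "Mozilla/5.0 (X11; Linux x86_64) Firefox/125.0", "ip": "10.0.2.3"},
    {"time": "2026-05-21T11:30:00", "principal": "bob@example.com", "kind": "user",
     "ua": "Mozilla/5.0 (X11; Kali; Linux x86_64) Firefox/125.0", "ip": "198.51.100.9"},
]


def ua_category(ua):
    """Coarse User-Agent category. These buckets are an assumption for the example."""
    u = ua.lower()
    if ATTACK_TOOL_UA.search(ua):
        return "attack-tool"
    if "mozilla/" in u and any(b in u for b in ("chrome/", "firefox/", "safari/", "edg/")):
        return "browser"
    if "azsdk-" in u or "azurecli/" in u or "azure-cli/" in u:
        return "azure-sdk"
    if any(t in u for t in ("curl/", "wget/", "python-requests", "powershell/")):
        return "http-client"
    return "other"


def signature_leads(events, spn_only=False):
    """Signature detector: UA matches an attack tool. spn_only=True gives the
    SPN/non-interactive variant by skipping interactive user sign-ins."""
    leads = []
    for e in events:
        if spn_only and e["kind"] == "user":
            continue
        if ATTACK_TOOL_UA.search(e["ua"]):
            leads.append({"principal": e["principal"], "time": e["time"], "ip": e["ip"],
                          "ua": e["ua"], "reason": "attack-tool User-Agent"})
    return leads


def baseline_leads(events, learning=timedelta(days=14)):
    """Baseline detector: categories seen within `learning` of an SPN's first
    sign-in form its baseline; a later sign-in with an unseen category is a lead."""
    first_seen, seen, leads = {}, defaultdict(set), []
    spn_events = (e for e in events if e["kind"] != "user")
    for e in sorted(spn_events, key=lambda e: e["time"]):
        t, p, cat = datetime.fromisoformat(e["time"]), e["principal"], ua_category(e["ua"])
        first_seen.setdefault(p, t)
        if t - first_seen[p] <= learning:
            seen[p].add(cat)  # still learning: extend the baseline
        elif cat not in seen[p]:
            leads.append({"principal": p, "time": e["time"], "ip": e["ip"],
                          "new_category": cat, "baseline": sorted(seen[p])})
    return leads


if __name__ == "__main__":
    print("signature:", signature_leads(SIGNINS))
    print("signature (SPN only):", signature_leads(SIGNINS, spn_only=True))
    print("baseline:", baseline_leads(SIGNINS))
```

On this sample the generic signature detector fires for the TruffleHog sign-in by ci-deploy and the Kali browser sign-in by bob; the SPN-only variant keeps just the first. The baseline detector fires twice: backup-svc switching from an Azure SDK to a browser after its learning window, and ci-deploy's TruffleHog sign-in, which is also a category it never used. A minor version bump of the Azure CLI stays in the same category and produces no lead, which is the point of baselining categories rather than raw strings.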
Deprecated detectors
Suspicious app impersonation in O365 Exchange
As part of ongoing quality monitoring, this detector was found to be no longer relevant, since Microsoft has deprecated the application impersonation capability in Microsoft 365.
Enrichments and Scoring
New enrichment - Windows User Lock Status
This enrichment queries Windows Security Event Logs for account lock and unlock events associated with a specific Windows user SID. It analyzes event ID 4740 for account lockouts and event ID 4767 for account unlocks. Both events are written to the Security log of the domain controller that processed the lockout or unlock, so domain controller logs must be collected for the enrichment to have data.
The enrichment provides context such as the user’s current lock status, last lock and unlock times, the number of lock and unlock events, initiating users, and related lockout source computers.
These insights can help investigate repeated lockouts, stale credentials, suspicious access attempts, or unusual account recovery behavior.
New scoring layer - Windows User Lock Status Model
The scoring model increases the lead’s confidence based on the user’s lock status, and whether the user was recently locked and then unlocked.
This helps prioritize meaningful lock-status cases while reducing noise from repeated lock events.
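The following is an added example (not Hunters' own enrichment or scoring code) that shows how the lock-status enrichment and its scoring layer described above fit together: it summarizes 4740 and 4767 events for one SID into the fields the enrichment exposes, then scores a lead from that summary, rewarding a current lock or a recent lock-then-unlock sequence while ignoring the raw count of repeated lockouts. The event sample, SIDs, hostnames, account names, the flattened field names, the 24-hour window and the score weights are all assumptions made for the example.

```python
from datetime import datetime, timedelta

# Constructed Windows Security log sample (not real telemetry). SIDs, hosts and
# accounts are invented. Fields are a flattened stand-in for the EventData of
# 4740 (subject = reporting DC account, caller_computer = lockout source) and
# 4767 (subject = the account that performed the unlock); not the Hunters schema.
TARGET = "S-1-5-21-1111111111-2222222222-3333333333-1105"
OTHER = "S-1-5-21-1111111111-2222222222-3333333333-1204"
EVENTS = [
    {"event_id": 4740, "time": "2026-06-01T08:01:00", "target_sid": TARGET,
     "subject_user": "DC01$", "caller_computer": "WS-017"},
    {"event_id": 4767, "time": "2026-06-01T08:20:00", "target_sid": TARGET,
     "subject_user": "helpdesk.jane", "caller_computer": None},
    {"event_id": 4740, "time": "2026-06-02T10:00:00", "target_sid": OTHER,
     "subject_user": "DC01$", "caller_computer": "WS-044"},
    {"event_id": 4740, "time": "2026-06-03T22:45:00", "target_sid": TARGET,
     "subject_user": "DC01$", "caller_computer": "VPN-GW"},
    {"event_id": 4740, "time": "2026-06-03T22:50:00", "target_sid": TARGET,
     "subject_user": "DC02$", "caller_computer": "VPN-GW"},
    {"event_id": 4767, "time": "2026-06-03T23:02:00", "target_sid": TARGET,
     "subject_user": "helpdesk.jane", "caller_computer": None},
]


def _ts(s):
    return datetime.fromisoformat(s)


def lock_status(events, sid):
    """Enrichment: summarize lockout (4740) and unlock (4767) events for one SID."""
    rel = sorted((e for e in events if e["target_sid"] == sid and e["event_id"] in (4740, 4767)),
                 key=lambda e: _ts(e["time"]))
    locks = [e for e in rel if e["event_id"] == 4740]
    unlocks = [e for e in rel if e["event_id"] == 4767]
    return {
        "sid": sid,
        # Locked right now if the most recent lock/unlock event is a lockout.
        "currently_locked": bool(rel) and rel[-1]["event_id"] == 4740,
        "last_lock_time": locks[-1]["time"] if locks else None,
        "last_unlock_time": unlocks[-1]["time"] if unlocks else None,
        "lock_count": len(locks),
        "unlock_count": len(unlocks),
        "initiating_users": sorted({e["subject_user"] for e in rel}),
        "lockout_sources": sorted({e["caller_computer"] for e in locks if e["caller_computer"]}),
    }


def lock_status_score(status, lead_time, recent=timedelta(hours=24)):
    """Scoring layer: raise confidence for a currently locked user, or for a lock
    followed by an unlock shortly before the lead. Repeated locks add nothing
    by themselves, which keeps noisy lockout storms from inflating the score.
    Weights (20/30) and the window are assumptions for the example."""
    lead = _ts(lead_time)
    score, reasons = 0, []
    if status["currently_locked"]:
        score += 20
        reasons.append("account currently locked")
    if status["last_lock_time"] and status["last_unlock_time"]:
        lock, unlock = _ts(status["last_lock_time"]), _ts(status["last_unlock_time"])
        if lock < unlock <= lead and lead - lock <= recent:
            score += 30
            reasons.append("locked then unlocked within the recent window")
    return {"score": score, "reasons": reasons}


if __name__ == "__main__":
    status = lock_status(EVENTS, TARGET)
    print(status)
    print(lock_status_score(status, "2026-06-03T23:30:00"))
```

For the target SID the summary reports three lockouts from two source computers, two unlocks by the same helpdesk account, and an account that is no longer locked. A lead raised half an hour after the last unlock gets the lock-then-unlock bonus; the same lead a week later gets nothing, even though the lockout count is unchanged.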
The new enrichment and scoring layer above replace the “Windows account locked” detector, which was deprecated in the previous release notes.
Integrations
New integration releases:
Upguard Alerts SaaS integration
Upguard Cyberrisk Breaches logs
Barracuda Sentinel logs
Cloudflare Network Analytics
E-Series
IBM DB2
Cisco FMC
Cohesity
CyberArk Cloud Audit Logs