In threat hunting, what is a 'tactic-based hunt' and provide an example.

Study for the SANS Advanced Incident Response, Threat Hunting, and Digital Forensics (FOR508) Test. Prepare with comprehensive materials, flashcards, and multiple choice questions with hints and explanations. Ace your exam with confidence!

Multiple Choice

In threat hunting, what is a 'tactic-based hunt' and provide an example.

Explanation:
In threat hunting, a tactic-based hunt centers the investigation on a MITRE ATT&CK tactic, the adversary's goal at a given stage of an intrusion, and forms a hypothesis around what the attacker is trying to accomplish rather than chasing individual indicators of compromise. You frame the hunt by a specific tactic (for example, Discovery, TA0007), enumerate the techniques an attacker would use to achieve it, and then look across endpoint telemetry, logs, and network data for the behaviors those techniques produce. Because the techniques under one tactic tend to occur together, this lets you connect otherwise disparate events into a possible attack chain. An example is a Discovery hunt for anomalous account enumeration (Account Discovery, T1087): you would search for behaviors that indicate enumeration of user accounts or groups, such as unusual LDAP queries against Active Directory, PowerShell or net.exe commands that list users and groups, or WMI-based user enumeration, and pay particular attention to a single host or account performing several of these in a short time. Such activity must be checked against a baseline of normal administrator and help-desk behavior, since the same commands are used legitimately. This approach surfaces coordinated, multi-step activity rather than single-signature hits. The other options describe different hunting approaches (signature-based malware detection, login-anomaly analysis without a tactic framework, and generic machine-learning anomaly scoring) and do not illustrate the tactic-driven, ATT&CK-aligned method.
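The following script is an added worked example, not FOR508 courseware or an Examzify answer, of what the Discovery hunt above looks like in practice. It runs a small catalogue of ATT&CK Discovery techniques (the technique IDs are real; the regex set, the sample process-creation records, the ten-minute window and the two-technique threshold are all constructed assumptions for this illustration) over endpoint command-line telemetry and flags a host/user pair that chains several Discovery techniques in a short window, which is the multi-step signal a single indicator match would miss.

```python
"""Tactic-based hunt for ATT&CK Discovery (TA0007) over process-creation events.

Added illustration only. The log records, regex catalogue, window size and
threshold below are constructed for this example, not taken from any course.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Behaviour catalogue: command-line regexes mapped to ATT&CK Discovery techniques.
# The IDs are real ATT&CK IDs; the regexes are a deliberately small assumption.
DISCOVERY_PATTERNS = [
    ("T1087 Account Discovery",
     re.compile(r"\bnet1?\s+user\b|\bGet-ADUser\b|\bdsquery\s+user\b|wmic\s+useraccount", re.I)),
    ("T1069 Permission Groups Discovery",
     re.compile(r"\bnet1?\s+(?:local)?group\b|\bGet-ADGroupMember\b", re.I)),
    ("T1018 Remote System Discovery",
     re.compile(r"\bnet\s+view\b|\bGet-ADComputer\b|\bnltest\b.*/dclist", re.I)),
    ("T1482 Domain Trust Discovery",
     re.compile(r"\bnltest\b.*/(?:domain_trusts|trusted_domains)", re.I)),
]

# Constructed sample of process-creation events (think Sysmon EID 1 / Security 4688).
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T10:01:00", "host": "WS01",  "user": "jdoe",  "cmd": "notepad.exe report.txt"},
    {"ts": "2024-05-01T10:02:10", "host": "WS01",  "user": "jdoe",  "cmd": "net user /domain"},
    {"ts": "2024-05-01T10:03:05", "host": "WS01",  "user": "jdoe",  "cmd": 'net group "Domain Admins" /domain'},
    {"ts": "2024-05-01T10:04:40", "host": "WS01",  "user": "jdoe",  "cmd": "nltest /domain_trusts"},
    {"ts": "2024-05-01T10:05:30", "host": "WS01",  "user": "jdoe",  "cmd": "net view /domain"},
    # Help desk checking one account: a single technique, not a chain.
    {"ts": "2024-05-01T10:07:00", "host": "WS02",  "user": "helpdesk", "cmd": "net user bsmith /domain"},
    # Two techniques on a server, but hours apart: outside the window.
    {"ts": "2024-05-01T09:00:00", "host": "SRV01", "user": "svc_rpt", "cmd": "powershell Get-ADUser -Filter *"},
    {"ts": "2024-05-01T14:00:00", "host": "SRV01", "user": "svc_rpt", "cmd": "net group Finance /domain"},
]


def classify(cmdline):
    """Return the Discovery techniques a single command line matches (may be empty)."""
    return [name for name, rx in DISCOVERY_PATTERNS if rx.search(cmdline)]


def hunt(events, window=timedelta(minutes=10), min_techniques=2):
    """Group Discovery hits by (host, user) and flag any pair that performs
    min_techniques or more distinct techniques within one sliding window.
    One finding per (host, user), anchored on the first qualifying event."""
    hits = defaultdict(list)
    for ev in events:
        techs = classify(ev["cmd"])
        if techs:
            hits[(ev["host"], ev["user"])].append(
                (datetime.fromisoformat(ev["ts"]), techs, ev["cmd"]))

    findings = []
    for (host, user), rows in hits.items():
        rows.sort(key=lambda r: r[0])
        for i, (t0, _, _) in enumerate(rows):
            in_window = [r for r in rows[i:] if r[0] - t0 <= window]
            techniques = {t for _, ts, _ in in_window for t in ts}
            if len(techniques) >= min_techniques:
                findings.append({
                    "host": host, "user": user, "start": t0.isoformat(),
                    "techniques": sorted(techniques),
                    "commands": [r[2] for r in in_window],
                })
                break  # report the pair once; the analyst pivots from here
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f['host']}/{f['user']} from {f['start']}: {', '.join(f['techniques'])}")
        for c in f["commands"]:
            print("   ", c)
```

Only WS01/jdoe is flagged: four Discovery techniques in under four minutes. The help-desk lookup and the widely spaced server queries are the kind of legitimate activity the baseline check in the explanation refers to, and the window plus threshold is what keeps them out of the findings. The regexes are intentionally broad (for instance, `net user x /add` is account manipulation, not discovery, yet still matches), so in a real hunt the catalogue would be tuned and the results triaged against known administrative hosts and service accounts.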

