Observables such as File Hashes, IP Addresses or known bad URL’s are useful for blocking a specific attack and for connecting the dots between two separate attacks when the adversaries choose to re-use tools and infrastructure. However, attackers are getting smarter, using attack tools that create unique objects per infected host. Thus, the effective life of an observable attack, such as a file hash, is often too brief to detect, which is why many of the static IOC’s that are commonly collected by security sensors today are historic and brittle. The threat hunting tools should focus on attacker techniques and anomalies i.e. threat actor tactics, techniques, and procedures (TTP's).
TXHunter focuses on collecting and analyzing the system behaviors and not the static IOC’s.