1. Expel Help Center
  2. Expel Hunting
  3. Get Started with Hunting

Hunting Techniques

This article shows you which hunting techniques can be used with each type of technology.

On-Prem (Endpoint and Network)

Technique

VMware Carbon Black EDR (direct)

VMware Carbon Black Cloud (direct)

CrowdStrike Falcon

(Falcon Data Replicator required)

SentinelOne

Microsoft Defender for Endpoint

Palo Alto Networks

SIEM

    

Splunk

Sumo Logic Cloud Infrastructure Security

    

Splunk

Sumo Logic Cloud Infrastructure Security

Anomalous Process Creation - Database Applications
 
   

Anomalous Process Creation - Productivity Applications
 
   

Anomalous Process Creation - Web Server Applications
 
   

Anomalous Process Creation - VMware
 
   

Execution from User Directories

    
       

Historical Scripting Interpreter Activity
           

Scripted Web Downloader
     
   

HTTP Beaconing

            

Connections to Sinkholed Domains

            

Suspicious Recon Commands
   
     

Script interpreter
     
     

Cloud

Technique

GCP

Amazon Web Services (AWS) (direct)

Azure (direct)

Google Workspace (direct)

Microsoft 365 (direct)

Okta (direct)

OneLogin (direct)

General Privilege Escalation
           

Admin Focused Role Mgmt, Reset Password & Add Member

    
       

Daily ROPC protocol access

    
       

Lack of MFA Enforcement for Privileged Users

    
       

Priv Escalation via Role Assignment

    
       

Multiple simultaneous logins

    
       

EC2 Modifications

  
         

EC2 Unused or Unsupported Cloud Regions

  
         

IAM New User

  
         

RDS Modifications

  
         

SaaS and Identity

Technique

Google Workspace (direct)

Microsoft 365 (direct)

Okta (direct)

OneLogin (direct)

Duo

Geo infeasibility
 

Login from Datacenter
     

Suspicious Inbox Rules

  
     

App Consent Grants
     

Suspicious Duo Push

        

Related articles