This article shows you which hunting techniques can be used with each type of technology.

On-Prem (Endpoint and Network)

| Technique | VMware Carbon Black EDR (direct) | VMware Carbon Black Cloud (direct) | CrowdStrike Falcon (Falcon Data Replicator required) | SentinelOne | Microsoft Defender for Endpoint | Palo Alto Networks | SIEM: Splunk | SIEM: Sumo Logic |
|---|---|---|---|---|---|---|---|---|
| Anomalous Process Creation - Database Applications | Yes | Yes | Yes | | Yes | Yes | | |
| Anomalous Process Creation - Productivity Applications | Yes | Yes | Yes | | Yes | Yes | | |
| Anomalous Process Creation - Web Server Applications | Yes | Yes | Yes | | Yes | Yes | | |
| Anomalous Process Creation - VMware | Yes | Yes | Yes | | Yes | Yes | | |
| Execution from User Directories | | | Yes | Yes | | | | |
| Historical Scripting Interpreter Activity | Yes | Yes | | | | | | |
| Scripted Web Downloader | Yes | | | | Yes | Yes | | |
| HTTP Beaconing | | | | | | | Yes | Yes |
| Connections to Sinkholed Domains | | | | | | | Yes | Yes |
| Suspicious Recon Commands | Yes | Yes | | | Yes | | | |
| Script Interpreter | Yes | | | | Yes | | | |

Cloud

| Technique | GCP | Amazon Web Services (AWS) (direct) | Azure (direct) | Google Workspace (direct) | Microsoft 365 (direct) | Okta (direct) | OneLogin (direct) |
|---|---|---|---|---|---|---|---|
| General Privilege Escalation | Yes | | | | | | |
| Admin Focused Role Mgmt, Reset Password & Add Member | | | Yes | | | | |
| Daily ROPC Protocol Access | | | Yes | | | | |
| Lack of MFA Enforcement for Privileged Users | | | Yes | | | | |
| Priv Escalation via Role Assignment | | | Yes | | | | |
| Multiple Simultaneous Logins | | | Yes | | | | |
| EC2 Modifications | | Yes | | | | | |
| EC2 Unused or Unsupported Cloud Regions | | Yes | | | | | |
| IAM New User | | Yes | | | | | |
| RDS Modifications | | Yes | | | | | |

SaaS and Identity

| Technique | Google Workspace (direct) | Microsoft 365 (direct) | Okta (direct) | OneLogin (direct) | Duo |
|---|---|---|---|---|---|
| Geo Infeasibility | Yes | Yes | Yes | Yes | |
| Login from Datacenter | Yes | Yes | | | |
| Suspicious Inbox Rules | | Yes | | | |
| App Consent Grants | Yes | Yes | | | |
| Suspicious Duo Push | | | | | Yes |