This article shows which hunting techniques are available for each technology integration, grouped into on-prem (endpoint and network), cloud, and SaaS/identity sources. A ✅ marks a technique that can run on data from that integration; a blank cell means the technique is not available for it.
On-Prem (Endpoint and Network)

The Splunk and Sumo Logic Cloud Infrastructure Security columns are SIEM-fed sources (the original table lists them under both Palo Alto Networks and SIEM); no technique in this table currently depends on them.

| Technique | VMware Carbon Black EDR (direct) | VMware Carbon Black Cloud (direct) | CrowdStrike Falcon (Falcon Data Replicator required) | SentinelOne | Microsoft Defender for Endpoint | Palo Alto Networks | Splunk (SIEM) | Sumo Logic Cloud Infrastructure Security (SIEM) |
|---|---|---|---|---|---|---|---|---|
| Anomalous Process Creation - Database Applications | ✅ | ✅ | ✅ | ✅ | ✅ | | | |
| Anomalous Process Creation - Productivity Applications | ✅ | ✅ | ✅ | ✅ | ✅ | | | |
| Anomalous Process Creation - Web Server Applications | ✅ | ✅ | ✅ | ✅ | ✅ | | | |
| Anomalous Process Creation - VMware | ✅ | ✅ | ✅ | ✅ | ✅ | | | |
| Execution from User Directories | ✅ | ✅ | | | | | | |
| Historical Scripting Interpreter Activity | ✅ | ✅ | | | | | | |
| Scripted Web Downloader | ✅ | ✅ | ✅ | | | | | |
| HTTP Beaconing | ✅ | ✅ | | | | | | |
| Connections to Sinkholed Domains | ✅ | ✅ | | | | | | |
| Suspicious Recon Commands | ✅ | ✅ | ✅ | | | | | |
| Script interpreter | ✅ | ✅ | | | | | | |
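HTTP Beaconing in the table above refers to a host contacting the same destination at regular intervals, which is how most command-and-control implants check in. The following Python is an added illustration of that technique; it is not the page's own code or any vendor's implementation. It groups constructed proxy-log lines by source host and destination, computes the gaps between consecutive requests, and flags pairs whose gaps are both numerous and regular (low coefficient of variation). The log format, the field layout and the thresholds are assumptions.

```python
"""Minimal HTTP beaconing check over constructed proxy-log lines (added example,
not any product's implementation)."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log lines. Assumed format: <ISO timestamp> <src host> <dst> <status>.
# host-a talks to c2.example.org roughly every 60 s with a little jitter;
# host-b browses news.example.com at irregular, human-looking intervals.
SAMPLE_LOG = """\
2024-03-01T10:00:00Z host-a cdn.example.net 200
2024-03-01T10:00:07Z host-a mail.example.net 200
2024-03-01T10:01:00Z host-a c2.example.org 200
2024-03-01T10:02:01Z host-a c2.example.org 200
2024-03-01T10:02:59Z host-a c2.example.org 200
2024-03-01T10:04:00Z host-a c2.example.org 200
2024-03-01T10:05:01Z host-a c2.example.org 200
2024-03-01T10:06:00Z host-a c2.example.org 200
2024-03-01T10:00:30Z host-b news.example.com 200
2024-03-01T10:03:10Z host-b news.example.com 200
2024-03-01T10:03:15Z host-b news.example.com 200
2024-03-01T10:09:40Z host-b news.example.com 200
2024-03-01T10:11:00Z host-b news.example.com 200
2024-03-01T10:11:02Z host-b news.example.com 200
"""


def parse_log(text):
    """Parse log text into (timestamp, src, dst) tuples, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        try:
            ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        except ValueError:
            continue
        events.append((ts, parts[1], parts[2]))
    return events


def beacon_candidates(events, min_events=5, max_cv=0.15):
    """Return {(src, dst): (request count, mean gap in seconds, coefficient of variation)}
    for source/destination pairs whose request timing is regular enough to look like a beacon.
    min_events and max_cv are assumed thresholds; tune them to the environment."""
    by_pair = defaultdict(list)
    for ts, src, dst in events:
        by_pair[(src, dst)].append(ts)
    found = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mu = mean(gaps)
        if mu <= 0:
            continue  # all requests in the same second: not a timing pattern
        cv = pstdev(gaps) / mu  # low cv means the gaps are nearly constant
        if cv <= max_cv:
            found[pair] = (len(stamps), round(mu, 1), round(cv, 3))
    return found


def hunt(text=SAMPLE_LOG):
    """Run the check end to end over the constructed sample."""
    return beacon_candidates(parse_log(text))


if __name__ == "__main__":
    for pair, stats in hunt().items():
        print(pair, stats)
```

Regular intervals are also characteristic of software update checks, telemetry and monitoring agents, so the candidate list is normally reviewed against an allowlist of known destinations and weighted by other signals such as a rare destination or an unusual user agent. A long observation window matters: implants that add jitter still show a stable mean gap over hours.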
Cloud

Platforms: GCP, Amazon Web Services (AWS) (direct), Azure (direct), Google Workspace (direct), Microsoft 365 (direct), Okta (direct), OneLogin (direct).

Each of the following techniques is supported on one of the platforms above. The per-platform columns of the original table did not survive extraction, so only the technique list is reproduced here:

- General Privilege Escalation
- Admin Focused Role Mgmt, Reset Password & Add Member
- Daily ROPC protocol access
- Lack of MFA Enforcement for Privileged Users
- Priv Escalation via Role Assignment
- Multiple simultaneous logins
- EC2 Modifications
- EC2 Unused or Unsupported Cloud Regions
- IAM New User
- RDS Modifications
SaaS and Identity

| Technique | Google Workspace (direct) | Microsoft 365 (direct) | Okta (direct) | OneLogin (direct) | Duo |
|---|---|---|---|---|---|
| Geo infeasibility | ✅ | ✅ | ✅ | ✅ | |
| Login from Datacenter | ✅ | ✅ | | | |
| Suspicious Inbox Rules | ✅ | | | | |
| App Consent Grants | ✅ | ✅ | | | |
| Suspicious Duo Push | | | | | ✅ |
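Geo infeasibility in the table above means two logins for the same account from locations too far apart for the user to have travelled between them in the elapsed time. The following Python is an added illustration of that technique and is not the page's own code or any vendor's implementation. It sorts constructed login records per user, computes the great-circle distance between consecutive logins, and flags pairs whose implied speed exceeds a threshold, including the edge case of two logins at the same instant from different places. The record layout, the coordinates and the 1000 km/h threshold are assumptions.

```python
"""Geo-infeasibility check over constructed login records (added example, not
any product's implementation)."""
from collections import defaultdict
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0

# Constructed sample login events: (timestamp, user, latitude, longitude, location label).
# In practice the coordinates come from IP geolocation of the login source address.
SAMPLE_LOGINS = [
    ("2024-03-01T08:00:00Z", "alice", 40.7128, -74.0060, "New York"),
    ("2024-03-01T09:30:00Z", "alice", 51.5074, -0.1278, "London"),
    ("2024-03-01T07:00:00Z", "bob", 37.7749, -122.4194, "San Francisco"),
    ("2024-03-01T13:30:00Z", "bob", 40.7128, -74.0060, "New York"),
    ("2024-03-01T10:00:00Z", "carol", 48.8566, 2.3522, "Paris"),
    ("2024-03-01T10:20:00Z", "carol", 48.8566, 2.3522, "Paris"),
    ("2024-03-01T12:00:00Z", "dave", 35.6762, 139.6503, "Tokyo"),
    ("2024-03-01T12:00:00Z", "dave", -33.8688, 151.2093, "Sydney"),
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two latitude/longitude points."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi = p2 - p1
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def infeasible_travel(logins, max_kmh=1000.0):
    """Return one finding per consecutive login pair (per user) whose implied travel
    speed exceeds max_kmh. max_kmh is an assumed threshold (roughly airliner speed)."""
    by_user = defaultdict(list)
    for ts, user, lat, lon, label in logins:
        by_user[user].append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), lat, lon, label))
    findings = []
    for user, events in by_user.items():
        events.sort(key=lambda e: e[0])  # stable: equal timestamps keep input order
        for (t1, la1, lo1, l1), (t2, la2, lo2, l2) in zip(events, events[1:]):
            km = haversine_km(la1, lo1, la2, lo2)
            hours = (t2 - t1).total_seconds() / 3600.0
            if hours <= 0:
                if km == 0:
                    continue  # same place, same instant: nothing to flag
                kmh = float("inf")  # different places at the same instant
            else:
                kmh = km / hours
            if kmh > max_kmh:
                findings.append({"user": user, "from": l1, "to": l2,
                                 "km": round(km, 1), "kmh": round(kmh, 1)})
    return findings


if __name__ == "__main__":
    for f in infeasible_travel(SAMPLE_LOGINS):
        print(f)
```

Before escalating a hit, check whether the source addresses belong to a VPN, a cloud provider or a mobile carrier, since IP geolocation for those is often wrong or deliberately distant from the user; the Login from Datacenter technique in the same table exists partly to separate that case from a genuine second actor.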