This article shows you which hunting techniques can be used with each type of technology.

On-Prem (Endpoint and Network)

Technologies (table columns):
- VMware Carbon Black EDR (direct)
- VMware Carbon Black Cloud (direct)
- CrowdStrike Falcon (Falcon Data Replicator required)
- SentinelOne
- Microsoft Defender for Endpoint
- Palo Alto Networks (Splunk / Sumo Logic Cloud Infrastructure Security)
- SIEM (Splunk / Sumo Logic Cloud Infrastructure Security)

Techniques (table rows):
- Anomalous Process Creation - Database Applications
- Anomalous Process Creation - Productivity Applications
- Anomalous Process Creation - Web Server Applications
- Anomalous Process Creation - VMware
- Execution from User Directories
- Historical Scripting Interpreter Activity
- Scripted Web Downloader
- HTTP Beaconing
- Connections to Sinkholed Domains
- Suspicious Recon Commands
- Script interpreter
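To make one of the on-prem techniques concrete, the following is an added example of an HTTP Beaconing hunt run over constructed proxy log lines. It is not code from this page or from any of the products listed above; the log format, the sample hosts, the coefficient-of-variation score and the thresholds are all assumptions chosen for illustration.

```python
"""HTTP beaconing hunt over constructed proxy log lines (added example).

A beaconing implant calls home at a fixed interval, so the gaps between
successive connections from one source host to one destination are almost
constant, while human browsing produces bursty, irregular gaps. The score
used here is the coefficient of variation (population stdev / mean) of
those gaps: values near 0 are suspicious. The log format, thresholds and
sample data are illustrative assumptions, not any product's own logic.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample data, format: "<ISO timestamp> <src_host> <dst_host> <status>".
# updates.example-cdn.net is contacted roughly every 60 s; the others are bursty.
SAMPLE_LOG = """\
2024-03-01T09:00:00 ws-17 updates.example-cdn.net 200
2024-03-01T09:00:04 ws-17 www.example.org 200
2024-03-01T09:00:06 ws-17 www.example.org 200
2024-03-01T09:00:59 ws-17 updates.example-cdn.net 200
2024-03-01T09:01:03 ws-17 static.example.org 200
2024-03-01T09:02:01 ws-17 updates.example-cdn.net 200
2024-03-01T09:02:40 ws-17 www.example.org 200
2024-03-01T09:03:00 ws-17 updates.example-cdn.net 200
2024-03-01T09:04:02 ws-17 updates.example-cdn.net 200
2024-03-01T09:05:00 ws-17 updates.example-cdn.net 200
2024-03-01T09:05:31 ws-17 www.example.org 200
2024-03-01T09:06:01 ws-17 updates.example-cdn.net 200
2024-03-01T09:07:00 ws-17 updates.example-cdn.net 200
"""


def parse_lines(text):
    """Return (timestamp, src, dst) tuples, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        events.append((ts, parts[1], parts[2]))
    return events


def beacon_scores(events, min_connections=6):
    """Per (src, dst) pair: connection count, mean gap and CV of the gaps."""
    by_pair = defaultdict(list)
    for ts, src, dst in events:
        by_pair[(src, dst)].append(ts)
    scores = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_connections:
            continue  # too few samples to claim periodicity
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue  # only duplicate timestamps; no interval to measure
        scores[pair] = {
            "count": len(stamps),
            "mean_gap": avg,
            "cv": pstdev(gaps) / avg,
        }
    return scores


def find_beacons(text, max_cv=0.1, min_connections=6):
    """Return (pair, score) tuples whose gap CV is at most max_cv, most regular first."""
    scores = beacon_scores(parse_lines(text), min_connections)
    hits = [(pair, s) for pair, s in scores.items() if s["cv"] <= max_cv]
    return sorted(hits, key=lambda item: item[1]["cv"])


if __name__ == "__main__":
    for (src, dst), s in find_beacons(SAMPLE_LOG):
        print(f"{src} -> {dst}: {s['count']} connections, "
              f"mean gap {s['mean_gap']:.0f}s, CV {s['cv']:.3f}")
```

In practice the same grouping runs over hours or days of proxy or firewall data, and implants add jitter, so the CV threshold is tuned per environment rather than fixed; a CDN or update service that really does poll on a timer will score the same way and has to be allowlisted after review.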

Cloud

Technologies (table columns):
- GCP
- Amazon Web Services (AWS) (direct)
- Azure (direct)
- Google Workspace (direct)
- Microsoft 365 (direct)
- Okta (direct)
- OneLogin (direct)

Techniques (table rows):
- General Privilege Escalation
- Admin Focused Role Mgmt, Reset Password & Add Member
- Daily ROPC (Resource Owner Password Credentials) protocol access
- Lack of MFA Enforcement for Privileged Users
- Priv Escalation via Role Assignment
- Multiple simultaneous logins
- EC2 Modifications
- EC2 Unused or Unsupported Cloud Regions
- IAM New User
- RDS Modifications
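As an added example for the cloud techniques (not this page's or any vendor's detection logic), the block below hunts for EC2 Unused or Unsupported Cloud Regions over constructed CloudTrail-style records. Field names (eventSource, eventName, awsRegion, readOnly, userIdentity.arn) follow the public CloudTrail record schema; the records themselves, the approved-region list and the choice to keep only mutating EC2 calls are assumptions.

```python
"""EC2 activity in unused regions, hunted over constructed CloudTrail-style
records (added example, not a vendor's detection).

Attackers who obtain AWS keys often start instances in regions the victim
never uses, because nobody looks there and spend alerts lag. The hunt keeps
only mutating (readOnly == false) calls to the EC2 API and flags those made
in regions outside an approved list, grouped by the calling principal.
Field names follow the CloudTrail record schema; the sample records, the
approved-region list and the event selection are assumptions.
"""
import json
from collections import defaultdict

APPROVED_REGIONS = {"us-east-1", "us-west-2"}  # assumption: the org's normal footprint

# Constructed sample records (a subset of CloudTrail record fields).
SAMPLE_RECORDS = json.dumps({"Records": [
    {"eventTime": "2024-03-01T09:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "awsRegion": "us-east-1", "readOnly": False,
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
     "sourceIPAddress": "203.0.113.10"},
    {"eventTime": "2024-03-01T09:05:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "awsRegion": "eu-north-1", "readOnly": True,
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
     "sourceIPAddress": "203.0.113.10"},
    {"eventTime": "2024-03-01T23:41:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "awsRegion": "ap-southeast-2", "readOnly": False,
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ci-deploy"},
     "sourceIPAddress": "198.51.100.77"},
    {"eventTime": "2024-03-01T23:42:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "CreateSecurityGroup", "awsRegion": "ap-southeast-2", "readOnly": False,
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ci-deploy"},
     "sourceIPAddress": "198.51.100.77"},
    {"eventTime": "2024-03-02T08:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "StartInstances", "awsRegion": "us-west-2", "readOnly": False,
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
     "sourceIPAddress": "203.0.113.10"},
    {"eventTime": "2024-03-02T08:01:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutObject", "awsRegion": "ap-southeast-2", "readOnly": False,
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
     "sourceIPAddress": "203.0.113.10"},
]})


def load_records(text):
    """Parse a CloudTrail log file body ({"Records": [...]}) into a list of dicts."""
    return json.loads(text).get("Records", [])


def find_offregion_ec2_activity(records, approved_regions=APPROVED_REGIONS):
    """Return mutating EC2 API calls made outside approved_regions."""
    findings = []
    for rec in records:
        if rec.get("eventSource") != "ec2.amazonaws.com":
            continue  # other services need their own region baselines
        # readOnly can be absent in older records; treat absent as mutating.
        if rec.get("readOnly", False):
            continue
        region = rec.get("awsRegion", "")
        if region in approved_regions:
            continue
        findings.append({
            "principal": rec.get("userIdentity", {}).get("arn", "<unknown>"),
            "region": region,
            "eventName": rec.get("eventName", "<unknown>"),
            "eventTime": rec.get("eventTime", ""),
            "sourceIP": rec.get("sourceIPAddress", ""),
        })
    return sorted(findings, key=lambda f: (f["principal"], f["eventTime"]))


def summarize(findings):
    """Map each principal to the sorted list of unexpected regions it touched."""
    regions = defaultdict(set)
    for f in findings:
        regions[f["principal"]].add(f["region"])
    return {p: sorted(r) for p, r in regions.items()}


if __name__ == "__main__":
    hits = find_offregion_ec2_activity(load_records(SAMPLE_RECORDS))
    for f in hits:
        print(f"{f['eventTime']} {f['principal']} {f['eventName']} in {f['region']} from {f['sourceIP']}")
    print(summarize(hits))
```

The approved-region set is the weak point of this hunt: derive it from several weeks of historical CloudTrail data rather than from memory, and review it when teams legitimately expand, or the alert will drown in deployment noise.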

SaaS and Identity

Technologies (table columns):
- Google Workspace (direct)
- Microsoft 365 (direct)
- Okta (direct)
- OneLogin (direct)
- Duo

Techniques (table rows):
- Geo infeasibility
- Login from Datacenter
- Suspicious Inbox Rules
- App Consent Grants
- Suspicious Duo Push
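The following is an added example of a Geo infeasibility check over constructed sign-in events, not code from this page or from any of the identity providers listed above. Real events carry only an IP address; the latitude and longitude that an IP geolocation lookup would supply are embedded directly in the constructed events, and the speed threshold is an assumption.

```python
"""Geo-infeasibility hunt over constructed SaaS sign-in events (added example).

Two successful logins for one account whose locations are farther apart
than anyone could travel in the time between them point to a shared or
stolen credential (or a VPN the log does not record). The check computes
the great-circle (haversine) distance between consecutive logins per user
and the speed that distance implies; anything above MAX_SPEED_KMH is
flagged. Coordinates would normally come from an IP geolocation lookup;
here they are embedded in the constructed events. Thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

MAX_SPEED_KMH = 900.0  # assumption: roughly airliner cruise speed
EARTH_RADIUS_KM = 6371.0

# Constructed sample events; lat/lon stand in for a geo-IP lookup result.
SAMPLE_LOGINS = [
    {"user": "alice@example.com", "time": "2024-03-01T10:00:00+00:00",
     "ip": "198.51.100.7", "lat": 40.7128, "lon": -74.0060},    # New York
    {"user": "alice@example.com", "time": "2024-03-01T11:30:00+00:00",
     "ip": "203.0.113.55", "lat": 35.6762, "lon": 139.6503},    # Tokyo, 90 min later
    {"user": "bob@example.com", "time": "2024-03-01T09:00:00+00:00",
     "ip": "192.0.2.20", "lat": 51.5074, "lon": -0.1278},       # London
    {"user": "bob@example.com", "time": "2024-03-01T12:00:00+00:00",
     "ip": "192.0.2.99", "lat": 48.8566, "lon": 2.3522},        # Paris, 3 h later
    {"user": "carol@example.com", "time": "2024-03-01T08:00:00+00:00",
     "ip": "198.51.100.200", "lat": 37.7749, "lon": -122.4194}, # San Francisco
    {"user": "carol@example.com", "time": "2024-03-01T08:00:00+00:00",
     "ip": "203.0.113.9", "lat": 52.5200, "lon": 13.4050},      # Berlin, same second
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two WGS84 points."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi = p2 - p1
    dlam = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def implied_speed_kmh(distance_km, seconds):
    """Speed needed to cover distance_km in seconds; inf for a zero-time move."""
    if seconds <= 0:
        return float("inf") if distance_km > 0 else 0.0
    return distance_km / (seconds / 3600.0)


def find_infeasible_travel(events, max_speed_kmh=MAX_SPEED_KMH):
    """Flag consecutive logins per user that imply travel faster than max_speed_kmh."""
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev["user"]].append((datetime.fromisoformat(ev["time"]), ev))
    findings = []
    for user, items in by_user.items():
        items.sort(key=lambda item: item[0])
        for (t1, a), (t2, b) in zip(items, items[1:]):
            dist = haversine_km(a["lat"], a["lon"], b["lat"], b["lon"])
            speed = implied_speed_kmh(dist, (t2 - t1).total_seconds())
            if speed > max_speed_kmh:
                findings.append({
                    "user": user, "from_ip": a["ip"], "to_ip": b["ip"],
                    "distance_km": dist,
                    "hours": (t2 - t1).total_seconds() / 3600.0,
                    "speed_kmh": speed,
                })
    return sorted(findings, key=lambda f: f["user"])


if __name__ == "__main__":
    for f in find_infeasible_travel(SAMPLE_LOGINS):
        print(f"{f['user']}: {f['from_ip']} -> {f['to_ip']}, "
              f"{f['distance_km']:.0f} km in {f['hours']:.2f} h ({f['speed_kmh']:.0f} km/h)")
```

Geo-IP data for mobile carriers and corporate VPN egress points is coarse, so triage starts by checking whether either IP belongs to a known VPN, proxy or datacenter range (the Login from Datacenter technique above covers that angle) before treating the pair as a compromised credential.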