This article shows you which technology works with each hunting technique.

On-prem infrastructure

Technologies (matrix columns):
  VMware Carbon Black EDR (direct)
  VMware Carbon Black Cloud (direct)
  CrowdStrike Falcon (Falcon Data Replicator required)
  SentinelOne
  Microsoft Defender for Endpoint
  Palo Alto Networks (Splunk, Sumo Logic)
  SIEM (Splunk, Sumo Logic)

Each supported technology is marked with one check (✓) per technique:

Technique                                               Supported technologies
Anomalous Process Creation - Database Applications      ✓ ✓ ✓ ✓ ✓
Anomalous Process Creation - Productivity Applications  ✓ ✓ ✓ ✓ ✓
Anomalous Process Creation - Web Server Applications    ✓ ✓ ✓ ✓ ✓
Anomalous Process Creation - VMware                     ✓ ✓ ✓ ✓ ✓
Execution from User Directories                         ✓ ✓
Historical Scripting Interpreter Activity               ✓ ✓
Scripted Web Downloader                                 ✓ ✓ ✓
HTTP Beaconing                                          ✓ ✓
Connections to Sinkholed Domains                        ✓ ✓
Suspicious Recon Commands                               ✓ ✓ ✓
Script interpreter                                      ✓ ✓

Cloud infrastructure

Technologies (matrix columns):
  GCP
  Amazon Web Services (AWS) (direct)
  Azure (direct)
  Google Workspace (direct)
  Microsoft 365 (direct)
  Okta (direct)
  OneLogin (direct)

Each supported technology is marked with one check (✓) per technique:

Technique                                               Supported technologies
General Privilege Escalation                            ✓
Admin Focused Role Mgmt, Reset Password & Add Member    ✓
Daily ROPC protocol access                              ✓
Lack of MFA Enforcement for Privileged Users            ✓
Priv Escalation via Role Assignment                     ✓
Multiple simultaneous logins                            ✓
EC2 Modifications                                       ✓
EC2 Unused or Unsupported Cloud Regions                 ✓
IAM New User                                            ✓
RDS Modifications                                       ✓

SaaS apps

Technologies (matrix columns):
  Google Workspace (direct)
  Microsoft 365 (direct)
  Okta (direct)
  OneLogin (direct)
  Duo

Each supported technology is marked with one check (✓) per technique:

Technique                                               Supported technologies
Geo infeasibility                                       ✓ ✓ ✓ ✓
Login from Datacenter                                   ✓ ✓
Suspicious Inbox Rules                                  ✓
App Consent Grants                                      ✓ ✓
Suspicious Duo Push                                     ✓