These tables show you which technology works with each hunting technique.

Table 1. Endpoint

Technology / Technique columns: VMware Carbon Black EDR (direct); VMware Carbon Black Cloud (direct); CrowdStrike Falcon (Falcon Data Replicator required); Elastic Endpoint Security (direct); SentinelOne; Microsoft Defender for Endpoint; SIEM: Splunk; SIEM: Sumo Logic

Anomalous Process Creation - Database Applications: 4 technologies marked Yes
Anomalous Process Creation - Productivity Applications: 4 technologies marked Yes
Anomalous Process Creation - Web Server Applications: 4 technologies marked Yes
Execution from User Directories: 2 technologies marked Yes
Historical Scripting Interpreter Activity: 2 technologies marked Yes
Legitimate Services for Command-and-Control: 1 technology marked Yes
Scripted Web Downloader: 1 technology marked Yes
Successive Reconnaissance Commands: 2 technologies marked Yes

Table 2. Cloud

Technology / Technique columns: Amazon Web Services (AWS) (direct); Azure (direct); Google Workspace (direct); Microsoft Office 365 (direct); Okta (direct); OneLogin (direct)

App Consent Grants: 4 technologies marked Yes
EC2 Modifications: 1 technology marked Yes
EC2 Unused or Unsupported Cloud Regions: 1 technology marked Yes
Geo infeasibility: 4 technologies marked Yes
IAM New User: 1 technology marked Yes
Login from Datacenter: 1 technology marked Yes
RDS Modifications: 1 technology marked Yes
Suspicious Inbox Rules: 1 technology marked Yes

Table 3. Network

Technology / Technique columns: Cisco ASA VPN; Palo Alto Networks; SIEM: IBM QRadar; SIEM: Splunk; SIEM: Sumo Logic; SIEM: Azure Log Analytics (ALA); SIEM: Exabeam Fusion SIEM; Splunk; Sumo Logic

Connections to Sinkholed Domains: 1 technology marked Yes
Geo infeasibility: 3 technologies marked Yes
HTTP Beaconing: 4 technologies marked Yes