These tables show you which technology works with each hunting technique.
Table 1. Endpoint
|
Technology /Technique |
VMware Carbon Black EDR (direct) |
VMware Carbon Black Cloud Enterprise EDR (direct) |
CrowdStrike Falcon (Falcon Data Replicator required) |
Elastic Endpoint Security (direct) |
SentinelOne |
Microsoft Defender for Endpoint |
|
|---|---|---|---|---|---|---|---|
|
SIEM |
Splunk |
Sumo Logic |
|||||
|
Anomalous Process Creation - Database Applications |
 |
|
|
||||
|
Anomalous Process Creation - Productivity Applications |
|
|
|||||
|
Anomalous Process Creation - Web Server Applications |
|
|
|
||||
|
Execution from User Directories |
|
|
|||||
|
Historical Scripting Interpreter Activity |
|
|
|||||
|
Legitimate Services for Command-and-Control |
|
||||||
|
Scripted Web Downloader |
|
||||||
|
Successive Reconnaissance Commands |
|
|
|||||
Table 2. Cloud
|
Technology /Technique |
Amazon Web Services (AWS) (direct) |
Azure (direct) |
Google Workspace (direct) |
Microsoft Office 365 (direct) |
Okta (direct) |
OneLogin (direct) |
|---|---|---|---|---|---|---|
|
App Consent Grants |
|
|
|
|
||
|
EC2 Modifications |
|
|||||
|
EC2 Unused or Unsupported Cloud Regions |
|
|||||
|
Geo infeasibility |
|
|
|
|
||
|
IAM New User |
|
|||||
|
Login from Datacenter |
|
|||||
|
RDS Modifications |
|
|||||
|
Suspicious Inbox Rules |
|
Table 3. Network
|
Technology /Technique |
Cisco ASA VPN |
Palo Alto Networks |
|||||
|---|---|---|---|---|---|---|---|
|
SIEM |
IBM QRadar |
Splunk |
Sumo Logic |
Azure Log Analytics (ALA) |
Exabeam Fusion SIEM |
Splunk |
Sumo Logic |
|
Connections to Sinkholed Domains |
|
||||||
|
Geo infeasibility |
|
|
|
||||
|
HTTP Beaconing |
|
|
|
|
|||
Comments
0 comments
Please sign in to leave a comment.