|By looking for anomalies in host resource consumption and alerting on suspect activity, the defender can detect the use of system resources at odd times or at odd levels.
|By looking for anomalies in system service states and alerting on suspect situations, the defender can detect potential malicious activity and triage the system to re-enable the services that have been stopped.
|The defender can use behavioral analytics detect an XSL process doing something abnormal.
|A defender could develop behavioral analytics to detect the examination of commonly used guardrails such as inspection of VM artifacts, enumeration of connected storage and/or devices, domain information, etc.
|A defender could use implement behavioral analytics that detects common access token manipulation techniques and allow or deny these actions.
|A defender could monitor for anomalous behavior from client applications, such as atypical module loads, file reads/writes, or network connections.
|A defender can monitor user interactions with images and containers to identify ones that are added or altered anomalously.
|A defender can detect the use of non-standard protocols. By implementing behavior analytics specific to a rise in protocol traffic to a system or set of systems, one might be able to detect malicious communications from an adversary.
|A defender can detect the use of external web services for communication relay. By implementing behavior analytics anomalies in what domains a system is communicating with, how frequently, and at what times, a defender can potentially identify malicious traffic.
|A defender can implement behavior analytics which would indicate activity on a system executing commands in non-standard ways. This could indicate malicious activity.
|A defender can implement behavioral analytics which would indicate activity on or against a domain controller. Activity which is out of sync with scheduled domain tasks, or results in an uptick in traffic with a particular system on the network could indicate malicious activity.
|A defender can look for known files in non-standard locations or files that are creating anomalous processes or connections.
|A defender can look for anomalies in how commands are being executed on a system. This can expose potentially malicious activity.
|A defender can detect adversaries leveraging unused cloud regions. By implementing behavioral analytics for cloud hosts interacting with the network from regions that are not normal, one can detect potential malicious activity.
|Defenders can detect adversaries attempting to exfiltrate to a cloud account. This can detect a system connecting to these cloud providers that it might not normally connect to, not using an account that it normally does, or during a time when it normally doesn't do so.
|Defenders can detect adversaries attempting to open a port by analyzing incoming network connections. By looking for anomalies in what network traffic comes in, as well as patterns that might indicate intentional sequences, one can potentially identify malicious traffic. One can also look at anomalies in services suddenly listening on ports that were not being used before.
|Defenders can look for anomalies in where an account is authenticating and what it is authenticating to in order to detect potentially malicious intent.
|A defender can look for anomalies in accounts being active with other services/systems during hours they are normally not active. This can indicate malicious activity.
|Defenders can detect adversaries attempting to exfiltrate over web services by implementing behavioral analytics. This can detect a system connecting to these web services that it might not normally connect to, or during a time when it normally doesn't do so.