
I am currently analyzing our security landscape with the help of the MITRE ATT&CK Framework. Most techniques have ways to "Mitigate" and to "Detect" them, and one of the most prevalent security tools we have in place is Defender 365. Now, I know there are custom ways to write queries and do advanced threat hunting, but what are the default ways Defender monitors for threats?

For example, one of the techniques, "Indirect Command Execution", lists a way to detect it:

Process Creation
Monitor for newly constructed processes and/or command-lines that can be used instead of invoking cmd (i.e. pcalua.exe, winrs.exe, cscript/wscript.exe, hh.exe, or bash.exe)

Now, how would one find out if this is one of the things Defender already monitors for?

I also know that Defender uses behavior analysis and correlates events based on previous actions, but the visibility for this is lacking. Any insight into this would be appreciated!

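As an added illustration (not part of the question or any Microsoft documentation), the following script applies the ATT&CK detection note quoted above to process-creation records: it flags a new process that is itself one of the listed proxy binaries, and also a process whose parent is one of them, which is the correlation step that a default alert may or may not perform. The column names follow Defender's DeviceProcessEvents table; the rows themselves are constructed for this example.

```python
import re

# Proxies named in the ATT&CK detection note above. Matching is
# case-insensitive and ignores the directory, because the same binary
# can be launched from System32, SysWOW64 or a copied location.
PROXY_BINARIES = {
    "pcalua.exe", "winrs.exe", "cscript.exe", "wscript.exe", "hh.exe", "bash.exe",
}

# Constructed sample rows shaped like Defender's DeviceProcessEvents table:
# the column names are real, every value below is made up for this example.
SAMPLE_EVENTS = [
    {"Timestamp": "2024-01-01T10:00:00Z", "DeviceName": "ws01", "FileName": "PCALUA.EXE",
     "ProcessCommandLine": "pcalua.exe -a C:\\Users\\u\\Downloads\\update.exe",
     "InitiatingProcessFileName": "powershell.exe"},
    {"Timestamp": "2024-01-01T10:00:01Z", "DeviceName": "ws01", "FileName": "update.exe",
     "ProcessCommandLine": "update.exe",
     "InitiatingProcessFileName": "pcalua.exe"},
    {"Timestamp": "2024-01-01T10:05:00Z", "DeviceName": "ws02", "FileName": "wscript.exe",
     "ProcessCommandLine": 'wscript.exe //B "C:\\ProgramData\\logon.vbs"',
     "InitiatingProcessFileName": "explorer.exe"},
    {"Timestamp": "2024-01-01T10:06:00Z", "DeviceName": "ws02", "FileName": "notepad.exe",
     "ProcessCommandLine": "notepad.exe readme.txt",
     "InitiatingProcessFileName": "explorer.exe"},
]


def _basename(path):
    """Lower-cased file name from a Windows or POSIX path (or a bare name)."""
    return re.split(r"[\\/]", path)[-1].lower()


def find_indirect_command_execution(events):
    """Return (event, reason) pairs for rows matching the detection note.

    Check 1: the new process is itself one of the proxy binaries.
    Check 2: the new process was spawned by a proxy binary, i.e. it is the
             command the proxy executed on the caller's behalf.
    """
    hits = []
    for ev in events:
        name = _basename(ev.get("FileName", ""))
        parent = _basename(ev.get("InitiatingProcessFileName", ""))
        if name in PROXY_BINARIES:
            hits.append((ev, f"proxy binary started: {name}"))
        elif parent in PROXY_BINARIES:
            hits.append((ev, f"spawned by proxy binary: {parent}"))
    return hits
```

In most environments cscript/wscript launched by logon scripts will match constantly, so the parent-process check is what turns this list into something worth alerting on rather than an inventory.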