A practical Windows-focused workflow: 1. Process analysis: Identify unsigned binaries, LOLBins, anomalous parent-child relationships, and processes executing from temp or user-writable directories. 2. Persistence review: Inspect scheduled tasks, services, Run/RunOnce keys, WMI subscriptions, and startup folders for new or modified entries. 3. Network telemetry: Examine outbound connections, DNS anomalies, beaconing patterns, and processes making unexpected network calls. 4. System modification review: Look for new accounts, privilege changes, security configuration drift, and recent software installations. 5. Script and PowerShell telemetry: Identify encoded commands, AMSI bypass attempts, suspicious module loads, and script execution from non-standard locations. 6. Correlation: Combine signals to identify multi-stage behaviours indicative of compromise.
Sapience simplifies this workflow by aggregating process, network, persistence, and behavioural indicators into a single interface. It highlights anomalies and maps certain behaviours to MITRE ATT&CK techniques, making it easier for non-enterprise defenders to spot early indicators of compromise without parsing logs or using multiple admin tools.