EXPLORE DETECTIONS
Vulnerable WinRing0 Driver Load
Detects the load of a signed WinRing0 driver often used by threat actors, crypto miners (XMRIG) or malware for privilege escalation
Wab Execution From Non Default Location
Detects execution of wab.exe (Windows Contacts) and Wabmig.exe (Microsoft Address Book Import Tool) from non default locations as seen with bumblebee activity
Wab/Wabmig Unusual Parent Or Child Processes
Detects unusual parent or children of the wab.exe (Windows Contacts) and Wabmig.exe (Microsoft Address Book Import Tool) processes as seen being used with bumblebee activity
Wannacry Killswitch Domain
Detects wannacry killswitch domain dns queries
WCE wceaux.dll Access
Detects wceaux.dll access while WCE pass-the-hash remote command execution on source host
WDAC Policy File Creation In CodeIntegrity Folder
Attackers can craft a custom Windows Defender Application Control (WDAC) policy that blocks Endpoint Detection and Response (EDR) components while allowing their own malicious code. The policy is placed in the privileged Windows Code Integrity folder (C:\Windows\System32\CodeIntegrity\). Upon reboot, the policy prevents EDR drivers from loading, effectively bypassing security measures and may further enable undetected lateral movement within an Active Directory environment.
Wdigest CredGuard Registry Modification
Detects potential malicious modification of the property value of IsCredGuardEnabled from HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest to disable Cred Guard on a system. This is usually used with UseLogonCredential to manipulate the caching credentials.
Wdigest Enable UseLogonCredential
Detects potential malicious modification of the property value of UseLogonCredential from HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest to enable clear-text credentials
Weak Encryption Enabled and Kerberoast
Detects scenario where weak encryption is enabled for a user profile which could be used for hash/password cracking.
Weak or Abused Passwords In CLI
Detects weak passwords or often abused passwords (seen used by threat actors) via the CLI. An example would be a threat actor creating a new user via the net command and providing the password inline
WebDav Client Execution Via Rundll32.EXE
Detects "svchost.exe" spawning "rundll32.exe" with command arguments like "C:\windows\system32\davclnt.dll,DavSetCookie". This could be an indicator of exfiltration or use of WebDav to launch code (hosted on a WebDav server).
WebDav Put Request
A General detection for WebDav user-agent being used to PUT files on a WebDav network share. This could be an indicator of exfiltration.
WebDAV Temporary Local File Creation
Detects the creation of WebDAV temporary files with potentially suspicious extensions
Webshell Detection With Command Line Keywords
Detects certain command line parameters often used during reconnaissance activity via web shells
Webshell Hacking Activity Patterns
Detects certain parent child patterns found in cases in which a web shell is used to perform certain credential dumping or exfiltration activities on a compromised system
Webshell ReGeorg Detection Via Web Logs
Certain strings in the uri_query field when combined with null referer and null user agent can indicate activity associated with the webshell ReGeorg.
Webshell Remote Command Execution
Detects possible command execution by web application/web shell
Webshell Tool Reconnaissance Activity
Detects processes spawned from web servers (PHP, Tomcat, IIS, etc.) that perform reconnaissance looking for the existence of popular scripting tools (perl, python, wget) on the system via the help commands
WerFault LSASS Process Memory Dump
Detects WerFault creating a dump file with a name that indicates that the dump file could be an LSASS process memory, which contains user credentials
WerFaultSecure Loading DbgCore or DbgHelp - EDR-Freeze
Detects the loading of dbgcore.dll or dbghelp.dll by WerFaultSecure.exe, which has been observed in EDR-Freeze attacks to suspend processes and evade detection. However, this behavior has also been observed during normal software installations, so further investigation is required to confirm malicious activity. When threat hunting, look for this activity in conjunction with other suspicious processes starting, network connections, or file modifications that occur shortly after the DLL load. Pay special attention to timing - if other malicious activities occur during or immediately after this library loading, it may indicate EDR evasion attempts. Also correlate with any EDR/AV process suspension events or gaps in security monitoring during the timeframe.
WFP Filter Added via Registry
Detects registry modifications that add Windows Filtering Platform (WFP) filters, which may be used to block security tools and EDR agents from reporting events.
Wget Creating Files in Tmp Directory
Detects the use of wget to download content in a temporary directory such as "/tmp" or "/var/tmp"
WhoAmI as Parameter
Detects a suspicious process command line that uses whoami as first parameter (as e.g. used by EfsPotato)
Whoami.EXE Execution Anomaly
Detects the execution of whoami.exe with suspicious parent processes.