EXPLORE DETECTIONS
Web Server Spawned via Python
This rule identifies when a web server is spawned via Python. Attackers may use Python to spawn a web server to exfiltrate/infiltrate data or to move laterally within a network.
Web Server Suspicious User Agent Requests
This rule detects unusual spikes in web server requests with uncommon or suspicious user-agent strings. Such activity may indicate reconnaissance attempts by attackers trying to identify vulnerabilities in web applications or servers. These user-agents are often associated with automated tools used for scanning, vulnerability assessment, or brute-force attacks.
Web Shell Detection: Script Process Child of Common Web Processes
Identifies suspicious commands executed via a web server, which may suggest a vulnerability and remote shell access.
WebProxy Settings Modification
Identifies the use of the built-in networksetup command to configure webproxy settings. This may indicate an attempt to hijack web browser traffic for credential access via traffic sniffing or redirection.
WebServer Access Logs Deleted
Identifies the deletion of WebServer access logs. This may indicate an attempt to evade detection or destroy forensic evidence on a system.
Werfault ReflectDebugger Persistence
Identifies the registration of a Werfault Debugger. Attackers may abuse this mechanism to execute malicious payloads every time the utility is executed with the "-pr" parameter.
Whoami Process Activity
Identifies suspicious use of whoami.exe which displays user, group, and privileges information for the user who is currently logged on to the local system.
Windows CryptoAPI Spoofing Vulnerability (CVE-2020-0601 - CurveBall)
A spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates. An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source.
Windows Defender Disabled via Registry Modification
Identifies modifications to the Windows Defender registry settings to disable the service or set the service to be started manually.
Windows Defender Exclusions Added via PowerShell
Identifies modifications to the Windows Defender configuration settings using PowerShell to add exclusions at the folder directory or process level.
Windows Event Logs Cleared
Identifies attempts to clear Windows event log stores. This is often done by attackers in an attempt to evade detection or destroy forensic evidence on a system.
Windows Firewall Disabled via PowerShell
Identifies when the Windows Firewall is disabled using PowerShell cmdlets, which can help attackers evade network constraints, like internet and network lateral communication restrictions.
Windows Registry File Creation in SMB Share
Identifies the creation or modification of a medium-size registry hive file on a Server Message Block (SMB) share, which may indicate an exfiltration attempt of a previously dumped Security Account Manager (SAM) registry hive for credential extraction on an attacker-controlled system.
Windows Sandbox with Sensitive Configuration
Identifies Windows Sandbox processes indicating the start of a new container with sensitive configurations, such as write access to the host file system, network connectivity, and automatic execution via a logon command. Malware may abuse the sandbox feature to evade detection.
Windows Script Executing PowerShell
Identifies a PowerShell process launched by either cscript.exe or wscript.exe. Observing Windows scripting processes executing a PowerShell script may be indicative of malicious activity.
Windows Script Execution from Archive
Identifies attempts to execute JScript/VBScript files from an archive file. Archives are a common delivery method for malicious scripts.
Windows Script Interpreter Executing Process via WMI
Identifies the built-in Windows script interpreters (cscript.exe or wscript.exe) being used to execute a process via Windows Management Instrumentation (WMI). This may be indicative of malicious activity.
Windows Server Update Service Spawning Suspicious Processes
Identifies suspicious processes being spawned by the Windows Server Update Service. This activity may indicate exploitation activity or access to an existing web shell backdoor.
Windows Service Installed via an Unusual Client
Identifies the creation of a Windows service by an unusual client process. Services may be created with administrator privileges but are executed under SYSTEM privileges, so an adversary may also use a service to escalate privileges from administrator to SYSTEM.
Windows Subsystem for Linux Distribution Installed
Detects changes to the registry that indicate the installation of a new Windows Subsystem for Linux distribution by name. Adversaries may enable and use WSL to avoid detection.
Windows Subsystem for Linux Enabled via Dism Utility
Detects attempts to enable the Windows Subsystem for Linux using the Microsoft Dism utility. Adversaries may enable and use WSL to avoid detection.
Wireless Credential Dumping using Netsh Command
Identifies attempts to dump saved wireless access keys in clear text using the Windows built-in utility Netsh.
WMI Incoming Lateral Movement
Identifies processes executed via Windows Management Instrumentation (WMI) on a remote host. This could be indicative of adversary lateral movement, but could be noisy if administrators use WMI to remotely manage hosts.
WPS Office Exploitation via DLL Hijack
Identifies the load of a remote library by the WPS Office promecefpluginhost.exe executable. This may indicate the successful exploitation of CVE-2024-7262 or CVE-2024-7263 via DLL hijack abusing the ksoqing custom protocol handler.