
Windows detections

Windows is a popular endpoint operating system, with over 70% of desktop and laptop computers having Windows installed. With Windows' popularity comes a large attack surface and many different types of threats. Below is a list of signature-based detections the Devo Threat Research Team has created to help our customers protect their Windows endpoints from well-known threats.

Monitors for changes to registry keys related to lsass.exe that are often edited to enable or obfuscate activity related to dumping the process.

Source table → box.all.win

Detects the use of reg.exe to access the Windows Registry SAM, SYSTEM, or SECURITY hives, which contain credentials. Adversaries may use this technique to export registry hives for offline credential-access attacks.

Source table → box.all.win

Detects the use of nbtstat.exe or arp.exe, which may be used to obtain a listing of other systems on the network by IP address, hostname, or other logical identifier; this information may be used for lateral movement from the current system.

Source table → box.all.win

Detects the WMI standard event consumer launching a script. Validate the running script, as this is a rare occurrence in Windows environments.

Source table → box.all.win

Multiple Windows account lockouts were detected on the same endpoint.

Source table → box.all.win