Windows detections

Windows is a popular endpoint operating system, with over 70% of desktop and laptop computers having Windows installed. With Windows' popularity comes a large attack surface and many different types of threats. Below is a list of signature-based detections the Devo Threat Research Team has created to help our customers protect their Windows endpoints from well-known threats.

Detects a potentially malicious execution of curl on a Windows host.

Source table → box.all.win

Detects a PowerShell command that could be trying to compile a list of sensitive files on the host.

Source table → box.all.win

Detects new user accounts that do not match a user-specified naming convention. The `namePattern` selector value should be populated with a regular expression that matches the organization's naming convention.

Source table → box.all.win

The Samlib.dll module is abused by adversaries, threat actors, and red teamers to access information on SAM objects or to access credential information on a domain controller (DC). Information about the victim's identity can be used during targeting.

Source table → box.all.win

Monitors for use of reg.exe with parameters indicating the attempted export of hashed credentials.

Source table → box.all.win