Windows detections

Windows is a popular endpoint operating system, with over 70% of desktop and laptop computers having Windows installed. With Windows' popularity comes a large attack surface and many different types of threats. Below is a list of signature-based detections the Devo Threat Research Team has created to help our customers protect their Windows endpoints from well-known threats.

Detects attempts to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS).

Source table → box.all.win

Detects the use of reg.exe to access the Windows Registry SAM, SYSTEM, or SECURITY hives, which contain credential material. Adversaries may use this technique to export registry hives for offline credential-access attacks.

Source table → box.all.win

Detects the use of nbtstat.exe or arp.exe, which adversaries may use to enumerate other systems on the network by IP address, hostname, or other logical identifier as a precursor to lateral movement from the current system.

Source table → box.all.win

Detects the WMI standard event consumer launching a script. Validate the running script, as this is a rare occurrence in Windows environments.

Source table → box.all.win

Multiple Windows account lockouts were detected on the same endpoint.

Detects multiple accounts locked out on a single Windows endpoint within a short period. This may indicate that an attacker with limited knowledge of valid accounts is attempting password spraying.

Source table → box.all.win
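As an added example, not Devo's rule logic or code from this page: a Python function applying the lockout-burst logic described above to constructed Windows Security events. It assumes Event ID 4740 ("A user account was locked out") supplies the locked-out account and the caller computer name, and treats the caller computer as the endpoint the attempts came from.

```python
# Added example (not Devo's detection): flag an endpoint where several distinct
# accounts are locked out within a short window, the pattern the detection
# above describes. Events are constructed; Event ID 4740 is assumed to carry
# the locked account and the caller computer (the endpoint being monitored).
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, event id, target account, caller computer)
SAMPLE_EVENTS = [
    ("2024-03-01T09:00:05", 4740, "alice", "WS-0042"),
    ("2024-03-01T09:00:41", 4740, "bob", "WS-0042"),
    ("2024-03-01T09:01:12", 4740, "carol", "WS-0042"),
    ("2024-03-01T09:01:30", 4740, "dave", "WS-0042"),
    ("2024-03-01T09:03:00", 4740, "alice", "WS-0042"),  # repeat, not a new account
    ("2024-03-01T10:15:00", 4740, "erin", "WS-0099"),   # lone lockout elsewhere
    ("2024-03-01T09:00:50", 4624, "alice", "WS-0042"),  # unrelated logon event
]


def find_lockout_bursts(events, window=timedelta(minutes=10), threshold=3):
    """Return {caller_computer: sorted distinct accounts} for each endpoint where
    at least `threshold` distinct accounts were locked out within one `window`."""
    by_host = defaultdict(list)
    for ts, event_id, account, host in events:
        if event_id != 4740:  # only lockout events count
            continue
        by_host[host].append((datetime.fromisoformat(ts), account))

    hits = {}
    for host, lockouts in by_host.items():
        lockouts.sort()  # order by time so each start anchors a sliding window
        for i, (start, _) in enumerate(lockouts):
            accounts = {acct for t, acct in lockouts[i:] if t - start <= window}
            if len(accounts) >= threshold:
                hits[host] = sorted(accounts)
                break
    return hits


if __name__ == "__main__":
    print(find_lockout_bursts(SAMPLE_EVENTS))
```

Repeated lockouts of the same account are counted once, so a single user retrying a bad password does not trigger the alert on its own.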