
Summary
This detection rule flags suspicious Windows file path strings appearing in Uniform Resource Identifiers (URIs), a potential indicator of data exfiltration or web shell activity. It matches query parameters in URIs that contain common Windows path prefixes such as 'C:/Users', 'C:/Program Files', and 'C:/Windows'. A client passing such a path to a web application suggests that an attacker is trying to read or write files on the underlying Windows host from a web context, for example to retrieve sensitive files or to hand commands to a web shell. False positives can arise from legitimate applications that pass Windows paths in their query parameters; tune those out per application. The rule is set to a high alert level because of the risk such activity represents.
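The following is an added example of the detection logic described above run over a few constructed log lines; it is not the rule's own code. It goes slightly beyond the literal match: the query string is also checked after percent-decoding and folding backslashes to forward slashes, so 'C:%5CUsers' and 'C:\Users' are caught as well, and matching is case-insensitive. The log format (method, URI, status) and the sample lines are assumptions made for the example.

```python
from urllib.parse import urlsplit, unquote

# Windows path prefixes named in the rule summary.
WINDOWS_PATHS = ("C:/Users", "C:/Program Files", "C:/Windows")


def suspicious_windows_paths(uri: str) -> list:
    """Return the rule's Windows path strings found in the query part of uri.

    The rule looks at query parameters only, so a path-only URI such as
    '/C:/Windows/' does not fire. Matching is done on the raw query and on a
    percent-decoded copy with backslashes folded to '/', case-insensitively,
    which is an extension of the literal substring match described on the page.
    """
    query = urlsplit(uri).query
    if not query:
        return []
    candidates = {query, unquote(query).replace("\\", "/")}
    hits = []
    for path in WINDOWS_PATHS:
        if any(path.lower() in c.lower() for c in candidates):
            hits.append(path)
    return hits


# Constructed sample log (assumed layout: method, URI, status), not real traffic.
SAMPLE_LOG = """\
GET /index.php?page=home 200
GET /cmd.php?file=C:/Windows/System32/drivers/etc/hosts 200
GET /shell.aspx?cmd=type%20C%3A%5CUsers%5CAdministrator%5CDesktop%5Cflag.txt 200
GET /download?path=C:/Users/public/report.pdf 200
GET /C:/Windows/ 404
POST /api/upload 201
"""


def scan_log(text: str) -> list:
    """Apply the rule to each log line; return (uri, matched_paths) for hits."""
    alerts = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue  # skip malformed lines rather than raising
        uri = parts[1]
        hits = suspicious_windows_paths(uri)
        if hits:
            alerts.append((uri, hits))
    return alerts


if __name__ == "__main__":
    for uri, hits in scan_log(SAMPLE_LOG):
        print(f"ALERT {uri} -> {hits}")
```

Running it produces three alerts: the plain 'C:/Windows' lookup, the percent-encoded and backslash-separated 'C:\Users' path handed to a web shell, and the 'C:/Users' download. The '/C:/Windows/' request does not fire because the path is not in a query parameter, which is the scope the rule describes; the last hit is the kind of legitimate download endpoint that may need an allowlist entry.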
Categories
- Windows
- Web
- Endpoint
Data Sources
- Web Credential
- Network Traffic
Created: 2022-06-06