Malware Detection Rules¶
Detect malware indicators including command-and-control communication, ransomware delivery and encryption, blacklisted process execution, and alerts forwarded from endpoint protection platforms. Every rule in this category matches on a single enrichment field, messageType, so its fidelity is that of the upstream classifier or forwarding tool rather than of any independent detection logic.
8 rules in this category.
Rule Summary¶
| ID | Title | Level | ATT&CK |
|---|---|---|---|
| wf-mal-001 | Malicious Behavior Detection | high | T1027 |
| wf-mal-002 | Botnet Connection | critical | T1071.001 |
| wf-mal-003 | Ransomware Download Indicator | critical | T1486 |
| wf-mal-004 | Ransomware Encryption Activity | critical | T1486 |
| wf-mal-005 | Malicious Software Detection | high | T1204 |
| wf-mal-006 | Blacklisted Process Execution | critical | T1059 |
| wf-mal-007 | Threat Event Detection | high | T1204 |
| wf-mal-008 | Endpoint Protection Alert | medium | T1027 |
Rule Details¶
Malicious Behavior Detection¶
ID: wf-mal-001
Level: high
Status: stable
Author: WitFoo
Detects events classified as malicious behavior by WitFoo's enrichment engine. This covers a broad range of malware indicators including suspicious process execution, anomalous system calls, and behavioral analysis triggers.
Tags: attack.execution, attack.t1027
Detection Logic
```yaml
- messageType: malicious_behavior
```
Botnet Connection¶
ID: wf-mal-002
Level: critical
Status: stable
Author: WitFoo
Detects connections to known botnet command-and-control infrastructure. WitFoo's threat intelligence enrichment classifies these connections based on IOC matching and behavioral patterns.
Tags: attack.command_and_control, attack.t1071.001
Detection Logic
```yaml
- messageType: botnet_connection
```
Ransomware Download Indicator¶
ID: wf-mal-003
Level: critical
Status: stable
Author: WitFoo
Detects ransomware payload download activity identified by WitFoo's enrichment engine. This is the initial delivery phase of a ransomware attack chain, before encryption begins.
Tags: attack.impact, attack.t1486, attack.initial_access
Detection Logic
```yaml
- messageType: ransomware_download
```
Ransomware Encryption Activity¶
ID: wf-mal-004
Level: critical
Status: stable
Author: WitFoo
Detects active ransomware encryption behavior reported by WitFoo's enrichment engine. This critical alert indicates that ransomware is actively encrypting files on a host in the environment; immediate incident response action is required.
Tags: attack.impact, attack.t1486
Detection Logic
```yaml
- messageType: ransomware_encryption
```
Malicious Software Detection¶
ID: wf-mal-005
Level: high
Status: stable
Author: WitFoo
Detects malicious software identified by endpoint protection platforms (EPP) or endpoint detection and response (EDR) solutions forwarding alerts through WitFoo's artifact ingestion pipeline.
Tags: attack.execution, attack.t1204
Detection Logic
```yaml
- messageType: malicious_software
```
Blacklisted Process Execution¶
ID: wf-mal-006
Level: critical
Status: stable
Author: WitFoo
Detects execution of processes on the organization's blacklist. These are known-bad executables, prohibited tools, or applications that violate security policy.
Tags: attack.execution, attack.t1059
Detection Logic
```yaml
- messageType: blacklisted_process
```
Threat Event Detection¶
ID: wf-mal-007
Level: high
Status: stable
Author: WitFoo
Detects generic threat events identified by security tools and forwarded through WitFoo's ingestion pipeline. Covers threats not classified into one of the more specific categories above.
Tags: attack.execution, attack.t1204
Detection Logic
```yaml
- messageType: threat_event
```
Endpoint Protection Alert¶
ID: wf-mal-008
Level: medium
Status: stable
Author: WitFoo
Detects alerts forwarded from endpoint protection platforms (EPP/EDR) through WitFoo's artifact pipeline. These include antivirus detections, behavioral blocks, and exploit prevention alerts.
Tags: attack.execution, attack.t1027
Detection Logic
```yaml
- messageType: endpoint_protection
```
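All eight rules reduce to the same test, an exact match on the enrichment engine's messageType field, so the most useful thing to show is the full rule table applied to a stream of events, with a consistency check on the table and a triage order that puts the critical rules first. The following is an added example, not WitFoo's own code: the rule table is transcribed from this page, while the JSON-lines event format, the field names other than messageType (ts, host, src, dst, detail) and the sample events themselves are constructed assumptions for the demonstration.

```python
"""Run the wf-mal-* messageType rules over WitFoo-style JSON events.

Added example, not WitFoo's code. RULES is transcribed from this page; the event
field names other than messageType and the sample events are assumptions.
"""
import json
from collections import Counter

# Transcribed from the Rule Summary and Rule Details sections above.
RULES = [
    {"id": "wf-mal-001", "title": "Malicious Behavior Detection", "level": "high",
     "messageType": "malicious_behavior", "tags": ["attack.execution", "attack.t1027"]},
    {"id": "wf-mal-002", "title": "Botnet Connection", "level": "critical",
     "messageType": "botnet_connection", "tags": ["attack.command_and_control", "attack.t1071.001"]},
    {"id": "wf-mal-003", "title": "Ransomware Download Indicator", "level": "critical",
     "messageType": "ransomware_download", "tags": ["attack.impact", "attack.t1486", "attack.initial_access"]},
    {"id": "wf-mal-004", "title": "Ransomware Encryption Activity", "level": "critical",
     "messageType": "ransomware_encryption", "tags": ["attack.impact", "attack.t1486"]},
    {"id": "wf-mal-005", "title": "Malicious Software Detection", "level": "high",
     "messageType": "malicious_software", "tags": ["attack.execution", "attack.t1204"]},
    {"id": "wf-mal-006", "title": "Blacklisted Process Execution", "level": "critical",
     "messageType": "blacklisted_process", "tags": ["attack.execution", "attack.t1059"]},
    {"id": "wf-mal-007", "title": "Threat Event Detection", "level": "high",
     "messageType": "threat_event", "tags": ["attack.execution", "attack.t1204"]},
    {"id": "wf-mal-008", "title": "Endpoint Protection Alert", "level": "medium",
     "messageType": "endpoint_protection", "tags": ["attack.execution", "attack.t1027"]},
]

LEVEL_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


def check_rule_table(rules=RULES):
    """Sanity-check the rule set before deploying it: rule IDs and messageType
    selectors must be unique, or one event fires twice / a rule is shadowed.
    Returns a list of human-readable problems (empty when the table is clean)."""
    problems = []
    for key in ("id", "messageType"):
        dupes = [v for v, n in Counter(r[key] for r in rules).items() if n > 1]
        problems.extend(f"duplicate {key}: {d}" for d in dupes)
    problems.extend(f"unknown level in {r['id']}" for r in rules if r["level"] not in LEVEL_RANK)
    return problems


def match_rules(event, rules=RULES):
    """Each rule has a single selector: an exact, case-sensitive match on messageType,
    mirroring the detection logic listed for every wf-mal-* rule above. The enrichment
    engine is assumed to emit normalized lowercase values."""
    return [r for r in rules if event.get("messageType") == r["messageType"]]


def evaluate(lines, rules=RULES):
    """Parse JSON-lines input and return (alerts, skipped). Each alert carries the rule id,
    level, tags and the originating event. Malformed lines are counted and skipped rather
    than aborting the whole batch."""
    alerts, skipped = [], 0
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            skipped += 1
            continue
        for rule in match_rules(event, rules):
            alerts.append({"rule": rule["id"], "level": rule["level"],
                           "tags": rule["tags"], "event": event})
    return alerts, skipped


def triage_order(alerts):
    """Critical alerts first (wf-mal-004 is the one the page flags for immediate
    response), then by event timestamp within a level."""
    return sorted(alerts, key=lambda a: (-LEVEL_RANK[a["level"]], a["event"].get("ts", "")))


# Constructed sample events (assumed format); note the mixed-case messageType and
# the unparseable line, both of which a real feed will eventually produce.
SAMPLE_EVENTS = """
{"ts": "2024-05-01T10:00:01Z", "messageType": "endpoint_protection", "host": "ws-17", "detail": "quarantined"}
{"ts": "2024-05-01T10:00:05Z", "messageType": "botnet_connection", "src": "10.1.2.3", "dst": "203.0.113.9"}
{"ts": "2024-05-01T10:00:09Z", "messageType": "authentication_success", "host": "ws-17"}
{"ts": "2024-05-01T10:00:12Z", "messageType": "ransomware_encryption", "host": "fs-01"}
{"ts": "2024-05-01T10:00:15Z", "messageType": "Botnet_Connection", "src": "10.1.2.4"}
not json at all
{"ts": "2024-05-01T10:00:20Z", "messageType": "ransomware_download", "host": "ws-17"}
""".splitlines()

if __name__ == "__main__":
    assert not check_rule_table(), check_rule_table()
    found, unparseable = evaluate(SAMPLE_EVENTS)
    for a in triage_order(found):
        print(a["level"], a["rule"], a["event"]["ts"], " ".join(a["tags"]))
    print(f"{len(found)} alerts, {unparseable} unparseable line(s)")
```

Two things worth noticing in the sample run. The "Botnet_Connection" event produces no alert, because the rules are exact string matches: if an upstream forwarder ever changes the casing or spelling of a messageType, the corresponding rule goes silent without any error, so the check_rule_table step should be paired with a periodic count of events per messageType to catch such drift. And the ransomware events arrive in the delivery-then-encryption order the page describes for the attack chain; sorting by level alone would not preserve that, which is why the triage order breaks ties by timestamp.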