Rule Info
Name: Potential Abuse of Winpty-Agent.Exe for Reconnaissance
Author: Swachchhanda Shrawan Poudel (Nextron Systems)
Description: Detects potential abuse of winpty-agent.exe, a pseudo-terminal utility commonly used by developer tools and remote monitoring software, for executing reconnaissance commands.
Reference:
Date: 2026-03-23 00:00:00
Modified: None
Id: 9dde799f-e8a3-4410-8931-8abb7a18f0fd
Tags: attack.execution, attack.t1059, attack.command-and-control, attack.discovery
Type: Nextron Sigma feed only (private)
