Rule Library
Sigma Rules
3 rules found for "Marius Rothenbücher"
3,707Total
3,116Detection
451Emerging
137Hunting
Detectionhighexperimental
Azure Login Bypassing Conditional Access Policies
Detects a successful login to the Microsoft Intune Company Portal which could allow bypassing Conditional Access Policies and InTune device trust using a tool like TokenSmith.
Microsoft 365audit
TA0004 · Privilege EscalationTA0003 · PersistenceTA0001 · Initial AccessTA0005 · Defense Evasion+1
Josh Nickels+1Wed Jan 08cloud
Detectionmediumtest
Group Policy Abuse for Privilege Addition
Detects the first occurrence of a modification to Group Policy Object Attributes to add privileges to user accounts or use them to add users as local admins.
Windowssecurity
TA0005 · Defense EvasionTA0004 · Privilege EscalationT1484.001 · Group Policy Modification
Elastic Security+2Wed Sep 04windows
Detectionmediumtest
Startup/Logon Script Added to Group Policy Object
Detects the modification of Group Policy Objects (GPO) to add a startup/logon script to users or computer objects.
Windowssecurity
TA0003 · PersistenceTA0005 · Defense EvasionTA0004 · Privilege EscalationT1484.001 · Group Policy Modification+1
Elastic Security+2Fri Sep 06windows