Sigma Rules
16 rules found for "Michael Haag"
Windows AppX Deployment Full Trust Package Installation
Detects the installation of MSIX/AppX packages with full trust privileges which run with elevated privileges outside normal AppX container restrictions
Windows AppX Deployment Unsigned Package Installation
Detects attempts to install unsigned MSIX/AppX packages using the -AllowUnsigned parameter via AppXDeployment-Server events
Possible PetitPotam Coerce Authentication Attempt
Detect PetitPotam coerced authentication activity.
PetitPotam Suspicious Kerberos TGT Request
Detect suspicious Kerberos TGT requests. Once an attacer obtains a computer certificate by abusing Active Directory Certificate Services in combination with PetitPotam, the next step would be to leverage the certificate for malicious purposes. One way of doing this is to request a Kerberos Ticket Granting Ticket using a tool like Rubeus. This request will generate a 4768 event with some unusual fields depending on the environment. This analytic will require tuning, we recommend filtering Account_Name to the Domain Controller computer accounts.
PowerShell Web Access Installation - PsScript
Detects the installation and configuration of PowerShell Web Access, which could be used for remote access and potential abuse
Potential Credential Dumping Activity Via LSASS
Detects process access requests to the LSASS process with specific call trace calls and access masks. This behaviour is expressed by many credential dumping tools such as Mimikatz, NanoDump, Invoke-Mimikatz, Procdump and even the Taskmgr dumping feature.
File Download Via Bitsadmin
Detects usage of bitsadmin downloading a file
PowerShell Web Access Feature Enabled Via DISM
Detects the use of DISM to enable the PowerShell Web Access feature, which could be used for remote access and potential abuse
Suspicious MSHTA Child Process
Detects a suspicious process spawning from an "mshta.exe" process, which could be indicative of a malicious HTA script execution
Windows MSIX Package Support Framework AI_STUBS Execution
Detects execution of Advanced Installer MSIX Package Support Framework (PSF) components, specifically AI_STUBS executables with original filename 'popupwrapper.exe'. This activity may indicate malicious MSIX packages build with Advanced Installer leveraging the Package Support Framework to bypass application control restrictions.
Suspicious Outlook Child Process
Detects a suspicious process spawning from an Outlook process.
Suspicious Microsoft Office Child Process
Detects a suspicious process spawning from one of the Microsoft Office suite products (Word, Excel, PowerPoint, Publisher, Visio, etc.)
Shadow Copies Deletion Using Operating Systems Utilities
Shadow Copies deletion using operating systems utilities
New Process Created Via Wmic.EXE
Detects new process creation using WMIC via the "process call create" flag
Potential Product Class Reconnaissance Via Wmic.EXE
Detects the execution of WMIC in order to get a list of firewall, antivirus and antispywware products. Adversaries often enumerate security products installed on a system to identify security controls and potential ways to evade detection or disable protection mechanisms. This information helps them plan their next attack steps and choose appropriate techniques to bypass security measures.
IE ZoneMap Setting Downgraded To MyComputer Zone For HTTP Protocols
Detects changes to Internet Explorer's (IE / Windows Internet properties) ZoneMap configuration of the "HTTP" and "HTTPS" protocols to point to the "My Computer" zone. This allows downloaded files from the Internet to be granted the same level of trust as files stored locally.