Rule Library
Sigma Rules
3 rules found for "Michael Haag"
3,707 Total
3,116 Detection
451 Emerging
137 Hunting
Threat Hunt | low | experimental
Successful MSIX/AppX Package Installation
Detects successful MSIX/AppX package installations on Windows systems by monitoring EventID 854 in the Microsoft-Windows-AppXDeployment-Server/Operational log. While most installations are legitimate, this can help identify unauthorized or suspicious package installations. It is crucial to monitor such events as threat actors may exploit MSIX/AppX packages to deliver and execute malicious payloads.
Windows | appxdeployment-server
TA0002 · Execution | T1204.002 · Malicious File | detection.threat-hunting
Michael Haag +1 | Mon Nov 03 | windows
Threat Hunt | low | test
Net.EXE Execution
Detects execution of "Net.EXE".
Windows | Process Creation
TA0007 · Discovery | T1007 · System Service Discovery | T1049 · System Network Connections Discovery | T1018 · Remote System Discovery | +10
Michael Haag +2 | Wed Jan 16 | windows
Threat Hunt | medium | test
WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Detects script file execution (.js, .jse, .vba, .vbe, .vbs, .wsf) by Wscript/Cscript
Windows | Process Creation
TA0002 · Execution | T1059.005 · Visual Basic | T1059.007 · JavaScript | detection.threat-hunting
Michael Haag | Wed Jan 16 | windows