Sigma Rules
5 rules found for "Michael McKinley"
Network Connection Initiated By AddinUtil.EXE
Detects a network connection initiated by the Add-In deployment cache updating utility "AddInutil.exe". This could indicate a potential command and control communication as this tool doesn't usually initiate network activity.
Suspicious AddinUtil.EXE CommandLine Execution
Detects execution of the Add-In deployment cache updating utility (AddInutil.exe) with suspicious Addinroot or Pipelineroot paths. An adversary may execute AddinUtil.exe with uncommon Addinroot/Pipelineroot paths that point to the adversaries Addins.Store payload.
Uncommon Child Process Of AddinUtil.EXE
Detects uncommon child processes of the Add-In deployment cache updating utility (AddInutil.exe) which could be a sign of potential abuse of the binary to proxy execution via a custom Addins.Store payload.
Uncommon AddinUtil.EXE CommandLine Execution
Detects execution of the Add-In deployment cache updating utility (AddInutil.exe) with uncommon Addinroot or Pipelineroot paths. An adversary may execute AddinUtil.exe with uncommon Addinroot/Pipelineroot paths that point to the adversaries Addins.Store payload.
AddinUtil.EXE Execution From Uncommon Directory
Detects execution of the Add-In deployment cache updating utility (AddInutil.exe) from a non-standard directory.