Phoenix
Sigma IntelligenceBeta
Rule Library

Sigma Rules

15 rules found for "Tobias Michalski"

3,707Total
3,116Detection
451Emerging
137Hunting
Detectionmediumtest

MSExchange Transport Agent Installation - Builtin

Detects the Installation of a Exchange Transport Agent

Windowsmsexchange-management
TA0003 · PersistenceT1505.002 · Transport Agent
Tobias MichalskiTue Jun 08windows
Detectionhightest

Failed MSExchange Transport Agent Installation

Detects a failed installation of a Exchange Transport Agent

Windowsmsexchange-management
TA0003 · PersistenceT1505.002 · Transport Agent
Tobias MichalskiTue Jun 08windows
Detectionhightest

Potential Persistence Via Outlook Form

Detects the creation of a new Outlook form which can contain malicious code

WindowsFile Event
TA0003 · PersistenceT1137.003 · Outlook Forms
Tobias MichalskiThu Jun 10windows
Detectionhightest

Malicious PowerShell Commandlets - ScriptBlock

Detects Commandlet names from well-known PowerShell exploitation frameworks

WindowsPowerShell Script
TA0002 · ExecutionTA0007 · DiscoveryT1482 · Domain Trust DiscoveryT1087 · Account Discovery+6
Sean Metcalf+10Sun Mar 05windows
Detectionhightest

Malicious ShellIntel PowerShell Commandlets

Detects Commandlet names from ShellIntel exploitation scripts.

WindowsPowerShell Script
TA0002 · ExecutionT1059.001 · PowerShell
Max Altgelt (Nextron Systems)+1Mon Aug 09windows
Detectionhightest

Copy From VolumeShadowCopy Via Cmd.EXE

Detects the execution of the builtin "copy" command that targets a shadow copy (sometimes used to copy registry hives that are in use)

WindowsProcess Creation
TA0040 · ImpactT1490 · Inhibit System Recovery
Max Altgelt (Nextron Systems)+1Mon Aug 09windows
Detectionmediumtest

MSExchange Transport Agent Installation

Detects the Installation of a Exchange Transport Agent

WindowsProcess Creation
TA0003 · PersistenceT1505.002 · Transport Agent
Tobias MichalskiTue Jun 08windows
Detectionhightest

Suspicious NTLM Authentication on the Printer Spooler Service

Detects a privilege elevation attempt by coercing NTLM authentication on the Printer Spooler service

WindowsProcess Creation
TA0004 · Privilege EscalationTA0006 · Credential AccessT1212 · Exploitation for Credential Access
Elastic Security+1Wed May 04windows
Detectionhightest

Sensitive File Access Via Volume Shadow Copy Backup

Detects a command that accesses the VolumeShadowCopy in order to extract sensitive files such as the Security or SAM registry hives or the AD database (ntds.dit)

WindowsProcess Creation
TA0040 · ImpactT1490 · Inhibit System Recovery
Max Altgelt (Nextron Systems)+1Mon Aug 09windows
Detectionmediumtest

CrashControl CrashDump Disabled

Detects disabling the CrashDump per registry (as used by HermeticWiper)

WindowsRegistry Set
TA0003 · PersistenceTA0005 · Defense EvasionT1564 · Hide ArtifactsT1112 · Modify Registry
Tobias MichalskiThu Feb 24windows
Detectionhightest

Potential Persistence Via Outlook Home Page

Detects potential persistence activity via outlook home page. An attacker can set a home page to achieve code execution and persistence by editing the WebView registry keys.

WindowsRegistry Set
TA0005 · Defense EvasionTA0003 · PersistenceT1112 · Modify Registry
Tobias Michalski+2Wed Jun 09windows
Detectionhightest

Potential Persistence Via Outlook Today Page

Detects potential persistence activity via outlook today page. An attacker can set a custom page to execute arbitrary code and link to it via the registry values "URL" and "UserDefinedUrl".

WindowsRegistry Set
TA0005 · Defense EvasionTA0003 · PersistenceT1112 · Modify Registry
Tobias Michalski+2Thu Jun 10windows
Emerging Threathightest

ADSelfService Exploitation

Detects suspicious access to URLs that was noticed in cases in which attackers exploitated the ADSelfService vulnerability CVE-2021-40539

Web Server Log
cve.2021-40539detection.emerging-threatsTA0001 · Initial AccessT1190 · Exploit Public-Facing Application
Tobias Michalski+1Mon Sep 202021
Emerging Threathightest

Conti Volume Shadow Listing

Detects a command used by conti to find volume shadow backups

WindowsProcess Creation
T1587.001 · MalwareTA0042 · Resource Developmentdetection.emerging-threats
Max Altgelt (Nextron Systems)+1Mon Aug 092021
Emerging Threathightest

Conti NTDS Exfiltration Command

Detects a command used by conti to exfiltrate NTDS

WindowsProcess Creation
TA0009 · CollectionT1560 · Archive Collected Datadetection.emerging-threats
Max Altgelt (Nextron Systems)+1Mon Aug 092021