Rule Library
Sigma Rules
3 rules found for "andrewdanis"
3,707 Total · 3,116 Detection · 451 Emerging · 137 Hunting
Detection · high · test
Windows LAPS Credential Dump From Entra ID
Detects when an account dumps the LAPS password from Entra ID.
Azure · Audit Logs
TA0004 · Privilege Escalation, TA0003 · Persistence, T1098.005 · Device Registration
andrewdanis · Wed Jun 26 · cloud
Detection · high · experimental
Suspicious BitLocker Access Agent Update Utility Execution
Detects the execution of the BitLocker Access Agent Update Utility (baaupdate.exe), which is not a common parent process for other processes. Suspicious child processes spawned by baaupdate.exe could indicate an attempt at lateral movement via BitLocker DCOM and COM hijacking.
Windows · Process Creation
TA0005 · Defense Evasion, T1218 · System Binary Proxy Execution, TA0008 · Lateral Movement, T1021.003 · Distributed Component Object Model
andrewdanis +1 · Sat Oct 18 · windows
Detection · high · experimental
Suspicious Speech Runtime Binary Child Process
Detects suspicious execution of the Speech Runtime binary by monitoring its child processes. Child processes spawned by SpeechRuntime.exe could indicate an attempt at lateral movement via COM and DCOM hijacking.
Windows · Process Creation
TA0005 · Defense Evasion, TA0008 · Lateral Movement, T1021.003 · Distributed Component Object Model, T1218 · System Binary Proxy Execution
andrewdanis · Thu Oct 23 · windows