https://detection.fyi/sigmahq/sigma/windows/builtin/appxdeployment_server/win_appxpackaging_server_unsigned_package_installation/
Windows AppX Deployment Unsigned Package Installation | Detection.FYI
Detects attempts to install unsigned MSIX/AppX packages using the -AllowUnsigned parameter via AppXDeployment-Server events
https://detection.fyi/sigmahq/sigma/unsupported/windows/driver_load_tap_driver_installation/
Tap Driver Installation | Detection.FYI
Well-known TAP software installation. Possible preparation for data exfiltration using tunnelling techniques
https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_powershell_msexchange_transport_agent/
MSExchange Transport Agent Installation | Detection.FYI
Detects the installation of an Exchange Transport Agent
https://detection.fyi/sigmahq/sigma/windows/builtin/security/win_security_meterpreter_or_cobaltstrike_getsystem_service_install/
Meterpreter or Cobalt Strike Getsystem Service Installation - Security | Detection.FYI
Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation
https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_powershell_install_unsigned_appx_packages/
Unsigned AppX Installation Attempt Using Add-AppxPackage | Detection.FYI
Detects usage of the
https://detection.fyi/sigmahq/sigma/windows/builtin/system/service_control_manager/win_system_service_install_uncommon/
Uncommon Service Installation Image Path | Detection.FYI
Detects uncommon service installation commands by looking at suspicious or uncommon image path values containing references to encoded powershell commands, …