
new: Remote Management Tool - Ninite Execution From Suspicious Context & improve: End User Consent To Application - context, references, FP guidance#6079

Open: Lorygold wants to merge 3 commits into SigmaHQ:master from Lorygold:master

Conversation

@Lorygold Lorygold commented Jun 23, 2026


Summary of the Pull Request

Added Remote Management Tool - Ninite Execution From Suspicious Context. Ninite is a deployment tool abused for silent software installation (T1072) and as a remote access foothold (T1219); the rule uses suspicious provenance to contain the false positives typical of environments that use Ninite legitimately.

Updated End User Consent with context, references, FP guidance
The rule fires on every end-user consent, which is expected behaviour but leaves the analyst without context. This enriches the description to explain the illicit consent grant (consent phishing) threat model behind the event, adds the two authoritative Microsoft detection and mitigation references, replaces the empty "Unknown" false positive entry with concrete tuning guidance, and clarifies the title. No detection logic change: the high-fidelity new-terms logic cannot be expressed in stock Sigma and is documented as a SIEM-layer responsibility.

Changelog

new: Remote Management Tool - Ninite Execution From Suspicious Context
update: End User Consent

Example Log Event

Fixed Issues

SigmaHQ Rule Creation Conventions

  • If your PR adds new rules, please consider following and applying these conventions
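Illustrative detection logic for the two rules described above, added here as an example; this is not the PR's Sigma rules or SigmaHQ code. It shows what "suspicious provenance" gating looks like for the Ninite rule (fire on a Ninite installer only when its parent or staging path is unusual) and what the "new terms" logic deferred to the SIEM layer looks like for the consent rule (alert only on the first consent to a given app ID and annotate risky scopes). The image hint, parent list, directory list, risky-scope list, event field names and all sample events are assumptions constructed for the demonstration, not the PR's actual selections.

```python
"""Illustrative detection helpers for the two rules described in the PR above.

Added example, not the PR's Sigma rules or SigmaHQ code. Every selection and
filter value below is an assumption chosen to show the technique; the real
rule fields and values may differ.
"""
from typing import Iterable

# Assumption: Ninite installers carry "ninite" in the image file name.
NINITE_IMAGE_HINT = "ninite"
# Assumption: parents that are unusual launchers for an admin deployment tool
# (script hosts, Office applications), as opposed to explorer.exe or an RMM agent.
SUSPICIOUS_PARENTS = {
    "powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "winword.exe", "excel.exe", "outlook.exe",
}
# Assumption: user-writable staging directories (lower-case, backslash paths).
SUSPICIOUS_DIRS = ("\\appdata\\local\\temp\\", "\\downloads\\", "\\users\\public\\")


def _basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def ninite_from_suspicious_context(ev: dict) -> bool:
    """Evaluate a Sysmon Event ID 1 style record with Image and ParentImage.

    Fires only when a Ninite installer runs *and* its provenance is suspicious:
    launched by a script host / Office app, or staged in a user-writable path.
    A plain "Ninite ran" match is deliberately not an alert, so the rule stays
    quiet where Ninite is a sanctioned deployment tool.
    """
    image = ev.get("Image", "").lower()
    if NINITE_IMAGE_HINT not in _basename(image):
        return False
    bad_parent = _basename(ev.get("ParentImage", "")) in SUSPICIOUS_PARENTS
    bad_path = any(d in image for d in SUSPICIOUS_DIRS)
    return bad_parent or bad_path


# Assumption: delegated scopes frequently requested by consent-phishing apps.
RISKY_SCOPES = {"offline_access", "mail.read", "mail.readwrite",
                "files.readwrite.all", "contacts.read", "user.read.all"}


def first_seen_consents(events: Iterable[dict], seen_apps: set) -> list:
    """SIEM-layer "new terms" logic the stock Sigma rule cannot express.

    The Sigma rule fires on every "Consent to application" audit event. Here a
    baseline of app IDs already consented to suppresses repeats, and a first
    sighting is annotated with the risky scopes granted so an analyst can
    triage without opening the portal. seen_apps is updated in place.
    """
    alerts = []
    for ev in events:
        if ev.get("operation") != "Consent to application":
            continue
        app_id = ev["app_id"]
        if app_id in seen_apps:
            continue  # known app: suppressed by the baseline
        seen_apps.add(app_id)
        risky = sorted(s.lower() for s in ev.get("scopes", ()) if s.lower() in RISKY_SCOPES)
        alerts.append({"app_id": app_id, "app_name": ev.get("app_name", ""),
                       "user": ev["user"], "risky_scopes": risky})
    return alerts


# Constructed sample events (not real telemetry; simplified field names).
PROCESS_EVENTS = [
    {"Image": r"C:\Users\alice\AppData\Local\Temp\Ninite Chrome Installer.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"Image": r"\\fileserver\software\Ninite 7Zip Chrome Installer.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
]
CONSENT_EVENTS = [
    {"operation": "Consent to application", "app_id": "app-known-crm",
     "app_name": "Contoso CRM", "user": "alice@example.com", "scopes": ["User.Read"]},
    {"operation": "Consent to application", "app_id": "app-new-mailsync",
     "app_name": "Mail Sync Helper", "user": "bob@example.com",
     "scopes": ["offline_access", "Mail.Read", "User.Read"]},
    {"operation": "Consent to application", "app_id": "app-new-mailsync",
     "app_name": "Mail Sync Helper", "user": "carol@example.com",
     "scopes": ["offline_access", "Mail.Read"]},
]


def run_demo() -> dict:
    """Run both detections over the constructed events."""
    hits = [ninite_from_suspicious_context(e) for e in PROCESS_EVENTS]
    alerts = first_seen_consents(CONSENT_EVENTS, {"app-known-crm"})
    return {"ninite_hits": hits, "consent_alerts": alerts}


if __name__ == "__main__":
    print(run_demo())
```

Only the first process event fires: the Ninite installer launched from a file share by explorer.exe is the legitimate-deployment case the provenance gate is meant to suppress. For the consent events, the baseline swallows the known CRM app and the repeat consent, leaving a single alert that names the two risky scopes.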

github-actions Bot added labels Rules, Review Needed (The PR requires review) and Windows (Pull request add/update windows related rules) on Jun 23, 2026

@github-actions github-actions Bot left a comment


Welcome @Lorygold 👋

It looks like this is your first pull request on the Sigma rules repository!

Please make sure to read the SigmaHQ conventions to make sure your contribution is adhering to best practices and has all the necessary elements in place for a successful approval.

Thanks again, and welcome to the Sigma community! 😃

If you want to engage more with the community for official support, general discussions or announcements:

👉 Join our Discord server

@Lorygold Lorygold changed the title new: Remote Management Tool - Ninite Execution From Suspicious Context new: Remote Management Tool - Ninite Execution From Suspicious Context & improve: End User Consent To Application - context, references, FP guidance Jun 23, 2026