Phoenix
Sigma IntelligenceBeta
Rule Library

Sigma Rules

498 rules found for "Florian Roth (Nextron Systems)"

3,707Total
3,116Detection
451Emerging
137Hunting
Detectionhightest

NetNTLM Downgrade Attack - Registry

Detects NetNTLM downgrade attack

WindowsRegistry Event
TA0003 · PersistenceTA0005 · Defense EvasionT1562.001 · Disable or Modify ToolsT1112 · Modify Registry
Florian Roth (Nextron Systems)+2Tue Mar 20windows
Detectioncriticaltest

Potential Credential Dumping Via LSASS SilentProcessExit Technique

Detects changes to the Registry in which a monitor program gets registered to dump the memory of the lsass.exe process

WindowsRegistry Event
TA0006 · Credential AccessT1003.001 · LSASS Memory
Florian Roth (Nextron Systems)Fri Feb 26windows
Detectioncriticaltest

Sticky Key Like Backdoor Usage - Registry

Detects the usage and installation of a backdoor that uses an option to register a malicious debugger for built-in tools that are accessible in the login screen

WindowsRegistry Event
TA0004 · Privilege EscalationTA0003 · PersistenceT1546.008 · Accessibility Features2014-11-003 · CAR 2014-11-003+1
Florian Roth (Nextron Systems)+2Thu Mar 15windows
Detectionhightest

Suspicious Run Key from Download

Detects the suspicious RUN keys created by software located in Download or temporary Outlook/Internet Explorer directories

WindowsRegistry Event
TA0004 · Privilege EscalationTA0003 · PersistenceT1547.001 · Registry Run Keys / Startup Folder
Florian Roth (Nextron Systems)+1Tue Oct 01windows
Detectionhightest

DLL Load via LSASS

Detects a method to load DLL via LSASS process using an undocumented Registry key

WindowsRegistry Event
TA0004 · Privilege EscalationTA0002 · ExecutionTA0003 · PersistenceT1547.008 · LSASS Driver
Florian Roth (Nextron Systems)Wed Oct 16windows
Detectionhightest

Service Binary in Suspicious Folder

Detect the creation of a service with a service binary located in a suspicious directory

WindowsRegistry Set
TA0003 · PersistenceTA0005 · Defense EvasionT1112 · Modify Registry
Florian Roth (Nextron Systems)+1Mon May 02windows
Detectionhightest

Disabled Windows Defender Eventlog

Detects the disabling of the Windows Defender eventlog as seen in relation to Lockbit 3.0 infections

WindowsRegistry Set
TA0005 · Defense EvasionT1562.001 · Disable or Modify Tools
Florian Roth (Nextron Systems)Mon Jul 04windows
Detectionhightest

New DNS ServerLevelPluginDll Installed

Detects the installation of a DNS plugin DLL via ServerLevelPluginDll parameter in registry, which can be used to execute code in context of the DNS server (restart required)

WindowsRegistry Set
TA0004 · Privilege EscalationTA0003 · PersistenceTA0005 · Defense EvasionT1574.001 · DLL Search Order Hijacking+1
Florian Roth (Nextron Systems)Mon May 08windows
Detectionhightest

Potential Persistence Via GlobalFlags

Detects registry persistence technique using the GlobalFlags and SilentProcessExit keys

WindowsRegistry Set
TA0004 · Privilege EscalationTA0003 · PersistenceTA0005 · Defense EvasionT1546.012 · Image File Execution Options Injection+1
Karneades+2Wed Apr 11windows
Detectionmediumtest

Suspicious PowerShell In Registry Run Keys

Detects potential PowerShell commands or code within registry run keys

WindowsRegistry Set
TA0004 · Privilege EscalationTA0003 · PersistenceT1547.001 · Registry Run Keys / Startup Folder
François Hubaut+1Thu Mar 17windows
Detectionmediumtest

Suspicious Keyboard Layout Load

Detects the keyboard preload installation with a suspicious keyboard layout, e.g. Chinese, Iranian or Vietnamese layout load in user session on systems maintained by US staff only

WindowsRegistry Set
TA0042 · Resource DevelopmentT1588.002 · Tool
Florian Roth (Nextron Systems)Sat Oct 12windows
Detectionhightest

Suspicious Printer Driver Empty Manufacturer

Detects a suspicious printer driver installation with an empty Manufacturer value

WindowsRegistry Set
TA0003 · PersistenceTA0005 · Defense EvasionTA0004 · Privilege EscalationT1574 · Hijack Execution Flow+1
Florian Roth (Nextron Systems)Wed Jul 01windows
Detectionhightest

Registry Persistence via Explorer Run Key

Detects a possible persistence mechanism using RUN key for Windows Explorer and pointing to a suspicious folder

WindowsRegistry Set
TA0004 · Privilege EscalationTA0003 · PersistenceT1547.001 · Registry Run Keys / Startup Folder
Florian Roth (Nextron Systems)+1Wed Jul 18windows
Detectionhighexperimental

New RUN Key Pointing to Suspicious Folder

Detects suspicious new RUN key element pointing to an executable in a suspicious folder

WindowsRegistry Set
TA0004 · Privilege EscalationTA0003 · PersistenceT1547.001 · Registry Run Keys / Startup Folder
Florian Roth (Nextron Systems)+3Sat Aug 25windows
Detectionhightest

UAC Bypass via Event Viewer

Detects UAC bypass method using Windows event viewer

WindowsRegistry Set
TA0005 · Defense EvasionTA0004 · Privilege EscalationT1548.002 · Bypass User Account Control2019-04-001 · CAR 2019-04-001
Florian Roth (Nextron Systems)Sun Mar 19windows
Detectionhightest

VBScript Payload Stored in Registry

Detects VBScript content stored into registry keys as seen being used by UNC2452 group

WindowsRegistry Set
TA0004 · Privilege EscalationTA0003 · PersistenceT1547.001 · Registry Run Keys / Startup Folder
Florian Roth (Nextron Systems)Fri Mar 05windows
Detectionhightest

Suspicious Encoded Scripts in a WMI Consumer

Detects suspicious encoded payloads in WMI Event Consumers

WindowsWMI Event
TA0004 · Privilege EscalationTA0002 · ExecutionT1047 · Windows Management InstrumentationTA0003 · Persistence+1
Florian Roth (Nextron Systems)Wed Sep 01windows
Detectionhightest

Suspicious Scripting in a WMI Consumer

Detects suspicious commands that are related to scripting/powershell in WMI Event Consumers

WindowsWMI Event
TA0002 · ExecutionT1059.005 · Visual Basic
Florian Roth (Nextron Systems)+1Mon Apr 15windows
11011