Sigma Rules
1,405 rules found for "Nextron Systems"
HackTool - DiagTrackEoP Default Named Pipe
Detects creation of default named pipe used by the DiagTrackEoP POC, a tool that abuses "SeImpersonate" privilege.
HackTool - EfsPotato Named Pipe Creation
Detects the pattern of a pipe name as used by the hack tool EfsPotato
HackTool - Koh Default Named Pipe
Detects creation of default named pipes used by the Koh tool
PUA - CSExec Default Named Pipe
Detects default CSExec pipe creation
PUA - PAExec Default Named Pipe
Detects PAExec default named pipe
PUA - RemCom Default Named Pipe
Detects default RemCom pipe creation
WMI Event Consumer Created Named Pipe
Detects the WMI Event Consumer service scrcons.exe creating a named pipe
Malicious Named Pipe Created
Detects the creation of a named pipe seen used by known APTs or malware.
PsExec Tool Execution From Suspicious Locations - PipeName
Detects PsExec default pipe creation where the image executed is located in a suspicious location. Which could indicate that the tool is being used in an attack
PowerShell Downgrade Attack - PowerShell
Detects PowerShell downgrade attack by comparing the host versions with the actually used engine version 2.0
PowerShell Called from an Executable Version Mismatch
Detects PowerShell called from an executable by the version mismatch method
Potential RemoteFXvGPUDisablement.EXE Abuse
Detects PowerShell module creation where the module Contents are set to "function Get-VMRemoteFXPhysicalVideoAdapter". This could be a sign of potential abuse of the "RemoteFXvGPUDisablement.exe" binary which is known to be vulnerable to module load-order hijacking.
Suspicious PowerShell Download
Detects suspicious PowerShell download command
Zip A Folder With PowerShell For Staging In Temp - PowerShell
Detects PowerShell scripts that make use of the "Compress-Archive" Cmdlet in order to compress folders and files where the output is stored in a potentially suspicious location that is used often by malware for exfiltration. An adversary might compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.
Tamper Windows Defender - PSClassic
Attempting to disable scheduled scanning and other parts of Windows Defender ATP or set default actions to allow.
Potential Active Directory Enumeration Using AD Module - PsModule
Detects usage of the "Import-Module" cmdlet to load the "Microsoft.ActiveDirectory.Management.dl" DLL. Which is often used by attackers to perform AD enumeration.
Malicious PowerShell Scripts - PoshModule
Detects the execution of known offensive powershell scripts used for exploitation or reconnaissance
Suspicious Get-ADDBAccount Usage
Detects suspicious invocation of the Get-ADDBAccount script that reads from a ntds.dit file and may be used to get access to credentials without using any credential dumpers
HackTool - Evil-WinRm Execution - PowerShell Module
Detects the execution of Evil-WinRM via PowerShell Module logs by leveraging the hardcoded strings inside the utility.
Malicious PowerShell Commandlets - PoshModule
Detects Commandlet names from well-known PowerShell exploitation frameworks
Potential RemoteFXvGPUDisablement.EXE Abuse - PowerShell Module
Detects PowerShell module creation where the module Contents are set to "function Get-VMRemoteFXPhysicalVideoAdapter". This could be a sign of potential abuse of the "RemoteFXvGPUDisablement.exe" binary which is known to be vulnerable to module load-order hijacking.
Suspicious PowerShell Download - PoshModule
Detects suspicious PowerShell download command
Suspicious PowerShell Invocations - Generic - PowerShell Module
Detects suspicious PowerShell invocation command parameters
Suspicious PowerShell Invocations - Specific - PowerShell Module
Detects suspicious PowerShell invocation command parameters
Zip A Folder With PowerShell For Staging In Temp - PowerShell Module
Detects PowerShell scripts that make use of the "Compress-Archive" Cmdlet in order to compress folders and files where the output is stored in a potentially suspicious location that is used often by malware for exfiltration. An adversary might compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.
AADInternals PowerShell Cmdlets Execution - PsScript
Detects ADDInternals Cmdlet execution. A tool for administering Azure AD and Office 365. Which can be abused by threat actors to attack Azure AD or Office 365.
Potential Active Directory Enumeration Using AD Module - PsScript
Detects usage of the "Import-Module" cmdlet to load the "Microsoft.ActiveDirectory.Management.dl" DLL. Which is often used by attackers to perform AD enumeration.
Add Windows Capability Via PowerShell Script
Detects usage of the "Add-WindowsCapability" cmdlet to add Windows capabilities. Notable capabilities could be "OpenSSH" and others.
AMSI Bypass Pattern Assembly GetType
Detects code fragments found in small and obfuscated AMSI bypass PowerShell scripts
Potential AMSI Bypass Script Using NULL Bits
Detects usage of special strings/null bits in order to potentially bypass AMSI functionalities
Potential Data Exfiltration Via Audio File
Detects potential exfiltration attempt via audio file using PowerShell
Computer Discovery And Export Via Get-ADComputer Cmdlet - PowerShell
Detects usage of the Get-ADComputer cmdlet to collect computer information and output it to a file
Powershell Install a DLL in System Directory
Uses PowerShell to install/copy a file into a system directory such as "System32" or "SysWOW64"
DMSA Service Account Created in Specific OUs - PowerShell
Detects the creation of a dMSA service account using the New-ADServiceAccount cmdlet in certain OUs. The fact that the cmdlet is used to create a dMSASvc account in a specific OU is highly suspicious. It is a pattern trying to exploit the BadSuccessor privilege escalation vulnerability in Windows Server 2025. On top of that, if the user that is creating the dMSASvc account is not a legitimate administrator or does not have the necessary permissions, it is a strong signal of an attempted or successful abuse of the BaDSuccessor vulnerability for privilege escalation within the Windows Server 2025 Active Directory environment.
DSInternals Suspicious PowerShell Cmdlets - ScriptBlock
Detects execution and usage of the DSInternals PowerShell module. Which can be used to perform what might be considered as suspicious activity such as dumping DPAPI backup keys or manipulating NTDS.DIT files. The DSInternals PowerShell Module exposes several internal features of Active Directory and Azure Active Directory. These include FIDO2 and NGC key auditing, offline ntds.dit file manipulation, password auditing, DC recovery from IFM backups and password hash calculation.
Disable of ETW Trace - Powershell
Detects usage of powershell cmdlets to disable or remove ETW trace sessions
Certificate Exported Via PowerShell - ScriptBlock
Detects calls to cmdlets inside of PowerShell scripts that are used to export certificates from the local certificate store. Threat actors were seen abusing this to steal private keys from compromised machines.
Security Software Discovery Via Powershell Script
Detects calls to "get-process" where the output is piped to a "where-object" filter to search for security solution processes. Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus
HackTool - Rubeus Execution - ScriptBlock
Detects the execution of the hacktool Rubeus using specific command line flags
PowerShell Hotfix Enumeration
Detects call to "Win32_QuickFixEngineering" in order to enumerate installed hotfixes often used in "enum" scripts by attackers
Import PowerShell Modules From Suspicious Directories
Detects powershell scripts that import modules from suspicious directories
Unsigned AppX Installation Attempt Using Add-AppxPackage - PsScript
Detects usage of the "Add-AppxPackage" or it's alias "Add-AppPackage" to install unsigned AppX packages
Suspicious PowerShell Mailbox Export to Share - PS
Detects usage of the powerShell New-MailboxExportRequest Cmdlet to exports a mailbox to a remote or local share, as used in ProxyShell exploitations
Malicious PowerShell Commandlets - ScriptBlock
Detects Commandlet names from well-known PowerShell exploitation frameworks
Malicious PowerShell Keywords
Detects keywords from well-known PowerShell exploitation frameworks
Live Memory Dump Using Powershell
Detects usage of a PowerShell command to dump the live memory of a Windows machine
DMSA Link Attributes Modified
Detects modification of dMSA link attributes (msDS-ManagedAccountPrecededByLink) via PowerShell scripts. This command line pattern could be an indicator an attempt to exploit the BadSuccessor privilege escalation vulnerability in Windows Server 2025.
PowerShell Credential Prompt
Detects PowerShell calling a credential prompt