Sigma Rules
638 rules found for "Florian Roth (Nextron Systems)"
Defrag Deactivation
Detects the deactivation or disabling of the scheduled defragmentation task, as seen in Slingshot APT group activity
Defrag Deactivation - Security
Detects the deactivation or disabling of the scheduled defragmentation task, as seen in Slingshot APT group activity (Security log variant)
Scanner PoC for CVE-2019-0708 RDP RCE Vuln
Detects the use of a scanner by zerosum0x0 that discovers targets vulnerable to CVE-2019-0708 RDP RCE aka BlueKeep
Pulse Secure Attack CVE-2019-11510
Detects a CVE-2019-11510 exploitation attempt against Pulse Secure: the request URI contains "guacamole"
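As an added illustration of how a web-log rule like the Pulse Secure one above is applied (this is example code written for this page, not the Sigma rule file or any project code), the following Python parses access-log lines and flags requests whose URI contains "guacamole", case-insensitively, as Sigma string matching is by default. The log lines are constructed for the example, and the log layout regex, the `require_status` option and the function names are assumptions; the only condition taken from the page is the URI substring.

```python
# Added example: scan access-log lines for the CVE-2019-11510 indicator described
# above (request URI containing "guacamole"). Not the Sigma rule itself.
import re
from typing import Optional

# Assumed layout: Common Log Format without the referer/user-agent tail.
# Adjust to whatever server or proxy sits in front of the appliance.
ACCESS_LOG_RE = re.compile(
    r'^(?P<src_ip>\S+) \S+ \S+ \[(?P<timestamp>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) (?P<proto>HTTP/[\d.]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)

# Constructed sample log: one benign login page hit, two hits on the HTML5
# access (guacamole) path with different casing and status codes, one junk line.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2019:13:55:36 +0000] "GET /dana-na/auth/url_default/welcome.cgi HTTP/1.1" 200 5120
203.0.113.7 - - [10/Oct/2019:13:55:40 +0000] "GET /dana/html5acc/guacamole/ HTTP/1.1" 200 1042
198.51.100.23 - - [10/Oct/2019:13:57:01 +0000] "GET /dana/html5acc/GUACAMOLE/ HTTP/1.1" 404 312
garbage line that does not parse
"""


def parse_access_log_line(line: str) -> Optional[dict]:
    """Return the parsed fields of one access-log line, or None if it does not match the layout."""
    m = ACCESS_LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def is_cve_2019_11510_attempt(entry: dict) -> bool:
    """The page's condition: the request URI contains 'guacamole' (case-insensitive)."""
    return "guacamole" in entry["uri"].lower()


def scan_access_log(text: str, require_status: Optional[int] = None) -> list:
    """Return one hit per matching line; require_status optionally narrows hits to one HTTP status."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        entry = parse_access_log_line(line)
        if entry is None:
            continue  # unparsable lines are skipped, never treated as matches
        if not is_cve_2019_11510_attempt(entry):
            continue
        if require_status is not None and entry["status"] != require_status:
            continue
        hits.append({"line": lineno, "src_ip": entry["src_ip"],
                     "uri": entry["uri"], "status": entry["status"]})
    return hits


if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(hit)
```

The `require_status` filter is not part of the Pulse Secure rule; it is there to show how a rule that only counts successful responses, such as the Cisco ASA/FTD CVE-2020-3452 rule later on this page, layers a status-code condition on top of the URI match. Counting all attempts (no status filter) is the better choice for an attempt-detection rule; the status filter is what you reach for when you want to separate probes from confirmed reads.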
Exploiting SetupComplete.cmd CVE-2019-1378
Detects exploitation attempt of privilege escalation vulnerability via SetupComplete.cmd and PartnerSetupComplete.cmd described in CVE-2019-1378
Exploiting CVE-2019-1388
Detects an exploitation attempt in which the UAC consent dialogue is used to invoke an Internet Explorer process running as LOCAL_SYSTEM
Sudo Privilege Escalation CVE-2019-14287 - Builtin
Detects users trying to exploit the sudo vulnerability reported in CVE-2019-14287 (built-in log source variant)
Sudo Privilege Escalation CVE-2019-14287
Detects users trying to exploit the sudo vulnerability reported in CVE-2019-14287
Citrix Netscaler Attack CVE-2019-19781
Detects CVE-2019-19781 exploitation attempts against Citrix NetScaler, Application Delivery Controller (ADC) and Citrix Gateway
Confluence Exploitation CVE-2019-3398
Detects the exploitation of the Confluence vulnerability described in CVE-2019-3398
Potential Baby Shark Malware Activity
Detects activity that could be related to Baby Shark malware
Chafer Malware URL Pattern
Detects HTTP request used by Chafer malware to receive data from its C2.
Potential Dridex Activity
Detects potential Dridex activity via specific process patterns
Potential Dtrack RAT Activity
Detects potential Dtrack RAT activity via specific process patterns
Potential Emotet Activity
Detects all Emotet like process executions that are not covered by the more generic rules
Formbook Process Creation
Detects Formbook-like process executions that inject code into a set of files in the System32 folder, which then execute a specific command line to delete the dropper from the AppData Temp folder. False positives are avoided by excluding all parent processes that have command-line parameters.
Potential QBot Activity
Detects potential QBot activity by looking for process executions used previously by QBot
Potential Ryuk Ransomware Activity
Detects Ryuk ransomware activity
Potential Snatch Ransomware Activity
Detects specific process characteristics of Snatch ransomware word document droppers
Potential APT-C-12 BlueMushroom DLL Load Activity Via Regsvr32
Detects potential BlueMushroom DLL loading activity via regsvr32 from AppData Local
APT31 Judgement Panda Activity
Detects APT31 Judgement Panda activity as described in the Crowdstrike 2019 Global Threat Report
Potential Russian APT Credential Theft Activity
Detects Russian group activity as described in Global Threat Report 2019 by Crowdstrike
Equation Group DLL_U Export Function Load
Detects a specific export function name used by one of the Equation Group tools
Mustang Panda Dropper
Detects specific process parameters as used by Mustang Panda droppers
Operation Wocao Activity
Detects activity mentioned in Operation Wocao report
Operation Wocao Activity - Security
Detects activity mentioned in Operation Wocao report
CVE-2020-0688 Exchange Exploitation via Web Log
Detects the exploitation of Microsoft Exchange vulnerability as described in CVE-2020-0688
CVE-2020-0688 Exploitation via Eventlog
Detects the exploitation of Microsoft Exchange vulnerability as described in CVE-2020-0688
Exploited CVE-2020-10189 Zoho ManageEngine
Detects the exploitation of Zoho ManageEngine Desktop Central Java Deserialization vulnerability reported as CVE-2020-10189
Suspicious PrinterPorts Creation (CVE-2020-1048)
Detects commands that add a new printer port pointing to a suspicious file
CVE-2020-1048 Exploitation Attempt - Suspicious New Printer Ports - Registry
Detects changes to the "Ports" registry key with data that includes a Windows path or a file with a suspicious extension. This could be an attempt to exploit CVE-2020-1048 - a Windows Print Spooler elevation of privilege vulnerability.
DNS RCE CVE-2020-1350
Detects exploitation of the DNS RCE bug reported in CVE-2020-1350 by detecting a suspicious child process spawned by the DNS service
Oracle WebLogic Exploit CVE-2020-14882
Detects exploitation attempts on WebLogic servers
Cisco ASA FTD Exploit CVE-2020-3452
Detects exploitation attempts against Cisco ASA and FTD systems exploiting CVE-2020-3452, with an HTTP status code of 200 (successful exploitation)
CVE-2020-5902 F5 BIG-IP Exploitation Attempt
Detects the exploitation attempt of the vulnerability found in F5 BIG-IP and described in CVE-2020-5902
Citrix ADS Exploitation CVE-2020-8193 CVE-2020-8195
Detects exploitation attempts against Citrix NetScaler, Application Delivery Controller (ADC) and Citrix Gateway exploiting the vulnerabilities reported as CVE-2020-8193 and CVE-2020-8195
ComRAT Network Communication
Detects Turla ComRAT network communication.
Potential Maze Ransomware Activity
Detects specific process characteristics of Maze ransomware word document droppers
Trickbot Malware Activity
Detects Trickbot malware process tree pattern in which "rundll32.exe" is a parent of "wermgr.exe"
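Three of the endpoint rules listed on this page describe their logic concretely enough to reconstruct: the Trickbot process-tree pattern directly above (rundll32.exe as parent of wermgr.exe), the CVE-2019-1388 rule (a UAC consent dialogue launching Internet Explorer as LOCAL_SYSTEM) and the CVE-2020-1048 registry rule (a value under the printer "Ports" key pointing at a Windows path or a file with a suspicious extension). The following Python is an added example, not the rule files from the Sigma repository, whose exact field lists differ: it implements a minimal Sigma-style matcher (AND across selection fields, OR across listed values, case-insensitive string modifiers) and runs the three reconstructed rules over constructed Sysmon-like events. The registry key path, the form of the SYSTEM user string and the extension list are assumptions made for the example.

```python
# Added example: a minimal Sigma-style matcher over constructed Sysmon-like events.
# Rules are reconstructed from the one-line descriptions on this page, not copied
# from the Sigma repository; marked assumptions are not taken from the rules.
import re

RULES = [
    {
        "title": "Exploiting CVE-2019-1388",
        "category": "process_creation",
        "selection": {
            "ParentImage|endswith": [r"\consent.exe"],
            "Image|endswith": [r"\iexplore.exe"],
            "User|endswith": [r"\SYSTEM"],  # assumption: Sysmon reports "NT AUTHORITY\SYSTEM"
        },
    },
    {
        "title": "CVE-2020-1048 Exploitation Attempt - Suspicious New Printer Ports - Registry",
        "category": "registry_set",
        "selection": {
            "TargetObject|contains": ["\\Ports\\"],  # assumption about the key path layout
            # assumption: a drive-letter path, or one of a few executable/script extensions
            "Details|re": [r"^[A-Za-z]:\\", r"\.(dll|exe|bat|cmd|ps1|vbs)$"],
        },
    },
    {
        "title": "Trickbot Malware Activity",
        "category": "process_creation",
        "selection": {
            "ParentImage|endswith": [r"\rundll32.exe"],
            "Image|endswith": [r"\wermgr.exe"],
        },
    },
]

# Constructed sample telemetry (Sysmon Event ID 1 and 13 field names).
SAMPLE_EVENTS = [
    {"id": 1, "category": "process_creation", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe", "User": r"DESKTOP-1\alice"},  # benign
    {"id": 2, "category": "process_creation", "ParentImage": r"C:\Windows\System32\rundll32.exe",
     "Image": r"C:\Windows\System32\wermgr.exe", "User": r"DESKTOP-1\alice"},  # Trickbot pattern
    {"id": 3, "category": "process_creation", "ParentImage": r"C:\Windows\System32\consent.exe",
     "Image": r"C:\Program Files\Internet Explorer\iexplore.exe", "User": r"NT AUTHORITY\SYSTEM"},
    {"id": 4, "category": "process_creation", "ParentImage": r"C:\Windows\System32\consent.exe",
     "Image": r"C:\Program Files\Internet Explorer\iexplore.exe", "User": r"DESKTOP-1\alice"},  # not SYSTEM
    # Note: in real Sysmon telemetry the port path may land in the value name (TargetObject)
    # rather than in Details; confirm which field carries it before deploying such a rule.
    {"id": 5, "category": "registry_set",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Ports\evilport",
     "Details": r"C:\Windows\System32\evil.dll"},
    {"id": 6, "category": "registry_set",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Ports\LPT1:",
     "Details": "(Empty)"},  # benign default port
]


def _match_value(modifier: str, actual: str, wanted: str) -> bool:
    """Sigma string matching is case-insensitive unless a rule says otherwise."""
    if modifier == "re":
        return re.search(wanted, actual, re.IGNORECASE) is not None
    a, w = actual.lower(), wanted.lower()
    if modifier == "endswith":
        return a.endswith(w)
    if modifier == "startswith":
        return a.startswith(w)
    if modifier == "contains":
        return w in a
    if modifier == "":
        return a == w
    raise ValueError(f"unsupported modifier: {modifier}")


def rule_matches(rule: dict, event: dict) -> bool:
    """All selection fields must match (AND); within a field any listed value suffices (OR)."""
    if event.get("category") != rule["category"]:
        return False
    for key, values in rule["selection"].items():
        field, _, modifier = key.partition("|")
        actual = event.get(field)
        if actual is None:
            return False  # missing field never matches
        if not any(_match_value(modifier, actual, v) for v in values):
            return False
    return True


def run_rules(events, rules=RULES):
    """Return (event id, rule title) for every rule that fires on each event."""
    return [(ev["id"], rule["title"]) for ev in events for rule in rules if rule_matches(rule, ev)]


if __name__ == "__main__":
    for event_id, title in run_rules(SAMPLE_EVENTS):
        print(f"event {event_id}: {title}")
```

Event 4 is the useful negative case: the same consent.exe to iexplore.exe parent-child pair under a normal user account does not fire, because the LOCAL_SYSTEM condition is what turns a UAC interaction into an exploitation indicator. Likewise event 6 shows why the registry rule needs the path-or-extension condition on top of the key match: default port entries such as LPT1: are written under the same key.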
EvilNum APT Golden Chickens Deployment Via OCX Files
Detects Golden Chickens deployment method as used by Evilnum and described in ESET July 2020 report
Greenbug Espionage Group Indicators
Detects tools and process executions used by Greenbug in their May 2020 campaign as reported by Symantec
Lazarus Group Activity
Detects different process execution behaviors as described in various threat reports on Lazarus group activity
UNC2452 Process Creation Patterns
Detects specific process creation patterns as seen used by UNC2452 and provided by Microsoft as Microsoft Defender ATP queries
UNC2452 PowerShell Pattern
Detects a specific PowerShell command line pattern used by the UNC2452 actors as mentioned in Microsoft and Symantec reports
Suspicious VBScript UNC2452 Pattern
Detects suspicious inline VBScript keywords as used by UNC2452
Solarwinds SUPERNOVA Webshell Access
Detects access to SUPERNOVA webshell as described in Guidepoint report
TAIDOOR RAT DLL Load
Detects specific process characteristics of Chinese TAIDOOR RAT malware load
Winnti Malware HK University Campaign
Detects specific process characteristics of Winnti malware noticed in Dec/Jan 2020 in a campaign against Hong Kong universities