Sigma Rules
957 rules found for "Nasreddine Bencherchali (Nextron Systems)"
Service Registry Key Deleted Via Reg.EXE
Detects execution of "reg.exe" commands with the "delete" flag on services registry key. Often used by attacker to remove AV software services
Potential Suspicious Registry File Imported Via Reg.EXE
Detects the import of '.reg' files from suspicious paths using the 'reg.exe' utility
Enable LM Hash Storage - ProcCreation
Detects changes to the "NoLMHash" registry value in order to allow Windows to store LM Hashes. By setting this registry value to "0" (DWORD), Windows will be allowed to store a LAN manager hash of your password in Active Directory and local SAM databases.
Reg Add Suspicious Paths
Detects when an adversary uses the reg.exe utility to add or modify new keys or subkeys
Suspicious Windows Defender Registry Key Tampering Via Reg.EXE
Detects the usage of "reg.exe" to tamper with different Windows Defender registry keys in order to disable some important features related to protection and detection
Potentially Suspicious Execution Of Regasm/Regsvcs With Uncommon Extension
Detects potentially suspicious execution of the Regasm/Regsvcs utilities with an uncommon extension.
Potentially Suspicious Execution Of Regasm/Regsvcs From Uncommon Location
Detects potentially suspicious execution of the Regasm/Regsvcs utilities from a potentially suspicious location
Enumeration for 3rd Party Creds From CLI
Detects processes that query known 3rd party registry keys that holds credentials via commandline
IE ZoneMap Setting Downgraded To MyComputer Zone For HTTP Protocols Via CLI
Detects changes to Internet Explorer's (IE / Windows Internet properties) ZoneMap configuration of the "HTTP" and "HTTPS" protocols to point to the "My Computer" zone. This allows downloaded files from the Internet to be granted the same level of trust as files stored locally.
Potential Credential Dumping Attempt Using New NetworkProvider - CLI
Detects when an attacker tries to add a new network provider in order to dump clear text credentials, similar to how the NPPSpy tool does it
Potential Provisioning Registry Key Abuse For Binary Proxy Execution
Detects potential abuse of the provisioning registry key for indirect command execution through "Provlaunch.exe".
Potential PowerShell Execution Policy Tampering - ProcCreation
Detects changes to the PowerShell execution policy registry key in order to bypass signing requirements for script execution from the CommandLine
Persistence Via TypedPaths - CommandLine
Detects modification addition to the 'TypedPaths' key in the user or admin registry via the commandline. Which might indicate persistence attempt
Suspicious Regsvr32 Execution From Remote Share
Detects REGSVR32.exe to execute DLL hosted on remote shares
Potentially Suspicious Child Process Of Regsvr32
Detects potentially suspicious child processes of "regsvr32.exe".
Regsvr32 Execution From Potential Suspicious Location
Detects execution of regsvr32 where the DLL is located in a potentially suspicious location.
Regsvr32 Execution From Highly Suspicious Location
Detects execution of regsvr32 where the DLL is located in a highly suspicious locations
Scripting/CommandLine Process Spawned Regsvr32
Detects various command line and scripting engines/processes such as "PowerShell", "Wscript", "Cmd", etc. spawning a "regsvr32" instance.
Remote Access Tool - AnyDesk Piped Password Via CLI
Detects piping the password to an anydesk instance via CMD and the '--set-password' flag.
Remote Access Tool - AnyDesk Execution With Known Revoked Signing Certificate
Detects the execution of an AnyDesk binary with a version prior to 8.0.8. Prior to version 8.0.8, the Anydesk application used a signing certificate that got compromised by threat actors. Use this rule to detect instances of older versions of Anydesk using the compromised certificate This is recommended in order to avoid attackers leveraging the certificate and signing their binaries to bypass detections.
Remote Access Tool - NetSupport Execution From Unusual Location
Detects execution of client32.exe (NetSupport RAT) from an unusual location (outside of 'C:\Program Files')
Remote Access Tool - RURAT Execution From Unusual Location
Detects execution of Remote Utilities RAT (RURAT) from an unusual location (outside of 'C:\Program Files')
Remote Access Tool - ScreenConnect Potential Suspicious Remote Command Execution
Detects potentially suspicious child processes launched via the ScreenConnect client service.
Remote Access Tool - Simple Help Execution
An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
Renamed AutoHotkey.EXE Execution
Detects execution of a renamed autohotkey.exe binary based on PE metadata fields
Renamed Cloudflared.EXE Execution
Detects the execution of a renamed "cloudflared" binary.
Renamed ZOHO Dctask64 Execution
Detects a renamed "dctask64.exe" execution, a signed binary by ZOHO Corporation part of ManageEngine Endpoint Central. This binary can be abused for DLL injection, arbitrary command and process execution.
Renamed Gpg.EXE Execution
Detects the execution of a renamed "gpg.exe". Often used by ransomware and loaders to decrypt/encrypt data.
Renamed Microsoft Teams Execution
Detects the execution of a renamed Microsoft Teams binary.
Renamed NetSupport RAT Execution
Detects the execution of a renamed "client32.exe" (NetSupport RAT) via Imphash, Product and OriginalFileName strings
Renamed Office Binary Execution
Detects the execution of a renamed office binary
Renamed PingCastle Binary Execution
Detects the execution of a renamed "PingCastle" binary based on the PE metadata fields.
Renamed Plink Execution
Detects the execution of a renamed version of the Plink binary
Visual Studio NodejsTools PressAnyKey Renamed Execution
Detects renamed execution of "Microsoft.NodejsTools.PressAnyKey.exe", which can be abused as a LOLBIN to execute arbitrary binaries
Potential Renamed Rundll32 Execution
Detects when 'DllRegisterServer' is called in the commandline and the image is not rundll32. This could mean that the 'rundll32' utility has been renamed in order to avoid detection
Renamed Remote Utilities RAT (RURAT) Execution
Detects execution of renamed Remote Utilities (RURAT) via Product PE header field
Renamed ProcDump Execution
Detects the execution of a renamed ProcDump executable. This often done by attackers or malware in order to evade defensive mechanisms.
Ruby Inline Command Execution
Detects execution of ruby using the "-e" flag. This is could be used as a way to launch a reverse shell or execute live ruby code.
Suspicious Advpack Call Via Rundll32.EXE
Detects execution of "rundll32" calling "advpack.dll" with potential obfuscated ordinal calls in order to leverage the "RegisterOCX" function
Mshtml.DLL RunHTMLApplication Suspicious Usage
Detects execution of commands that leverage the "mshtml.dll" RunHTMLApplication export to run arbitrary code via different protocol handlers (vbscript, javascript, file, http...)
Potential Obfuscated Ordinal Call Via Rundll32
Detects execution of "rundll32" with potential obfuscated ordinal calls
Process Memory Dump Via Comsvcs.DLL
Detects a process memory dump via "comsvcs.dll" using rundll32, covering multiple different techniques (ordinal, minidump function, etc.)
Potentially Suspicious Rundll32 Activity
Detects suspicious execution of rundll32, with specific calls to some DLLs with known LOLBIN functionalities
Suspicious Usage Of ShellExec_RunDLL
Detects suspicious usage of the ShellExec_RunDLL function to launch other commands as seen in the the raspberry-robin attack
Rundll32 UNC Path Execution
Detects rundll32 execution where the DLL is located on a remote location (share)
Suspicious WebDav Client Execution Via Rundll32.EXE
Detects "svchost.exe" spawning "rundll32.exe" with command arguments like C:\windows\system32\davclnt.dll,DavSetCookie. This could be an indicator of exfiltration or use of WebDav to launch code (hosted on WebDav Server) or potentially a sign of exploitation of CVE-2023-23397
Service StartupType Change Via Sc.EXE
Detect the use of "sc.exe" to change the startup type of a service to "disabled" or "demand"
New Kernel Driver Via SC.EXE
Detects creation of a new service (kernel driver) with the type "kernel"