Sigma Rules
1,774 rules found for "Nextron Systems"
PSAsyncShell - Asynchronous TCP Reverse Shell
Detects the use of PSAsyncShell an Asynchronous TCP Reverse Shell written in powershell
PowerShell PSAttack
Detects the use of PSAttack PowerShell hack tool
Potential RemoteFXvGPUDisablement.EXE Abuse - PowerShell ScriptBlock
Detects PowerShell module creation where the module Contents are set to "function Get-VMRemoteFXPhysicalVideoAdapter". This could be a sign of potential abuse of the "RemoteFXvGPUDisablement.exe" binary which is known to be vulnerable to module load-order hijacking.
PowerShell Script With File Hostname Resolving Capabilities
Detects PowerShell scripts that have capabilities to read files, loop through them and resolve DNS host entries.
PowerShell Script Change Permission Via Set-Acl - PsScript
Detects PowerShell scripts set ACL to of a file or a folder
PowerShell Set-Acl On Windows Folder - PsScript
Detects PowerShell scripts to set the ACL to a file in the Windows folder
PowerShell ShellCode
Detects Base64 encoded Shellcode
Malicious ShellIntel PowerShell Commandlets
Detects Commandlet names from ShellIntel exploitation scripts.
Potential Persistence Via Security Descriptors - ScriptBlock
Detects usage of certain functions and keywords that are used to manipulate security descriptors in order to potentially set a backdoor. As seen used in the DAMP project.
Potential PowerShell Obfuscation Using Character Join
Detects specific techniques often seen used inside of PowerShell scripts to obfscuate Alias creation
Suspicious Eventlog Clear
Detects usage of known powershell cmdlets such as "Clear-EventLog" to clear the Windows event logs
Suspicious PowerShell Download - Powershell Script
Detects suspicious PowerShell download command
Troubleshooting Pack Cmdlet Execution
Detects execution of "TroubleshootingPack" cmdlets to leverage CVE-2022-30190 or action similar to "msdt" lolbin (as described in LOLBAS)
PowerShell Get-Process LSASS in ScriptBlock
Detects a Get-Process command on lsass process, which is in almost all cases a sign of malicious activity
Suspicious PowerShell Invocations - Generic
Detects suspicious PowerShell invocation command parameters
Suspicious PowerShell Invocations - Specific
Detects suspicious PowerShell invocation command parameters
Potential Keylogger Activity
Detects PowerShell scripts that contains reference to keystroke capturing functions
Potential Suspicious PowerShell Keywords
Detects potentially suspicious keywords that could indicate the use of a PowerShell exploitation framework
Suspicious TCP Tunnel Via PowerShell Script
Detects powershell scripts that creates sockets/listeners which could be indicative of tunneling activity
Suspicious Service DACL Modification Via Set-Service Cmdlet - PS
Detects usage of the "Set-Service" powershell cmdlet to configure a new SecurityDescriptor that allows a service to be hidden from other utilities such as "sc.exe", "Get-Service"...etc. (Works only in powershell 7)
PowerShell Write-EventLog Usage
Detects usage of the "Write-EventLog" cmdlet with 'RawData' flag. The cmdlet can be levreage to write malicious payloads to the EventLog and then retrieve them later for later use
Zip A Folder With PowerShell For Staging In Temp - PowerShell Script
Detects PowerShell scripts that make use of the "Compress-Archive" Cmdlet in order to compress folders and files where the output is stored in a potentially suspicious location that is used often by malware for exfiltration. An adversary might compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.
Tamper Windows Defender Remove-MpPreference - ScriptBlockLogging
Detects attempts to remove Windows Defender configuration using the 'MpPreference' cmdlet
Tamper Windows Defender - ScriptBlockLogging
Detects PowerShell scripts attempting to disable scheduled scanning and other parts of Windows Defender ATP or set default actions to allow.
User Discovery And Export Via Get-ADUser Cmdlet - PowerShell
Detects usage of the Get-ADUser cmdlet to collect user information and output it to a file
Potential Persistence Via PowerShell User Profile Using Add-Content
Detects calls to "Add-Content" cmdlet in order to modify the content of the user profile and potentially adding suspicious commands for persistence
Abuse of Service Permissions to Hide Services Via Set-Service - PS
Detects usage of the "Set-Service" powershell cmdlet to configure a new SecurityDescriptor that allows a service to be hidden from other utilities such as "sc.exe", "Get-Service"...etc. (Works only in powershell 7)
Registry Modification Attempt Via VBScript - PowerShell
Detects attempts to modify the registry using VBScript's CreateObject("Wscript.shell") and RegWrite methods embedded within PowerShell scripts or commands. Threat actors commonly embed VBScript code within PowerShell to perform registry modifications, attempting to evade detection that monitors for direct registry access through traditional tools. This technique can be used for persistence, defense evasion, and privilege escalation by modifying registry keys without using regedit.exe, reg.exe, or PowerShell's native registry cmdlets.
Veeam Backup Servers Credential Dumping Script Execution
Detects execution of a PowerShell script that contains calls to the "Veeam.Backup" class, in order to dump stored credentials.
Potentially Suspicious Call To Win32_NTEventlogFile Class - PSScript
Detects usage of the WMI class "Win32_NTEventlogFile" in a potentially suspicious way (delete, backup, change permissions, etc.) from a PowerShell script
Potential WinAPI Calls Via PowerShell Scripts
Detects use of WinAPI functions in PowerShell scripts
WMIC Unquoted Services Path Lookup - PowerShell
Detects known WMI recon method to look for unquoted service paths, often used by pentest inside of powershell scripts attackers enum scripts
HackTool - CobaltStrike BOF Injection Pattern
Detects a typical pattern of a CobaltStrike BOF which inject into other processes
HackTool - Generic Process Access
Detects process access requests from hacktool processes based on their default image name
HackTool - LittleCorporal Generated Maldoc Injection
Detects the process injection of a LittleCorporal generated Maldoc.
HackTool - SysmonEnte Execution
Detects the use of SysmonEnte, a tool to attack the integrity of Sysmon
LSASS Memory Access by Tool With Dump Keyword In Name
Detects LSASS process access requests from a source process with the "dump" keyword in its image name.
Suspicious LSASS Access Via MalSecLogon
Detects suspicious access to LSASS handle via a call trace to "seclogon.dll" with a suspicious access right.
Potentially Suspicious GrantedAccess Flags On LSASS
Detects process access requests to LSASS process with potentially suspicious access flags
Credential Dumping Attempt Via WerFault
Detects process LSASS memory dump using Mimikatz, NanoDump, Invoke-Mimikatz, Procdump or Taskmgr based on the CallTrace pointing to ntdll.dll, dbghelp.dll or dbgcore.dll for win10, server2016 and up.
LSASS Access From Potentially White-Listed Processes
Detects a possible process memory dump that uses a white-listed filename like TrolleyExpress.exe as a way to dump the LSASS process memory without Microsoft Defender interference
Uncommon Process Access Rights For Target Image
Detects process access request to uncommon target images with a "PROCESS_ALL_ACCESS" access mask.
Suspicious Process Access to LSASS with Dbgcore/Dbghelp DLLs
Detects suspicious process access to LSASS.exe from processes located in uncommon locations with dbgcore.dll or dbghelp.dll in the call trace. These DLLs contain functions like MiniDumpWriteDump that can be abused for credential dumping purposes. While modern tools like Mimikatz have moved to using ntdll.dll, dbgcore.dll and dbghelp.dll are still used by basic credential dumping utilities and legacy tools for LSASS memory access and process suspension techniques.
Potential Direct Syscall of NtOpenProcess
Detects potential calls to NtOpenProcess directly from NTDLL.
UAC Bypass Using WOW64 Logger DLL Hijack
Detects the pattern of UAC Bypass using a WoW64 logger DLL hijack (UACMe 30)
Suspicious Process Access of MsMpEng by WerFaultSecure - EDR-Freeze
Detects process access events where WerFaultSecure accesses MsMpEng.exe with dbgcore.dll or dbghelp.dll in the call trace, indicating potential EDR freeze techniques. This technique leverages WerFaultSecure.exe running as a Protected Process Light (PPL) with WinTCB protection level to call MiniDumpWriteDump and suspend EDR/AV processes, allowing malicious activity to execute undetected during the suspension period.
7Zip Compressing Dump Files
Detects execution of 7z in order to compress a file with a ".dmp"/".dump" extension, which could be a step in a process of dump file exfiltration.
Potential DLL Injection Via AccCheckConsole
Detects the execution "AccCheckConsole" a command-line tool for verifying the accessibility implementation of an application's UI. One of the tests that this checker can run are called "verification routine", which tests for things like Consistency, Navigation, etc. The tool allows a user to provide a DLL that can contain a custom "verification routine". An attacker can build such DLLs and pass it via the CLI, which would then be loaded in the context of the "AccCheckConsole" utility.