Sigma Rules
957 rules found for "Nasreddine Bencherchali (Nextron Systems)"
ETW Logging Disabled For SCM
Detects changes to the "TracingDisabled" key in order to disable ETW logging for services.exe (SCM)
Persistence Via New SIP Provider
Detects when an attacker registers a new SIP provider for persistence and defense evasion
Tamper With Sophos AV Registry Keys
Detects attempts to tamper with Sophos AV functionality via registry key modification
Hiding User Account Via SpecialAccounts Registry Key
Detects modifications to the registry key "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\Userlist" where the value is set to "0" in order to hide a user account from being listed on the logon screen.
Suspicious Environment Variable Has Been Registered
Detects the creation, via the registry, of user-specific or system-wide environment variables that contain suspicious commands and strings
Enable LM Hash Storage
Detects changes to the "NoLMHash" registry value in order to allow Windows to store LM hashes. When this value is set to "0" (DWORD), Windows is allowed to store a LAN Manager hash of the user's password in Active Directory and in local SAM databases.
RDP Sensitive Settings Changed to Zero
Detects tampering with sensitive RDP Terminal Service/Server settings, such as allowing unauthorized users access to a system via 'fAllowUnsolicited' or enabling RDP via 'fDenyTSConnections'.
RDP Sensitive Settings Changed
Detects tampering with sensitive RDP Terminal Service/Server settings, such as allowing unauthorized users access to a system via 'fAllowUnsolicited' or enabling RDP via 'fDenyTSConnections'. The registry keys/values monitored by this rule are:
- Shadow: Used to enable Remote Desktop shadowing, which allows an administrator to view or control a user's session.
- DisableRemoteDesktopAntiAlias: Disables anti-aliasing for remote desktop sessions.
- DisableSecuritySettings: Disables certain security settings for Remote Desktop connections.
- fAllowUnsolicited: Allows unsolicited remote assistance offers.
- fAllowUnsolicitedFullControl: Allows unsolicited remote assistance offers with full control.
- InitialProgram: Specifies a program to run automatically when a user logs on to a remote computer.
- ServiceDll: Used in RDP hijacking techniques to specify a custom DLL to be loaded by the Terminal Services service.
- SecurityLayer: Specifies the security layer used for RDP connections.
Old TLS1.0/TLS1.1 Protocol Version Enabled
Detects applications or users re-enabling old TLS versions by setting the "Enabled" value to "1" for the "Protocols" registry key.
Potential Signing Bypass Via Windows Developer Features - Registry
Detects the enablement of developer features such as "Developer Mode" or "Application Sideloading", which allow the user to install untrusted packages.
UAC Notification Disabled
Detects when an attacker tries to disable User Account Control (UAC) notifications by tampering with the "UACDisableNotify" value. UAC is a critical security feature in Windows that prevents unauthorized changes to the operating system: it prompts the user for permission or an administrator password before allowing actions that could affect the system's operation or change settings that affect other users. When "UACDisableNotify" is set to 1, UAC prompts are suppressed.
Disable Windows Defender Functionalities Via Registry Keys
Detects when attackers or tools disable Windows Defender functionalities via the Windows registry
Winget Admin Settings Modification
Detects changes to the AppInstaller (winget) admin settings, such as enabling local manifest installations or disabling installer hash checks
Enable Local Manifest Installation With Winget
Detects changes to the AppInstaller (winget) policy, specifically the activation of local manifest installation, which allows a user to install new packages via custom manifests.
Winlogon AllowMultipleTSSessions Enable
Detects when the 'AllowMultipleTSSessions' value is enabled, which allows multiple Remote Desktop sessions to be open at once. Attackers often use this to connect to an RDP session without disconnecting other users.
Sysmon Blocked Executable
Triggers on any Sysmon "FileBlockExecutable" event, which indicates a violation of the configured block policy
Rejetto HTTP File Server RCE
Detects attempts to exploit a Rejetto HTTP File Server (HFS) via CVE-2014-6287
Elise Backdoor Activity
Detects Elise backdoor activity used by APT32
Potential MuddyWater APT Activity
Detects potential Muddywater APT activity
Potential Dridex Activity
Detects potential Dridex activity via specific process patterns
Potential Dtrack RAT Activity
Detects potential Dtrack RAT activity via specific process patterns
Potential Ryuk Ransomware Activity
Detects Ryuk ransomware activity
Potential APT-C-12 BlueMushroom DLL Load Activity Via Regsvr32
Detects potential BlueMushroom DLL loading activity via regsvr32 from the AppData\Local directory
Potential EmpireMonkey Activity
Detects potential EmpireMonkey APT activity
CVE-2021-44077 POC Default Dropped File
Detects the creation of "msiexec.exe" in the "bin" directory of ManageEngine SupportCenter Plus (related to CVE-2021-44077), for which a public POC is available
Potential Devil Bait Related Indicator
Detects the creation of ".xml" and ".txt" files in folders of the "\AppData\Roaming\Microsoft" directory by uncommon processes. This behavior was commonly seen across different Devil Bait samples and stages as described by the NCSC
Potential Devil Bait Malware Reconnaissance
Detects specific process behavior observed with Devil Bait samples
Devil Bait Potential C2 Communication Traffic
Detects potential C2 communication related to Devil Bait malware
Goofy Guineapig Backdoor IOC
Detects malicious indicators seen used by the Goofy Guineapig malware
Potential Goofy Guineapig GoogleUpdate Process Anomaly
Detects "GoogleUpdate.exe" spawning a new instance of itself in an uncommon location as seen used by the Goofy Guineapig backdoor
Goofy Guineapig Backdoor Potential C2 Communication
Detects potential C2 communication related to Goofy Guineapig backdoor
Goofy Guineapig Backdoor Service Creation
Detects service creation persistence used by the Goofy Guineapig backdoor
Small Sieve Malware File Indicator Creation
Detects filename indicators that contain a specific typo, as used by the Small Sieve malware.
Small Sieve Malware CommandLine Indicator
Detects a specific command-line argument being passed to a binary, as used by the Small Sieve malware.
Small Sieve Malware Potential C2 Communication
Detects potential C2 communication related to Small Sieve malware
Small Sieve Malware Registry Persistence
Detects a registry value with a specific intentional typo and strings, as used by the Small Sieve malware
Potential CVE-2023-21554 QueueJumper Exploitation
Detects potential exploitation of CVE-2023-21554 (dubbed QueueJumper)
Atlassian Confluence CVE-2022-26134
Detects spawning of suspicious child processes by Atlassian Confluence server which may indicate successful exploitation of CVE-2022-26134
CVE-2022-31656 VMware Workspace ONE Access Auth Bypass
Detects the exploitation of the VMware Workspace ONE Access Authentication Bypass vulnerability as described in CVE-2022-31656. VMware Workspace ONE Access, Identity Manager and vRealize Automation contain an authentication bypass vulnerability affecting local domain users. A malicious actor with network access to the UI may be able to obtain administrative access without the need to authenticate.
CVE-2022-31659 VMware Workspace ONE Access RCE
Detects possible exploitation of VMware Workspace ONE Access Admin Remote Code Execution vulnerability as described in CVE-2022-31659
Apache Spark Shell Command Injection - ProcessCreation
Detects attempts to exploit an Apache Spark server via the shell command injection vulnerability CVE-2022-33891 (the original description cites CVE-2014-6287, which is the Rejetto HFS issue) from a command-line perspective
Apache Spark Shell Command Injection - Weblogs
Detects attempts to exploit an Apache Spark server via the shell command injection vulnerability CVE-2022-33891 (the original description cites CVE-2014-6287, which is the Rejetto HFS issue) from a web-log perspective
Atlassian Bitbucket Command Injection Via Archive API
Detects attempts to exploit the Atlassian Bitbucket Command Injection CVE-2022-36804
Potential OWASSRF Exploitation Attempt - Proxy
Detects exploitation attempts of the OWASSRF variant targeting Exchange servers. It uses the OWA endpoint to reach the PowerShell backend endpoint
OWASSRF Exploitation Attempt Using Public POC - Proxy
Detects exploitation attempts of the OWASSRF variant targeting Exchange servers using a publicly available POC. It uses the OWA endpoint to reach the PowerShell backend endpoint
Potential OWASSRF Exploitation Attempt - Webserver
Detects exploitation attempts of the OWASSRF variant targeting Exchange servers. It uses the OWA endpoint to reach the PowerShell backend endpoint
OWASSRF Exploitation Attempt Using Public POC - Webserver
Detects exploitation attempts of the OWASSRF variant targeting Exchange servers using a publicly available POC. It uses the OWA endpoint to reach the PowerShell backend endpoint
Exploitation Indicator Of CVE-2022-42475
Detects exploitation indicators of CVE-2022-42475, a heap-based buffer overflow in the FortiOS SSL-VPN daemon (sslvpnd).