Sigma Rules
498 rules found for "Florian Roth (Nextron Systems)"
HackTool - BabyShark Agent Default URL Pattern
Detects Baby Shark C2 Framework default communication patterns
HackTool - CobaltStrike Malleable Profile Patterns - Proxy
Detects Cobalt Strike malleable profile patterns (URI, User-Agents, Methods).
HackTool - Empire UserAgent URI Combo
Detects user agent and URI paths used by Empire agents
PwnDrp Access
Detects downloads from PwnDrp web servers developed for red team testing and most likely also used for criminal activity
Raw Paste Service Access
Detects direct access to raw pastes in different paste services often used by malware in their second stages to download malicious code in encrypted or encoded form
Flash Player Update from Suspicious Location
Detects a Flash Player update from an unofficial location
Telegram API Access
Detects suspicious requests to Telegram API without the usual Telegram User-Agent
APT User Agent
Detects suspicious user agent strings used in APT malware in proxy logs
Bitsadmin to Uncommon IP Server Address
Detects Bitsadmin connections to IP addresses instead of FQDN names
Bitsadmin to Uncommon TLD
Detects Bitsadmin connections to domains with uncommon TLDs
Crypto Miner User Agent
Detects suspicious user agent strings used by crypto miners in proxy logs
HTTP Request With Empty User Agent
Detects potentially suspicious empty user agent strings in proxy logs. Could potentially indicate an uncommon request method.
Exploit Framework User Agent
Detects suspicious user agent strings used by exploit / pentest frameworks like Metasploit in proxy logs
Hack Tool User Agent
Detects suspicious user agent strings used by hack tools in proxy logs
Malware User Agent
Detects suspicious user agent strings used by malware in proxy logs
Windows PowerShell User Agent
Detects Windows PowerShell Web Access
Suspicious User Agent
Detects suspicious malformed user agent strings in proxy logs
Potential Base64 Encoded User-Agent
Detects User Agent strings that end with an equal sign, which can be a sign of base64 encoding.
JNDIExploit Pattern
Detects exploitation attempt using the JNDI-Exploit-Kit
Path Traversal Exploitation Attempts
Detects path traversal exploitation attempts
Windows Webshell Strings
Detects common commands used in Windows webshells
Microsoft Malware Protection Engine Crash
This rule detects a suspicious crash of the Microsoft Malware Protection Engine
Audit CVE Event
Detects events generated by user-mode applications when they call the CveEventWrite API while a known vulnerability is being exploited. MS started using this log in Jan. 2020 with CVE-2020-0601 (a Windows CryptoAPI vulnerability). Unfortunately, that is about the only instance of CVEs being written to this log.
Backup Catalog Deleted
Detects backup catalog deletions
Relevant Anti-Virus Signature Keywords In Application Log
Detects potentially highly relevant antivirus events in the application log based on known virus signature names and malware keywords.
Microsoft Malware Protection Engine Crash - WER
This rule detects a suspicious crash of the Microsoft Malware Protection Engine
BITS Transfer Job Download From File Sharing Domains
Detects BITS transfer job downloading files from a file sharing domain.
BITS Transfer Job With Uncommon Or Suspicious Remote TLD
Detects a suspicious download using the BITS client from an FQDN that is unusual. Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads.
BITS Transfer Job Download To Potential Suspicious Folder
Detects new BITS transfer job where the LocalName/Saved file is stored in a potentially suspicious location
CodeIntegrity - Unmet Signing Level Requirements By File Under Validation
Detects attempted file load events that did not meet the signing level requirements. It often means the file's signature is revoked or a signature with the Lifetime Signing EKU has expired. This event is best correlated with EID 3089 to determine the error of the validation.
DNS Server Error Failed Loading the ServerLevelPluginDLL
Detects a DNS server error in which a specified plugin DLL (in registry) could not be loaded
USB Device Plugged
Detects plugged/unplugged USB devices
ProxyLogon MSExchange OabVirtualDirectory
Detects specific patterns found after a successful ProxyLogon exploitation in relation to a Commandlet invocation of Set-OabVirtualDirectory
Mailbox Export to Exchange Webserver
Detects a successful export of an Exchange mailbox to an atypical directory or with an aspx name suffix, which can be used to place a webshell, or the role assignment needed for it
NTLM Logon
Detects logons using NTLM, which could be caused by a legacy source or attackers
RottenPotato Like Attack Pattern
Detects logon events that have characteristics of events generated during an attack with RottenPotato and the like
Access To ADMIN$ Network Share
Detects access to ADMIN$ network share
Hacktool Ruler
Detects events that are generated when using the hacktool Ruler by SensePost
Security Eventlog Cleared
One of the Windows event logs has been cleared, e.g. caused by "wevtutil cl" command execution
CobaltStrike Service Installations - Security
Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or performs lateral movement
Mimikatz DC Sync
Detects Mimikatz DC sync security events
Credential Dumping Tools Service Execution - Security
Detects well-known credential dumping tools execution via service execution events
Meterpreter or Cobalt Strike Getsystem Service Installation - Security
Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation
NetNTLM Downgrade Attack
Detects NetNTLM downgrade attack
Account Tampering - Suspicious Failed Logon Reasons
This method uses uncommon error codes on failed logons to determine suspicious activity and tampering with accounts that have been disabled or somehow restricted.
Kerberos Manipulation
Detects a failed Kerberos TGT issue operation. This can be a sign of manipulation of TGT messages by an attacker.
Reconnaissance Activity
Detects activity such as "net user administrator /domain" and "net group domain admins /domain"
Password Protected ZIP File Opened
Detects the extraction of password protected ZIP archives. See the filename variable for more details on which file has been opened.