Sigma Rules
125 rules found for "Florian Roth (Nextron Systems)"
Potential Snatch Ransomware Activity
Detects specific process characteristics of Snatch ransomware word document droppers
Potential APT-C-12 BlueMushroom DLL Load Activity Via Regsvr32
Detects potential BlueMushroom DLL loading activity via regsvr32 from AppData Local
APT31 Judgement Panda Activity
Detects APT31 Judgement Panda activity as described in the Crowdstrike 2019 Global Threat Report
Potential Russian APT Credential Theft Activity
Detects Russian group activity as described in Global Threat Report 2019 by Crowdstrike
Equation Group DLL_U Export Function Load
Detects a specific export function name used by one of EquationGroup tools
Mustang Panda Dropper
Detects specific process parameters as used by Mustang Panda droppers
Operation Wocao Activity
Detects activity mentioned in Operation Wocao report
Operation Wocao Activity - Security
Detects activity mentioned in Operation Wocao report
CVE-2020-0688 Exchange Exploitation via Web Log
Detects the exploitation of Microsoft Exchange vulnerability as described in CVE-2020-0688
CVE-2020-0688 Exploitation via Eventlog
Detects the exploitation of Microsoft Exchange vulnerability as described in CVE-2020-0688
Exploited CVE-2020-10189 Zoho ManageEngine
Detects the exploitation of Zoho ManageEngine Desktop Central Java Deserialization vulnerability reported as CVE-2020-10189
Suspicious PrinterPorts Creation (CVE-2020-1048)
Detects new commands that add new printer port which point to suspicious file
CVE-2020-1048 Exploitation Attempt - Suspicious New Printer Ports - Registry
Detects changes to the "Ports" registry key with data that includes a Windows path or a file with a suspicious extension. This could be an attempt to exploit CVE-2020-1048 - a Windows Print Spooler elevation of privilege vulnerability.
DNS RCE CVE-2020-1350
Detects exploitation of DNS RCE bug reported in CVE-2020-1350 by the detection of suspicious sub process
Oracle WebLogic Exploit CVE-2020-14882
Detects exploitation attempts on WebLogic servers
Cisco ASA FTD Exploit CVE-2020-3452
Detects exploitation attempts on Cisco ASA FTD systems exploiting CVE-2020-3452 with a status code of 200 (sccessful exploitation)
CVE-2020-5902 F5 BIG-IP Exploitation Attempt
Detects the exploitation attempt of the vulnerability found in F5 BIG-IP and described in CVE-2020-5902
Citrix ADS Exploitation CVE-2020-8193 CVE-2020-8195
Detects exploitation attempt against Citrix Netscaler, Application Delivery Controller (ADS) and Citrix Gateway exploiting vulnerabilities reported as CVE-2020-8193 and CVE-2020-8195
ComRAT Network Communication
Detects Turla ComRAT network communication.
Potential Maze Ransomware Activity
Detects specific process characteristics of Maze ransomware word document droppers
Trickbot Malware Activity
Detects Trickbot malware process tree pattern in which "rundll32.exe" is a parent of "wermgr.exe"
EvilNum APT Golden Chickens Deployment Via OCX Files
Detects Golden Chickens deployment method as used by Evilnum and described in ESET July 2020 report
Greenbug Espionage Group Indicators
Detects tools and process executions used by Greenbug in their May 2020 campaign as reported by Symantec
Lazarus Group Activity
Detects different process execution behaviors as described in various threat reports on Lazarus group activity
UNC2452 Process Creation Patterns
Detects a specific process creation patterns as seen used by UNC2452 and provided by Microsoft as Microsoft Defender ATP queries
UNC2452 PowerShell Pattern
Detects a specific PowerShell command line pattern used by the UNC2452 actors as mentioned in Microsoft and Symantec reports
Suspicious VBScript UN2452 Pattern
Detects suspicious inline VBScript keywords as used by UNC2452
Solarwinds SUPERNOVA Webshell Access
Detects access to SUPERNOVA webshell as described in Guidepoint report
TAIDOOR RAT DLL Load
Detects specific process characteristics of Chinese TAIDOOR RAT malware load
Winnti Malware HK University Campaign
Detects specific process characteristics of Winnti malware noticed in Dec/Jan 2020 in a campaign against Honk Kong universities
Winnti Pipemon Characteristics
Detects specific process characteristics of Winnti Pipemon malware reported by ESET
CVE-2021-1675 Print Spooler Exploitation Filename Pattern
Detects the default filename used in PoC code against print spooler vulnerability CVE-2021-1675
PrinterNightmare Mimikatz Driver Name
Detects static QMS 810 and mimikatz driver name used by Mimikatz as exploited in CVE-2021-1675 and CVE-2021-34527
Possible CVE-2021-1675 Print Spooler Exploitation
Detects events of driver load errors in print service logs that could be a sign of successful exploitation attempts of print spooler vulnerability CVE-2021-1675
CVE-2021-1675 Print Spooler Exploitation
Detects driver load events print service operational log that are a sign of successful exploitation attempts against print spooler vulnerability CVE-2021-1675
Fortinet CVE-2021-22123 Exploitation
Detects CVE-2021-22123 exploitation attempt against Fortinet WAFs
Exploitation of CVE-2021-26814 in Wazuh
Detects the exploitation of the Wazuh RCE vulnerability described in CVE-2021-26814
Exchange Exploitation CVE-2021-28480
Detects successful exploitation of Exchange vulnerability as reported in CVE-2021-28480
CVE-2021-33766 Exchange ProxyToken Exploitation
Detects the exploitation of Microsoft Exchange ProxyToken vulnerability as described in CVE-2021-33766
Serv-U Exploitation CVE-2021-35211 by DEV-0322
Detects patterns as noticed in exploitation of Serv-U CVE-2021-35211 vulnerability by threat group DEV-0322
Suspicious Word Cab File Write CVE-2021-40444
Detects file creation patterns noticeable during the exploitation of CVE-2021-40444
Potential CVE-2021-40444 Exploitation Attempt
Detects potential exploitation of CVE-2021-40444 via suspicious process patterns seen in in-the-wild exploitations
InstallerFileTakeOver LPE CVE-2021-41379 File Create Event
Detects signs of the exploitation of LPE CVE-2021-41379 that include an msiexec process that creates an elevation_service.exe file
Potential CVE-2021-41379 Exploitation Attempt
Detects potential exploitation attempts of CVE-2021-41379 (InstallerFileTakeOver), a local privilege escalation (LPE) vulnerability where the attacker spawns a "cmd.exe" process as a child of Microsoft Edge elevation service "elevation_service" with "LOCAL_SYSTEM" rights
LPE InstallerFileTakeOver PoC CVE-2021-41379
Detects PoC tool used to exploit LPE vulnerability CVE-2021-41379
CVE-2021-41773 Exploitation Attempt
Detects exploitation of flaw in path normalization in Apache HTTP server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the expected document root. If files outside of the document root are not protected by "require all denied" these requests can succeed. Additionally this flaw could leak the source of interpreted files like CGI scripts. This issue is known to be exploited in the wild. This issue only affects Apache 2.4.49 and not earlier versions.
Sitecore Pre-Auth RCE CVE-2021-42237
Detects exploitation attempts of Sitecore Experience Platform Pre-Auth RCE CVE-2021-42237 found in Report.ashx
Suspicious Computer Account Name Change CVE-2021-42287
Detects the renaming of an existing computer account to a account name that doesn't contain a $ symbol as seen in attacks against CVE-2021-42287