Sigma Rules
139 rules found for "Nasreddine Bencherchali (Nextron Systems)"
Potential CVE-2023-36884 Exploitation Dropped File
Detects a specific file being created in the recent folder of Office. These files have been seen being dropped during potential exploitations of CVE-2023-36884
Potential CVE-2023-36884 Exploitation - Share Access
Detects access to a file share with a naming schema seen being used during exploitation of CVE-2023-36884
CVE-2023-38331 Exploitation Attempt - Suspicious Double Extension File
Detects the creation of a file with a double extension and a space by WinRAR. This could be a sign of exploitation of CVE-2023-38331
CVE-2023-38331 Exploitation Attempt - Suspicious WinRAR Child Process
Detects exploitation attempt of CVE-2023-38331 (WinRAR before v6.23), where an attacker can leverage WinRAR to execute arbitrary commands and binaries.
CVE-2023-40477 Potential Exploitation - .REV File Creation
Detects the creation of ".rev" files by WinRAR. Could be indicative of potential exploitation of CVE-2023-40477. Look for a suspicious execution shortly after creation or a WinRAR application crash.
CVE-2023-40477 Potential Exploitation - WinRAR Application Crash
Detects a crash of "WinRAR.exe" where the version is lower than 6.23. This could indicate potential exploitation of CVE-2023-40477
Potential Information Disclosure CVE-2023-43261 Exploitation - Proxy
Detects exploitation attempts of CVE-2023-43261 and information disclosure in Milesight UR5X, UR32L, UR32, UR35, UR41 before v35.3.0.7 that allows attackers to access sensitive router components in proxy logs.
Potential Information Disclosure CVE-2023-43261 Exploitation - Web
Detects exploitation attempts of CVE-2023-43261 and information disclosure in Milesight UR5X, UR32L, UR32, UR35, UR41 before v35.3.0.7 that allows attackers to access sensitive router components in access logs.
Potential CVE-2023-46214 Exploitation Attempt
Detects potential exploitation of CVE-2023-46214, a remote code execution (RCE) in Splunk Enterprise through insecure XML parsing
CVE-2023-46747 Exploitation Activity - Proxy
Detects exploitation activity of CVE-2023-46747 an unauthenticated remote code execution vulnerability in F5 BIG-IP.
CVE-2023-46747 Exploitation Activity - Webserver
Detects exploitation activity of CVE-2023-46747 an unauthenticated remote code execution vulnerability in F5 BIG-IP.
CVE-2023-4966 Exploitation Attempt - Citrix ADC Sensitive Information Disclosure - Proxy
Detects exploitation attempt of CVE-2023-4966 a Citrix ADC and NetScaler Gateway sensitive information disclosure vulnerability via proxy logs by looking for a very long host header string.
CVE-2023-4966 Potential Exploitation Attempt - Citrix ADC Sensitive Information Disclosure - Proxy
Detects potential exploitation attempt of CVE-2023-4966 a Citrix ADC and NetScaler Gateway sensitive information disclosure vulnerability via proxy logs.
CVE-2023-4966 Potential Exploitation Attempt - Citrix ADC Sensitive Information Disclosure - Webserver
Detects potential exploitation attempt of CVE-2023-4966 a Citrix ADC and NetScaler Gateway sensitive information disclosure vulnerability via webserver logs.
CVE-2023-4966 Exploitation Attempt - Citrix ADC Sensitive Information Disclosure - Webserver
Detects exploitation attempt of CVE-2023-4966 a Citrix ADC and NetScaler Gateway sensitive information disclosure vulnerability via webserver logs by looking for a very long host header string.
Potential Exploitation Attempt Of Undocumented WindowsServer RCE
Detects potential exploitation attempt of undocumented Windows Server Pre Auth Remote Code Execution (RCE)
Potential COLDSTEEL RAT File Indicators
Detects the creation of a file named "dllhost.exe" in the "C:\users\public\Documents\" directory. Seen being used by the COLDSTEEL RAT in some of its variants.
Potential COLDSTEEL Persistence Service DLL Load
Detects a suspicious DLL load by an "svchost" process based on location and name that might be related to ColdSteel RAT. This DLL location and name has been seen used by ColdSteel as the service DLL for its persistence mechanism
COLDSTEEL RAT Anonymous User Process Execution
Detects the creation of a process executing as user called "ANONYMOUS" seen used by the "MileStone2016" variant of COLDSTEEL
COLDSTEEL RAT Cleanup Command Execution
Detects the creation of a "rundll32" process from the ColdSteel persistence service to initiate the cleanup command by calling one of its own exports. This functionality is not present in "MileStone2017" and some "MileStone2016" samples
Potential COLDSTEEL RAT Windows User Creation
Detects creation of a new user profile with a specific username, seen being used by some variants of the COLDSTEEL RAT.
COLDSTEEL Persistence Service Creation
Detects the creation of new services potentially related to COLDSTEEL RAT
Griffon Malware Attack Pattern
Detects process execution patterns related to Griffon malware as reported by Kaspersky
IcedID Malware Suspicious Single Digit DLL Execution Via Rundll32
Detects RunDLL32.exe executing a single digit DLL named "1.dll" with the export function "DllRegisterServer". This behaviour was often seen used by malware and especially IcedID
Pikabot Fake DLL Extension Execution Via Rundll32.EXE
Detects specific process tree behavior linked to "rundll32" executions, wherein the associated DLL lacks a common ".dll" extension, often signaling potential Pikabot activity.
Qakbot Regsvr32 Calc Pattern
Detects a specific command line of "regsvr32" where the "calc" keyword is used in conjunction with the "/s" flag. This behavior is often seen used by Qakbot
Qakbot Rundll32 Fake DLL Extension Execution
Detects specific process tree behavior of a "rundll32" execution where the DLL doesn't have the ".dll" extension. This is often linked with potential Qakbot activity.
SNAKE Malware Kernel Driver File Indicator
Detects SNAKE malware kernel driver file indicator
SNAKE Malware Installer Name Indicators
Detects filename indicators associated with the SNAKE malware as reported by CISA in their report
SNAKE Malware WerFault Persistence File Creation
Detects the creation of a file named "WerFault.exe" in the WinSxS directory by a non-system process, which can be indicative of potential SNAKE malware activity
Potential SNAKE Malware Installation CLI Arguments Indicator
Detects a specific command line arguments sequence seen used by SNAKE malware during its installation as described by CISA in their report
Potential SNAKE Malware Installation Binary Indicator
Detects a specific binary name seen used by SNAKE malware during its installation as described by CISA in their report
Potential SNAKE Malware Persistence Service Execution
Detects a specific child/parent process relationship indicative of a "WerFault" process running from the "WinSxS" as a service. This could be indicative of potential SNAKE malware activity as reported by CISA.
SNAKE Malware Covert Store Registry Key
Detects any registry event that targets the key 'SECURITY\Policy\Secrets\n' which is a key related to SNAKE malware as described by CISA
Potential Encrypted Registry Blob Related To SNAKE Malware
Detects the creation of a registry value in the ".wav\OpenWithProgIds" key with an uncommon name. This could be related to SNAKE Malware as reported by CISA
SNAKE Malware Service Persistence
Detects the creation of a service named "WerFaultSvc" which seems to be used by the SNAKE malware as a persistence mechanism as described by CISA in their report
Potential Compromised 3CXDesktopApp Beaconing Activity - DNS
Detects potential beaconing activity to domains related to 3CX 3CXDesktopApp compromise
Malicious DLL Load By Compromised 3CXDesktopApp
Detects DLL load activity of known compromised DLLs used in by the compromised 3CXDesktopApp
Potential Compromised 3CXDesktopApp Beaconing Activity - Netcon
Detects potential beaconing activity to domains related to 3CX 3CXDesktopApp compromise
Potential Compromised 3CXDesktopApp Execution
Detects execution of known compromised version of 3CXDesktopApp
Potential Suspicious Child Process Of 3CXDesktopApp
Detects potential suspicious child processes of "3CXDesktopApp.exe". Which could be related to the 3CXDesktopApp supply chain compromise
Potential Compromised 3CXDesktopApp Update Activity
Detects the 3CXDesktopApp updater downloading a known compromised version of the 3CXDesktopApp software
Potential Compromised 3CXDesktopApp Beaconing Activity - Proxy
Detects potential beaconing activity to domains related to 3CX 3CXDesktopApp compromise
Potential Compromised 3CXDesktopApp ICO C2 File Download
Detects potential malicious .ICO files download from a compromised 3CXDesktopApp via web requests to the the malicious Github repository
Diamond Sleet APT DNS Communication Indicators
Detects DNS queries related to Diamond Sleet APT activity
Diamond Sleet APT File Creation Indicators
Detects file creation activity that is related to Diamond Sleet APT activity
Diamond Sleet APT DLL Sideloading Indicators
Detects DLL sideloading activity seen used by Diamond Sleet APT
Diamond Sleet APT Process Activity Indicators
Detects process creation activity indicators related to Diamond Sleet APT