Sigma Rules
1,405 rules found for "Nextron Systems"
Renamed Mavinject.EXE Execution
Detects the execution of a renamed version of the "Mavinject" process. Which can be abused to perform process injection using the "/INJECTRUNNING" flag
Renamed Microsoft Teams Execution
Detects the execution of a renamed Microsoft Teams binary.
Renamed NetSupport RAT Execution
Detects the execution of a renamed "client32.exe" (NetSupport RAT) via Imphash, Product and OriginalFileName strings
Renamed NirCmd.EXE Execution
Detects the execution of a renamed "NirCmd.exe" binary based on the PE metadata fields.
Renamed Office Binary Execution
Detects the execution of a renamed office binary
Renamed PAExec Execution
Detects execution of renamed version of PAExec. Often used by attackers
Renamed PingCastle Binary Execution
Detects the execution of a renamed "PingCastle" binary based on the PE metadata fields.
Renamed Plink Execution
Detects the execution of a renamed version of the Plink binary
Visual Studio NodejsTools PressAnyKey Renamed Execution
Detects renamed execution of "Microsoft.NodejsTools.PressAnyKey.exe", which can be abused as a LOLBIN to execute arbitrary binaries
Potential Renamed Rundll32 Execution
Detects when 'DllRegisterServer' is called in the commandline and the image is not rundll32. This could mean that the 'rundll32' utility has been renamed in order to avoid detection
Renamed Remote Utilities RAT (RURAT) Execution
Detects execution of renamed Remote Utilities (RURAT) via Product PE header field
Renamed Schtasks Execution
Detects the execution of renamed schtasks.exe binary, which is a legitimate Windows utility used for scheduling tasks. One of the very common persistence techniques is schedule malicious tasks using schtasks.exe. Since, it is heavily abused, it is also heavily monitored by security products. To evade detection, threat actors may rename the schtasks.exe binary to schedule their malicious tasks.
Renamed SysInternals DebugView Execution
Detects suspicious renamed SysInternals DebugView execution
Renamed ProcDump Execution
Detects the execution of a renamed ProcDump executable. This often done by attackers or malware in order to evade defensive mechanisms.
Renamed PsExec Service Execution
Detects suspicious launch of a renamed version of the PSEXESVC service with, which is not often used by legitimate administrators
Renamed Sysinternals Sdelete Execution
Detects the use of a renamed SysInternals Sdelete, which is something an administrator shouldn't do (the renaming)
Renamed Whoami Execution
Detects the execution of whoami that has been renamed to a different name to avoid detection
Ruby Inline Command Execution
Detects execution of ruby using the "-e" flag. This is could be used as a way to launch a reverse shell or execute live ruby code.
Suspicious Advpack Call Via Rundll32.EXE
Detects execution of "rundll32" calling "advpack.dll" with potential obfuscated ordinal calls in order to leverage the "RegisterOCX" function
Suspicious Rundll32 Invoking Inline VBScript
Detects suspicious process related to rundll32 based on command line that invokes inline VBScript as seen being used by UNC2452
Suspicious Key Manager Access
Detects the invocation of the Stored User Names and Passwords dialogue (Key Manager)
Mshtml.DLL RunHTMLApplication Suspicious Usage
Detects execution of commands that leverage the "mshtml.dll" RunHTMLApplication export to run arbitrary code via different protocol handlers (vbscript, javascript, file, http...)
Rundll32 Execution Without CommandLine Parameters
Detects suspicious start of rundll32.exe without any parameters as found in CobaltStrike beacon activity
Potential Obfuscated Ordinal Call Via Rundll32
Detects execution of "rundll32" with potential obfuscated ordinal calls
Process Memory Dump Via Comsvcs.DLL
Detects a process memory dump via "comsvcs.dll" using rundll32, covering multiple different techniques (ordinal, minidump function, etc.)
Shell32 DLL Execution in Suspicious Directory
Detects shell32.dll executing a DLL in a suspicious directory
Potential ShellDispatch.DLL Functionality Abuse
Detects potential "ShellDispatch.dll" functionality abuse to execute arbitrary binaries via "ShellExecute"
Potentially Suspicious Rundll32 Activity
Detects suspicious execution of rundll32, with specific calls to some DLLs with known LOLBIN functionalities
Suspicious Control Panel DLL Load
Detects suspicious Rundll32 execution from control.exe as used by Equation Group and Exploit Kits
Suspicious Usage Of ShellExec_RunDLL
Detects suspicious usage of the ShellExec_RunDLL function to launch other commands as seen in the the raspberry-robin attack
ShimCache Flush
Detects actions that clear the local ShimCache and remove forensic evidence
Suspicious Rundll32 Activity Invoking Sys File
Detects suspicious process related to rundll32 based on command line that includes a *.sys file as seen being used by UNC2452
Rundll32 UNC Path Execution
Detects rundll32 execution where the DLL is located on a remote location (share)
Rundll32 Execution With Uncommon DLL Extension
Detects the execution of rundll32 with a command line that doesn't contain a common extension
Suspicious WebDav Client Execution Via Rundll32.EXE
Detects "svchost.exe" spawning "rundll32.exe" with command arguments like C:\windows\system32\davclnt.dll,DavSetCookie. This could be an indicator of exfiltration or use of WebDav to launch code (hosted on WebDav Server) or potentially a sign of exploitation of CVE-2023-23397
Service StartupType Change Via Sc.EXE
Detect the use of "sc.exe" to change the startup type of a service to "disabled" or "demand"
New Kernel Driver Via SC.EXE
Detects creation of a new service (kernel driver) with the type "kernel"
Allow Service Access Using Security Descriptor Tampering Via Sc.EXE
Detects suspicious DACL modifications to allow access to a service from a suspicious trustee. This can be used to override access restrictions set by previous ACLs.
Service Security Descriptor Tampering Via Sc.EXE
Detection of sc.exe utility adding a new service with special permission which hides that service.
Suspicious Service Path Modification
Detects service path modification via the "sc" binary to a suspicious command or path
Stop Windows Service Via Sc.EXE
Detects the stopping of a Windows service via the "sc.exe" utility
Suspicious Schtasks Execution AppData Folder
Detects the creation of a schtask that executes a file from C:\Users\<USER>\AppData\Local
Suspicious Modification Of Scheduled Tasks
Detects when an attacker tries to modify an already existing scheduled tasks to run from a suspicious location Attackers can create a simple looking task in order to avoid detection on creation as it's often the most focused on Instead they modify the task after creation to include their malicious payload
Scheduled Task Creation Via Schtasks.EXE
Detects the creation of scheduled tasks by user accounts via the "schtasks" utility.
Suspicious Scheduled Task Creation Involving Temp Folder
Detects the creation of scheduled tasks that involves a temporary folder and runs only once
Scheduled Task Creation with Curl and PowerShell Execution Combo
Detects the creation of a scheduled task using schtasks.exe, potentially in combination with curl for downloading payloads and PowerShell for executing them. This facilitates executing malicious payloads or connecting with C&C server persistently without dropping the malware sample on the host.
Delete Important Scheduled Task
Detects when adversaries stop services or processes by deleting their respective scheduled tasks in order to conduct data destructive activities
Delete All Scheduled Tasks
Detects the usage of schtasks with the delete flag and the asterisk symbol to delete all tasks from the schedule of the local computer, including tasks scheduled by other users.