Sigma Rules
1,774 rules found for "Nextron Systems"
Bypass UAC via WSReset.exe
Detects use of WSReset.exe to bypass User Account Control (UAC). Adversaries use this technique to execute privileged processes.
UAC Bypass WSReset
Detects the pattern of a UAC bypass via WSReset.exe; the rule only needs fields that the default sysmon-config already collects
User Shell Folders Registry Modification via CommandLine
Detects modifications to User Shell Folders registry values via reg.exe or PowerShell, which could indicate persistence attempts. Attackers may modify User Shell Folders registry values to point to malicious executables or scripts that will be executed during startup. This technique is often used to maintain persistence on a compromised system by ensuring that malicious payloads are executed automatically.
Registry Modification Attempt Via VBScript
Detects attempts to modify the registry using VBScript's CreateObject("Wscript.shell") and RegWrite methods via common LOLBINs. It could be an attempt to modify the registry for persistence without using straightforward methods like regedit.exe, reg.exe, or PowerShell. Threat Actors may use this technique to evade detection by security solutions that monitor for direct registry modifications through traditional tools.
Potential Persistence Via VMwareToolBoxCmd.EXE VM State Change Script
Detects execution of "VMwareToolBoxCmd.exe" with the "script" and "set" arguments to register a script that runs on a specific VM state change
Suspicious Persistence Via VMwareToolBoxCmd.EXE VM State Change Script
Detects execution of "VMwareToolBoxCmd.exe" with the "script" and "set" arguments to register a script located in a potentially suspicious location to run on a specific VM state change
Potentially Suspicious Child Process Of VsCode
Detects uncommon or suspicious child processes spawned by a VsCode "code.exe" process. This could indicate an attempt at persistence via VsCode tasks or terminal profiles.
Visual Studio Code Tunnel Execution
Detects Visual Studio Code tunnel execution. Attackers can abuse this functionality to establish a C2 channel
Visual Studio Code Tunnel Shell Execution
Detects the execution of a shell (powershell, bash, wsl...) via Visual Studio Code tunnel. Attackers can abuse this functionality to establish a C2 channel and execute arbitrary commands on the system.
Renamed Visual Studio Code Tunnel Execution
Detects renamed Visual Studio Code tunnel execution. Attackers can abuse this functionality to establish a C2 channel
Visual Studio Code Tunnel Service Installation
Detects the installation of VsCode tunnel (code-tunnel) as a service.
Potential Binary Proxy Execution Via VSDiagnostics.EXE
Detects execution of "VSDiagnostics.exe" with the "start" command in order to launch and proxy arbitrary binaries.
Vulnerable Driver Blocklist Registry Tampering Via CommandLine
Detects tampering with the Vulnerable Driver Blocklist registry setting via command line tools such as PowerShell or REG.EXE. The Vulnerable Driver Blocklist is a security feature that helps prevent the loading of known vulnerable drivers. Disabling this feature may indicate an attempt to bypass security controls; it is often targeted by threat actors to facilitate the installation of malicious or vulnerable drivers, particularly in scenarios involving Endpoint Detection and Response
Wab Execution From Non Default Location
Detects execution of wab.exe (Windows Contacts) and Wabmig.exe (Microsoft Address Book Import Tool) from non-default locations, as seen in Bumblebee activity
Wab/Wabmig Unusual Parent Or Child Processes
Detects unusual parent or child processes of the wab.exe (Windows Contacts) and Wabmig.exe (Microsoft Address Book Import Tool) processes, as seen in Bumblebee activity
All Backups Deleted Via Wbadmin.EXE
Detects the deletion of all backups or system state backups via "wbadmin.exe". This technique is used by numerous ransomware families and actors. This may only be successful on server platforms that have Windows Backup enabled.
Windows Backup Deleted Via Wbadmin.EXE
Detects the deletion of backups or system state backups via "wbadmin.exe". This technique is used by numerous ransomware families and actors. This may only be successful on server platforms that have Windows Backup enabled.
Sensitive File Dump Via Wbadmin.EXE
Detects the dump of highly sensitive files such as "NTDS.DIT" and "SECURITY" hive. Attackers can leverage the "wbadmin" utility in order to dump sensitive files that might contain credential or sensitive information.
File Recovery From Backup Via Wbadmin.EXE
Detects the recovery of files from backups via "wbadmin.exe". Attackers can restore sensitive files such as NTDS.DIT or Registry Hives from backups in order to potentially extract credentials.
Sensitive File Recovery From Backup Via Wbadmin.EXE
Detects the recovery of highly sensitive files such as "NTDS.DIT" and the "SECURITY" hive from backups via "wbadmin.exe". Attackers can restore such files from backups in order to extract credentials or other sensitive information.
Chopper Webshell Process Pattern
Detects patterns found in process executions caused by China Chopper-like tiny (ASPX) webshells
Webshell Hacking Activity Patterns
Detects certain parent-child process patterns seen in cases where a web shell is used to perform credential dumping or exfiltration on a compromised system
Webshell Detection With Command Line Keywords
Detects certain command line parameters often used during reconnaissance activity via web shells
Suspicious Process By Web Server Process
Detects potentially suspicious processes being spawned by a web server process which could be the result of a successfully placed web shell or exploitation
Webshell Tool Reconnaissance Activity
Detects processes spawned from web servers (PHP, Tomcat, IIS, etc.) that perform reconnaissance looking for the existence of popular scripting tools (perl, python, wget) on the system via the help commands
Potential Credential Dumping Via WER
Detects potential credential dumping via the "LSASS Shtinkering" technique, which abuses Windows Error Reporting to produce a memory dump of lsass
Potential ReflectDebugger Content Execution Via WerFault.EXE
Detects execution of "WerFault.exe" with the "-pr" command line flag, which runs the file referenced by the ReflectDebugger registry key. An attacker can store the path to malware in that key in order to masquerade the execution flow
Suspicious Child Process Of Wermgr.EXE
Detects suspicious child processes of the Windows Error Reporting manager (wermgr.exe)
Suspicious Execution Location Of Wermgr.EXE
Detects suspicious Windows Error Reporting manager (wermgr.exe) execution location.
Suspicious File Download From IP Via Wget.EXE
Detects potentially suspicious file downloads directly from IP addresses using Wget.exe
Suspicious File Download From File Sharing Domain Via Wget.EXE
Detects potentially suspicious file downloads from file sharing domains using wget.exe
Suspicious File Download From IP Via Wget.EXE - Paths
Detects potentially suspicious file downloads directly from IP addresses and stored in suspicious locations using Wget.exe
Suspicious Where Execution
Detects suspicious execution of where.exe. Adversaries may enumerate browser bookmarks to learn more about compromised hosts. Browser bookmarks may reveal personal information about users (ex: banking sites, interests, social media, etc.) as well as details about internal network resources such as servers, tools/dashboards, or other related infrastructure.
Enumerate All Information With Whoami.EXE
Detects the execution of "whoami.exe" with the "/all" flag
Whoami.EXE Execution From Privileged Process
Detects the execution of "whoami.exe" by privileged accounts that are often abused by threat actors
Group Membership Reconnaissance Via Whoami.EXE
Detects the execution of whoami.exe with the /groups command line flag to show group membership for the current user, including group type, security identifiers (SID), and attributes.
Whoami.EXE Execution With Output Option
Detects the execution of "whoami.exe" with the "/FO" flag to choose CSV as output format or with redirection options to export the results to a file for later use.
Whoami.EXE Execution Anomaly
Detects the execution of whoami.exe with suspicious parent processes.
Security Privileges Enumeration Via Whoami.EXE
Detects a whoami.exe executed with the /priv command line flag instructing the tool to show all current user privileges. This is often used after a privilege escalation attempt.
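Worked detection example (added here; it is not one of the Nextron Systems rule files and not the project's own code): a minimal Python matcher that approximates the two wbadmin backup-deletion rules and the whoami rules above with Sigma-style case-insensitive contains/endswith selections, and runs them over constructed process-creation events. The selection strings are simplified assumptions for illustration, not the exact logic of the published rules; consult the real rule files for that.

```python
from typing import Dict, List, Tuple

# Constructed Sysmon Event ID 1 style process-creation events (sample data,
# not real telemetry). Field names follow the Sigma process_creation category.
EVENTS: List[Dict[str, str]] = [
    {"Image": r"C:\Windows\System32\wbadmin.exe",
     "CommandLine": "wbadmin delete catalog -quiet",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\wbadmin.exe",
     "CommandLine": "wbadmin delete systemstatebackup -keepVersions:0",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\wbadmin.exe",
     "CommandLine": "wbadmin get versions",          # benign: no deletion
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\whoami.exe",
     "CommandLine": "whoami /priv",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\whoami.exe",
     "CommandLine": "whoami /groups",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\whoami.exe",
     "CommandLine": r"whoami /all /fo csv > C:\Users\Public\w.txt",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"Image": r"C:\Windows\System32\whoami.exe",
     "CommandLine": "whoami",                         # odd parent: IIS worker
     "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe"},
    {"Image": r"C:\Windows\System32\whoami.exe",
     "CommandLine": "whoami",                         # benign interactive use
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
]

# Hypothetical, simplified approximations of the listed rules' selections.
# "all"/"any" are case-insensitive CommandLine substrings (Sigma's default
# 'contains' semantics); "parent_any" matches ParentImage with 'endswith'.
RULES: List[Dict] = [
    {"name": "All Backups Deleted Via Wbadmin.EXE", "image": r"\wbadmin.exe",
     "all": ["delete"], "any": ["catalog", "-keepversions:0"]},
    {"name": "Windows Backup Deleted Via Wbadmin.EXE", "image": r"\wbadmin.exe",
     "all": ["delete"], "any": ["backup", "catalog"]},
    {"name": "Security Privileges Enumeration Via Whoami.EXE",
     "image": r"\whoami.exe", "all": ["/priv"]},
    {"name": "Enumerate All Information With Whoami.EXE",
     "image": r"\whoami.exe", "all": ["/all"]},
    {"name": "Group Membership Reconnaissance Via Whoami.EXE",
     "image": r"\whoami.exe", "all": ["/groups"]},
    {"name": "Whoami.EXE Execution With Output Option",
     "image": r"\whoami.exe", "any": ["/fo", ">"]},
    {"name": "Whoami.EXE Execution Anomaly", "image": r"\whoami.exe",
     "parent_any": [r"\w3wp.exe", r"\httpd.exe", r"\mshta.exe"]},
]


def match(rule: Dict, event: Dict[str, str]) -> bool:
    """Return True when every selection in `rule` matches `event`."""
    image = event.get("Image", "").lower()
    cmd = event.get("CommandLine", "").lower()
    parent = event.get("ParentImage", "").lower()
    if not image.endswith(rule["image"].lower()):
        return False
    if not all(s in cmd for s in rule.get("all", [])):
        return False
    any_of = rule.get("any")
    if any_of and not any(s in cmd for s in any_of):
        return False
    parent_any = rule.get("parent_any")
    if parent_any and not any(parent.endswith(p.lower()) for p in parent_any):
        return False
    return True


def evaluate(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Run every rule over every event; return (rule name, CommandLine) hits."""
    return [(r["name"], e["CommandLine"])
            for e in events for r in RULES if match(r, e)]


if __name__ == "__main__":
    for name, cmd in evaluate(EVENTS):
        print(f"[{name}] {cmd}")
```

Note that the two wbadmin rules overlap on purpose, as the real pair does: the broader "Windows Backup Deleted" selection catches any deletion, while the narrower "All Backups Deleted" selection only fires on catalog deletion or a `-keepVersions:0` sweep, so a SIEM can assign them different severities. The benign `wbadmin get versions` and the interactive `whoami` from cmd.exe produce no hits, which is the false-positive behaviour a practitioner should confirm before deploying any rule of this shape.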
Suspicious WindowsTerminal Child Processes
Detects suspicious child processes spawned via the Windows Terminal application, which could be a sign of persistence via Windows Terminal
Add New Download Source To Winget
Detects usage of winget to add new additional download sources
Add Insecure Download Source To Winget
Detects usage of winget to add a new insecure (http) download source. Winget will not allow the addition of insecure sources, hence this could indicate potential suspicious activity (or typos)
Add Potential Suspicious New Download Source To Winget
Detects usage of winget to add new potentially suspicious download sources
Install New Package Via Winget Local Manifest
Detects usage of winget to install applications via a local manifest file. The manifest option installs an application by passing a YAML file directly to the client; the manifest can point winget at exe, msi or msix installers that it then downloads and runs, so adversaries can abuse it to fetch and execute payloads.
Winrar Compressing Dump Files
Detects execution of WinRAR in order to compress a file with a ".dmp"/".dump" extension, which could be a step in a process of dump file exfiltration.
Potentially Suspicious Child Process Of WinRAR.EXE
Detects potentially suspicious child processes of WinRAR.exe.
WinRAR Execution in Non-Standard Folder
Detects a suspicious WinRAR execution in a folder which is not the default installation folder
Winrs Local Command Execution
Detects the execution of Winrs.exe where it is used to execute commands locally. Commands executed this way are launched under Winrshost.exe and can represent proxy execution used for defense evasion or lateral movement.