Sigma Rules
1,405 rules found for "Nextron Systems"
Potential Persistence Via AppCompat RegisterAppRestart Layer
Detects the setting of the REGISTERAPPRESTART compatibility layer on an application. This compatibility layer allows an application to register for restart using the "RegisterApplicationRestart" API. This can be potentially abused as a persistence mechanism.
Potential Persistence Via App Paths Default Property
Detects changes to the "Default" property for keys located under the \Software\Microsoft\Windows\CurrentVersion\App Paths\ registry key, which might be used as a method of persistence. The entries found under App Paths are used primarily for two purposes: first, to map an application's executable file name to that file's fully qualified path; second, to prepend information to the PATH environment variable on a per-application, per-process basis.
Potential Persistence Via AutodialDLL
Detects changes to the "AutodialDLL" key, which could be used as a persistence method to load a custom DLL via the "ws2_32" library
Potential Persistence Via CHM Helper DLL
Detects when an attacker modifies the registry key "HtmlHelp Author" to achieve persistence
COM Object Hijacking Via Modification Of Default System CLSID Default Value
Detects potential COM object hijacking via modification of default system CLSID.
Potential Persistence Via Custom Protocol Handler
Detects potential persistence activity via the registration of a new custom protocol handler. While legitimate applications often register protocol handlers during installation, an attacker can abuse this by setting a custom handler to be used as a persistence mechanism.
Potential Persistence Via Event Viewer Events.asp
Detects potential registry persistence technique using the Event Viewer "Events.asp" technique
Potential Persistence Via GlobalFlags
Detects registry persistence technique using the GlobalFlags and SilentProcessExit keys
Register New IFilter For Persistence
Detects when an attacker registers a new IFilter for an extension. Microsoft Windows Search uses filters to extract the content of items for inclusion in a full-text index. You can extend Windows Search to index new or proprietary file types by writing filters to extract the content, and property handlers to extract the properties of files.
Potential Persistence Via LSA Extensions
Detects when an attacker modifies the "REG_MULTI_SZ" value named "Extensions" to include a custom DLL to achieve persistence via lsass. The "Extensions" list contains filenames of DLLs being automatically loaded by lsass.exe. Each DLL has its InitializeLsaExtension() method called after loading.
Potential Persistence Via Mpnotify
Detects when an attacker registers a new SIP provider for persistence and defense evasion
Potential Persistence Via MyComputer Registry Keys
Detects modification to the "Default" value of the "MyComputer" key and subkeys to point to a custom binary that will be launched whenever the associated action is executed (see reference section for example)
Potential Persistence Via DLLPathOverride
Detects when an attacker adds a new "DLLPathOverride" value to the "Natural Language" key in order to achieve persistence; the DLL will get invoked by the "SearchIndexer.exe" process
Suspicious Shim Database Patching Activity
Detects installation of new shim databases that try to patch sections of known processes for potential process injection or persistence.
Potential Persistence Via Shim Database In Uncommon Location
Detects the installation of a new shim database where the file is located in a non-default location
Potential Persistence Via TypedPaths
Detects modifications or additions to the 'TypedPaths' key in the user or admin registry from a non-standard application, which might indicate a persistence attempt
Potential Attachment Manager Settings Associations Tamper
Detects tampering with attachment manager settings policies associations to lower the default file type risks (See reference for more information)
Potential Attachment Manager Settings Attachments Tamper
Detects tampering with attachment manager settings policies attachments (See reference for more information)
Potential ClickFix Execution Pattern - Registry
Detects potential ClickFix malware execution patterns by monitoring registry modifications in RunMRU keys containing HTTP/HTTPS links. ClickFix is known to be distributed through phishing campaigns and uses techniques like clipboard hijacking and fake CAPTCHA pages. Through the fake CAPTCHA pages, the adversary tricks users into opening the Run dialog box and pasting clipboard-hijacked content, such as one-liners that execute remotely hosted malicious files or scripts.
Registry Modification for OCI DLL Redirection
Detects registry modifications related to 'OracleOciLib' and 'OracleOciLibPath' under 'MSDTC' settings. Threat actors may modify these registry keys to redirect the loading of 'oci.dll' to a malicious DLL, facilitating phantom DLL hijacking via the MSDTC service.
PowerShell Script Execution Policy Enabled
Detects the enabling of the PowerShell script execution policy. Once enabled, this policy allows scripts to be executed.
Potential PowerShell Execution Policy Tampering
Detects changes to the PowerShell execution policy in order to bypass signing requirements for script execution
Suspicious PowerShell In Registry Run Keys
Detects potential PowerShell commands or code within registry run keys
Suspicious Execution Of Renamed Sysinternals Tools - Registry
Detects the creation of the "accepteula" key related to the Sysinternals tools being created from executables with the wrong name (e.g. a renamed Sysinternals tool)
PUA - Sysinternals Tools Execution - Registry
Detects the execution of some potentially unwanted tools such as PsExec, Procdump, etc. (part of the Sysinternals suite) via the creation of the "accepteula" registry key.
Usage of Renamed Sysinternals Tools - RegistrySet
Detects non-Sysinternals tools setting the "accepteula" key, which is normally set on Sysinternals tool execution
ETW Logging Disabled For rpcrt4.dll
Detects changes to the "ExtErrorInformation" key in order to disable ETW logging for rpcrt4.dll
Potentially Suspicious Command Executed Via Run Dialog Box - Registry
Detects execution of commands via the run dialog box on Windows by checking values of the "RunMRU" registry key. This technique was seen being abused by threat actors to deceive users into pasting and executing malicious commands, often disguised as CAPTCHA verification steps.
Potential SentinelOne Shell Context Menu Scan Command Tampering
Detects potentially suspicious changes to the SentinelOne context menu scan command by a process other than SentinelOne.
ETW Logging Disabled For SCM
Detects changes to the "TracingDisabled" key in order to disable ETW logging for services.exe (SCM)
Persistence Via New SIP Provider
Detects when an attacker registers a new SIP provider for persistence and defense evasion
Tamper With Sophos AV Registry Keys
Detects tampering attempts against Sophos AV functionality via registry key modification
Hiding User Account Via SpecialAccounts Registry Key
Detects modifications to the registry key "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\Userlist" where the value is set to "0" in order to hide the user account from being listed on the logon screen.
Suspicious Environment Variable Has Been Registered
Detects the creation of user-specific or system-wide environment variables via the registry that contain suspicious commands and strings
Suspicious Keyboard Layout Load
Detects the keyboard preload installation with a suspicious keyboard layout, e.g. a Chinese, Iranian or Vietnamese layout loaded in a user session on systems maintained by US staff only
Suspicious Printer Driver Empty Manufacturer
Detects a suspicious printer driver installation with an empty Manufacturer value
Registry Persistence via Explorer Run Key
Detects a possible persistence mechanism using RUN key for Windows Explorer and pointing to a suspicious folder
Suspicious Space Characters in RunMRU Registry Path - ClickFix
Detects the occurrence of numerous space characters in RunMRU registry paths, which may indicate execution via phishing lures using ClickFix techniques to hide malicious commands in the Windows Run dialog box from the naked eye.
New RUN Key Pointing to Suspicious Folder
Detects suspicious new RUN key element pointing to an executable in a suspicious folder
Suspicious Shell Open Command Registry Modification
Detects modifications to shell open registry keys that point to suspicious locations typically used by malware for persistence. Generally, modifications to the `*\shell\open\command` registry key can indicate an attempt to change the default action for opening files, and various UAC bypass or persistence techniques involve modifying these keys to execute malicious scripts or binaries.
Suspicious Space Characters in TypedPaths Registry Path - FileFix
Detects the occurrence of numerous space characters in TypedPaths registry paths, which may indicate execution via phishing lures using FileFix techniques to hide malicious commands.
Modify User Shell Folders Startup Value
Detects modification of the User Shell Folders registry values for Startup or Common Startup, which could indicate persistence attempts. Attackers may modify User Shell Folders registry keys to point to malicious executables or scripts that will be executed during startup. This technique is often used to maintain persistence on a compromised system by ensuring that the malicious payload is executed automatically.
Enable LM Hash Storage
Detects changes to the "NoLMHash" registry value in order to allow Windows to store LM hashes. By setting this registry value to "0" (DWORD), Windows will be allowed to store a LAN Manager hash of your password in Active Directory and local SAM databases.
RDP Sensitive Settings Changed to Zero
Detects tampering with sensitive RDP Terminal Service/Server settings, such as allowing unauthorized users access to a system via 'fAllowUnsolicited' or enabling RDP via 'fDenyTSConnections'.
RDP Sensitive Settings Changed
Detects tampering with sensitive RDP Terminal Service/Server settings, such as allowing unauthorized users access to a system via 'fAllowUnsolicited' or enabling RDP via 'fDenyTSConnections'. Below is a list of registry keys/values that are monitored by this rule:
- Shadow: Used to enable Remote Desktop shadowing, which allows an administrator to view or control a user's session.
- DisableRemoteDesktopAntiAlias: Disables anti-aliasing for remote desktop sessions.
- DisableSecuritySettings: Disables certain security settings for Remote Desktop connections.
- fAllowUnsolicited: Allows unsolicited remote assistance offers.
- fAllowUnsolicitedFullControl: Allows unsolicited remote assistance offers with full control.
- InitialProgram: Specifies a program to run automatically when a user logs on to a remote computer.
- ServiceDll: Used in RDP hijacking techniques to specify a custom DLL to be loaded by the Terminal Services service.
- SecurityLayer: Specifies the security layer used for RDP connections.
Old TLS1.0/TLS1.1 Protocol Version Enabled
Detects applications or users re-enabling old TLS versions by setting the "Enabled" value to "1" for the "Protocols" registry key.
Potential Signing Bypass Via Windows Developer Features - Registry
Detects the enablement of developer features such as "Developer Mode" or "Application Sideloading", which allows the user to install untrusted packages.
UAC Bypass via Event Viewer
Detects UAC bypass method using Windows event viewer