Sigma Rules
498 rules found for "Florian Roth (Nextron Systems)"
Password Protected ZIP File Opened (Suspicious Filenames)
Detects the extraction of password protected ZIP archives with suspicious file names. See the filename variable for more details on which file has been opened.
Password Protected ZIP File Opened (Email Attachment)
Detects the extraction of password protected ZIP archives. See the filename variable for more details on which file has been opened.
Suspicious Kerberos RC4 Ticket Encryption
Detects service ticket requests using RC4 encryption type
User Added to Local Administrator Group
Detects the addition of a new member to the local administrator group, which could be legitimate activity or a sign of privilege escalation activity
WMI Persistence - Security
Detects suspicious WMI event filter and command line event consumer based on WMI and Security Logs.
Suspicious Rejected SMB Guest Logon From IP
Detect Attempt PrintNightmare (CVE-2021-1675) Remote code execution in Windows Spooler Service
Local Privilege Escalation Indicator TabTip
Detects the invocation of TabTip via CLSID as seen when JuicyPotatoNG is used on a system in brute force mode
Eventlog Cleared
One of the Windows Eventlogs has been cleared. e.g. caused by "wevtutil cl" command execution
Important Windows Eventlog Cleared
Detects the clearing of one of the Windows Core Eventlogs. e.g. caused by "wevtutil cl" command execution
Critical Hive In Suspicious Location Access Bits Cleared
Detects events from the Kernel-General ETW indicating that the access bits of a hive with a system like hive name located in the temp directory have been reset. This occurs when an application tries to access a hive and the hive has not be recognized since the last 7 days (by default). Registry hive dumping utilities such as QuarksPwDump were seen emitting this behavior.
NTFS Vulnerability Exploitation
This the exploitation of a NTFS vulnerability as reported without many details via Twitter
CobaltStrike Service Installations - System
Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement
Credential Dumping Tools Service Execution - System
Detects well-known credential dumping tools execution via service execution events
Meterpreter or Cobalt Strike Getsystem Service Installation - System
Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation
HackTool Service Registration or Execution
Detects installation or execution of services
ProcessHacker Privilege Elevation
Detects a ProcessHacker tool that elevated privileges to a very high level
Sliver C2 Default Service Installation
Detects known malicious service installation that appear in cases in which a Sliver implants execute the PsExec commands
Suspicious Service Installation
Detects suspicious service installation commands
Uncommon Service Installation Image Path
Detects uncommon service installation commands by looking at suspicious or uncommon image path values containing references to encoded powershell commands, temporary paths, etc.
Ngrok Usage with Remote Desktop Service
Detects cases in which ngrok, a reverse proxy tool, forwards events to the local RDP port, which could be a sign of malicious behaviour
Mimikatz Use
This method detects mimikatz keywords in different Eventlogs (some of them only appear in older Mimikatz version that are however still used by different threat groups)
WMI Persistence
Detects suspicious WMI event filter and command line event consumer based on WMI and Security Logs.
HackTool - Potential CobaltStrike Process Injection
Detects a potential remote threat creation with certain characteristics which are typical for Cobalt Strike beacons
Remote Thread Creation Via PowerShell In Uncommon Target
Detects the creation of a remote thread from a Powershell process in an uncommon target process
Remote Thread Creation In Uncommon Target Image
Detects uncommon target processes for remote thread creation
Hidden Executable In NTFS Alternate Data Stream
Detects the creation of an ADS (Alternate Data Stream) that contains an executable by looking at a non-empty Imphash
Suspicious File Download From File Sharing Websites - File Stream
Detects the download of suspicious file type from a well-known file and paste sharing domain
Unusual File Download From File Sharing Websites - File Stream
Detects the download of suspicious file type from a well-known file and paste sharing domain
HackTool Named File Stream Created
Detects the creation of a named file stream with the imphash of a well-known hack tool
Unusual File Download from Direct IP Address
Detects the download of suspicious file type from URLs with IP
Potentially Suspicious File Download From ZIP TLD
Detects the download of a file with a potentially suspicious extension from a .zip top level domain.
Suspicious Cobalt Strike DNS Beaconing - Sysmon
Detects a program that invoked suspicious DNS queries known from Cobalt Strike beacons
TeamViewer Domain Query By Non-TeamViewer Application
Detects DNS queries to a TeamViewer domain only resolved by a TeamViewer client by an image that isn't named TeamViewer (sometimes used by threat actors for obfuscation)
PUA - Process Hacker Driver Load
Detects driver load of the Process Hacker tool
PUA - System Informer Driver Load
Detects driver load of the System Informer tool
Driver Load From A Temporary Directory
Detects a driver load from a temporary directory
Vulnerable WinRing0 Driver Load
Detects the load of a signed WinRing0 driver often used by threat actors, crypto miners (XMRIG) or malware for privilege escalation
WinDivert Driver Load
Detects the load of the Windiver driver, a powerful user-mode capture/sniffing/modification/blocking/re-injection package for Windows
Suspicious ASPX File Drop by Exchange
Detects suspicious file type dropped by an Exchange component in IIS into a suspicious folder
Suspicious File Drop by Exchange
Detects suspicious file type dropped by an Exchange component in IIS
HackTool - Dumpert Process Dumper Default File
Detects the creation of the default dump file used by Outflank Dumpert tool. A process dumper, which dumps the lsass process memory
HackTool - Typical HiveNightmare SAM File Export
Detects files written by the different tools that exploit HiveNightmare
HackTool - Mimikatz Kirbi File Creation
Detects the creation of files created by mimikatz such as ".kirbi", "mimilsa.log", etc.
HackTool - NPPSpy Hacktool Usage
Detects the use of NPPSpy hacktool that stores cleartext passwords of users that logged in to a local file
HackTool - QuarksPwDump Dump File
Detects a dump file written by QuarksPwDump password dumper
ISO or Image Mount Indicator in Recent Files
Detects the creation of recent element file that points to an .ISO, .IMG, .VHD or .VHDX file as often used in phishing attacks. This can be a false positive on server systems but on workstations users should rarely mount .iso or .img files.
LSASS Process Memory Dump Files
Detects creation of files with names used by different memory dumping tools to create a memory dump of the LSASS process memory, which contains user credentials.
WerFault LSASS Process Memory Dump
Detects WerFault creating a dump file with a name that indicates that the dump file could be an LSASS process memory, which contains user credentials