Sigma Rules
125 rules found for "Florian Roth (Nextron Systems)"
Possible Exploitation of Exchange RCE CVE-2021-42321
Detects log entries that appear in exploitation attempts against MS Exchange RCE CVE-2021-42321
Grafana Path Traversal Exploitation CVE-2021-43798
Detects a successful Grafana path traversal exploitation
Log4j RCE CVE-2021-44228 Generic
Detects exploitation attempt against log4j RCE vulnerability reported as CVE-2021-44228 (Log4Shell)
Log4j RCE CVE-2021-44228 in Fields
Detects exploitation attempt against log4j RCE vulnerability reported as CVE-2021-44228 in different header fields found in web server logs (Log4Shell)
Exchange ProxyShell Pattern
Detects URL patterns that could be found in ProxyShell exploitation attempts against Exchange servers (failed and successful)
Successful Exchange ProxyShell Attack
Detects URP patterns and status codes that indicate a successful ProxyShell exploitation attack against Exchange servers
Suspicious RazerInstaller Explorer Subprocess
Detects a explorer.exe sub process of the RazerInstaller software which can be invoked from the installer to select a different installation folder but can also be exploited to escalate privileges to LOCAL SYSTEM
Potential SystemNightmare Exploitation Attempt
Detects an exploitation attempt of SystemNightmare in order to obtain a shell as LOCAL_SYSTEM
SonicWall SSL/VPN Jarrewrite Exploitation
Detects exploitation attempts of the SonicWall Jarrewrite Exploit
Potential BlackByte Ransomware Activity
Detects command line patterns used by BlackByte ransomware in different operations
DarkSide Ransomware Pattern
Detects DarkSide Ransomware and helpers
FoggyWeb Backdoor DLL Loading
Detects DLL hijacking technique used by NOBELIUM in their FoggyWeb backdoor. Which loads a malicious version of the expected "version.dll" dll
HAFNIUM Exchange Exploitation Activity
Detects activity observed by different researchers to be HAFNIUM group activity (or related) on Exchange servers
Exchange Exploitation Used by HAFNIUM
Detects exploitation attempts in Exchange server logs as described in blog posts reporting on HAFNIUM group activity
REvil Kaseya Incident Malware Patterns
Detects process command line patterns and locations used by REvil group in Kaseya incident (can also match on other malware)
APT PRIVATELOG Image Load Pattern
Detects an image load pattern as seen when a tool named PRIVATELOG is used and rarely observed under legitimate circumstances
DEWMODE Webshell Access
Detects access to DEWMODE webshell as described in FIREEYE report
CVE-2022-24527 Microsoft Connected Cache LPE
Detects files created during the local privilege exploitation of CVE-2022-24527 Microsoft Connected Cache
Potential CVE-2022-26809 Exploitation Attempt
Detects suspicious remote procedure call (RPC) service anomalies based on the spawned sub processes (long shot to detect the exploitation of vulnerabilities like CVE-2022-26809)
Potential KDC RC4-HMAC Downgrade Exploit - CVE-2022-37966
Detects the exploitation of a security bypass and elevation of privilege vulnerability with Authentication Negotiation by using weak RC4-HMAC negotiation
Suspicious Sysmon as Execution Parent
Detects suspicious process executions in which Sysmon itself is the parent of a process, which could be a sign of exploitation (e.g. CVE-2022-41120)
Hermetic Wiper TG Process Patterns
Detects process execution patterns found in intrusions related to the Hermetic Wiper malware attacks against Ukraine in February 2022
MERCURY APT Activity
Detects suspicious command line patterns seen being used by MERCURY APT
Potential CVE-2023-2283 Exploitation
Detects potential exploitation attempt of CVE-2023-2283 an authentication bypass in libSSH. The exploitation method causes an error message stating that keys for curve25519 could not be generated. It is an error message that is a sign of an exploitation attempt. It is not a sign of a successful exploitation.
Potential MOVEit Transfer CVE-2023-34362 Exploitation - File Activity
Detects file indicators of potential exploitation of MOVEit CVE-2023-34362.
Potential Exploitation Attempt Of Undocumented WindowsServer RCE
Detects potential exploitation attempt of undocumented Windows Server Pre Auth Remote Code Execution (RCE)
Qakbot Uninstaller Execution
Detects the execution of the Qakbot uninstaller file mentioned in the USAO-CDCA document on the disruption of the Qakbot malware and botnet
Potential Operation Triangulation C2 Beaconing Activity - DNS
Detects potential beaconing activity to domains used in 0day attacks on iOS devices and revealed by Kaspersky and the FSB
Potential Operation Triangulation C2 Beaconing Activity - Proxy
Detects potential beaconing activity to domains used in 0day attacks on iOS devices and revealed by Kaspersky and the FSB