Sigma Rules
1,405 rules found for "Nextron Systems"
HackTool - BabyShark Agent Default URL Pattern
Detects Baby Shark C2 Framework default communication patterns
HackTool - CobaltStrike Malleable Profile Patterns - Proxy
Detects cobalt strike malleable profiles patterns (URI, User-Agents, Methods).
HackTool - Empire UserAgent URI Combo
Detects user agent and URI paths used by empire agents
PwnDrp Access
Detects downloads from PwnDrp web servers developed for red team testing and most likely also used for criminal activity
Raw Paste Service Access
Detects direct access to raw pastes in different paste services often used by malware in their second stages to download malicious code in encrypted or encoded form
Flash Player Update from Suspicious Location
Detects a flashplayer update from an unofficial location
Telegram API Access
Detects suspicious requests to Telegram API without the usual Telegram User-Agent
APT User Agent
Detects suspicious user agent strings used in APT malware in proxy logs
Suspicious Base64 Encoded User-Agent
Detects suspicious encoded User-Agent strings, as seen used by some malware.
Bitsadmin to Uncommon IP Server Address
Detects Bitsadmin connections to IP addresses instead of FQDN names
Bitsadmin to Uncommon TLD
Detects Bitsadmin connections to domains with uncommon TLDs
Crypto Miner User Agent
Detects suspicious user agent strings used by crypto miners in proxy logs
HTTP Request With Empty User Agent
Detects a potentially suspicious empty user agent strings in proxy log. Could potentially indicate an uncommon request method.
Exploit Framework User Agent
Detects suspicious user agent strings used by exploit / pentest frameworks like Metasploit in proxy logs
Hack Tool User Agent
Detects suspicious user agent strings user by hack tools in proxy logs
Malware User Agent
Detects suspicious user agent strings used by malware in proxy logs
Windows PowerShell User Agent
Detects Windows PowerShell Web Access
Suspicious User Agent
Detects suspicious malformed user agent strings in proxy logs
Potential Base64 Encoded User-Agent
Detects User Agent strings that end with an equal sign, which can be a sign of base64 encoding.
F5 BIG-IP iControl Rest API Command Execution - Webserver
Detects POST requests to the F5 BIG-IP iControl Rest API "bash" endpoint, which allows the execution of commands on the BIG-IP
JNDIExploit Pattern
Detects exploitation attempt using the JNDI-Exploit-Kit
Path Traversal Exploitation Attempts
Detects path traversal exploitation attempts
SQL Injection Strings In URI
Detects potential SQL injection attempts via GET requests in access logs.
Server Side Template Injection Strings
Detects SSTI attempts sent via GET requests in access logs
Suspicious User-Agents Related To Recon Tools
Detects known suspicious (default) user-agents related to scanning/recon tools
Suspicious Windows Strings In URI
Detects suspicious Windows strings in URI which could indicate possible exfiltration or webshell communication
Windows Webshell Strings
Detects common commands used in Windows webshells
Cross Site Scripting Strings
Detects XSS attempts injected via GET requests in access logs
LSASS Process Crashed - Application
Detects Windows error reporting events where the process that crashed is LSASS (Local Security Authority Subsystem Service). This could be the cause of a provoked crash by techniques such as Lsass-Shtinkering to dump credentials.
Microsoft Malware Protection Engine Crash
This rule detects a suspicious crash of the Microsoft Malware Protection Engine
Ntdsutil Abuse
Detects potential abuse of ntdsutil to dump ntds.dit database
Dump Ntds.dit To Suspicious Location
Detects potential abuse of ntdsutil to dump ntds.dit database to a suspicious location
Audit CVE Event
Detects events generated by user-mode applications when they call the CveEventWrite API when a known vulnerability is trying to be exploited. MS started using this log in Jan. 2020 with CVE-2020-0601 (a Windows CryptoAPI vulnerability. Unfortunately, that is about the only instance of CVEs being written to this log.
Backup Catalog Deleted
Detects backup catalog deletions
MSI Installation From Suspicious Locations
Detects MSI package installation from suspicious locations
MSSQL Add Account To Sysadmin Role
Detects when an attacker tries to backdoor the MSSQL server by adding a backdoor account to the sysadmin fixed server role
MSSQL Disable Audit Settings
Detects when an attacker calls the "ALTER SERVER AUDIT" or "DROP SERVER AUDIT" transaction in order to delete or disable audit logs on the server
MSSQL Server Failed Logon
Detects failed logon attempts from clients to MSSQL server.
MSSQL SPProcoption Set
Detects when the a stored procedure is set or cleared for automatic execution in MSSQL. A stored procedure that is set to automatic execution runs every time an instance of SQL Server is started
MSSQL XPCmdshell Suspicious Execution
Detects when the MSSQL "xp_cmdshell" stored procedure is used to execute commands
MSSQL XPCmdshell Option Change
Detects when the MSSQL "xp_cmdshell" stored procedure setting is changed.
Relevant Anti-Virus Signature Keywords In Application Log
Detects potentially highly relevant antivirus events in the application log based on known virus signature names and malware keywords.
Microsoft Malware Protection Engine Crash - WER
This rule detects a suspicious crash of the Microsoft Malware Protection Engine
Sysinternals Tools AppX Versions Execution
Detects execution of Sysinternals tools via an AppX package. Attackers could install the Sysinternals Suite to get access to tools such as psexec and procdump to avoid detection based on System paths.
Remote AppX Package Downloaded from File Sharing or CDN Domain
Detects an appx package that was added to the pipeline of the "to be processed" packages which was downloaded from a file sharing or CDN domain.
AppX Package Deployment Failed Due to Signing Requirements
Detects an appx package deployment / installation with the error code "0x80073cff" which indicates that the package didn't meet the signing requirements.
AppX Located in Known Staging Directory Added to Deployment Pipeline
Detects an appx package that was added to the pipeline of the "to be processed" packages that is located in a known folder often used as a staging directory.
Potential Malicious AppX Package Installation Attempts
Detects potential installation or installation attempts of known malicious appx packages