Sigma Rules
1,405 rules found for "Nextron Systems"
UAC Bypass via Sdclt
Detects the pattern of UAC Bypass using registry key manipulation of sdclt.exe (e.g. UACMe 53)
UAC Bypass Abusing Winsat Path Parsing - Registry
Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52)
UAC Bypass Using Windows Media Player - Registry
Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32)
UAC Notification Disabled
Detects when an attacker tries to disable User Account Control (UAC) notification by tampering with the "UACDisableNotify" value. UAC is a critical security feature in Windows that prevents unauthorized changes to the operating system. It prompts the user for permission or an administrator password before allowing actions that could affect the system's operation or change settings that affect other users. When "UACDisableNotify" is set to 1, UAC prompts are suppressed.
VBScript Payload Stored in Registry
Detects VBScript content stored into registry keys as seen being used by UNC2452 group
Windows Vulnerable Driver Blocklist Disabled
Detects when the Windows Vulnerable Driver Blocklist is set to disabled. This setting is crucial for preventing the loading of known vulnerable drivers, and its modification may indicate an attempt to bypass security controls. It is often targeted by threat actors to facilitate the installation of malicious or vulnerable drivers, particularly in scenarios involving Endpoint Detection and Response (EDR) bypass techniques. This rule applies to systems that support the Vulnerable Driver Blocklist feature, including Windows 10 version 1903 and later, and Windows Server 2022 and later. Note that this change will require a reboot to take effect, and this rule only detects the registry modification action.
Disable Windows Defender Functionalities Via Registry Keys
Detects when attackers or tools disable Windows Defender functionalities via the Windows registry
Winget Admin Settings Modification
Detects changes to the AppInstaller (winget) admin settings. Such as enabling local manifest installations or disabling installer hash checks
Enable Local Manifest Installation With Winget
Detects changes to the AppInstaller (winget) policy. Specifically the activation of the local manifest installation, which allows a user to install new packages via custom manifests.
Winlogon AllowMultipleTSSessions Enable
Detects when the 'AllowMultipleTSSessions' value is enabled. Which allows for multiple Remote Desktop connection sessions to be opened at once. This is often used by attacker as a way to connect to an RDP session without disconnecting the other users
Sysmon Blocked Executable
Triggers on any Sysmon "FileBlockExecutable" event, which indicates a violation of the configured block policy
Suspicious Encoded Scripts in a WMI Consumer
Detects suspicious encoded payloads in WMI Event Consumers
Suspicious Scripting in a WMI Consumer
Detects suspicious commands that are related to scripting/powershell in WMI Event Consumers