Sigma Rules
1,774 rules found for "Nextron Systems"
APT PRIVATELOG Image Load Pattern
Detects an image load pattern as seen when a tool named PRIVATELOG is used and rarely observed under legitimate circumstances
DEWMODE Webshell Access
Detects access to DEWMODE webshell as described in FIREEYE report
Potential CVE-2023-21554 QueueJumper Exploitation
Detects potential exploitation of CVE-2023-21554 (dubbed QueueJumper)
CVE-2022-24527 Microsoft Connected Cache LPE
Detects files created during the local privilege exploitation of CVE-2022-24527 Microsoft Connected Cache
Atlassian Confluence CVE-2022-26134
Detects spawning of suspicious child processes by Atlassian Confluence server which may indicate successful exploitation of CVE-2022-26134
Potential CVE-2022-26809 Exploitation Attempt
Detects suspicious remote procedure call (RPC) service anomalies based on the spawned sub processes (long shot to detect the exploitation of vulnerabilities like CVE-2022-26809)
CVE-2022-31656 VMware Workspace ONE Access Auth Bypass
Detects the exploitation of VMware Workspace ONE Access Authentication Bypass vulnerability as described in CVE-2022-31656 VMware Workspace ONE Access, Identity Manager and vRealize Automation contain an authentication bypass vulnerability affecting local domain users. A malicious actor with network access to the UI may be able to obtain administrative access without the need to authenticate.
CVE-2022-31659 VMware Workspace ONE Access RCE
Detects possible exploitation of VMware Workspace ONE Access Admin Remote Code Execution vulnerability as described in CVE-2022-31659
Apache Spark Shell Command Injection - ProcessCreation
Detects attempts to exploit an apache spark server via CVE-2014-6287 from a commandline perspective
Apache Spark Shell Command Injection - Weblogs
Detects attempts to exploit an apache spark server via CVE-2014-6287 from a weblogs perspective
Atlassian Bitbucket Command Injection Via Archive API
Detects attempts to exploit the Atlassian Bitbucket Command Injection CVE-2022-36804
Potential KDC RC4-HMAC Downgrade Exploit - CVE-2022-37966
Detects the exploitation of a security bypass and elevation of privilege vulnerability with Authentication Negotiation by using weak RC4-HMAC negotiation
Potential OWASSRF Exploitation Attempt - Proxy
Detects exploitation attempt of the OWASSRF variant targeting exchange servers It uses the OWA endpoint to access the powershell backend endpoint
OWASSRF Exploitation Attempt Using Public POC - Proxy
Detects exploitation attempt of the OWASSRF variant targeting exchange servers using publicly available POC. It uses the OWA endpoint to access the powershell backend endpoint
Potential OWASSRF Exploitation Attempt - Webserver
Detects exploitation attempt of the OWASSRF variant targeting exchange servers It uses the OWA endpoint to access the powershell backend endpoint
OWASSRF Exploitation Attempt Using Public POC - Webserver
Detects exploitation attempt of the OWASSRF variant targeting exchange servers using publicly available POC. It uses the OWA endpoint to access the powershell backend endpoint
Suspicious Sysmon as Execution Parent
Detects suspicious process executions in which Sysmon itself is the parent of a process, which could be a sign of exploitation (e.g. CVE-2022-41120)
Exploitation Indicator Of CVE-2022-42475
Detects exploitation indicators of CVE-2022-42475 a heap-based buffer overflow in sslvpnd.
Potential Centos Web Panel Exploitation Attempt - CVE-2022-44877
Detects potential exploitation attempts that target the Centos Web Panel 7 Unauthenticated Remote Code Execution CVE-2022-44877
Potential CVE-2022-46169 Exploitation Attempt
Detects potential exploitation attempts that target the Cacti Command Injection CVE-2022-46169
Potential Bumblebee Remote Thread Creation
Detects remote thread injection events based on action seen used by bumblebee
Hermetic Wiper TG Process Patterns
Detects process execution patterns found in intrusions related to the Hermetic Wiper malware attacks against Ukraine in February 2022
Potential Raspberry Robin Dot Ending File
Detects commandline containing reference to files ending with a "." This scheme has been seen used by raspberry-robin
MERCURY APT Activity
Detects suspicious command line patterns seen being used by MERCURY APT
CVE-2023-1389 Potential Exploitation Attempt - Unauthenticated Command Injection In TP-Link Archer AX21
Detects potential exploitation attempt of CVE-2023-1389 an Unauthenticated Command Injection in TP-Link Archer AX21.
MSMQ Corrupted Packet Encountered
Detects corrupted packets sent to the MSMQ service. Could potentially be a sign of CVE-2023-21554 exploitation
Potential CVE-2023-2283 Exploitation
Detects potential exploitation attempt of CVE-2023-2283 an authentication bypass in libSSH. The exploitation method causes an error message stating that keys for curve25519 could not be generated. It is an error message that is a sign of an exploitation attempt. It is not a sign of a successful exploitation.
Outlook Task/Note Reminder Received
Detects changes to the registry values related to outlook that indicates that a reminder was triggered for a Note or Task item. This could be a sign of exploitation of CVE-2023-23397. Further investigation is required to determine the success of an exploitation.
Potential CVE-2023-23397 Exploitation Attempt - SMB
Detects (failed) outbound connection attempts to internet facing SMB servers. This could be a sign of potential exploitation attempts of CVE-2023-23397.
Potential CVE-2023-25157 Exploitation Attempt
Detects a potential exploitation attempt of CVE-2023-25157 a SQL injection in GeoServer
Potential CVE-2023-25717 Exploitation Attempt
Detects a potential exploitation attempt of CVE-2023-25717 a Remote Code Execution via an unauthenticated HTTP GET Request, in Ruckus Wireless Admin
Potential CVE-2023-27997 Exploitation Indicators
Detects indicators of potential exploitation of CVE-2023-27997 in Frotigate weblogs. To avoid false positives it is best to look for successive requests to the endpoints mentioned as well as weird values of the "enc" parameter
Potential MOVEit Transfer CVE-2023-34362 Exploitation - File Activity
Detects file indicators of potential exploitation of MOVEit CVE-2023-34362.
MOVEit CVE-2023-34362 Exploitation Attempt - Potential Web Shell Request
Detects get requests to specific files used during the exploitation of MOVEit CVE-2023-34362
Potential CVE-2023-36874 Exploitation - Uncommon Report.Wer Location
Detects the creation of a "Report.wer" file in an uncommon folder structure. This could be a sign of potential exploitation of CVE-2023-36874.
Potential CVE-2023-36874 Exploitation - Fake Wermgr.Exe Creation
Detects the creation of a file named "wermgr.exe" being created in an uncommon directory. This could be a sign of potential exploitation of CVE-2023-36874.
Potential CVE-2023-36874 Exploitation - Fake Wermgr Execution
Detects the execution of a renamed "cmd", "powershell" or "powershell_ise" binary. Attackers were seen using these binaries in a renamed form as "wermgr.exe" in exploitation of CVE-2023-36874
Potential CVE-2023-36884 Exploitation Dropped File
Detects a specific file being created in the recent folder of Office. These files have been seen being dropped during potential exploitations of CVE-2023-36884
Potential CVE-2023-36884 Exploitation - Share Access
Detects access to a file share with a naming schema seen being used during exploitation of CVE-2023-36884
CVE-2023-38331 Exploitation Attempt - Suspicious Double Extension File
Detects the creation of a file with a double extension and a space by WinRAR. This could be a sign of exploitation of CVE-2023-38331
CVE-2023-38331 Exploitation Attempt - Suspicious WinRAR Child Process
Detects exploitation attempt of CVE-2023-38331 (WinRAR before v6.23), where an attacker can leverage WinRAR to execute arbitrary commands and binaries.
CVE-2023-40477 Potential Exploitation - .REV File Creation
Detects the creation of ".rev" files by WinRAR. Could be indicative of potential exploitation of CVE-2023-40477. Look for a suspicious execution shortly after creation or a WinRAR application crash.
CVE-2023-40477 Potential Exploitation - WinRAR Application Crash
Detects a crash of "WinRAR.exe" where the version is lower than 6.23. This could indicate potential exploitation of CVE-2023-40477
Potential Information Disclosure CVE-2023-43261 Exploitation - Proxy
Detects exploitation attempts of CVE-2023-43261 and information disclosure in Milesight UR5X, UR32L, UR32, UR35, UR41 before v35.3.0.7 that allows attackers to access sensitive router components in proxy logs.
Potential Information Disclosure CVE-2023-43261 Exploitation - Web
Detects exploitation attempts of CVE-2023-43261 and information disclosure in Milesight UR5X, UR32L, UR32, UR35, UR41 before v35.3.0.7 that allows attackers to access sensitive router components in access logs.
Potential CVE-2023-46214 Exploitation Attempt
Detects potential exploitation of CVE-2023-46214, a remote code execution (RCE) in Splunk Enterprise through insecure XML parsing
CVE-2023-46747 Exploitation Activity - Proxy
Detects exploitation activity of CVE-2023-46747 an unauthenticated remote code execution vulnerability in F5 BIG-IP.
CVE-2023-46747 Exploitation Activity - Webserver
Detects exploitation activity of CVE-2023-46747 an unauthenticated remote code execution vulnerability in F5 BIG-IP.