Sigma Rules
1,774 rules found for "Nextron Systems"
CVE-2023-4966 Exploitation Attempt - Citrix ADC Sensitive Information Disclosure - Proxy
Detects exploitation attempt of CVE-2023-4966 a Citrix ADC and NetScaler Gateway sensitive information disclosure vulnerability via proxy logs by looking for a very long host header string.
CVE-2023-4966 Potential Exploitation Attempt - Citrix ADC Sensitive Information Disclosure - Proxy
Detects potential exploitation attempt of CVE-2023-4966 a Citrix ADC and NetScaler Gateway sensitive information disclosure vulnerability via proxy logs.
CVE-2023-4966 Potential Exploitation Attempt - Citrix ADC Sensitive Information Disclosure - Webserver
Detects potential exploitation attempt of CVE-2023-4966 a Citrix ADC and NetScaler Gateway sensitive information disclosure vulnerability via webserver logs.
CVE-2023-4966 Exploitation Attempt - Citrix ADC Sensitive Information Disclosure - Webserver
Detects exploitation attempt of CVE-2023-4966 a Citrix ADC and NetScaler Gateway sensitive information disclosure vulnerability via webserver logs by looking for a very long host header string.
Potential Exploitation Attempt Of Undocumented WindowsServer RCE
Detects potential exploitation attempt of undocumented Windows Server Pre Auth Remote Code Execution (RCE)
Potential COLDSTEEL RAT File Indicators
Detects the creation of a file named "dllhost.exe" in the "C:\users\public\Documents\" directory. Seen being used by the COLDSTEEL RAT in some of its variants.
Potential COLDSTEEL Persistence Service DLL Creation
Detects the creation of a file in a specific location and with a specific name related to COLDSTEEL RAT
Potential COLDSTEEL Persistence Service DLL Load
Detects a suspicious DLL load by an "svchost" process based on location and name that might be related to ColdSteel RAT. This DLL location and name has been seen used by ColdSteel as the service DLL for its persistence mechanism
COLDSTEEL RAT Anonymous User Process Execution
Detects the creation of a process executing as user called "ANONYMOUS" seen used by the "MileStone2016" variant of COLDSTEEL
COLDSTEEL RAT Cleanup Command Execution
Detects the creation of a "rundll32" process from the ColdSteel persistence service to initiate the cleanup command by calling one of its own exports. This functionality is not present in "MileStone2017" and some "MileStone2016" samples
COLDSTEEL RAT Service Persistence Execution
Detects the creation of an "svchost" process with specific command line flags, that were seen present and used by ColdSteel RAT
Potential COLDSTEEL RAT Windows User Creation
Detects creation of a new user profile with a specific username, seen being used by some variants of the COLDSTEEL RAT.
COLDSTEEL Persistence Service Creation
Detects the creation of new services potentially related to COLDSTEEL RAT
DarkGate - User Created Via Net.EXE
Detects creation of local users via the net.exe command with the name of "DarkGate"
Griffon Malware Attack Pattern
Detects process execution patterns related to Griffon malware as reported by Kaspersky
IcedID Malware Suspicious Single Digit DLL Execution Via Rundll32
Detects RunDLL32.exe executing a single digit DLL named "1.dll" with the export function "DllRegisterServer". This behaviour was often seen used by malware and especially IcedID
Pikabot Fake DLL Extension Execution Via Rundll32.EXE
Detects specific process tree behavior linked to "rundll32" executions, wherein the associated DLL lacks a common ".dll" extension, often signaling potential Pikabot activity.
Qakbot Regsvr32 Calc Pattern
Detects a specific command line of "regsvr32" where the "calc" keyword is used in conjunction with the "/s" flag. This behavior is often seen used by Qakbot
Potential Qakbot Rundll32 Execution
Detects specific process tree behavior of a "rundll32" execution often linked with potential Qakbot activity.
Qakbot Rundll32 Exports Execution
Detects specific process tree behavior of a "rundll32" execution with exports linked with Qakbot activity.
Qakbot Rundll32 Fake DLL Extension Execution
Detects specific process tree behavior of a "rundll32" execution where the DLL doesn't have the ".dll" extension. This is often linked with potential Qakbot activity.
Qakbot Uninstaller Execution
Detects the execution of the Qakbot uninstaller file mentioned in the USAO-CDCA document on the disruption of the Qakbot malware and botnet
Rorschach Ransomware Execution Activity
Detects Rorschach ransomware execution activity
SNAKE Malware Kernel Driver File Indicator
Detects SNAKE malware kernel driver file indicator
SNAKE Malware Installer Name Indicators
Detects filename indicators associated with the SNAKE malware as reported by CISA in their report
SNAKE Malware WerFault Persistence File Creation
Detects the creation of a file named "WerFault.exe" in the WinSxS directory by a non-system process, which can be indicative of potential SNAKE malware activity
Potential SNAKE Malware Installation CLI Arguments Indicator
Detects a specific command line arguments sequence seen used by SNAKE malware during its installation as described by CISA in their report
Potential SNAKE Malware Installation Binary Indicator
Detects a specific binary name seen used by SNAKE malware during its installation as described by CISA in their report
Potential SNAKE Malware Persistence Service Execution
Detects a specific child/parent process relationship indicative of a "WerFault" process running from the "WinSxS" as a service. This could be indicative of potential SNAKE malware activity as reported by CISA.
SNAKE Malware Covert Store Registry Key
Detects any registry event that targets the key 'SECURITY\Policy\Secrets\n' which is a key related to SNAKE malware as described by CISA
Potential Encrypted Registry Blob Related To SNAKE Malware
Detects the creation of a registry value in the ".wav\OpenWithProgIds" key with an uncommon name. This could be related to SNAKE Malware as reported by CISA
SNAKE Malware Service Persistence
Detects the creation of a service named "WerFaultSvc" which seems to be used by the SNAKE malware as a persistence mechanism as described by CISA in their report
Potential Compromised 3CXDesktopApp Beaconing Activity - DNS
Detects potential beaconing activity to domains related to 3CX 3CXDesktopApp compromise
Malicious DLL Load By Compromised 3CXDesktopApp
Detects DLL load activity of known compromised DLLs used in by the compromised 3CXDesktopApp
Potential Compromised 3CXDesktopApp Beaconing Activity - Netcon
Detects potential beaconing activity to domains related to 3CX 3CXDesktopApp compromise
Potential Compromised 3CXDesktopApp Execution
Detects execution of known compromised version of 3CXDesktopApp
Potential Suspicious Child Process Of 3CXDesktopApp
Detects potential suspicious child processes of "3CXDesktopApp.exe". Which could be related to the 3CXDesktopApp supply chain compromise
Potential Compromised 3CXDesktopApp Update Activity
Detects the 3CXDesktopApp updater downloading a known compromised version of the 3CXDesktopApp software
Potential Compromised 3CXDesktopApp Beaconing Activity - Proxy
Detects potential beaconing activity to domains related to 3CX 3CXDesktopApp compromise
Potential Compromised 3CXDesktopApp ICO C2 File Download
Detects potential malicious .ICO files download from a compromised 3CXDesktopApp via web requests to the the malicious Github repository
Diamond Sleet APT DNS Communication Indicators
Detects DNS queries related to Diamond Sleet APT activity
Diamond Sleet APT File Creation Indicators
Detects file creation activity that is related to Diamond Sleet APT activity
Diamond Sleet APT DLL Sideloading Indicators
Detects DLL sideloading activity seen used by Diamond Sleet APT
Diamond Sleet APT Process Activity Indicators
Detects process creation activity indicators related to Diamond Sleet APT
Diamond Sleet APT Scheduled Task Creation - Registry
Detects registry event related to the creation of a scheduled task used by Diamond Sleet APT during exploitation of Team City CVE-2023-42793 vulnerability
Diamond Sleet APT Scheduled Task Creation
Detects registry event related to the creation of a scheduled task used by Diamond Sleet APT during exploitation of Team City CVE-2023-42793 vulnerability
Potential Operation Triangulation C2 Beaconing Activity - DNS
Detects potential beaconing activity to domains used in 0day attacks on iOS devices and revealed by Kaspersky and the FSB
Potential Operation Triangulation C2 Beaconing Activity - Proxy
Detects potential beaconing activity to domains used in 0day attacks on iOS devices and revealed by Kaspersky and the FSB