Sigma Rules
638 rules found for "Florian Roth (Nextron Systems)"
Adwind RAT / JRAT File Artifact
Detects javaw.exe in AppData folder as used by Adwind / JRAT
File Creation In Suspicious Directory By Msdt.EXE
Detects msdt.exe creating files in suspicious directories which could be a sign of exploitation of either Follina or Dogwalk vulnerabilities
NTDS.DIT Creation By Uncommon Parent Process
Detects creation of a file named "ntds.dit" (Active Directory Database) by an uncommon parent process or directory
NTDS.DIT Creation By Uncommon Process
Detects creation of a file named "ntds.dit" (Active Directory Database) by an uncommon process or a process located in a suspicious directory
NTDS Exfiltration Filename Patterns
Detects creation of files with specific name patterns seen used in various tools that export the NTDS.DIT for exfiltration.
Suspicious File Created in Outlook Temporary Directory
Detects the creation of files with suspicious file extensions in the temporary directory that Outlook uses when opening attachments. This can be used to detect spear-phishing campaigns that use suspicious files as attachments, which may contain malicious code.
Potential SAM Database Dump
Detects the creation of files that look like exports of the local SAM (Security Account Manager)
Windows Shell/Scripting Application File Write to Suspicious Folder
Detects Windows shells and scripting applications that write files to suspicious folders
Suspicious Desktopimgdownldr Target File
Detects a suspicious Microsoft desktopimgdownldr file creation that stores a file to a suspicious location or contains a file with a suspicious extension
Suspicious MSExchangeMailboxReplication ASPX Write
Detects suspicious activity in which the MSExchangeMailboxReplication process writes .asp and .apsx files to disk, which could be a sign of ProxyShell exploitation
Legitimate Application Dropped Archive
Detects programs on a Windows system that should not write an archive to disk
Legitimate Application Dropped Executable
Detects programs on a Windows system that should not write executables to disk
Legitimate Application Dropped Script
Detects programs on a Windows system that should not write scripts to disk
Potential File Extension Spoofing Using Right-to-Left Override
Detects suspicious filenames that contain a right-to-left override character and a potentially spoofed file extensions.
Suspicious Interactive PowerShell as SYSTEM
Detects the creation of files that indicator an interactive use of PowerShell in the SYSTEM user context
Suspicious Scheduled Task Write to System32 Tasks
Detects the creation of tasks from processes executed from suspicious locations
TeamViewer Remote Session
Detects the creation of log files during a TeamViewer remote session
Process Explorer Driver Creation By Non-Sysinternals Binary
Detects creation of the Process Explorer drivers by processes other than Process Explorer (procexp) itself. Hack tools or malware may use the Process Explorer driver to elevate privileges, drops it to disk for a few moments, runs a service using that driver and removes it afterwards.
UAC Bypass Using EventVwr
Detects the pattern of a UAC bypass using Windows Event Viewer
HackTool - SharpEvtMute DLL Load
Detects the load of EvtMuteHook.dll, a key component of SharpEvtHook, a tool that tampers with the Windows event logs
Uncommon Network Connection Initiated By Certutil.EXE
Detects a network connection initiated by the certutil.exe utility. Attackers can abuse the utility in order to download malware or additional payloads.
Network Communication With Crypto Mining Pool
Detects initiated network connections to crypto mining pools
Suspicious Dropbox API Usage
Detects an executable that isn't dropbox but communicates with the Dropbox API
Network Connection Initiated To Mega.nz
Detects a network connection initiated by a binary to "api.mega.co.nz". Attackers were seen abusing file sharing websites similar to "mega.nz" in order to upload/download additional payloads.
Process Initiated Network Connection To Ngrok Domain
Detects an executable initiating a network connection to "ngrok" domains. Attackers were seen using this "ngrok" in order to store their second stage payloads and malware. While communication with such domains can be legitimate, often times is a sign of either data exfiltration by malicious actors or additional download.
Communication To Ngrok Tunneling Service Initiated
Detects an executable initiating a network connection to "ngrok" tunneling domains. Attackers were seen using this "ngrok" in order to store their second stage payloads and malware. While communication with such domains can be legitimate, often times is a sign of either data exfiltration by malicious actors or additional download.
Network Communication Initiated To Portmap.IO Domain
Detects an executable accessing the portmap.io domain, which could be a sign of forbidden C2 traffic or data exfiltration by malicious actors
Office Application Initiated Network Connection To Non-Local IP
Detects an office application (Word, Excel, PowerPoint) that initiate a network connection to a non-private IP addresses. This rule aims to detect traffic similar to one seen exploited in CVE-2021-42292. This rule will require an initial baseline and tuning that is specific to your organization.
RDP to HTTP or HTTPS Target Ports
Detects svchost hosting RDP termsvcs communicating to target systems on TCP port 80 or 443
Rundll32 Internet Connection
Detects a rundll32 that communicates with public IP addresses
Suspicious Network Connection Binary No CommandLine
Detects suspicious network connections made by a well-known Windows binary run with no command line parameters
Network Communication Initiated To File Sharing Domains From Process Located In Suspicious Folder
Detects executables located in potentially suspicious directories initiating network connections towards file sharing domains.
Network Connection Initiated From Process Located In Potentially Suspicious Or Uncommon Location
Detects a network connection initiated by programs or processes running from suspicious or uncommon files system locations.
Potentially Suspicious Malware Callback Communication
Detects programs that connect to known malware callback ports based on statistical analysis from two different sandbox system databases
Communication To Uncommon Destination Ports
Detects programs that connect to uncommon destination ports
Outbound Network Connection Initiated By Script Interpreter
Detects a script interpreter wscript/cscript opening a network connection to a non-local network. Adversaries may use script to download malicious payloads.
CobaltStrike Named Pipe
Detects the creation of a named pipe as used by CobaltStrike
CobaltStrike Named Pipe Pattern Regex
Detects the creation of a named pipe matching a pattern used by CobaltStrike Malleable C2 profiles
CobaltStrike Named Pipe Patterns
Detects the creation of a named pipe with a pattern found in CobaltStrike malleable C2 profiles
HackTool - CoercedPotato Named Pipe Creation
Detects the pattern of a pipe name as used by the hack tool CoercedPotato
HackTool - EfsPotato Named Pipe Creation
Detects the pattern of a pipe name as used by the hack tool EfsPotato
WMI Event Consumer Created Named Pipe
Detects the WMI Event Consumer service scrcons.exe creating a named pipe
Malicious Named Pipe Created
Detects the creation of a named pipe seen used by known APTs or malware.
PowerShell Downgrade Attack - PowerShell
Detects PowerShell downgrade attack by comparing the host versions with the actually used engine version 2.0
PowerShell Called from an Executable Version Mismatch
Detects PowerShell called from an executable by the version mismatch method
Suspicious PowerShell Download
Detects suspicious PowerShell download command
Suspicious Get-ADDBAccount Usage
Detects suspicious invocation of the Get-ADDBAccount script that reads from a ntds.dit file and may be used to get access to credentials without using any credential dumpers
Suspicious PowerShell Download - PoshModule
Detects suspicious PowerShell download command