Sigma Rules
1,405 rules found for "Nextron Systems"
AppX Located in Uncommon Directory Added to Deployment Pipeline
Detects an appx package that was added to the pipeline of the "to be processed" packages that is located in uncommon locations.
Windows AppX Deployment Full Trust Package Installation
Detects the installation of MSIX/AppX packages with full trust privileges which run with elevated privileges outside normal AppX container restrictions
Windows AppX Deployment Unsigned Package Installation
Detects attempts to install unsigned MSIX/AppX packages using the -AllowUnsigned parameter via AppXDeployment-Server events
Suspicious Digital Signature Of AppX Package
Detects execution of AppX packages with known suspicious or malicious signature
BITS Transfer Job Download From File Sharing Domains
Detects BITS transfer job downloading files from a file sharing domain.
BITS Transfer Job Download From Direct IP
Detects a BITS transfer job downloading file(s) from a direct IP address.
BITS Transfer Job With Uncommon Or Suspicious Remote TLD
Detects a suspicious download using the BITS client from a FQDN that is unusual. Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads.
BITS Transfer Job Download To Potential Suspicious Folder
Detects new BITS transfer job where the LocalName/Saved file is stored in a potentially suspicious location
CodeIntegrity - Unmet Signing Level Requirements By File Under Validation
Detects attempted file load events that did not meet the signing level requirements. It often means the file's signature is revoked or a signature with the Lifetime Signing EKU has expired. This event is best correlated with EID 3089 to determine the error of the validation.
CodeIntegrity - Disallowed File For Protected Processes Has Been Blocked
Detects block events for files that are disallowed by code integrity for protected processes
CodeIntegrity - Blocked Image/Driver Load For Policy Violation
Detects blocked load events that did not meet the authenticode signing level requirements or violated the code integrity policy.
CodeIntegrity - Blocked Driver Load With Revoked Certificate
Detects blocked load attempts of revoked drivers
CodeIntegrity - Revoked Kernel Driver Loaded
Detects the load of a revoked kernel driver
CodeIntegrity - Blocked Image Load With Revoked Certificate
Detects blocked image load events with revoked certificates by code integrity.
CodeIntegrity - Revoked Image Loaded
Detects image load events with revoked certificates by code integrity.
CodeIntegrity - Unsigned Kernel Module Loaded
Detects the presence of a loaded unsigned kernel module on the system.
CodeIntegrity - Unsigned Image Loaded
Detects loaded unsigned image on the system
CodeIntegrity - Unmet WHQL Requirements For Loaded Kernel Module
Detects loaded kernel modules that did not meet the WHQL signing requirements.
Loading Diagcab Package From Remote Path
Detects loading of diagcab packages from a remote path, as seen in DogWalk vulnerability
DNS Query for Anonfiles.com Domain - DNS Client
Detects DNS queries for anonfiles.com, which is an anonymous file upload platform often used for malicious purposes
Suspicious Cobalt Strike DNS Beaconing - DNS Client
Detects a program that invoked suspicious DNS queries known from Cobalt Strike beacons
DNS Query To MEGA Hosting Website - DNS Client
Detects DNS queries for subdomains related to MEGA sharing website
Query Tor Onion Address - DNS Client
Detects DNS resolution of an .onion address related to Tor routing networks
DNS Query To Ufile.io - DNS Client
Detects DNS queries to "ufile.io", which was seen abused by malware and threat actors as a method for data exfiltration
DNS Server Error Failed Loading the ServerLevelPluginDLL
Detects a DNS server error in which a specified plugin DLL (in registry) could not be loaded
USB Device Plugged
Detects plugged/unplugged USB devices
New Firewall Rule Added In Windows Firewall Exception List Via WmiPrvSE.EXE
Detects the addition of a new "Allow" firewall rule by the WMI process (WmiPrvSE.EXE). This can occur if an attacker leverages PowerShell cmdlets such as "New-NetFirewallRule", or directly uses WMI CIM classes such as "MSFT_NetFirewallRule".
All Rules Have Been Deleted From The Windows Firewall Configuration
Detects when a all the rules have been deleted from the Windows Defender Firewall configuration
Windows Firewall Settings Have Been Changed
Detects activity when the settings of the Windows firewall have been changed
ETW Logging/Processing Option Disabled On IIS Server
Detects changes to of the IIS server configuration in order to disable/remove the ETW logging/processing option.
Previously Installed IIS Module Was Removed
Detects the removal of a previously installed IIS module.
ProxyLogon MSExchange OabVirtualDirectory
Detects specific patterns found after a successful ProxyLogon exploitation in relation to a Commandlet invocation of Set-OabVirtualDirectory
Certificate Request Export to Exchange Webserver
Detects a write of an Exchange CSR to an untypical directory or with aspx name suffix which can be used to place a webshell
Mailbox Export to Exchange Webserver
Detects a successful export of an Exchange mailbox to untypical directory or with aspx name suffix which can be used to place a webshell or the needed role assignment for it
Remove Exported Mailbox from Exchange Webserver
Detects removal of an exported Exchange mailbox which could be to cover tracks from ProxyShell exploit
NTLM Logon
Detects logons using NTLM, which could be caused by a legacy source or attackers
DiagTrackEoP Default Login Username
Detects the default "UserName" used by the DiagTrackEoP POC
Outgoing Logon with New Credentials
Detects logon events that specify new credentials
RottenPotato Like Attack Pattern
Detects logon events that have characteristics of events generated during an attack with RottenPotato and the like
Access To ADMIN$ Network Share
Detects access to ADMIN$ network share
Hacktool Ruler
This events that are generated when using the hacktool Ruler by Sensepost
Security Eventlog Cleared
One of the Windows Eventlogs has been cleared. e.g. caused by "wevtutil cl" command execution
CobaltStrike Service Installations - Security
Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement
Mimikatz DC Sync
Detects Mimikatz DC sync security events
Windows Default Domain GPO Modification
Detects modifications to Default Domain or Default Domain Controllers Group Policy Objects (GPOs). Adversaries may modify these default GPOs to deploy malicious configurations across the domain.
Windows Event Auditing Disabled
Detects scenarios where system auditing (i.e.: Windows event log auditing) is disabled. This may be used in a scenario where an entity would want to bypass local logging to evade detection when Windows event logging is enabled and reviewed. Also, it is recommended to turn off "Local Group Policy Object Processing" via GPO, which will make sure that Active Directory GPOs take precedence over local/edited computer policies via something such as "gpedit.msc". Please note, that disabling "Local Group Policy Object Processing" may cause an issue in scenarios of one off specific GPO modifications - however, it is recommended to perform these modifications in Active Directory anyways.
Important Windows Event Auditing Disabled
Detects scenarios where system auditing for important events such as "Process Creation" or "Logon" events is disabled.
Hidden Local User Creation
Detects the creation of a local hidden user account which should not happen for event ID 4720.