Sigma Rules
155 rules found for "Swachchhanda Shrawan Poudel (Nextron Systems)"
Axios NPM Compromise File Creation Indicators - MacOS
Detects file creation events linked to the Axios NPM supply chain compromise on macOS devices. Axios is a popular JavaScript HTTP client. On March 30, 2026, malicious versions (1.14.1, 0.30.4) were published to npm, injecting a dependency (plain-crypto-js@4.2.1) that executed a postinstall script as a cross-platform RAT dropper.
Axios NPM Compromise File Creation Indicators - Windows
Detects file creation events linked to the Axios NPM supply chain compromise. Axios is a popular JavaScript HTTP client. On March 30, 2026, malicious versions (1.14.1, 0.30.4) were published to npm, injecting a dependency (plain-crypto-js@4.2.1) that executed a postinstall script as a cross-platform RAT dropper. The dropper contacted a C2 server, delivered platform-specific payloads, deleted itself, and replaced package.json to evade detection. The attack used cscript.exe (VBScript), curl.exe (C2), and PowerShell masquerading as Windows Terminal.
Axios NPM Compromise Malicious C2 Domain DNS Query
Detects DNS queries for the malicious C2 domain associated with the plain-crypto-js/Axios npm package supply chain compromise. On March 30, 2026, malicious versions (1.14.1, 0.30.4) were published to npm, injecting a dependency (plain-crypto-js@4.2.1) that executed a postinstall script as a cross-platform RAT dropper. This detection detects endpoints attempting to resolve the attacker's C2 domain (sfrclak.com) used for command and control communication.
Axios NPM Compromise Indicators - Linux
Detects the Linux-specific execution chain of the plain-crypto-js malicious npm dependency by Axios NPM package, including payload download via curl and detached execution using nohup and python3. On March 30, 2026, malicious versions (1.14.1, 0.30.4) were published to npm, injecting a dependency (plain-crypto-js@4.2.1) that executed a postinstall script as a cross-platform RAT dropper. The dropper contacted a C2 server, delivered platform-specific payloads, deleted itself, and replaced package.json to evade detection.
Axios NPM Compromise Indicators - macOS
Detects the macOS-specific execution chain of the plain-crypto-js malicious npm dependency in Axios NPM Package, including AppleScript execution via osascript, payload download, permission modification, execution, and cleanup.
Axios NPM Compromise Indicators - Windows
Detects the specific Windows execution chain and process tree associated with the Axios NPM supply chain compromise. On March 30, 2026, malicious versions (1.14.1, 0.30.4) were published to npm, injecting a dependency (plain-crypto-js@4.2.1) that executed a postinstall script as a cross-platform RAT dropper. The dropper contacted a C2 server, delivered platform-specific payloads, deleted itself, and replaced package.json to evade detection. The attack used cscript.exe (VBScript), curl.exe (C2), and PowerShell masquerading as Windows Terminal.
TeamPCP LiteLLM Supply Chain Attack Persistence Indicators
Detects the creation of specific persistence files as observed in the LiteLLM PyPI supply chain attack. In March 2026, a supply chain attack was discovered involving the popular open-source LLM framework LiteLLM by Threat Actor TeamPCP. The malicious package harvests every credential on the system, encrypts and exfiltrates them, and installs a persistent C2 backdoor.
LiteLLM / TeamPCP Supply Chain Attack Indicators
Detects process executions related to the backdoored versions of LiteLLM (v1.82.7 or v1.82.8). In March 2026, a supply chain attack was discovered involving the popular open-source LLM framework LiteLLM by Threat Actor TeamPCP. The malicious package harvests every credential on the system, encrypts and exfiltrates them, and installs a persistent C2 backdoor.
Successful MSIX/AppX Package Installation
Detects successful MSIX/AppX package installations on Windows systems by monitoring EventID 854 in the Microsoft-Windows-AppXDeployment-Server/Operational log. While most installations are legitimate, this can help identify unauthorized or suspicious package installations. It is crucial to monitor such events as threat actors may exploit MSIX/AppX packages to deliver and execute malicious payloads.
WerFaultSecure Loading DbgCore or DbgHelp - EDR-Freeze
Detects the loading of dbgcore.dll or dbghelp.dll by WerFaultSecure.exe, which has been observed in EDR-Freeze attacks to suspend processes and evade detection. However, this behavior has also been observed during normal software installations, so further investigation is required to confirm malicious activity. When threat hunting, look for this activity in conjunction with other suspicious processes starting, network connections, or file modifications that occur shortly after the DLL load. Pay special attention to timing - if other malicious activities occur during or immediately after this library loading, it may indicate EDR evasion attempts. Also correlate with any EDR/AV process suspension events or gaps in security monitoring during the timeframe.
Process Execution From WebDAV Share
Detects execution of processes with image paths starting with WebDAV shares (\\), which might indicate malicious file execution from remote web shares. Execution of processes from WebDAV shares can be a sign of lateral movement or exploitation attempts, especially if the process is not a known legitimate application. Exploitation Attempt of vulnerabilities like CVE-2025-33053 also involves executing processes from WebDAV paths.