Sigma Rules
638 rules found for "Florian Roth (Nextron Systems)"
Potential Windows Defender AV Bypass Via Dump64.EXE Rename
Detects when a user is potentially trying to bypass the Windows Defender AV by renaming a tool to dump64.exe and placing it in the Visual Studio folder. Currently the rule is covering only usage of procdump but other utilities can be added in order to increase coverage.
DumpMinitool Execution
Detects the use of "DumpMinitool.exe", a tool that allows dumping process memory via the "MiniDumpWriteDump" function
Suspicious DumpMinitool Execution
Detects suspicious ways to use the "DumpMinitool.exe" binary
Potentially Suspicious Event Viewer Child Process
Detects uncommon or suspicious child processes of "eventvwr.exe" which might indicate a UAC bypass attempt
Explorer Process Tree Break
Detects a command line process that uses explorer.exe to launch arbitrary commands or binaries. This is similar to cmd.exe /c, except that it breaks the process tree: the launched program's parent becomes a new instance of explorer.exe spawned from "svchost"
Explorer NOUACCHECK Flag
Detects suspicious starts of explorer.exe with the /NOUACCHECK flag, which allows all child processes of that newly started explorer.exe to run without any UAC checks
LSASS Process Reconnaissance Via Findstr.EXE
Detects findstr commands that include the keyword lsass, which indicates recon activity for the LSASS process PID
Finger.EXE Execution
Detects execution of the "finger.exe" utility. Finger.EXE or "TCPIP Finger Command" is an old utility that is still present on modern Windows installations. It displays information about users on a specified remote computer (typically a UNIX computer) that is running the finger service or daemon. Due to the age of this utility and the rareness of machines running the finger service, any execution of "finger.exe" can be considered "suspicious" and worth investigating.
Uncommon FileSystem Load Attempt By Format.com
Detects the execution of format.com with an uncommon filesystem selection that could indicate a defense evasion activity in which "format.com" is used to load malicious DLL files or other programs.
Suspicious GUP Usage
Detects execution of the Notepad++ updater in a suspicious directory, which is often used in DLL side-loading attacks
HackTool - ADCSPwn Execution
Detects command line parameters used by ADCSPwn, a tool to escalate privileges in an Active Directory network by coercing authentication from machine accounts and relaying it to the certificate service
HackTool - Bloodhound/Sharphound Execution
Detects command line parameters used by Bloodhound and Sharphound hack tools
Potential CobaltStrike Process Patterns
Detects potential process patterns related to Cobalt Strike beacon activity
HackTool - CoercedPotato Execution
Detects the use of CoercedPotato, a tool for privilege escalation
HackTool - Covenant PowerShell Launcher
Detects suspicious command lines used in Covenant launchers
HackTool - CrackMapExec Execution
This rule detects common flag combinations used by CrackMapExec in order to detect its use even if the binary has been renamed.
HackTool - CrackMapExec Process Patterns
Detects suspicious process patterns found in logs when CrackMapExec is used
HackTool - CreateMiniDump Execution
Detects the use of CreateMiniDump hack tool used to dump the LSASS process memory for credential extraction on the attacker's machine
HackTool - DInjector PowerShell Cradle Execution
Detects the use of the Dinject PowerShell cradle based on the specific flags
HackTool - Dumpert Process Dumper Execution
Detects the use of Dumpert process dumper, which dumps the lsass.exe process memory
HackTool - Empire PowerShell Launch Parameters
Detects suspicious powershell command line parameters used in Empire
Hacktool Execution - Imphash
Detects the execution of different Windows based hacktools via their import hash (imphash) even if the files have been renamed
Hacktool Execution - PE Metadata
Detects the execution of different Windows based hacktools via PE metadata (company, product, etc.) even if the files have been renamed
HackTool - HandleKatz LSASS Dumper Execution
Detects the use of HandleKatz, a tool that demonstrates the use of cloned handles to LSASS in order to create an obfuscated memory dump of it
HackTool - Htran/NATBypass Execution
Detects executable names or flags used by Htran or Htran-like tools (e.g. NATBypass)
HackTool - Impacket Tools Execution
Detects the execution of different compiled Windows binaries of the impacket toolset (based on names or part of their names - could lead to false positives)
HackTool - KrbRelay Execution
Detects the use of KrbRelay, a Kerberos relaying tool
HackTool - KrbRelayUp Execution
Detects KrbRelayUp used to perform a universal no-fix local privilege escalation in Windows domain environments where LDAP signing is not enforced
Potential Meterpreter/CobaltStrike Activity
Detects the use of the getsystem command of Meterpreter/Cobalt Strike by detecting the start of a specific service
HackTool - PCHunter Execution
Detects suspicious use of PCHunter, a tool similar to Process Hacker that can view and manipulate processes, kernel options and other low-level system components
HackTool - PurpleSharp Execution
Detects the execution of the PurpleSharp adversary simulation tool
Potential SMB Relay Attack Tool Execution
Detects different hacktools used for relay attacks on Windows for privilege escalation
HackTool - Rubeus Execution
Detects the execution of the hacktool Rubeus via PE information or command line parameters
HackTool - SecurityXploded Execution
Detects the execution of SecurityXploded Tools
HackTool - PPID Spoofing SelectMyParent Tool Execution
Detects the use of parent process ID spoofing tools such as Didier Stevens' tool SelectMyParent
HackTool - SharPersist Execution
Detects the execution of the hacktool SharPersist - used to deploy various different kinds of persistence mechanisms
HackTool - SharpEvtMute Execution
Detects the use of SharpEvtHook, a tool that tampers with the Windows event logs
HackTool - SharpLdapWhoami Execution
Detects SharpLdapWhoami, a whoami alternative that queries the LDAP service on a domain controller
HackTool - SharpUp PrivEsc Tool Execution
Detects the use of SharpUp, a tool for local privilege escalation
HackTool - Sliver C2 Implant Activity Pattern
Detects process activity patterns as seen being used by Sliver C2 framework implants
HackTool - SysmonEOP Execution
Detects the execution of the PoC that can be used to exploit Sysmon CVE-2022-41120
HackTool - UACMe Akagi Execution
Detects the execution of UACMe, a tool used for UAC bypasses, via default PE metadata
HackTool - Windows Credential Editor (WCE) Execution
Detects the use of Windows Credential Editor (WCE), a popular post-exploitation tool used to extract plaintext passwords, hash, PIN code and Kerberos tickets from memory. It is often used by threat actors for credential dumping and lateral movement within compromised networks.
HackTool - XORDump Execution
Detects suspicious use of XORDump process memory dumping utility
Suspicious HWP Sub Processes
Detects suspicious Hangul Word Processor (Hanword) sub processes that could indicate exploitation
IIS Native-Code Module Command Line Installation
Detects suspicious IIS native-code module installations via command line
Suspicious IIS Module Registration
Detects a suspicious IIS module registration as described in Microsoft threat report on IIS backdoors
Suspicious Child Process Of Manage Engine ServiceDesk
Detects suspicious child processes of the "Manage Engine ServiceDesk Plus" Java web service