Sigma Rules
1,405 rules found for "Nextron Systems"
Important Windows Service Terminated With Error
Detects important or interesting Windows services that got terminated for whatever reason
Important Windows Service Terminated Unexpectedly
Detects important or interesting Windows services that got terminated unexpectedly.
RTCore Suspicious Service Installation
Detects the installation of RTCore service. Which could be an indication of Micro-Star MSI Afterburner vulnerable driver abuse
Scheduled Task Executed From A Suspicious Location
Detects the execution of Scheduled Tasks where the Program being run is located in a suspicious location or it's an unusale program to be run from a Scheduled Task
Scheduled Task Executed Uncommon LOLBIN
Detects the execution of Scheduled Tasks where the program being run is located in a suspicious location or where it is an unusual program to be run from a Scheduled Task
Ngrok Usage with Remote Desktop Service
Detects cases in which ngrok, a reverse proxy tool, forwards events to the local RDP port, which could be a sign of malicious behaviour
Mimikatz Use
This method detects mimikatz keywords in different Eventlogs (some of them only appear in older Mimikatz version that are however still used by different threat groups)
Windows Defender Exclusions Added
Detects the Setting of Windows Defender Exclusions
Windows Defender Exploit Guard Tamper
Detects when someone is adding or removing applications or folders from exploit guard "ProtectedFolders" or "AllowedApplications"
Windows Defender Submit Sample Feature Disabled
Detects disabling of the "Automatic Sample Submission" feature of Windows Defender.
Windows Defender Real-Time Protection Failure/Restart
Detects issues with Windows Defender Real-Time Protection features
Win Defender Restored Quarantine File
Detects the restoration of files from the defender quarantine
Windows Defender Configuration Changes
Detects suspicious changes to the Windows Defender configuration
Microsoft Defender Tamper Protection Trigger
Detects blocked attempts to change any of Defender's settings such as "Real Time Monitoring" and "Behavior Monitoring"
WMI Persistence
Detects suspicious WMI event filter and command line event consumer based on WMI and Security Logs.
HackTool - Potential CobaltStrike Process Injection
Detects a potential remote threat creation with certain characteristics which are typical for Cobalt Strike beacons
Remote Thread Creation In Mstsc.Exe From Suspicious Location
Detects remote thread creation in the "mstsc.exe" process by a process located in a potentially suspicious location. This technique is often used by attackers in order to hook some APIs used by DLLs loaded by "mstsc.exe" during RDP authentications in order to steal credentials.
Remote Thread Creation Via PowerShell In Uncommon Target
Detects the creation of a remote thread from a Powershell process in an uncommon target process
Remote Thread Creation In Uncommon Target Image
Detects uncommon target processes for remote thread creation
Hidden Executable In NTFS Alternate Data Stream
Detects the creation of an ADS (Alternate Data Stream) that contains an executable by looking at a non-empty Imphash
Suspicious File Download From File Sharing Websites - File Stream
Detects the download of suspicious file type from a well-known file and paste sharing domain
Unusual File Download From File Sharing Websites - File Stream
Detects the download of suspicious file type from a well-known file and paste sharing domain
HackTool Named File Stream Created
Detects the creation of a named file stream with the imphash of a well-known hack tool
Unusual File Download from Direct IP Address
Detects the download of suspicious file type from URLs with IP
Potential Suspicious Winget Package Installation
Detects potential suspicious winget package installation from a suspicious source.
Potentially Suspicious File Download From ZIP TLD
Detects the download of a file with a potentially suspicious extension from a .zip top level domain.
Cloudflared Tunnels Related DNS Requests
Detects DNS requests to Cloudflared tunnels domains. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.
DNS Query To AzureWebsites.NET By Non-Browser Process
Detects a DNS query by a non browser process on the system to "azurewebsites.net". The latter was often used by threat actors as a malware hosting and exfiltration site.
DNS Query by Finger Utility
Detects DNS queries made by the finger utility, which can be abused by threat actors to retrieve remote commands for execution on Windows devices. In one ClickFix malware campaign, adversaries leveraged the finger protocol to fetch commands from a remote server. Since the finger utility is not commonly used in modern Windows environments, its presence already raises suspicion. Investigating such DNS queries can also help identify potential malicious infrastructure used by threat actors for command and control (C2) communication.
Notepad++ Updater DNS Query to Uncommon Domains
Detects when the Notepad++ updater (gup.exe) makes DNS queries to domains that are not part of the known legitimate update infrastructure. This could indicate potential exploitation of the updater mechanism or suspicious network activity that warrants further investigation.
Suspicious DNS Query Indicating Kerberos Coercion via DNS Object SPN Spoofing
Detects DNS queries containing patterns associated with Kerberos coercion attacks via DNS object spoofing. The pattern "1UWhRCAAAAA..BAAAA" is a base64-encoded signature that corresponds to a marshaled CREDENTIAL_TARGET_INFORMATION structure. Attackers can use this technique to coerce authentication from victim systems to attacker-controlled hosts. It is one of the strong indicators of a Kerberos coercion attack, where adversaries manipulate DNS records to spoof Service Principal Names (SPNs) and redirect authentication requests like CVE-2025-33073.
Suspicious Cobalt Strike DNS Beaconing - Sysmon
Detects a program that invoked suspicious DNS queries known from Cobalt Strike beacons
TeamViewer Domain Query By Non-TeamViewer Application
Detects DNS queries to a TeamViewer domain only resolved by a TeamViewer client by an image that isn't named TeamViewer (sometimes used by threat actors for obfuscation)
Malicious Driver Load
Detects loading of known malicious drivers via their hash.
Malicious Driver Load By Name
Detects loading of known malicious drivers via the file name of the drivers.
PUA - Process Hacker Driver Load
Detects driver load of the Process Hacker tool
PUA - System Informer Driver Load
Detects driver load of the System Informer tool
Driver Load From A Temporary Directory
Detects a driver load from a temporary directory
Vulnerable Driver Load
Detects loading of known vulnerable drivers via their hash.
Vulnerable Driver Load By Name
Detects the load of known vulnerable drivers via the file name of the drivers.
Vulnerable HackSys Extreme Vulnerable Driver Load
Detects the load of HackSys Extreme Vulnerable Driver which is an intentionally vulnerable Windows driver developed for security enthusiasts to learn and polish their exploitation skills at Kernel level and often abused by threat actors
Vulnerable WinRing0 Driver Load
Detects the load of a signed WinRing0 driver often used by threat actors, crypto miners (XMRIG) or malware for privilege escalation
WinDivert Driver Load
Detects the load of the Windiver driver, a powerful user-mode capture/sniffing/modification/blocking/re-injection package for Windows
Credential Manager Access By Uncommon Applications
Detects suspicious processes based on name and location that access the windows credential manager and vault. Which can be a sign of credential stealing. Example case would be usage of mimikatz "dpapi::cred" function
Access To Windows Credential History File By Uncommon Applications
Detects file access requests to the Windows Credential History File by an uncommon application. This can be a sign of credential stealing. Example case would be usage of mimikatz "dpapi::credhist" function
Access To Crypto Currency Wallets By Uncommon Applications
Detects file access requests to crypto currency files by uncommon processes. Could indicate potential attempt of crypto currency wallet stealing.
Access To Windows DPAPI Master Keys By Uncommon Applications
Detects file access requests to the the Windows Data Protection API Master keys by an uncommon application. This can be a sign of credential stealing. Example case would be usage of mimikatz "dpapi::masterkey" function
Suspicious File Access to Browser Credential Storage
Detects file access to browser credential storage paths by non-browser processes, which may indicate credential access attempts. Adversaries may attempt to access browser credential storage to extract sensitive information such as usernames and passwords or cookies. This behavior is often commonly observed in credential stealing malware.