Sigma Rules
498 rules found for "Florian Roth (Nextron Systems)"
Suspicious Advpack Call Via Rundll32.EXE
Detects execution of "rundll32" calling "advpack.dll" with potential obfuscated ordinal calls in order to leverage the "RegisterOCX" function
Suspicious Rundll32 Invoking Inline VBScript
Detects suspicious process related to rundll32 based on command line that invokes inline VBScript as seen being used by UNC2452
Suspicious Key Manager Access
Detects the invocation of the Stored User Names and Passwords dialogue (Key Manager)
Mshtml.DLL RunHTMLApplication Suspicious Usage
Detects execution of commands that leverage the "mshtml.dll" RunHTMLApplication export to run arbitrary code via different protocol handlers (vbscript, javascript, file, http...)
Rundll32 Execution Without CommandLine Parameters
Detects suspicious start of rundll32.exe without any parameters as found in CobaltStrike beacon activity
Process Memory Dump Via Comsvcs.DLL
Detects a process memory dump via "comsvcs.dll" using rundll32, covering multiple different techniques (ordinal, minidump function, etc.)
Suspicious Control Panel DLL Load
Detects suspicious Rundll32 execution from control.exe as used by Equation Group and Exploit Kits
ShimCache Flush
Detects actions that clear the local ShimCache and remove forensic evidence
Suspicious Rundll32 Activity Invoking Sys File
Detects suspicious process related to rundll32 based on command line that includes a *.sys file as seen being used by UNC2452
Rundll32 Execution With Uncommon DLL Extension
Detects the execution of rundll32 with a command line that doesn't contain a common extension
Suspicious WebDav Client Execution Via Rundll32.EXE
Detects "svchost.exe" spawning "rundll32.exe" with command arguments like C:\windows\system32\davclnt.dll,DavSetCookie. This could be an indicator of exfiltration or use of WebDav to launch code (hosted on WebDav Server) or potentially a sign of exploitation of CVE-2023-23397
Scheduled Task Creation Via Schtasks.EXE
Detects the creation of scheduled tasks by user accounts via the "schtasks" utility.
Suspicious Scheduled Task Creation Involving Temp Folder
Detects the creation of scheduled tasks that involves a temporary folder and runs only once
Schedule Task Creation From Env Variable Or Potentially Suspicious Path Via Schtasks.EXE
Detects Schtask creations that point to a suspicious folder or an environment variable often used by malware
Schtasks From Suspicious Folders
Detects scheduled task creations that have suspicious action command and folder combinations
Potential Persistence Via Powershell Search Order Hijacking - Task
Detects suspicious powershell execution via a schedule task where the command ends with an suspicious flags to hide the powershell instance instead of executeing scripts or commands. This could be a sign of persistence via PowerShell "Get-Variable" technique as seen being used in Colibri Loader
Suspicious Command Patterns In Scheduled Task Creation
Detects scheduled task creation using "schtasks" that contain potentially suspicious or uncommon commands
Suspicious Serv-U Process Pattern
Detects a suspicious process pattern which could be a sign of an exploited Serv-U service
Suspicious Splwow64 Without Params
Detects suspicious Splwow64.exe process without any command line parameters
User Added to Local Administrators Group
Detects addition of users to the local administrator group via "Net" or "Add-LocalGroupMember".
User Added to Remote Desktop Users Group
Detects addition of users to the local Remote Desktop Users group via "Net" or "Add-LocalGroupMember".
Phishing Pattern ISO in Archive
Detects cases in which an ISO files is opend within an archiver like 7Zip or Winrar, which is a sign of phishing as threat actors put small ISO files in archives as email attachments to bypass certain filters and protective measures (mark of web)
Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Detects attackers using tooling with bad opsec defaults. E.g. spawning a sacrificial process to inject a capability into the process without taking into account how the process is normally run. One trivial example of this is using rundll32.exe without arguments as a sacrificial process (default in CS, now highlighted by c2lint), running WerFault without arguments (Kraken - credit am0nsec), and other examples.
Potential CommandLine Obfuscation Using Unicode Characters From Suspicious Image
Detects potential commandline obfuscation using unicode characters. Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit.
Copy From Or To Admin Share Or Sysvol Folder
Detects a copy command or a copy utility execution to or from an Admin share or remote
Suspicious Copy From or To System Directory
Detects a suspicious copy operation that tries to copy a program from system (System32, SysWOW64, WinSxS) directories to another on disk. Often used to move LOLBINs such as 'certutil' or 'desktopimgdownldr' to a different location with a different name in order to bypass detections based on locations.
Potential Crypto Mining Activity
Detects command line parameters or strings often used by crypto miners
Raccine Uninstall
Detects commands that indicate a Raccine removal from an end system. Raccine is a free ransomware protection tool.
Suspicious Double Extension File Execution
Detects suspicious use of an .exe extension after a non-executable file extension like .pdf.exe, a set of spaces or underlines to cloak the executable file in spear phishing campaigns
Suspicious Download from Office Domain
Detects suspicious ways to download files from Microsoft domains that are used to store attachments in Emails or OneNote documents
DumpStack.log Defender Evasion
Detects the use of the filename DumpStack.log to evade Microsoft Defender
ETW Trace Evasion Activity
Detects command line activity that tries to clear or disable any ETW trace log which could be a sign of logging evasion.
Potentially Suspicious Execution From Parent Process In Public Folder
Detects a potentially suspicious execution of a parent process located in the "\Users\Public" folder executing a child process containing references to shell or scripting binaries and commandlines.
Process Execution From A Potentially Suspicious Folder
Detects a potentially suspicious execution from an uncommon folder.
Suspicious Process Patterns NTDS.DIT Exfil
Detects suspicious process patterns used in NTDS.DIT exfiltration
Obfuscated IP Download Activity
Detects use of an encoded/obfuscated version of an IP address (hex, octal...) in an URL combined with a download command
Suspicious Process Parents
Detects suspicious parent processes that should not have any children or should only have a single possible child program
Suspicious RunAs-Like Flag Combination
Detects suspicious command line flags that let the user set a target user and command as e.g. seen in PsExec-like tools
Suspicious Program Names
Detects suspicious patterns in program names or folders that are often found in malicious samples or hacktools
Suspicious Redirection to Local Admin Share
Detects a suspicious output redirection to the local admins share, this technique is often found in malicious scripts or hacktool stagers
Script Interpreter Execution From Suspicious Folder
Detects a suspicious script execution in temporary folders or folders accessible by environment variables
Suspicious Script Execution From Temp Folder
Detects a suspicious script executions from temporary folder
Suspicious Service Binary Directory
Detects a service binary running in a suspicious directory
Shadow Copies Deletion Using Operating Systems Utilities
Shadow Copies deletion using operating systems utilities
Windows Shell/Scripting Processes Spawning Suspicious Programs
Detects suspicious child processes of a Windows shell and scripting processes such as wscript, rundll32, powershell, mshta...etc.
System File Execution Location Anomaly
Detects the execution of a Windows system binary that is usually located in the system folder from an uncommon location.
Suspicious SYSTEM User Process Creation
Detects a suspicious process creation as SYSTEM user (suspicious program or command line parameter)
Suspicious Userinit Child Process
Detects a suspicious child process of userinit