Sigma Rules
957 rules found for "Nasreddine Bencherchali (Nextron Systems)"
File Encryption Using Gpg4win
Detects usage of Gpg4win to encrypt files
Portable Gpg.EXE Execution
Detects the execution of "gpg.exe" from an uncommon location. Often used by ransomware and loaders to decrypt/encrypt data.
File Encryption/Decryption Via Gpg4win From Suspicious Locations
Detects usage of Gpg4win to encrypt/decrypt files located in potentially suspicious locations.
Arbitrary Binary Execution Using GUP Utility
Detects execution of the Notepad++ updater (gup) to launch other commands or executables
File Download Using Notepad++ GUP Utility
Detects execution of the Notepad++ updater (gup) from a process other than Notepad++ to download files.
Remote CHM File Download/Execution Via HH.EXE
Detects the usage of "hh.exe" to execute/download remotely hosted ".chm" files.
HTML Help HH.EXE Suspicious Child Process
Detects a suspicious child process of Microsoft HTML Help (HH.exe)
Potential CobaltStrike Process Patterns
Detects potential process patterns related to Cobalt Strike beacon activity
HackTool - GMER Rootkit Detector and Remover Execution
Detects the execution of the GMER tool based on image and hash fields.
HackTool - Inveigh Execution
Detects the use of Inveigh, a cross-platform .NET IPv4/IPv6 machine-in-the-middle tool
HackTool - RemoteKrbRelay Execution
Detects the use of RemoteKrbRelay, a Kerberos relaying tool via CommandLine flags and PE metadata.
HackTool - LaZagne Execution
Detects the execution of LaZagne, a utility used to retrieve multiple types of passwords stored on a local computer. LaZagne has been leveraged multiple times by threat actors to dump credentials.
HackTool - LocalPotato Execution
Detects the execution of the LocalPotato POC based on basic PE metadata information and default CLI examples
HackTool - PCHunter Execution
Detects suspicious use of PCHunter, a tool similar to Process Hacker used to view and manipulate processes, kernel options and other low-level system internals
HackTool - PowerTool Execution
Detects the execution of the tool PowerTool which has the ability to kill a process, delete its process file, unload drivers, and delete the driver files
HackTool - Quarks PwDump Execution
Detects usage of the Quarks PwDump tool via commandline arguments
HackTool - SafetyKatz Execution
Detects the execution of the hacktool SafetyKatz via PE information and default Image name
HackTool - SharpChisel Execution
Detects usage of SharpChisel via the commandline arguments
HackTool - SharpDPAPI Execution
Detects the execution of the SharpDPAPI tool based on CommandLine flags and PE metadata. SharpDPAPI is a C# port of some DPAPI functionality from the Mimikatz project.
HackTool - SharpImpersonation Execution
Detects execution of the SharpImpersonation tool, which can be used to manipulate tokens on a Windows computer remotely (PsExec/WmiExec) or interactively
HackTool - SharpLDAPmonitor Execution
Detects execution of SharpLDAPmonitor, which can monitor the creation, deletion and modification of LDAP objects.
HackTool - SharpWSUS/WSUSpendu Execution
Detects the execution of SharpWSUS or WSUSpendu, utilities that allow for lateral movement through WSUS. Windows Server Update Services (WSUS) is a critical component of Windows systems and is frequently configured in a way that allows an attacker to circumvent internal networking limitations.
HackTool - Sliver C2 Implant Activity Pattern
Detects process activity patterns as seen being used by Sliver C2 framework implants
HackTool - Wmiexec Default Powershell Command
Detects the execution of PowerShell with a specific flag sequence that is used by the Wmiexec script
File Download And Execution Via IEExec.EXE
Detects execution of the IEExec utility to download and execute files
Self Extracting Package Creation Via Iexpress.EXE From Potentially Suspicious Location
Detects the use of iexpress.exe to create binaries via Self Extraction Directive (SED) files located in potentially suspicious locations. This behavior has been observed in-the-wild by different threat actors.
Suspicious IIS URL GlobalRules Rewrite Via AppCmd
Detects usage of "appcmd" to create new global URL rewrite rules. This behaviour has been observed being used by threat actors to add new rules so they can access their webshells.
C# IL Code Compilation Via Ilasm.EXE
Detects the use of "Ilasm.EXE" in order to compile C# intermediate (IL) code to EXE or DLL.
ImagingDevices Unusual Parent/Child Processes
Detects unusual parent or child processes of the ImagingDevices.exe (Windows Contacts) process as seen being used with Bumblebee activity
File Download Via InstallUtil.EXE
Detects use of .NET InstallUtil.exe in order to download arbitrary files. The files will be written to "%LOCALAPPDATA%\Microsoft\Windows\INetCache\IE\"
Shell Process Spawned by Java.EXE
Detects shell spawned from Java host process, which could be a sign of exploitation (e.g. log4j exploitation)
Kavremover Dropped Binary LOLBIN Usage
Detects the execution of a signed binary dropped by Kaspersky Lab Products Remover (kavremover) which can be abused as a LOLBIN to execute arbitrary commands and binaries.
Windows Kernel Debugger Execution
Detects execution of the Windows Kernel Debugger "kd.exe".
Computer Password Change Via Ksetup.EXE
Detects password change for the computer's domain account or host principal via "ksetup.exe"
Logged-On User Password Change Via Ksetup.EXE
Detects a password change for the logged-on user via "ksetup.exe"
Active Directory Structure Export Via Ldifde.EXE
Detects the execution of "ldifde.exe" in order to export organizational Active Directory structure.
Uncommon Link.EXE Parent Process
Detects an uncommon parent process of "LINK.EXE". Link.EXE is the Microsoft incremental linker, a utility usually bundled with a Visual Studio installation. Multiple utilities often found in the same folder (editbin.exe, dumpbin.exe, lib.exe, etc.) have a hardcoded call to the "LINK.EXE" binary without checking its validity. This would allow an attacker to sideload any binary with the name "link.exe" if one of the aforementioned tools is executed from a different location. By filtering out the known locations of such utilities, we can spot uncommon parent processes of LINK.EXE that might be suspicious or malicious.
Rebuild Performance Counter Values Via Lodctr.EXE
Detects the execution of "lodctr.exe" to rebuild the performance counter registry values. This can be abused by attackers by providing a malicious config file to overwrite performance counter configuration to confuse and evade monitoring and security solutions.
Launch-VsDevShell.PS1 Proxy Execution
Detects the use of the 'Launch-VsDevShell.ps1' Microsoft signed script to execute commands.
Potential Manage-bde.wsf Abuse To Proxy Execution
Detects potential abuse of the "manage-bde.wsf" script as a LOLBIN to proxy execution
Use of OpenConsole
Detects usage of the OpenConsole binary as a LOLBIN to launch other binaries and bypass application whitelisting
Use of Pcalua For Execution
Detects execution of commands and binaries from the context of the Program Compatibility Assistant (Pcalua.exe). This can be used as a LOLBIN in order to bypass application whitelisting.
Execute Pcwrun.EXE To Leverage Follina
Detects indirect command execution via Program Compatibility Assistant "pcwrun.exe" leveraging the follina (CVE-2022-30190) vulnerability
Execute Code with Pester.bat as Parent
Detects code execution via Pester.bat (Pester - PowerShell module for testing)
REGISTER_APP.VBS Proxy Execution
Detects the use of a Microsoft signed script 'REGISTER_APP.VBS' to register a VSS/VDS Provider as a COM+ application.
Use of Scriptrunner.exe
The "ScriptRunner.exe" binary can be abused to proxy execution through it and bypass possible whitelisting
Use Of The SFTP.EXE Binary As A LOLBIN
Detects the usage of the "sftp.exe" binary as a LOLBIN by abusing the "-D" flag
Use of VSIISExeLauncher.exe
The "VSIISExeLauncher.exe" binary, part of Visual Studio/VS Code, can be used to execute arbitrary binaries