Sigma Rules
1,405 rules found for "Nextron Systems"
UAC Bypass Using EventVwr
Detects the pattern of a UAC bypass using Windows Event Viewer
UAC Bypass Using IDiagnostic Profile - File
Detects the creation of a file by "dllhost.exe" in System32 directory part of "IDiagnosticProfileUAC" UAC bypass technique
UAC Bypass Using IEInstal - File
Detects the pattern of UAC Bypass using IEInstal.exe (UACMe 64)
UAC Bypass Using MSConfig Token Modification - File
Detects the pattern of UAC Bypass using a msconfig GUI hack (UACMe 55)
UAC Bypass Using NTFS Reparse Point - File
Detects the pattern of UAC Bypass using NTFS reparse point and wusa.exe DLL hijacking (UACMe 36)
UAC Bypass Abusing Winsat Path Parsing - File
Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52)
UAC Bypass Using Windows Media Player - File
Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32)
Visual Studio Code Tunnel Remote File Creation
Detects the creation of file by the "node.exe" process in the ".vscode-server" directory. Could be a sign of remote file creation via VsCode tunnel feature
Renamed VsCode Code Tunnel Execution - File Indicator
Detects the creation of a file with the name "code_tunnel.json" which indicate execution and usage of VsCode tunneling utility by an "Image" or "Process" other than VsCode.
WinRAR Creating Files in Startup Locations
Detects WinRAR creating files in Windows startup locations, which may indicate an attempt to establish persistence by adding malicious files to the Startup folder. This kind of behaviour has been associated with exploitation of WinRAR path traversal vulnerability CVE-2025-6218 or CVE-2025-8088.
Wmiexec Default Output File
Detects the creation of the default output filename used by the wmiexec tool
UEFI Persistence Via Wpbbin - FileCreation
Detects creation of a file named "wpbbin" in the "%systemroot%\system32\" directory. Which could be indicative of UEFI based persistence method
DLL Loaded From Suspicious Location Via Cmspt.EXE
Detects cmstp loading "dll" or "ocx" files from suspicious locations
Amsi.DLL Loaded Via LOLBIN Process
Detects loading of "Amsi.dll" by a living of the land process. This could be an indication of a "PowerShell without PowerShell" attack
Suspicious Renamed Comsvcs DLL Loaded By Rundll32
Detects rundll32 loading a renamed comsvcs.dll to dump process memory
HackTool - SharpEvtMute DLL Load
Detects the load of EvtMuteHook.dll, a key component of SharpEvtHook, a tool that tampers with the Windows event logs
Microsoft Excel Add-In Loaded From Uncommon Location
Detects Microsoft Excel loading an Add-In (.xll) file from an uncommon location
Microsoft VBA For Outlook Addin Loaded Via Outlook
Detects outlvba (Microsoft VBA for Outlook Addin) DLL being loaded by the outlook process
PowerShell Core DLL Loaded Via Office Application
Detects PowerShell core DLL being loaded by an Office Product
Remote DLL Load Via Rundll32.EXE
Detects a remote DLL load event via "rundll32.exe".
Abusable DLL Potential Sideloading From Suspicious Location
Detects potential DLL sideloading of DLLs that are known to be abused from suspicious locations
Potential Antivirus Software DLL Sideloading
Detects potential DLL sideloading of DLLs that are part of antivirus software suchas McAfee, Symantec...etc
Potential appverifUI.DLL Sideloading
Detects potential DLL sideloading of "appverifUI.dll"
Aruba Network Service Potential DLL Sideloading
Detects potential DLL sideloading activity via the Aruba Networks Virtual Intranet Access "arubanetsvc.exe" process using DLL Search Order Hijacking
Potential AVKkid.DLL Sideloading
Detects potential DLL sideloading of "AVKkid.dll"
Potential CCleanerDU.DLL Sideloading
Detects potential DLL sideloading of "CCleanerDU.dll"
Potential Chrome Frame Helper DLL Sideloading
Detects potential DLL sideloading of "chrome_frame_helper.dll"
Potential DLL Sideloading Via comctl32.dll
Detects potential DLL sideloading using comctl32.dll to obtain system privileges
Potential DLL Sideloading Of DBGCORE.DLL
Detects DLL sideloading of "dbgcore.dll"
Potential DLL Sideloading Of DBGHELP.DLL
Detects potential DLL sideloading of "dbghelp.dll"
Potential EACore.DLL Sideloading
Detects potential DLL sideloading of "EACore.dll"
Potential Edputil.DLL Sideloading
Detects potential DLL sideloading of "edputil.dll"
Potential System DLL Sideloading From Non System Locations
Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64, etc.).
Potential Goopdate.DLL Sideloading
Detects potential DLL sideloading of "goopdate.dll", a DLL used by googleupdate.exe
Potential DLL Sideloading Of Libcurl.DLL Via GUP.EXE
Detects potential DLL sideloading of "libcurl.dll" by the "gup.exe" process from an uncommon location
Potential Iviewers.DLL Sideloading
Detects potential DLL sideloading of "iviewers.dll" (OLE/COM Object Interface Viewer)
Potential JLI.dll Side-Loading
Detects potential DLL side-loading of jli.dll. JLI.dll has been observed being side-loaded by Java processes by various threat actors, including APT41, XWorm, and others in order to load malicious payloads in context of legitimate Java processes.
Potential Mfdetours.DLL Sideloading
Detects potential DLL sideloading of "mfdetours.dll". While using "mftrace.exe" it can be abused to attach to an arbitrary process and force load any DLL named "mfdetours.dll" from the current directory of execution.
Unsigned Mfdetours.DLL Sideloading
Detects DLL sideloading of unsigned "mfdetours.dll". Executing "mftrace.exe" can be abused to attach to an arbitrary process and force load any DLL named "mfdetours.dll" from the current directory of execution.
Potential DLL Sideloading Of MpSvc.DLL
Detects potential DLL sideloading of "MpSvc.dll".
Potential DLL Sideloading Of Non-Existent DLLs From System Folders
Detects loading of specific system DLL files that are usually not present on the system (or at least not in system directories) but may be loaded by legitimate processes, potentially indicating phantom DLL hijacking attempts. Phantom DLL hijacking involves placing malicious DLLs with names of non-existent system binaries in locations where legitimate applications may search for them, leading to execution of the malicious DLLs.
Microsoft Office DLL Sideload
Detects DLL sideloading of DLLs that are part of Microsoft Office from non standard location
Potential Rcdll.DLL Sideloading
Detects potential DLL sideloading of rcdll.dll
Potential RjvPlatform.DLL Sideloading From Default Location
Detects loading of "RjvPlatform.dll" by the "SystemResetPlatform.exe" binary which can be abused as a method of DLL side loading since the "$SysReset" directory isn't created by default.
Potential RjvPlatform.DLL Sideloading From Non-Default Location
Detects potential DLL sideloading of "RjvPlatform.dll" by "SystemResetPlatform.exe" located in a non-default location.
Potential RoboForm.DLL Sideloading
Detects potential DLL sideloading of "roboform.dll", a DLL used by RoboForm Password Manager
DLL Sideloading Of ShellChromeAPI.DLL
Detects processes loading the non-existent DLL "ShellChromeAPI". One known example is the "DeviceEnroller" binary in combination with the "PhoneDeepLink" flag tries to load this DLL. Adversaries can drop their own renamed DLL and execute it via DeviceEnroller.exe using this parameter
Potential ShellDispatch.DLL Sideloading
Detects potential DLL sideloading of "ShellDispatch.dll"