Sigma Rules
15 rules found for "Florian Roth (Nextron Systems)"
File Creation Date Changed to Another Year
Detects when the file creation time is changed to a year before 2020. Attackers may change the file creation time of a backdoor to make it look like it was installed with the operating system. Note that many processes legitimately change the creation time of a file; it does not necessarily indicate malicious activity. In order to use this rule in production, it is recommended first baseline normal behavior in your environment and then tune the rule accordingly. Hunting Recommendation: Focus on files with creation times set to years significantly before the current date, especially those in user-writable directories. Correlate with process execution logs to identify the source of the modification and investigate any unsigned or suspicious binaries involved.
Network Connection Initiated By PowerShell Process
Detects a network connection that was initiated from a PowerShell process. Often times malicious powershell scripts download additional payloads or communicate back to command and control channels via uncommon ports or IPs. Use this rule as a basis for hunting for anomalies.
Network Connection Initiated From Users\Public Folder
Detects a network connection initiated from a process located in the "C:\Users\Public" folder. Attacker are known to drop their malicious payloads and malware in this directory as its writable by everyone. Use this rule to hunt for potential suspicious or uncommon activity in your environement.
LSASS Access From Program In Potentially Suspicious Folder
Detects process access to LSASS memory with suspicious access flags and from a potentially suspicious folder
Uncommon GrantedAccess Flags On LSASS
Detects process access to LSASS memory with uncommon access flags 0x410 and 0x01410
File Download Via Curl.EXE
Detects file download using curl.exe
Curl.EXE Execution
Detects a curl process start on Windows, which could indicates a file download from a remote location or a simple web request to a remote server
Potential Data Exfiltration Via Curl.EXE
Detects the execution of the "curl" process with "upload" flags. Which might indicate potential data exfiltration
Potentially Suspicious PowerShell Child Processes
Detects potentially suspicious child processes spawned by PowerShell. Use this rule to hunt for potential anomalies initiating from PowerShell scripts and commands.
DLL Call by Ordinal Via Rundll32.EXE
Detects calls of DLLs exports by ordinal numbers via rundll32.dll.
Scheduled Task Creation From Potential Suspicious Parent Location
Detects the execution of "schtasks.exe" from a parent that is located in a potentially suspicious location. Multiple malware strains were seen exhibiting a similar behavior in order to achieve persistence.
Potential CommandLine Obfuscation Using Unicode Characters
Detects potential CommandLine obfuscation using unicode characters. Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit.
Potentially Suspicious Compression Tool Parameters
Detects potentially suspicious command line arguments of common data compression tools
Execution From Webserver Root Folder
Detects a program executing from a web server root folder. Use this rule to hunt for potential interesting activity such as webshell or backdoors
Service Binary in User Controlled Folder
Detects the setting of the "ImagePath" value of a service registry key to a path controlled by a non-administrator user such as "\AppData\" or "\ProgramData\". Attackers often use such directories for staging purposes. This rule might also trigger on badly written software, where if an attacker controls an auto starting service, they might achieve persistence or privilege escalation. Note that while ProgramData is a user controlled folder, software might apply strict ACLs which makes them only accessible to admin users. Remove such folders via filters if you experience a lot of noise.