Sigma Rules
19 rules found for "Max Altgelt (Nextron Systems)"
Commands to Clear or Remove the Syslog - Builtin
Detects specific commands commonly used to remove or empty the syslog
Syslog Clearing or Removal Via System Utilities
Detects specific commands commonly used to remove or empty the syslog, a technique often used by attackers to hide their tracks
Certificate Request Export to Exchange Webserver
Detects a write of an Exchange CSR to an atypical directory or with an .aspx name suffix, which can be used to place a webshell
Outgoing Logon with New Credentials
Detects logon events that specify new credentials
Process Deletion of Its Own Executable
Detects the deletion of a process's executable by itself. This is usually not possible without workarounds and may be used by malware to hide its traces.
Potential Persistence Via Microsoft Office Startup Folder
Detects creation of Microsoft Office files inside of one of the default startup folders in order to achieve persistence.
Network Connection Initiated By Eqnedt32.EXE
Detects network connections from the Equation Editor process "eqnedt32.exe".
Malicious PowerShell Commandlets - ScriptBlock
Detects Commandlet names from well-known PowerShell exploitation frameworks
Live Memory Dump Using Powershell
Detects usage of a PowerShell command to dump the live memory of a Windows machine
Malicious ShellIntel PowerShell Commandlets
Detects Commandlet names from ShellIntel exploitation scripts.
Copy From VolumeShadowCopy Via Cmd.EXE
Detects the execution of the builtin "copy" command that targets a shadow copy (sometimes used to copy registry hives that are in use)
Node Process Executions
Detects the execution of other scripts using the Node executable packaged with Adobe Creative Cloud
Execution of Powershell Script in Public Folder
This rule detects execution of PowerShell scripts located in the "C:\Users\Public" folder
Renamed BrowserCore.EXE Execution
Detects process creation with a renamed BrowserCore.exe (used to extract Azure tokens)
Execution Of Non-Existing File
Checks whether the image specified in a process creation event is not a full, absolute path (caused by process ghosting or other unorthodox methods to start a process)
Execution of Suspicious File Type Extension
Detects whether the image specified in a process creation event doesn't refer to an ".exe" (or other known executable extension) file. This can be caused by process ghosting or other unorthodox methods to start a process. This rule might require some initial baselining to align with third-party tooling in the user environment.
Suspicious Script Execution From Temp Folder
Detects suspicious script executions from a temporary folder
Sensitive File Access Via Volume Shadow Copy Backup
Detects a command that accesses the VolumeShadowCopy in order to extract sensitive files such as the Security or SAM registry hives or the AD database (ntds.dit)
Process Creation Using Sysnative Folder
Detects process creation events that use the Sysnative folder (common for CobaltStrike spawns)