Sigma Rules
139 rules found for "Nasreddine Bencherchali (Nextron Systems)"
Rejetto HTTP File Server RCE
Detects attempts to exploit a Rejetto HTTP File Server (HFS) via CVE-2014-6287
Elise Backdoor Activity
Detects Elise backdoor activity used by APT32
Potential MuddyWater APT Activity
Detects potential Muddywater APT activity
Potential Dridex Activity
Detects potential Dridex activity via specific process patterns
Potential Dtrack RAT Activity
Detects potential Dtrack RAT activity via specific process patterns
Potential Ryuk Ransomware Activity
Detects Ryuk ransomware activity
Potential APT-C-12 BlueMushroom DLL Load Activity Via Regsvr32
Detects potential BlueMushroom DLL loading activity via regsvr32 from AppData Local
Potential EmpireMonkey Activity
Detects potential EmpireMonkey APT activity
CVE-2021-44077 POC Default Dropped File
Detects the creation of "msiexec.exe" in the "bin" directory of the ManageEngine SupportCenter Plus (Related to CVE-2021-44077) and public POC available (See references section)
Potential Devil Bait Related Indicator
Detects the creation of ".xml" and ".txt" files in folders of the "\AppData\Roaming\Microsoft" directory by uncommon processes. This behavior was commonly seen across different Devil Bait samples and stages, as described by the NCSC
Potential Devil Bait Malware Reconnaissance
Detects specific process behavior observed with Devil Bait samples
Devil Bait Potential C2 Communication Traffic
Detects potential C2 communication related to Devil Bait malware
Goofy Guineapig Backdoor IOC
Detects malicious indicators seen used by the Goofy Guineapig malware
Potential Goofy Guineapig GoogleUpdate Process Anomaly
Detects "GoogleUpdate.exe" spawning a new instance of itself in an uncommon location as seen used by the Goofy Guineapig backdoor
Goofy Guineapig Backdoor Potential C2 Communication
Detects potential C2 communication related to Goofy Guineapig backdoor
Goofy Guineapig Backdoor Service Creation
Detects service creation persistence used by the Goofy Guineapig backdoor
Small Sieve Malware File Indicator Creation
Detects filename indicators that contain a specific typo seen used by the Small Sieve malware.
Small Sieve Malware CommandLine Indicator
Detects a specific command line argument being passed to a binary, as seen being used by the Small Sieve malware.
Small Sieve Malware Potential C2 Communication
Detects potential C2 communication related to Small Sieve malware
Small Sieve Malware Registry Persistence
Detects a registry value with a specific intentional typo and strings seen used by the Small Sieve malware
Potential CVE-2023-21554 QueueJumper Exploitation
Detects potential exploitation of CVE-2023-21554 (dubbed QueueJumper)
Atlassian Confluence CVE-2022-26134
Detects spawning of suspicious child processes by Atlassian Confluence server which may indicate successful exploitation of CVE-2022-26134
CVE-2022-31656 VMware Workspace ONE Access Auth Bypass
Detects the exploitation of the VMware Workspace ONE Access Authentication Bypass vulnerability as described in CVE-2022-31656. VMware Workspace ONE Access, Identity Manager and vRealize Automation contain an authentication bypass vulnerability affecting local domain users. A malicious actor with network access to the UI may be able to obtain administrative access without the need to authenticate.
CVE-2022-31659 VMware Workspace ONE Access RCE
Detects possible exploitation of VMware Workspace ONE Access Admin Remote Code Execution vulnerability as described in CVE-2022-31659
Apache Spark Shell Command Injection - ProcessCreation
Detects attempts to exploit an Apache Spark server via CVE-2014-6287 from a command line perspective
Apache Spark Shell Command Injection - Weblogs
Detects attempts to exploit an Apache Spark server via CVE-2014-6287 from a weblogs perspective
Atlassian Bitbucket Command Injection Via Archive API
Detects attempts to exploit the Atlassian Bitbucket Command Injection CVE-2022-36804
Potential OWASSRF Exploitation Attempt - Proxy
Detects an exploitation attempt of the OWASSRF variant targeting Exchange servers. It uses the OWA endpoint to access the PowerShell backend endpoint
OWASSRF Exploitation Attempt Using Public POC - Proxy
Detects an exploitation attempt of the OWASSRF variant targeting Exchange servers using a publicly available POC. It uses the OWA endpoint to access the PowerShell backend endpoint
Potential OWASSRF Exploitation Attempt - Webserver
Detects an exploitation attempt of the OWASSRF variant targeting Exchange servers. It uses the OWA endpoint to access the PowerShell backend endpoint
OWASSRF Exploitation Attempt Using Public POC - Webserver
Detects an exploitation attempt of the OWASSRF variant targeting Exchange servers using a publicly available POC. It uses the OWA endpoint to access the PowerShell backend endpoint
Exploitation Indicator Of CVE-2022-42475
Detects exploitation indicators of CVE-2022-42475, a heap-based buffer overflow in sslvpnd.
Potential Centos Web Panel Exploitation Attempt - CVE-2022-44877
Detects potential exploitation attempts that target the Centos Web Panel 7 Unauthenticated Remote Code Execution CVE-2022-44877
Potential CVE-2022-46169 Exploitation Attempt
Detects potential exploitation attempts that target the Cacti Command Injection CVE-2022-46169
Potential Bumblebee Remote Thread Creation
Detects remote thread injection events based on actions seen used by Bumblebee
Potential Raspberry Robin Dot Ending File
Detects a command line containing a reference to files ending with a ".". This scheme has been seen used by Raspberry Robin
CVE-2023-1389 Potential Exploitation Attempt - Unauthenticated Command Injection In TP-Link Archer AX21
Detects a potential exploitation attempt of CVE-2023-1389, an Unauthenticated Command Injection in TP-Link Archer AX21.
MSMQ Corrupted Packet Encountered
Detects corrupted packets sent to the MSMQ service. Could potentially be a sign of CVE-2023-21554 exploitation
Outlook Task/Note Reminder Received
Detects changes to the registry values related to Outlook that indicate that a reminder was triggered for a Note or Task item. This could be a sign of exploitation of CVE-2023-23397. Further investigation is required to determine the success of an exploitation.
Potential CVE-2023-23397 Exploitation Attempt - SMB
Detects (failed) outbound connection attempts to internet-facing SMB servers. This could be a sign of potential exploitation attempts of CVE-2023-23397.
Potential CVE-2023-25157 Exploitation Attempt
Detects a potential exploitation attempt of CVE-2023-25157, a SQL injection in GeoServer
Potential CVE-2023-25717 Exploitation Attempt
Detects a potential exploitation attempt of CVE-2023-25717, a Remote Code Execution via an unauthenticated HTTP GET request in Ruckus Wireless Admin
Potential CVE-2023-27997 Exploitation Indicators
Detects indicators of potential exploitation of CVE-2023-27997 in Fortigate weblogs. To avoid false positives it is best to look for successive requests to the endpoints mentioned, as well as unusual values of the "enc" parameter
Potential MOVEit Transfer CVE-2023-34362 Exploitation - File Activity
Detects file indicators of potential exploitation of MOVEit CVE-2023-34362.
MOVEit CVE-2023-34362 Exploitation Attempt - Potential Web Shell Request
Detects GET requests to specific files used during the exploitation of MOVEit CVE-2023-34362
Potential CVE-2023-36874 Exploitation - Uncommon Report.Wer Location
Detects the creation of a "Report.wer" file in an uncommon folder structure. This could be a sign of potential exploitation of CVE-2023-36874.
Potential CVE-2023-36874 Exploitation - Fake Wermgr.Exe Creation
Detects the creation of a file named "wermgr.exe" in an uncommon directory. This could be a sign of potential exploitation of CVE-2023-36874.
Potential CVE-2023-36874 Exploitation - Fake Wermgr Execution
Detects the execution of a renamed "cmd", "powershell" or "powershell_ise" binary. Attackers were seen using these binaries in a renamed form as "wermgr.exe" during exploitation of CVE-2023-36874