Sigma Rules
57 rules found for "X__Junior (Nextron Systems)"
Malware User Agent
Detects suspicious user agent strings used by malware in proxy logs
Access To Crypto Currency Wallets By Uncommon Applications
Detects file access requests to crypto currency files by uncommon processes. Could indicate potential attempt of crypto currency wallet stealing.
Suspicious File Access to Browser Credential Storage
Detects file access to browser credential storage paths by non-browser processes, which may indicate credential access attempts. Adversaries may attempt to access browser credential storage to extract sensitive information such as usernames and passwords or cookies. This behavior is often commonly observed in credential stealing malware.
Suspicious File Creation Activity From Fake Recycle.Bin Folder
Detects file write event from/to a fake recycle bin folder that is often used as a staging directory for malware
Abusable DLL Potential Sideloading From Suspicious Location
Detects potential DLL sideloading of DLLs that are known to be abused from suspicious locations
Potential appverifUI.DLL Sideloading
Detects potential DLL sideloading of "appverifUI.dll"
Potential AVKkid.DLL Sideloading
Detects potential DLL sideloading of "AVKkid.dll"
Potential CCleanerDU.DLL Sideloading
Detects potential DLL sideloading of "CCleanerDU.dll"
Potential EACore.DLL Sideloading
Detects potential DLL sideloading of "EACore.dll"
Potential Edputil.DLL Sideloading
Detects potential DLL sideloading of "edputil.dll"
Potential Goopdate.DLL Sideloading
Detects potential DLL sideloading of "goopdate.dll", a DLL used by googleupdate.exe
Potential Iviewers.DLL Sideloading
Detects potential DLL sideloading of "iviewers.dll" (OLE/COM Object Interface Viewer)
Potential Rcdll.DLL Sideloading
Detects potential DLL sideloading of rcdll.dll
Potential RjvPlatform.DLL Sideloading From Default Location
Detects loading of "RjvPlatform.dll" by the "SystemResetPlatform.exe" binary which can be abused as a method of DLL side loading since the "$SysReset" directory isn't created by default.
Potential RjvPlatform.DLL Sideloading From Non-Default Location
Detects potential DLL sideloading of "RjvPlatform.dll" by "SystemResetPlatform.exe" located in a non-default location.
Potential RoboForm.DLL Sideloading
Detects potential DLL sideloading of "roboform.dll", a DLL used by RoboForm Password Manager
Potential ShellDispatch.DLL Sideloading
Detects potential DLL sideloading of "ShellDispatch.dll"
Potential SmadHook.DLL Sideloading
Detects potential DLL sideloading of "SmadHook.dll", a DLL used by SmadAV antivirus
Potential SolidPDFCreator.DLL Sideloading
Detects potential DLL sideloading of "SolidPDFCreator.dll"
Potential Vivaldi_elf.DLL Sideloading
Detects potential DLL sideloading of "vivaldi_elf.dll"
Potential Waveedit.DLL Sideloading
Detects potential DLL sideloading of "waveedit.dll", which is part of the Nero WaveEditor audio editing software.
Potential Wazuh Security Platform DLL Sideloading
Detects potential DLL side loading of DLLs that are part of the Wazuh security platform
Potential WWlib.DLL Sideloading
Detects potential DLL sideloading of "wwlib.dll"
New Connection Initiated To Potential Dead Drop Resolver Domain
Detects an executable, which is not an internet browser or known application, initiating network connections to legit popular websites, which were seen to be used as dead drop resolvers in previous attacks. In this context attackers leverage known websites such as "facebook", "youtube", etc. In order to pass through undetected.
Office Application Initiated Network Connection Over Uncommon Ports
Detects an office suit application (Word, Excel, PowerPoint, Outlook) communicating to target systems over uncommon ports.
Suspicious Wordpad Outbound Connections
Detects a network connection initiated by "wordpad.exe" over uncommon destination ports. This might indicate potential process injection activity from a beacon or similar mechanisms.
Chromium Browser Instance Executed With Custom Extension
Detects a Chromium based browser process with the 'load-extension' flag to start a instance with a custom extension
Chromium Browser Headless Execution To Mockbin Like Site
Detects the execution of a Chromium based browser process with the "headless" flag and a URL pointing to the mockbin.org service (which can be used to exfiltrate data).
Suspicious Chromium Browser Instance Executed With Custom Extension
Detects a suspicious process spawning a Chromium based browser process with the 'load-extension' flag to start an instance with a custom extension
Greedy File Deletion Using Del
Detects execution of the "del" builtin command to remove files using greedy/wildcard expression. This is often used by malware to delete content of folders that perhaps contains the initial malware infection or to delete evidence.
Potentially Suspicious Ping/Copy Command Combination
Detects uncommon and potentially suspicious one-liner command containing both "ping" and "copy" at the same time, which is usually used by malware.
Dynamic .NET Compilation Via Csc.EXE
Detects execution of "csc.exe" to compile .NET code. Attackers often leverage this to compile code on the fly and use it in other stages.
Csc.EXE Execution Form Potentially Suspicious Parent
Detects a potentially suspicious parent of "csc.exe", which could be a sign of payload delivery.
Insecure Transfer Via Curl.EXE
Detects execution of "curl.exe" with the "--insecure" flag.
Potentially Suspicious Cabinet File Expansion
Detects the expansion or decompression of cabinet files from potentially suspicious or uncommon locations, e.g. seen in Iranian MeteorExpress related attacks
File Encryption/Decryption Via Gpg4win From Suspicious Locations
Detects usage of Gpg4win to encrypt/decrypt files located in potentially suspicious locations.
Firewall Rule Update Via Netsh.EXE
Detects execution of netsh with the "advfirewall" and the "set" option in order to set new values for properties of a existing rule
PowerShell Execution With Potential Decryption Capabilities
Detects PowerShell commands that decrypt an ".LNK" "file to drop the next stage of the malware.
PUA - PingCastle Execution From Potentially Suspicious Parent
Detects the execution of PingCastle, a tool designed to quickly assess the Active Directory security level via a script located in a potentially suspicious or uncommon location.
Suspicious Greedy Compression Using Rar.EXE
Detects RAR usage that creates an archive from a suspicious folder, either a system folder or one of the folders often used by attackers for staging purposes
Renamed CURL.EXE Execution
Detects the execution of a renamed "CURL.exe" binary based on the PE metadata fields
Renamed NirCmd.EXE Execution
Detects the execution of a renamed "NirCmd.exe" binary based on the PE metadata fields.
Renamed PingCastle Binary Execution
Detects the execution of a renamed "PingCastle" binary based on the PE metadata fields.
Potential ShellDispatch.DLL Functionality Abuse
Detects potential "ShellDispatch.dll" functionality abuse to execute arbitrary binaries via "ShellExecute"
Scheduled Task Executing Payload from Registry
Detects the creation of a schtasks that potentially executes a payload stored in the Windows Registry using PowerShell.
Scheduled Task Executing Encoded Payload from Registry
Detects the creation of a schtask that potentially executes a base64 encoded payload stored in the Windows Registry using PowerShell.
Uncommon Child Processes Of SndVol.exe
Detects potentially uncommon child processes of SndVol.exe (the Windows volume mixer)
Potentially Suspicious EventLog Recon Activity Using Log Query Utilities
Detects execution of different log query utilities and commands to search and dump the content of specific event logs or look for specific event IDs. This technique is used by threat actors in order to extract sensitive information from events logs such as usernames, IP addresses, hostnames, etc.