Antivirus Exploitation Framework Detection

Detects a highly relevant Antivirus alert that reports an exploitation framework.

Sigma rule

title: Antivirus Exploitation Framework Detection
id: 238527ad-3c2c-4e4f-a1f6-92fd63adb864
status: stable
description: Detects a highly relevant Antivirus alert that reports an exploitation framework.
references:
    - https://www.nextron-systems.com/?s=antivirus
    - https://www.virustotal.com/gui/file/925b0b28472d4d79b4bf92050e38cc2b8f722691c713fc28743ac38551bc3797
    - https://www.virustotal.com/gui/file/8f8daabe1c8ceb5710949283818e16c4aa8059bf2ce345e2f2c90b8692978424
    - https://www.virustotal.com/gui/file/d9669f7e3eb3a9cdf6a750eeb2ba303b5ae148a43e36546896f1d1801e912466
author: Florian Roth (Nextron Systems), Arnim Rupp
date: 2018-09-09
modified: 2024-07-17
tags:
    - attack.execution
    - attack.t1203
    - attack.command-and-control
    - attack.t1219
logsource:
    category: antivirus
detection:
    selection:
        Signature|contains:
            - 'Backdoor.Cobalt'
            - 'Brutel'
            - 'BruteR'
            - 'CobaltStr'
            - 'CobaltStrike'
            - 'COBEACON'
            - 'Cometer'
            - 'Exploit.Script.CVE'
            - 'IISExchgSpawnCMD'
            - 'Metasploit'
            - 'Meterpreter'
            - 'MeteTool'
            - 'Mpreter'
            - 'MsfShell'
            - 'PowerSploit'
            - 'Razy'
            - 'Rozena'
            - 'Sbelt'
            - 'Seatbelt'
            - 'Sliver'
            - 'Swrort'
    condition: selection
falsepositives:
    - Unlikely
level: critical
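The rule is a single `Signature|contains` list over the antivirus log source, so its whole logic is "does the vendor's signature name contain any of these substrings". The evaluator below is an added example written for this page; it is not SigmaHQ code and not the output of any Sigma backend. It copies the marker list verbatim, applies it to a handful of constructed antivirus events (the hostnames, paths and signature names are made up for the example), and follows the Sigma specification in matching strings case-insensitively. Two points it makes visible that the YAML alone does not: an event without a string `Signature` field never matches, and short markers such as 'Razy' or 'Sbelt' fire on any longer name that happens to contain them (the constructed "CrazyToolbar" entry shows this), which is worth checking against your own vendor's naming scheme before shipping a `critical` alert on it.

```python
"""Evaluate the rule's `Signature|contains` selection over antivirus events.

Added example for this page; not SigmaHQ code. Sample events are constructed.
"""

# Marker list copied verbatim from the rule's selection.
SIGNATURE_MARKERS = [
    "Backdoor.Cobalt", "Brutel", "BruteR", "CobaltStr", "CobaltStrike", "COBEACON",
    "Cometer", "Exploit.Script.CVE", "IISExchgSpawnCMD", "Metasploit", "Meterpreter",
    "MeteTool", "Mpreter", "MsfShell", "PowerSploit", "Razy", "Rozena", "Sbelt",
    "Seatbelt", "Sliver", "Swrort",
]


def matching_markers(event: dict) -> list[str]:
    """Return every marker the event's Signature field contains.

    Sigma string matching is case-insensitive by default, so both sides are
    case-folded before the substring test. Events without a string Signature
    (for example a scan-summary record) never match.
    """
    signature = event.get("Signature")
    if not isinstance(signature, str):
        return []
    folded = signature.casefold()
    return [m for m in SIGNATURE_MARKERS if m.casefold() in folded]


def matches_rule(event: dict) -> bool:
    """True when the rule's `condition: selection` holds for this event."""
    return bool(matching_markers(event))


# Constructed sample events: vendor-style signature names invented for this
# example; they are not taken from any real detection log or product.
SAMPLE_EVENTS = [
    {"Computer": "ws01", "Signature": "Backdoor:Win32/CobaltStrike.A",
     "Path": r"C:\Users\alice\beacon.exe"},
    {"Computer": "ws02", "Signature": "Trojan.Win32.Generic",
     "Path": r"C:\Temp\update.exe"},
    {"Computer": "srv01", "Signature": "HackTool:Win64/Mpreter!dha",
     "Path": r"C:\Windows\Temp\x.dll"},
    {"Computer": "ws03", "Signature": "Exploit.Script.CVE.gen",
     "Path": r"C:\Users\bob\invoice.doc"},
    {"Computer": "ws04", "Signature": "PUA.Win32.Toolbar",
     "Path": r"C:\Program Files\tb\tb.exe"},
    # Benign-looking name that still trips the short 'Razy' marker (substring of "Crazy").
    {"Computer": "ws05", "Signature": "Adware.Win32.CrazyToolbar",
     "Path": r"C:\Users\carol\setup.exe"},
    # Record with no Signature field at all: must never match.
    {"Computer": "srv02", "ScanResult": "clean"},
]


def evaluate(events: list[dict]) -> list[tuple[str, str, list[str]]]:
    """Run the selection over a batch; report (host, signature, markers) per hit."""
    return [
        (e.get("Computer", "?"), e["Signature"], matching_markers(e))
        for e in events
        if matches_rule(e)
    ]


if __name__ == "__main__":
    for host, sig, markers in evaluate(SAMPLE_EVENTS):
        print(f"[critical] {host}: {sig!r} matched {markers}")
```

Running it against the constructed batch yields four hits: ws01 (CobaltStr, CobaltStrike), srv01 (Mpreter), ws03 (Exploit.Script.CVE) and ws05 (Razy). The last one is the overmatch case; if your vendor's naming produces such collisions, tighten the marker or add a filter rather than lowering the level.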
