Antivirus Exploitation Framework Detection
Detects a highly relevant antivirus alert that reports an exploitation framework. This event must not be ignored just because the AV has blocked the malware; investigate how it got there in the first place.
Sigma rule

title: Antivirus Exploitation Framework Detection
id: 238527ad-3c2c-4e4f-a1f6-92fd63adb864
status: stable
description: |
    Detects a highly relevant Antivirus alert that reports an exploitation framework.
    This event must not be ignored just because the AV has blocked the malware but investigate, how it came there in the first place.
references:
    - https://www.nextron-systems.com/?s=antivirus
    - https://www.virustotal.com/gui/file/925b0b28472d4d79b4bf92050e38cc2b8f722691c713fc28743ac38551bc3797
    - https://www.virustotal.com/gui/file/8f8daabe1c8ceb5710949283818e16c4aa8059bf2ce345e2f2c90b8692978424
    - https://www.virustotal.com/gui/file/d9669f7e3eb3a9cdf6a750eeb2ba303b5ae148a43e36546896f1d1801e912466
author: Florian Roth (Nextron Systems), Arnim Rupp
date: 2018-09-09
modified: 2024-11-02
tags:
    - attack.execution
    - attack.t1203
    - attack.command-and-control
    - attack.t1219
logsource:
    category: antivirus
detection:
    selection:
        Signature|contains:
            - 'Backdoor.Cobalt'
            - 'Brutel'
            - 'BruteR'
            - 'CobaltStr'
            - 'CobaltStrike'
            - 'COBEACON'
            - 'Cometer'
            - 'Exploit.Script.CVE'
            - 'IISExchgSpawnCMD'
            - 'Metasploit'
            - 'Meterpreter'
            - 'MeteTool'
            - 'Mpreter'
            - 'MsfShell'
            - 'PowerSploit'
            - 'Razy'
            - 'Rozena'
            - 'Sbelt'
            - 'Seatbelt'
            - 'Sliver'
            - 'Swrort'
    condition: selection
falsepositives:
    - Unlikely
level: critical
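To show how the `Signature|contains` selection above behaves when applied to antivirus events, here is an added example (not part of the Sigma rule or the page) that evaluates the rule's keyword list against a few constructed events. It assumes each event is a dict with a `Signature` field and, per the Sigma specification, treats plain string matching as case-insensitive.

```python
"""Evaluate the rule's Signature|contains selection against AV events (added example)."""

# Keyword list copied from the rule's selection.
EXPLOIT_FRAMEWORK_SIGNATURES = [
    "Backdoor.Cobalt", "Brutel", "BruteR", "CobaltStr", "CobaltStrike",
    "COBEACON", "Cometer", "Exploit.Script.CVE", "IISExchgSpawnCMD",
    "Metasploit", "Meterpreter", "MeteTool", "Mpreter", "MsfShell",
    "PowerSploit", "Razy", "Rozena", "Sbelt", "Seatbelt", "Sliver", "Swrort",
]


def match_signature(signature):
    """Return the first rule keyword contained in `signature`, or None.
    Mirrors Sigma's `contains` modifier: substring match, case-insensitive."""
    haystack = signature.lower()
    for keyword in EXPLOIT_FRAMEWORK_SIGNATURES:
        if keyword.lower() in haystack:
            return keyword
    return None


def evaluate(events):
    """Apply `condition: selection` to a list of antivirus events.
    Returns (event, matched_keyword) pairs; each pair is a critical-level hit."""
    hits = []
    for event in events:
        sig = event.get("Signature")
        if not isinstance(sig, str):
            continue  # no Signature field, so the selection cannot match
        keyword = match_signature(sig)
        if keyword is not None:
            hits.append((event, keyword))
    return hits


# Constructed sample events (assumed field names, invented hosts and detections).
SAMPLE_EVENTS = [
    {"Computer": "ws01", "Action": "quarantined", "Signature": "Trojan.Win32.Meterpreter.gen"},
    {"Computer": "ws02", "Action": "cleaned", "Signature": "HackTool:Win64/CobaltStrike.A"},
    {"Computer": "ws03", "Action": "quarantined", "Signature": "Adware.Generic.1234"},
    {"Computer": "ws04", "Action": "blocked", "Signature": "exploit.script.cve-2017-11882"},
    {"Computer": "ws05", "Action": "blocked"},  # malformed event without a Signature
]

if __name__ == "__main__":
    # Every hit is reported even when Action shows the AV already blocked the file.
    for event, keyword in evaluate(SAMPLE_EVENTS):
        print(f"CRITICAL {event['Computer']}: {event['Signature']!r} matched {keyword!r}")
```

Note that ws04 matches despite the lowercase signature, and ws02 is caught by the shorter `CobaltStr` keyword before `CobaltStrike` is ever compared.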
Related rules
- Remote Access Tool - MeshAgent Command Execution via MeshCentral
- DNS Query To Remote Access Software Domain From Non-Browser App
- Remote Access Tool - AnyDesk Incoming Connection
- DarkGate - Autoit3.EXE File Creation By Uncommon Process
- File Download From IP Based URL Via CertOC.EXE