Antivirus Exploitation Framework Detection
Detects a highly relevant Antivirus alert that reports an exploitation framework.
Sigma rule
title: Antivirus Exploitation Framework Detection
id: 238527ad-3c2c-4e4f-a1f6-92fd63adb864
status: stable
description: Detects a highly relevant Antivirus alert that reports an exploitation framework.
references:
  - https://www.nextron-systems.com/?s=antivirus
  - https://www.virustotal.com/gui/file/925b0b28472d4d79b4bf92050e38cc2b8f722691c713fc28743ac38551bc3797
  - https://www.virustotal.com/gui/file/8f8daabe1c8ceb5710949283818e16c4aa8059bf2ce345e2f2c90b8692978424
  - https://www.virustotal.com/gui/file/d9669f7e3eb3a9cdf6a750eeb2ba303b5ae148a43e36546896f1d1801e912466
author: Florian Roth (Nextron Systems), Arnim Rupp
date: 2018-09-09
modified: 2024-07-17
tags:
  - attack.execution
  - attack.t1203
  - attack.command-and-control
  - attack.t1219
logsource:
  category: antivirus
detection:
  selection:
    Signature|contains:
      - 'Backdoor.Cobalt'
      - 'Brutel'
      - 'BruteR'
      - 'CobaltStr'
      - 'CobaltStrike'
      - 'COBEACON'
      - 'Cometer'
      - 'Exploit.Script.CVE'
      - 'IISExchgSpawnCMD'
      - 'Metasploit'
      - 'Meterpreter'
      - 'MeteTool'
      - 'Mpreter'
      - 'MsfShell'
      - 'PowerSploit'
      - 'Razy'
      - 'Rozena'
      - 'Sbelt'
      - 'Seatbelt'
      - 'Sliver'
      - 'Swrort'
  condition: selection
falsepositives:
  - Unlikely
level: critical
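The rule above is a single `Signature|contains` selection, so its behaviour is easy to reproduce outside a SIEM. The following is an added example, not code from the Sigma project or the rule authors: it applies the rule's signature fragments to a few constructed antivirus events and reports which fragment fired. Sigma string matching is case-insensitive by default, so the check lowercases both sides the way a Sigma backend would; the `AvEvent` field names, the sample events and the alert format are assumptions made for this example.

```python
"""Evaluate the Sigma selection "Signature|contains: [...]" over antivirus events.

Added example; not part of the Sigma rule or the Sigma project.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Fragments copied verbatim from the rule's Signature|contains list.
EXPLOITATION_FRAMEWORK_FRAGMENTS = [
    'Backdoor.Cobalt', 'Brutel', 'BruteR', 'CobaltStr', 'CobaltStrike', 'COBEACON',
    'Cometer', 'Exploit.Script.CVE', 'IISExchgSpawnCMD', 'Metasploit', 'Meterpreter',
    'MeteTool', 'Mpreter', 'MsfShell', 'PowerSploit', 'Razy', 'Rozena', 'Sbelt',
    'Seatbelt', 'Sliver', 'Swrort',
]


@dataclass
class AvEvent:
    """Minimal antivirus alert; field names are an assumption of this example."""
    computer: str
    signature: str   # the AV engine's detection name, i.e. the Sigma "Signature" field
    path: str


def matched_fragment(signature: str) -> Optional[str]:
    """Return the first rule fragment contained in the signature, or None.

    Sigma's `contains` modifier compares case-insensitively by default, so a
    backend would match 'SEATBELT' against 'Seatbelt'; mirror that here.
    """
    sig = signature.lower()
    for fragment in EXPLOITATION_FRAMEWORK_FRAGMENTS:
        if fragment.lower() in sig:
            return fragment
    return None


def evaluate(events: Iterable[AvEvent]) -> List[Tuple[AvEvent, str]]:
    """Apply the rule (condition: selection) and return (event, fragment) hits."""
    hits: List[Tuple[AvEvent, str]] = []
    for event in events:
        fragment = matched_fragment(event.signature)
        if fragment is not None:
            hits.append((event, fragment))
    return hits


def format_alert(event: AvEvent, fragment: str) -> str:
    """Render one hit at the rule's level (critical)."""
    return (f"[critical] {event.computer}: AV signature '{event.signature}' "
            f"matched '{fragment}' on {event.path}")


# Constructed sample events; not real telemetry. Three should fire, two should not.
SAMPLE_EVENTS = [
    AvEvent("WS-001", "Trojan:Win32/Meterpreter.A!ml", r"C:\Users\a\Downloads\update.exe"),
    AvEvent("SRV-EXCH01", "Backdoor.Cobalt.Strike.Beacon", r"C:\inetpub\wwwroot\aspnet_client\x.aspx"),
    AvEvent("WS-002", "PUA:Win32/Presenoker", r"C:\Users\b\setup.exe"),
    AvEvent("WS-003", "HackTool:PowerShell/SEATBELT.gen", r"C:\Temp\s.ps1"),
    AvEvent("WS-004", "Virus:Win32/Sality.AT", r"C:\Windows\Temp\q.exe"),
]


if __name__ == "__main__":
    for event, fragment in evaluate(SAMPLE_EVENTS):
        print(format_alert(event, fragment))
```

Note that the `Sbelt` and `Seatbelt` entries overlap in intent but not as substrings (`sbelt` does not occur inside `seatbelt`), which is why the rule carries both; the example preserves the rule's list order so the reported fragment is deterministic.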
Related rules
- Anydesk Temporary Artefact
- Audit CVE Event
- CVE-2021-26858 Exchange Exploitation
- CVE-2023-38331 Exploitation Attempt - Suspicious WinRAR Child Process
- Command Line Execution with Suspicious URL and AppData Strings