Antivirus Exploitation Framework Detection

Detects a highly relevant antivirus alert whose signature name references a known exploitation or post-exploitation framework (Metasploit/Meterpreter, Cobalt Strike, PowerSploit, Seatbelt, Sliver and related detection names). Such an alert on an endpoint should be treated as a strong indicator of hands-on-keyboard activity rather than commodity malware, hence the critical level.

Sigma rule

```yaml
title: Antivirus Exploitation Framework Detection
id: 238527ad-3c2c-4e4f-a1f6-92fd63adb864
status: stable
description: Detects a highly relevant Antivirus alert that reports an exploitation framework
references:
    - https://www.nextron-systems.com/?s=antivirus
    - https://www.virustotal.com/gui/file/925b0b28472d4d79b4bf92050e38cc2b8f722691c713fc28743ac38551bc3797
    - https://www.virustotal.com/gui/file/8f8daabe1c8ceb5710949283818e16c4aa8059bf2ce345e2f2c90b8692978424
    - https://www.virustotal.com/gui/file/d9669f7e3eb3a9cdf6a750eeb2ba303b5ae148a43e36546896f1d1801e912466
author: Florian Roth (Nextron Systems), Arnim Rupp
date: 2018/09/09
modified: 2023/01/13
tags:
    - attack.execution
    - attack.t1203
    - attack.command_and_control
    - attack.t1219
logsource:
    category: antivirus
detection:
    selection:
        Signature|contains:
            - 'MeteTool'
            - 'MPreter'
            - 'Meterpreter'
            - 'Metasploit'
            - 'PowerSploit'
            - 'CobaltStrike'
            - 'BruteR'
            - 'Brutel'
            - 'Swrort'
            - 'Rozena'
            - 'Backdoor.Cobalt'
            - 'CobaltStr'
            - 'COBEACON'
            - 'Cometer'
            - 'Razy'
            - 'IISExchgSpawnCMD'
            - 'Exploit.Script.CVE'
            - 'Seatbelt'
            - 'Sbelt'
            - 'Sliver'
    condition: selection
fields:
    - FileName
    - User
falsepositives:
    - Unlikely
level: critical
```
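To make the matching semantics concrete, the following added example (not code from the Sigma project or the rule authors) applies the rule's `Signature|contains` selection to a handful of constructed antivirus events. Sigma's `contains` modifier is case-insensitive by default, so the comparison is done on lowercased strings; the event dictionaries, file paths and user names are constructed for illustration, and the only field names taken from the rule are `Signature`, `FileName` and `User`.

```python
"""Apply the Signature|contains selection of the Sigma rule
"Antivirus Exploitation Framework Detection" to antivirus events.

Added example; the sample events below are constructed, not real telemetry.
"""
from typing import Iterable, Optional

# Substrings copied verbatim from the rule's selection, in rule order.
SIGNATURE_FRAGMENTS = [
    "MeteTool", "MPreter", "Meterpreter", "Metasploit", "PowerSploit",
    "CobaltStrike", "BruteR", "Brutel", "Swrort", "Rozena", "Backdoor.Cobalt",
    "CobaltStr", "COBEACON", "Cometer", "Razy", "IISExchgSpawnCMD",
    "Exploit.Script.CVE", "Seatbelt", "Sbelt", "Sliver",
]

# Fields the rule asks to surface alongside a hit.
OUTPUT_FIELDS = ["FileName", "User"]


def first_match(signature: str) -> Optional[str]:
    """Return the first rule fragment contained in the signature name, or None.

    Sigma's `contains` modifier is case-insensitive, so both sides are
    lowercased. Plain substring matching means short fragments such as
    'Razy' also hit any name that merely contains those letters.
    """
    sig = signature.lower()
    for fragment in SIGNATURE_FRAGMENTS:
        if fragment.lower() in sig:
            return fragment
    return None


def run_detection(events: Iterable[dict]) -> list:
    """Evaluate the rule over a stream of antivirus events.

    Each hit carries the Signature that fired, the fragment it matched, and
    the rule's `fields` (FileName, User) for triage.
    """
    hits = []
    for event in events:
        matched = first_match(str(event.get("Signature", "")))
        if matched is None:
            continue
        hit = {"Signature": event.get("Signature"), "matched": matched}
        for field in OUTPUT_FIELDS:
            hit[field] = event.get(field)
        hits.append(hit)
    return hits


# Constructed sample events (not real alerts); paths and users are made up.
SAMPLE_EVENTS = [
    {"Signature": "Trojan:Win32/Meterpreter.A",
     "FileName": r"C:\Users\alice\Downloads\update.exe", "User": "alice"},
    {"Signature": "Backdoor:Win32/CobaltStrike.gen!A",
     "FileName": r"C:\ProgramData\svc.dll", "User": "SYSTEM"},
    # Mixed case: the rule lists 'COBEACON', the event has a prefix in front of it.
    {"Signature": "HKTL_COBEACON",
     "FileName": r"C:\Windows\Temp\beacon.bin", "User": "bob"},
    # Case-insensitive hit on 'Seatbelt'.
    {"Signature": "HackTool.Win64.SEATBELT.A",
     "FileName": r"C:\Users\bob\sb.exe", "User": "bob"},
    # Constructed to show the substring caveat: 'Crazy' contains 'razy'.
    {"Signature": "Trojan:Win32/Crazy.A",
     "FileName": r"C:\Users\carol\game.exe", "User": "carol"},
    # Unrelated PUA detection: must not fire.
    {"Signature": "PUA:Win32/Presenoker",
     "FileName": r"C:\Users\dave\installer.exe", "User": "dave"},
]


if __name__ == "__main__":
    for hit in run_detection(SAMPLE_EVENTS):
        print(f"[critical] {hit['Signature']} (matched '{hit['matched']}') "
              f"file={hit['FileName']} user={hit['User']}")
```

The last constructed event that fires illustrates why the `Razy` fragment is the one to keep an eye on when tuning: a bare substring test cannot tell a family name apart from an unrelated name that happens to contain the same letters, so any local exclusions should be written against the full signature string rather than by removing the fragment.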
