Antivirus Hacktool Detection

Detects a highly relevant antivirus alert that reports a hack tool or other attack tool. This event must not be ignored just because the AV has blocked the malware; investigate how the tool got onto the host in the first place.

Sigma rule

title: Antivirus Hacktool Detection
id: fa0c05b6-8ad3-468d-8231-c1cbccb64fba
status: stable
description: |
    Detects a highly relevant Antivirus alert that reports a hack tool or other attack tool.
    This event must not be ignored just because the AV has blocked the malware but investigate, how it came there in the first place.
references:
    - https://www.nextron-systems.com/2021/08/16/antivirus-event-analysis-cheat-sheet-v1-8-2/
    - https://www.nextron-systems.com/?s=antivirus
author: Florian Roth (Nextron Systems), Arnim Rupp
date: 2021-08-16
modified: 2024-11-02
tags:
    - attack.execution
    - attack.t1204
logsource:
    category: antivirus
detection:
    selection:
        - Signature|startswith:
              - 'ATK/'  # Sophos
              - 'Exploit.Script.CVE'
              - 'HKTL'
              - 'HTOOL'
              - 'PWS.'
              - 'PWSX'
              - 'SecurityTool'
              # - 'FRP.'
        - Signature|contains:
              - 'Adfind'
              - 'Brutel'
              - 'BruteR'
              - 'Cobalt'
              - 'COBEACON'
              - 'Cometer'
              - 'DumpCreds'
              - 'FastReverseProxy'
              - 'Hacktool'
              - 'Havoc'
              - 'Impacket'
              - 'Keylogger'
              - 'Koadic'
              - 'Mimikatz'
              - 'Nighthawk'
              - 'PentestPowerShell'
              - 'Potato'
              - 'PowerSploit'
              - 'PowerSSH'
              - 'PshlSpy'
              - 'PSWTool'
              - 'PWCrack'
              - 'PWDump'
              - 'Rozena'
              - 'Rusthound'
              - 'Sbelt'
              - 'Seatbelt'
              - 'SecurityTool'
              - 'SharpDump'
              - 'SharpHound'
              - 'Shellcode'
              - 'Sliver'
              - 'Snaffler'
              - 'SOAPHound'
              - 'Splinter'
              - 'Swrort'
              - 'TurtleLoader'
    condition: selection
falsepositives:
    - Unlikely
level: high
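As an added example (not part of the rule above or of the SigmaHQ project), the following Python re-implements the rule's selection logic and runs it over constructed antivirus events, so the matching behaviour can be checked before the rule is deployed to a SIEM. It assumes two things: that the backend applies Sigma's default case-insensitive string matching, and that the generic `Signature` field of the antivirus log source has already been mapped from the vendor's own field name. The event dicts, hostnames and paths are invented sample data.

```python
"""Added example: re-implements the selection logic of the Sigma rule above in
plain Python and runs it over constructed antivirus events. It is not part of
the rule or of the SigmaHQ project; the event dicts and field values below are
made up for illustration."""

# Patterns copied from the rule. Sigma matches strings case-insensitively by
# default, so both sides are lower-cased before comparison.
SIGNATURE_PREFIXES = [
    "ATK/", "Exploit.Script.CVE", "HKTL", "HTOOL", "PWS.", "PWSX", "SecurityTool",
]
SIGNATURE_SUBSTRINGS = [
    "Adfind", "Brutel", "BruteR", "Cobalt", "COBEACON", "Cometer", "DumpCreds",
    "FastReverseProxy", "Hacktool", "Havoc", "Impacket", "Keylogger", "Koadic",
    "Mimikatz", "Nighthawk", "PentestPowerShell", "Potato", "PowerSploit",
    "PowerSSH", "PshlSpy", "PSWTool", "PWCrack", "PWDump", "Rozena", "Rusthound",
    "Sbelt", "Seatbelt", "SecurityTool", "SharpDump", "SharpHound", "Shellcode",
    "Sliver", "Snaffler", "SOAPHound", "Splinter", "Swrort", "TurtleLoader",
]


def matched_patterns(event):
    """Return the list of rule patterns the event's Signature field satisfies.

    An empty list means the rule does not fire. `Signature` is the generic
    field name of Sigma's antivirus log source; the SIEM-side field mapping
    (assumed here) translates it to the vendor's actual field.
    """
    signature = event.get("Signature")
    if not isinstance(signature, str):
        return []
    sig = signature.lower()
    hits = [p for p in SIGNATURE_PREFIXES if sig.startswith(p.lower())]
    hits += [s for s in SIGNATURE_SUBSTRINGS if s.lower() in sig]
    return hits


def rule_fires(event):
    """True when the selection matches, i.e. when `condition: selection` holds."""
    return bool(matched_patterns(event))


def triage(events):
    """Return (hostname, signature, matched patterns) for every flagged event,
    which is the minimum an analyst needs to start asking how the tool arrived."""
    return [
        (e.get("Computer", "?"), e["Signature"], matched_patterns(e))
        for e in events
        if rule_fires(e)
    ]


# Constructed sample events (not real telemetry). Signature strings imitate
# common vendor naming styles; hostnames and paths are invented.
SAMPLE_EVENTS = [
    {"Computer": "ws01", "Signature": "HackTool:Win32/Mimikatz!dha",
     "Path": r"C:\Users\alice\Downloads\m.exe", "Action": "Quarantined"},
    {"Computer": "ws02", "Signature": "ATK/SharpHound-A",
     "Path": r"C:\Temp\sh.exe", "Action": "Blocked"},
    {"Computer": "ws03", "Signature": "Trojan.GenericKD.4711",
     "Path": r"C:\Users\bob\AppData\Local\Temp\a.exe", "Action": "Quarantined"},
    {"Computer": "ws04", "Signature": "PUA:Win32/Potato",
     "Path": r"C:\Tools\jp.exe", "Action": "Detected"},
    {"Computer": "ws05", "Signature": "Virus/Win32.Ramnit",
     "Path": r"D:\share\setup.exe", "Action": "Cleaned"},
    {"Computer": "ws06", "Signature": "win32/hacktool.generic",   # lower case
     "Path": r"C:\Users\carol\x.exe", "Action": "Blocked"},
    {"Computer": "ws07", "Signature": None,                        # field missing
     "Path": r"C:\Users\dave\y.exe", "Action": "Blocked"},
]

if __name__ == "__main__":
    for host, sig, hits in triage(SAMPLE_EVENTS):
        print(f"{host}: {sig} -> {hits}")
```

Note that the blocked or quarantined `Action` value plays no part in the match: the rule fires regardless of whether the AV stopped the file, which is exactly the point the description makes. The lower-case `ws06` signature matching `Hacktool` shows why the backend's case handling matters; a backend that compiled the rule case-sensitively would silently miss it.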
