Antivirus Hacktool Detection

 1title: Antivirus Hacktool Detection
 2id: fa0c05b6-8ad3-468d-8231-c1cbccb64fba
 3status: stable
 4description: Detects a highly relevant Antivirus alert that reports a hack tool or other attack tool
 5references:
 6    - https://www.nextron-systems.com/2021/08/16/antivirus-event-analysis-cheat-sheet-v1-8-2/
 7    - https://www.nextron-systems.com/?s=antivirus
 8author: Florian Roth (Nextron Systems), Arnim Rupp
 9date: 2021/08/16
10modified: 2023/02/03
11tags:
12    - attack.execution
13    - attack.t1204
14logsource:
15    category: antivirus
16detection:
17    selection:
18        - Signature|startswith:
19              - 'HTOOL'
20              - 'HKTL'
21              - 'SecurityTool'
22              - 'Adfind'
23              - 'ATK/'
24              - 'Exploit.Script.CVE'
25              # - 'FRP.'
26              - 'PWS.'
27              - 'PWSX'
28        - Signature|contains:
29              - 'Hacktool'
30              - 'ATK/'  # Sophos
31              - 'Potato'
32              - 'Rozena'
33              - 'Sbelt'
34              - 'Seatbelt'
35              - 'SecurityTool'
36              - 'SharpDump'
37              - 'Sliver'
38              - 'Splinter'
39              - 'Swrort'
40              - 'Impacket'
41              - 'Koadic'
42              - 'Lazagne'
43              - 'Metasploit'
44              - 'Meterpreter'
45              - 'MeteTool'
46              - 'Mimikatz'
47              - 'Mpreter'
48              - 'Nighthawk'
49              - 'PentestPowerShell'
50              - 'PowerSploit'
51              - 'PowerSSH'
52              - 'PshlSpy'
53              - 'PSWTool'
54              - 'PWCrack'
55              - 'Brutel'
56              - 'BruteR'
57              - 'Cobalt'
58              - 'COBEACON'
59              - 'Cometer'
60              - 'DumpCreds'
61              - 'FastReverseProxy'
62              - 'PWDump'
63    condition: selection
64falsepositives:
65    - Unlikely
66level: high