Antivirus Hacktool Detection
Detects a highly relevant Antivirus alert that reports a hack tool or other attack tool.
Sigma rule

title: Antivirus Hacktool Detection
id: fa0c05b6-8ad3-468d-8231-c1cbccb64fba
status: stable
description: Detects a highly relevant Antivirus alert that reports a hack tool or other attack tool.
references:
    - https://www.nextron-systems.com/2021/08/16/antivirus-event-analysis-cheat-sheet-v1-8-2/
    - https://www.nextron-systems.com/?s=antivirus
author: Florian Roth (Nextron Systems), Arnim Rupp
date: 2021-08-16
modified: 2024-07-17
tags:
    - attack.execution
    - attack.t1204
logsource:
    category: antivirus
detection:
    selection:
        - Signature|startswith:
            - 'Adfind'
            - 'ATK/'
            - 'Exploit.Script.CVE'
            - 'HKTL'
            - 'HTOOL'
            - 'PWS.'
            - 'PWSX'
            - 'SecurityTool'
            # - 'FRP.'
        - Signature|contains:
            - 'Adfind'
            - 'ATK/' # Sophos
            - 'Brutel'
            - 'BruteR'
            - 'Cobalt'
            - 'COBEACON'
            - 'Cometer'
            - 'DumpCreds'
            - 'FastReverseProxy'
            - 'Hacktool'
            - 'Impacket'
            - 'Keylogger'
            - 'Koadic'
            - 'Lazagne'
            - 'Mimikatz'
            - 'Nighthawk'
            - 'PentestPowerShell'
            - 'Potato'
            - 'PowerSploit'
            - 'PowerSSH'
            - 'PshlSpy'
            - 'PSWTool'
            - 'PWCrack'
            - 'PWDump'
            - 'Rozena'
            - 'Sbelt'
            - 'Seatbelt'
            - 'SecurityTool'
            - 'SharpDump'
            - 'Shellcode'
            - 'Sliver'
            - 'Splinter'
            - 'Swrort'
            - 'TurtleLoader'
    condition: selection
falsepositives:
    - Unlikely
level: high
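The following Python snippet is an added illustration, not part of the rule or of the SigmaHQ project: it evaluates the rule's `selection` against a handful of constructed antivirus events, applying Sigma's case-insensitive `startswith` and `contains` semantics and reporting which list entry fired. The event field names other than `Signature` are assumed for the sample data.

```python
from typing import Dict, List, Optional

# Prefix and substring lists copied from the two selection items in the rule.
# The commented-out 'FRP.' prefix is deliberately left out, as in the rule.
STARTSWITH = ["Adfind", "ATK/", "Exploit.Script.CVE", "HKTL", "HTOOL",
              "PWS.", "PWSX", "SecurityTool"]
CONTAINS = ["Adfind", "ATK/", "Brutel", "BruteR", "Cobalt", "COBEACON", "Cometer",
            "DumpCreds", "FastReverseProxy", "Hacktool", "Impacket", "Keylogger",
            "Koadic", "Lazagne", "Mimikatz", "Nighthawk", "PentestPowerShell",
            "Potato", "PowerSploit", "PowerSSH", "PshlSpy", "PSWTool", "PWCrack",
            "PWDump", "Rozena", "Sbelt", "Seatbelt", "SecurityTool", "SharpDump",
            "Shellcode", "Sliver", "Splinter", "Swrort", "TurtleLoader"]


def match_reason(event: Dict[str, str]) -> Optional[str]:
    """Return the first selection entry that matches the event's Signature,
    or None. Sigma string modifiers compare case-insensitively, and both the
    two list items under `selection` and the values inside each are ORed."""
    sig = event.get("Signature", "").lower()
    for prefix in STARTSWITH:
        if sig.startswith(prefix.lower()):
            return f"startswith:{prefix}"
    for needle in CONTAINS:
        if needle.lower() in sig:
            return f"contains:{needle}"
    return None


def triage(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return the events the rule would alert on, annotated with the reason."""
    hits = []
    for event in events:
        reason = match_reason(event)
        if reason is not None:
            hits.append({**event, "Reason": reason})
    return hits


# Constructed sample events (not real telemetry); only `Signature` is a
# field the rule relies on, the others are assumed for illustration.
SAMPLE_EVENTS = [
    {"Computer": "ws01", "Signature": "HKTL_Mimikatz.A"},          # prefix hit
    {"Computer": "ws02", "Signature": "Trojan.GenericKD.123"},      # no hit
    {"Computer": "ws03", "Signature": "Win32/Seatbelt.Gen"},        # substring hit
    {"Computer": "ws04", "Signature": "hacktool.win32.dumpcreds"},  # case-insensitive
    {"Computer": "ws05", "Signature": "PUA.FRP.Proxy"},             # 'FRP.' is disabled
    {"Computer": "ws06", "Signature": "EICAR-Test-File"},           # no hit
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit["Computer"], hit["Signature"], "->", hit["Reason"])
```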
Related rules
- Arbitrary Shell Command Execution Via Settingcontent-Ms
- DarkSide Ransomware Pattern
- Payload Decoded and Decrypted via Built-in Utilities
- Potential Snatch Ransomware Activity
- Potentially Suspicious WebDAV LNK Execution