Antivirus Hacktool Detection

Detects a highly relevant Antivirus alert that reports a hack tool or other attack tool.

Sigma rule

title: Antivirus Hacktool Detection
id: fa0c05b6-8ad3-468d-8231-c1cbccb64fba
status: stable
description: Detects a highly relevant Antivirus alert that reports a hack tool or other attack tool.
references:
    - https://www.nextron-systems.com/2021/08/16/antivirus-event-analysis-cheat-sheet-v1-8-2/
    - https://www.nextron-systems.com/?s=antivirus
author: Florian Roth (Nextron Systems), Arnim Rupp
date: 2021-08-16
modified: 2024-07-17
tags:
    - attack.execution
    - attack.t1204
logsource:
    category: antivirus
detection:
    selection:
        - Signature|startswith:
              - 'Adfind'
              - 'ATK/'
              - 'Exploit.Script.CVE'
              - 'HKTL'
              - 'HTOOL'
              - 'PWS.'
              - 'PWSX'
              - 'SecurityTool'
              # - 'FRP.'
        - Signature|contains:
              - 'Adfind'
              - 'ATK/'  # Sophos
              - 'Brutel'
              - 'BruteR'
              - 'Cobalt'
              - 'COBEACON'
              - 'Cometer'
              - 'DumpCreds'
              - 'FastReverseProxy'
              - 'Hacktool'
              - 'Impacket'
              - 'Keylogger'
              - 'Koadic'
              - 'Lazagne'
              - 'Mimikatz'
              - 'Nighthawk'
              - 'PentestPowerShell'
              - 'Potato'
              - 'PowerSploit'
              - 'PowerSSH'
              - 'PshlSpy'
              - 'PSWTool'
              - 'PWCrack'
              - 'PWDump'
              - 'Rozena'
              - 'Sbelt'
              - 'Seatbelt'
              - 'SecurityTool'
              - 'SharpDump'
              - 'Shellcode'
              - 'Sliver'
              - 'Splinter'
              - 'Swrort'
              - 'TurtleLoader'
    condition: selection
falsepositives:
    - Unlikely
level: high
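The rule's `selection` is a list of two field-modifier maps, which Sigma evaluates as an OR: an event matches when its `Signature` starts with any of the `startswith` prefixes or contains any of the `contains` substrings, with case-insensitive string comparison as the Sigma default. The following Python is an added example and not code from the rule page or the SigmaHQ project; it reimplements just this rule's logic so the behaviour can be checked against a handful of constructed antivirus events. It assumes events are plain dictionaries carrying a `Signature` field, mirroring the `antivirus` log source category; the event records and computer names are constructed sample data.

```python
"""Added example: evaluate the 'Antivirus Hacktool Detection' Sigma rule
against constructed antivirus events (not SigmaHQ project code)."""

# Prefixes copied from the rule's Signature|startswith list.
# 'FRP.' is commented out in the rule, so it is intentionally absent here.
SIGNATURE_STARTSWITH = (
    "Adfind", "ATK/", "Exploit.Script.CVE", "HKTL", "HTOOL",
    "PWS.", "PWSX", "SecurityTool",
)

# Substrings copied from the rule's Signature|contains list.
SIGNATURE_CONTAINS = (
    "Adfind", "ATK/", "Brutel", "BruteR", "Cobalt", "COBEACON", "Cometer",
    "DumpCreds", "FastReverseProxy", "Hacktool", "Impacket", "Keylogger",
    "Koadic", "Lazagne", "Mimikatz", "Nighthawk", "PentestPowerShell",
    "Potato", "PowerSploit", "PowerSSH", "PshlSpy", "PSWTool", "PWCrack",
    "PWDump", "Rozena", "Sbelt", "Seatbelt", "SecurityTool", "SharpDump",
    "Shellcode", "Sliver", "Splinter", "Swrort", "TurtleLoader",
)


def matches_hacktool_rule(event: dict) -> bool:
    """Return True when the event satisfies 'condition: selection'.

    The two maps in the selection list are OR-ed, and Sigma string
    modifiers compare case-insensitively by default, so both sides are
    lower-cased. An event without a string Signature field never matches.
    """
    signature = event.get("Signature")
    if not isinstance(signature, str):
        return False
    sig = signature.lower()
    if any(sig.startswith(prefix.lower()) for prefix in SIGNATURE_STARTSWITH):
        return True
    return any(needle.lower() in sig for needle in SIGNATURE_CONTAINS)


def select_hacktool_alerts(events: list[dict]) -> list[str]:
    """Return the Signature values of all events the rule would alert on."""
    return [e["Signature"] for e in events if matches_hacktool_rule(e)]


# Constructed sample events (hypothetical hosts and detection names).
SAMPLE_EVENTS = [
    {"Computer": "ws01", "Signature": "HKTL_Mimikatz"},          # startswith HKTL
    {"Computer": "ws02", "Signature": "Trojan.Win32.Generic"},   # ordinary malware, no match
    {"Computer": "ws03", "Signature": "Win64/Packed.Cobalt.A"},  # contains Cobalt
    {"Computer": "ws04", "Signature": "hacktool:win32/lazagne"}, # lower case still matches
    {"Computer": "ws05", "Signature": "Virus:W32/FRP.Gen"},      # FRP. is commented out: no match
    {"Computer": "ws06"},                                        # no Signature field
]

if __name__ == "__main__":
    for sig in select_hacktool_alerts(SAMPLE_EVENTS):
        print(f"ALERT (level: high): {sig}")
```

Running the block prints three alerts (the `HKTL_`, `Cobalt` and `hacktool:` signatures) and nothing for the generic trojan, the `FRP.` name or the event lacking a `Signature` field. In a real pipeline the rule would be compiled to the SIEM's query language with a Sigma backend rather than hand-translated like this; the example only makes the OR semantics and the case-insensitive matching visible.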
