Antivirus Hacktool Detection
Detects a highly relevant Antivirus alert that reports a hack tool or other attack tool
Sigma rule (View on GitHub)
title: Antivirus Hacktool Detection
id: fa0c05b6-8ad3-468d-8231-c1cbccb64fba
status: stable
description: Detects a highly relevant Antivirus alert that reports a hack tool or other attack tool
references:
    - https://www.nextron-systems.com/2021/08/16/antivirus-event-analysis-cheat-sheet-v1-8-2/
    - https://www.nextron-systems.com/?s=antivirus
author: Florian Roth (Nextron Systems), Arnim Rupp
date: 2021/08/16
modified: 2023/02/03
tags:
    - attack.execution
    - attack.t1204
logsource:
    category: antivirus
detection:
    selection:
        - Signature|startswith:
              - 'HTOOL'
              - 'HKTL'
              - 'SecurityTool'
              - 'Adfind'
              - 'ATK/'
              - 'Exploit.Script.CVE'
              # - 'FRP.'
              - 'PWS.'
              - 'PWSX'
        - Signature|contains:
              - 'Hacktool'
              - 'ATK/' # Sophos
              - 'Potato'
              - 'Rozena'
              - 'Sbelt'
              - 'Seatbelt'
              - 'SecurityTool'
              - 'SharpDump'
              - 'Sliver'
              - 'Splinter'
              - 'Swrort'
              - 'Impacket'
              - 'Koadic'
              - 'Lazagne'
              - 'Metasploit'
              - 'Meterpreter'
              - 'MeteTool'
              - 'Mimikatz'
              - 'Mpreter'
              - 'Nighthawk'
              - 'PentestPowerShell'
              - 'PowerSploit'
              - 'PowerSSH'
              - 'PshlSpy'
              - 'PSWTool'
              - 'PWCrack'
              - 'Brutel'
              - 'BruteR'
              - 'Cobalt'
              - 'COBEACON'
              - 'Cometer'
              - 'DumpCreds'
              - 'FastReverseProxy'
              - 'PWDump'
    condition: selection
falsepositives:
    - Unlikely
level: high
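The rule's `selection` is a list of two field/modifier maps, which Sigma ORs together: an alert matches when its `Signature` starts with any value of the first list or contains any value of the second. Sigma string modifiers compare case-insensitively, so a lower-cased vendor string such as `pws.win32...` still trips `startswith: 'PWS.'`. The following is an added example, not code from the rule or from SigmaHQ, that evaluates the selection in plain Python over a handful of constructed antivirus alert records; the pattern lists are copied from the rule, while the hostnames, paths and signature strings are made up to imitate common vendor naming styles and are not taken from any vendor's catalogue.

```python
"""Evaluate the 'Antivirus Hacktool Detection' selection over sample events.

Added example, not part of the Sigma rule or SigmaHQ. The pattern lists
are copied from the rule; the alert records below are constructed.
"""
from __future__ import annotations

# Values of `Signature|startswith` (the commented-out 'FRP.' is left out,
# exactly as it is in the rule).
STARTSWITH_PATTERNS = (
    "HTOOL", "HKTL", "SecurityTool", "Adfind", "ATK/",
    "Exploit.Script.CVE", "PWS.", "PWSX",
)

# Values of `Signature|contains`, in rule order.
CONTAINS_PATTERNS = (
    "Hacktool", "ATK/", "Potato", "Rozena", "Sbelt", "Seatbelt",
    "SecurityTool", "SharpDump", "Sliver", "Splinter", "Swrort",
    "Impacket", "Koadic", "Lazagne", "Metasploit", "Meterpreter",
    "MeteTool", "Mimikatz", "Mpreter", "Nighthawk", "PentestPowerShell",
    "PowerSploit", "PowerSSH", "PshlSpy", "PSWTool", "PWCrack", "Brutel",
    "BruteR", "Cobalt", "COBEACON", "Cometer", "DumpCreds",
    "FastReverseProxy", "PWDump",
)


def _field_values(event: dict, field: str) -> list[str]:
    """Return the string value(s) of a field; Sigma fields may be multi-valued."""
    value = event.get(field)
    if isinstance(value, (list, tuple)):
        return [v for v in value if isinstance(v, str)]
    return [value] if isinstance(value, str) else []


def matched_patterns(event: dict) -> list[str]:
    """Return every rule pattern the event's Signature satisfies.

    Sigma compares strings case-insensitively by default, so both the
    pattern and the value are lower-cased. An empty list means no match.
    """
    hits: list[str] = []
    for sig in _field_values(event, "Signature"):
        s = sig.lower()
        hits += [f"startswith:{p}" for p in STARTSWITH_PATTERNS if s.startswith(p.lower())]
        hits += [f"contains:{p}" for p in CONTAINS_PATTERNS if p.lower() in s]
    return hits


def is_hacktool_alert(event: dict) -> bool:
    """`condition: selection`: the OR of both modifier lists."""
    return bool(matched_patterns(event))


# Constructed sample alerts. Hostnames and paths are fictional; the signature
# strings imitate vendor naming styles but are not real catalogue entries.
SAMPLE_ALERTS = [
    {"Computer": "ws01", "Signature": "HKTL_COBEACON.A", "Path": r"C:\Users\a\beacon.exe"},
    {"Computer": "ws02", "Signature": "HackTool:Win64/Mimikatz.Gen", "Path": r"C:\Temp\mimi.exe"},
    {"Computer": "ws03", "Signature": "ATK/Sliver-B", "Path": r"C:\ProgramData\s.exe"},
    {"Computer": "ws04", "Signature": "Trojan.Win32.RottenPotato", "Path": r"C:\Temp\rp.exe"},
    # Lower-case vendor string: still hits `startswith: 'PWS.'` (case-insensitive).
    {"Computer": "srv01", "Signature": "pws.win32.stealer", "Path": r"C:\Windows\Temp\x.exe"},
    # Ordinary malware, not a hack tool: must NOT match this rule.
    {"Computer": "ws05", "Signature": "Trojan:Win32/Emotet.B", "Path": r"C:\Users\b\inv.doc"},
    {"Computer": "ws06", "Signature": "EICAR-Test-File", "Path": r"C:\Users\c\eicar.com"},
    # Multi-valued Signature field: any element may match.
    {"Computer": "ws07", "Signature": ["Adware.Generic", "HTOOL.PWDump"], "Path": r"C:\Tools\pd.exe"},
]


def alerts_matching(events: list[dict]) -> list[str]:
    """Return the Computer names whose alerts trip the rule, in input order."""
    return [e["Computer"] for e in events if is_hacktool_alert(e)]


if __name__ == "__main__":
    for e in SAMPLE_ALERTS:
        print(f"{e['Computer']:6} {str(e['Signature']):36} -> {matched_patterns(e) or 'no match'}")
```

Two things to check before deploying a translation of this rule: the `Signature` field name comes from the rule's `antivirus` logsource and must be mapped to whatever field your SIEM actually stores the vendor's detection name in, and the `contains` list includes short tokens such as `Potato` and `Cobalt`, so run the matcher over a sample of your own vendor's historical detection names (as the script does over constructed ones) to confirm the hit list is what you expect.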
References
- https://www.nextron-systems.com/2021/08/16/antivirus-event-analysis-cheat-sheet-v1-8-2/
- https://www.nextron-systems.com/?s=antivirus
Related rules
- Potentially Suspicious WebDAV LNK Execution
- Arbitrary Shell Command Execution Via Settingcontent-Ms
- Payload Decoded and Decrypted via Built-in Utilities
- Suspicious WebDAV LNK Execution
- DarkSide Ransomware Pattern