Antivirus Relevant File Paths Alerts

Detects an Antivirus alert in a highly relevant file path or with a relevant file name.

Sigma rule

title: Antivirus Relevant File Paths Alerts
id: c9a88268-0047-4824-ba6e-4d81ce0b907c
status: test
description: Detects an Antivirus alert in a highly relevant file path or with a relevant file name.
references:
    - https://www.nextron-systems.com/?s=antivirus
author: Florian Roth (Nextron Systems), Arnim Rupp
date: 2018-09-09
modified: 2024-07-17
tags:
    - attack.resource-development
    - attack.t1588
logsource:
    category: antivirus
detection:
    selection_path:
        Filename|contains:
            - ':\PerfLogs\'
            - ':\Temp\'
            - ':\Users\Default\'
            - ':\Users\Public\'
            - ':\Windows\'
            - '/www/'
            - '\Client\'
            - '\inetpub\'
            - '\tsclient\'
            - 'apache'
            - 'nginx'
            - 'tomcat'
            - 'weblogic'
    selection_ext:
        Filename|endswith:
            - '.asax'
            - '.ashx'
            - '.asmx'
            - '.asp'
            - '.aspx'
            - '.bat'
            - '.cfm'
            - '.cgi'
            - '.chm'
            - '.cmd'
            - '.dat'
            - '.ear'
            - '.gif'
            - '.hta'
            - '.jpeg'
            - '.jpg'
            - '.jsp'
            - '.jspx'
            - '.lnk'
            - '.msc'
            - '.php'
            - '.pl'
            - '.png'
            - '.ps1'
            - '.psm1'
            - '.py'
            - '.pyc'
            - '.rb'
            - '.scf'
            - '.sct'
            - '.sh'
            - '.svg'
            - '.txt'
            - '.vbe'
            - '.vbs'
            - '.war'
            - '.wll'
            - '.wsf'
            - '.wsh'
            - '.xll'
            - '.xml'
    condition: 1 of selection_*
falsepositives:
    - Unlikely
level: high
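The rule's two selections are joined by `1 of selection_*`, so an alert fires when the file path contains one of the listed fragments OR the file name ends with one of the listed extensions; either half alone is enough. The following is an added example, not code from the Sigma project or the rule authors, that implements exactly that logic in Python and runs it over a handful of constructed antivirus alert records (the `AvAlert` shape and field names are assumptions; a real backend maps the vendor's own fields onto Sigma's `Filename`). Matching is done case-insensitively, which is Sigma's default for string modifiers such as `contains` and `endswith`.

```python
"""Reference implementation of the rule's selection and condition logic.

Added example, not part of the Sigma repository. It evaluates the two
selections (path fragments, file extensions) case-insensitively, as Sigma's
default string modifiers do, and ORs them per `condition: 1 of selection_*`.
All alert records below are constructed samples, not real telemetry.
"""
from dataclasses import dataclass

# Path fragments copied from selection_path in the rule above.
PATH_FRAGMENTS = (
    ":\\PerfLogs\\", ":\\Temp\\", ":\\Users\\Default\\", ":\\Users\\Public\\",
    ":\\Windows\\", "/www/", "\\Client\\", "\\inetpub\\", "\\tsclient\\",
    "apache", "nginx", "tomcat", "weblogic",
)

# Extensions copied from selection_ext in the rule above (already lowercase).
EXTENSIONS = (
    ".asax", ".ashx", ".asmx", ".asp", ".aspx", ".bat", ".cfm", ".cgi", ".chm",
    ".cmd", ".dat", ".ear", ".gif", ".hta", ".jpeg", ".jpg", ".jsp", ".jspx",
    ".lnk", ".msc", ".php", ".pl", ".png", ".ps1", ".psm1", ".py", ".pyc",
    ".rb", ".scf", ".sct", ".sh", ".svg", ".txt", ".vbe", ".vbs", ".war",
    ".wll", ".wsf", ".wsh", ".xll", ".xml",
)


@dataclass
class AvAlert:
    # Assumed minimal shape of a `category: antivirus` event. Real backends
    # map the vendor's field (e.g. a "Path" or "FileName" column) to Filename.
    signature: str
    filename: str


def selection_path(filename: str) -> bool:
    """Filename|contains: any PATH_FRAGMENTS entry, case-insensitive."""
    f = filename.lower()
    return any(frag.lower() in f for frag in PATH_FRAGMENTS)


def selection_ext(filename: str) -> bool:
    """Filename|endswith: any EXTENSIONS entry, case-insensitive."""
    return filename.lower().endswith(EXTENSIONS)


def matches(alert: AvAlert) -> bool:
    """condition: 1 of selection_*  (logical OR of the two selections)."""
    return selection_path(alert.filename) or selection_ext(alert.filename)


def evaluate(alerts):
    """Return (alert, [selection names that matched]) for every hit."""
    hits = []
    for alert in alerts:
        reasons = []
        if selection_path(alert.filename):
            reasons.append("selection_path")
        if selection_ext(alert.filename):
            reasons.append("selection_ext")
        if reasons:
            hits.append((alert, reasons))
    return hits


# Constructed sample alerts. Signature names and paths are illustrative only.
SAMPLE_ALERTS = [
    AvAlert("Backdoor:PHP/WebShell", "C:\\inetpub\\wwwroot\\upload\\cmd.aspx"),
    AvAlert("Trojan:Win32/Generic", "C:\\Users\\Public\\update.exe"),
    AvAlert("HackTool:Win64/Generic", "D:\\Tools\\dump.exe"),
    AvAlert("Trojan:Script/Downloader", "C:\\USERS\\alice\\Downloads\\invoice.VBS"),
    AvAlert("Exploit:Linux/Shell", "/var/www/html/shell.php"),
]

if __name__ == "__main__":
    for alert, reasons in evaluate(SAMPLE_ALERTS):
        print(f"{alert.signature:26} {alert.filename:44} {', '.join(reasons)}")
```

Running the block shows the boundaries of the rule as written: the web shell under `\inetpub\` matches both selections, the `.exe` under `C:\Users\Public\` matches on path only, the mixed-case `.VBS` in a user's Downloads folder matches on extension only because the `Users\<name>` prefix is not in the path list, and the `.exe` under `D:\Tools\` does not match at all, even though the AV engine flagged it. Anyone tuning this rule should keep that OR semantics in mind: an alert on any `.txt`, `.jpg` or `.xml` file anywhere on disk satisfies `selection_ext` on its own.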
