Antivirus Relevant File Paths Alerts
Detects an Antivirus alert in a highly relevant file path or with a relevant file name.
Sigma rule
```yaml
title: Antivirus Relevant File Paths Alerts
id: c9a88268-0047-4824-ba6e-4d81ce0b907c
status: test
description: Detects an Antivirus alert in a highly relevant file path or with a relevant file name.
references:
    - https://www.nextron-systems.com/?s=antivirus
author: Florian Roth (Nextron Systems), Arnim Rupp
date: 2018-09-09
modified: 2024-07-17
tags:
    - attack.resource-development
    - attack.t1588
logsource:
    category: antivirus
detection:
    selection_path:
        Filename|contains:
            - ':\PerfLogs\'
            - ':\Temp\'
            - ':\Users\Default\'
            - ':\Users\Public\'
            - ':\Windows\'
            - '/www/'
            - '\Client\'
            - '\inetpub\'
            - '\tsclient\'
            - 'apache'
            - 'nginx'
            - 'tomcat'
            - 'weblogic'
    selection_ext:
        Filename|endswith:
            - '.asax'
            - '.ashx'
            - '.asmx'
            - '.asp'
            - '.aspx'
            - '.bat'
            - '.cfm'
            - '.cgi'
            - '.chm'
            - '.cmd'
            - '.dat'
            - '.ear'
            - '.gif'
            - '.hta'
            - '.jpeg'
            - '.jpg'
            - '.jsp'
            - '.jspx'
            - '.lnk'
            - '.msc'
            - '.php'
            - '.pl'
            - '.png'
            - '.ps1'
            - '.psm1'
            - '.py'
            - '.pyc'
            - '.rb'
            - '.scf'
            - '.sct'
            - '.sh'
            - '.svg'
            - '.txt'
            - '.vbe'
            - '.vbs'
            - '.war'
            - '.wll'
            - '.wsf'
            - '.wsh'
            - '.xll'
            - '.xml'
    condition: 1 of selection_*
falsepositives:
    - Unlikely
level: high
```
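The rule's condition, `1 of selection_*`, fires when either the path selection or the extension selection matches, and Sigma's `contains` and `endswith` modifiers compare strings case-insensitively. The following stand-alone evaluator is an added example, not part of the rule, the Sigma project, or pySigma: it copies the two value lists above into plain Python, applies them with the rule's semantics to a handful of constructed antivirus events, and reports which selection caused each hit. The event shape (a dict with a `Filename` field, plus an illustrative `Signature`) is an assumption about how an antivirus log would be normalised; the sample paths and signature names are made up for the demonstration.

```python
# Added example: a minimal evaluator for the Sigma rule above. It is not
# pySigma or any official Sigma backend; the event format (a dict with a
# "Filename" field) is assumed, and the sample events are constructed.

# Values copied from selection_path (Filename|contains). Sigma string
# matching is case-insensitive, so everything is compared in lower case.
PATH_FRAGMENTS = [
    ':\\PerfLogs\\', ':\\Temp\\', ':\\Users\\Default\\', ':\\Users\\Public\\',
    ':\\Windows\\', '/www/', '\\Client\\', '\\inetpub\\', '\\tsclient\\',
    'apache', 'nginx', 'tomcat', 'weblogic',
]

# Values copied from selection_ext (Filename|endswith).
EXTENSIONS = [
    '.asax', '.ashx', '.asmx', '.asp', '.aspx', '.bat', '.cfm', '.cgi', '.chm',
    '.cmd', '.dat', '.ear', '.gif', '.hta', '.jpeg', '.jpg', '.jsp', '.jspx',
    '.lnk', '.msc', '.php', '.pl', '.png', '.ps1', '.psm1', '.py', '.pyc',
    '.rb', '.scf', '.sct', '.sh', '.svg', '.txt', '.vbe', '.vbs', '.war',
    '.wll', '.wsf', '.wsh', '.xll', '.xml',
]


def selection_path(filename: str) -> bool:
    """Filename|contains: true if any fragment occurs anywhere in the path."""
    name = filename.lower()
    return any(frag.lower() in name for frag in PATH_FRAGMENTS)


def selection_ext(filename: str) -> bool:
    """Filename|endswith: true if the path ends with one of the extensions."""
    name = filename.lower()
    return any(name.endswith(ext) for ext in EXTENSIONS)


def evaluate(event: dict) -> dict:
    """Apply 'condition: 1 of selection_*': the rule fires when either
    selection matches. The per-selection flags are returned as well so an
    analyst can see why an alert was raised."""
    filename = event.get('Filename', '')
    hits = {
        'selection_path': selection_path(filename),
        'selection_ext': selection_ext(filename),
    }
    hits['matched'] = hits['selection_path'] or hits['selection_ext']
    return hits


# Constructed sample antivirus events (not real detections). The only field
# the rule reads is Filename; Signature is illustrative.
SAMPLE_EVENTS = [
    {'Filename': 'C:\\Users\\Public\\update.vbs', 'Signature': 'Trojan:Script/Generic'},
    {'Filename': 'C:\\inetpub\\wwwroot\\img\\logo.aspx', 'Signature': 'Backdoor:ASP/Generic'},
    {'Filename': 'C:\\WINDOWS\\System32\\drivers\\abc.sys', 'Signature': 'Rootkit:Win32/Generic'},
    {'Filename': '/var/www/html/uploads/pic.php', 'Signature': 'PHP/WebShell'},
    {'Filename': 'C:\\Users\\alice\\Desktop\\notes.txt', 'Signature': 'Trojan:Win32/Generic'},
    {'Filename': 'D:\\Projects\\report.docx', 'Signature': 'Exploit:O97M/Generic'},
]


def alerts(events=SAMPLE_EVENTS) -> list:
    """Return (Filename, list of matching selections) for every event the
    rule fires on, in input order."""
    out = []
    for ev in events:
        res = evaluate(ev)
        if res['matched']:
            fired = [k for k in ('selection_path', 'selection_ext') if res[k]]
            out.append((ev['Filename'], fired))
    return out


if __name__ == '__main__':
    for fn, fired in alerts():
        print(f'{fn}: {", ".join(fired)}')
```

Running the block shows five of the six sample events firing. Two points worth noticing when tuning: the driver under `C:\WINDOWS\` matches on path alone even though `.sys` is not in the extension list (the `contains` match is case-insensitive, so `WINDOWS` still hits `:\Windows\`), and `notes.txt` on a user's desktop matches on extension alone. The second case illustrates how broad `selection_ext` is; the rule's `falsepositives: Unlikely` rests on the premise that any antivirus alert is already worth a look, so environments with noisy AV engines may want to narrow that list rather than the path list.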