Antivirus Relevant File Paths Alerts
Detects an antivirus alert in a highly relevant file path or with a relevant file name. This event must not be ignored just because the AV has blocked the malware; investigate how the file got there in the first place.
Sigma rule
```yaml
title: Antivirus Relevant File Paths Alerts
id: c9a88268-0047-4824-ba6e-4d81ce0b907c
status: test
description: |
    Detects an Antivirus alert in a highly relevant file path or with a relevant file name.
    This event must not be ignored just because the AV has blocked the malware but investigate, how it came there in the first place.
references:
    - https://www.nextron-systems.com/?s=antivirus
author: Florian Roth (Nextron Systems), Arnim Rupp
date: 2018-09-09
modified: 2024-11-02
tags:
    - attack.resource-development
    - attack.t1588
logsource:
    category: antivirus
detection:
    selection_path:
        Filename|contains:
            - ':\PerfLogs\'
            - ':\Temp\'
            - ':\Users\Default\'
            - ':\Users\Public\'
            - ':\Windows\'
            - '/www/'
            # - '\Client\'
            - '\inetpub\'
            - '\tsclient\'
            - 'apache'
            - 'nginx'
            - 'tomcat'
            - 'weblogic'
    selection_ext:
        Filename|endswith:
            - '.asax'
            - '.ashx'
            - '.asmx'
            - '.asp'
            - '.aspx'
            - '.bat'
            - '.cfm'
            - '.cgi'
            - '.chm'
            - '.cmd'
            - '.dat'
            - '.ear'
            - '.gif'
            - '.hta'
            - '.jpeg'
            - '.jpg'
            - '.jsp'
            - '.jspx'
            - '.lnk'
            - '.msc'
            - '.php'
            - '.pl'
            - '.png'
            - '.ps1'
            - '.psm1'
            - '.py'
            - '.pyc'
            - '.rb'
            - '.scf'
            - '.sct'
            - '.sh'
            - '.svg'
            - '.txt'
            - '.vbe'
            - '.vbs'
            - '.war'
            - '.wll'
            - '.wsf'
            - '.wsh'
            - '.xll'
            - '.xml'
    condition: 1 of selection_*
falsepositives:
    - Unlikely
level: high
```
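As an added example (not part of the rule or of the Sigma project), the detection block above translated into plain Python: `selection_path` implements `Filename|contains`, `selection_ext` implements `Filename|endswith`, and `rule_matches` applies the `1 of selection_*` condition, using Sigma's default case-insensitive string matching. The antivirus events it is run over are constructed sample records, not real telemetry.

```python
# Values copied from the rule's detection block. Backslashes are doubled because
# these are ordinary Python strings, not YAML single-quoted scalars.
RELEVANT_PATHS = [
    ":\\PerfLogs\\", ":\\Temp\\", ":\\Users\\Default\\", ":\\Users\\Public\\",
    ":\\Windows\\", "/www/", "\\inetpub\\", "\\tsclient\\",
    "apache", "nginx", "tomcat", "weblogic",
]
RELEVANT_EXTENSIONS = [
    ".asax", ".ashx", ".asmx", ".asp", ".aspx", ".bat", ".cfm", ".cgi", ".chm",
    ".cmd", ".dat", ".ear", ".gif", ".hta", ".jpeg", ".jpg", ".jsp", ".jspx",
    ".lnk", ".msc", ".php", ".pl", ".png", ".ps1", ".psm1", ".py", ".pyc", ".rb",
    ".scf", ".sct", ".sh", ".svg", ".txt", ".vbe", ".vbs", ".war", ".wll", ".wsf",
    ".wsh", ".xll", ".xml",
]

def selection_path(filename: str) -> bool:
    """Sigma `Filename|contains`: substring match, case-insensitive like Sigma."""
    f = filename.lower()
    return any(p.lower() in f for p in RELEVANT_PATHS)

def selection_ext(filename: str) -> bool:
    """Sigma `Filename|endswith`: suffix match, case-insensitive like Sigma."""
    f = filename.lower()
    return any(f.endswith(e) for e in RELEVANT_EXTENSIONS)

def rule_matches(event: dict) -> bool:
    """`condition: 1 of selection_*` -> fire if any selection is true.
    An event with no Filename field can never satisfy either selection."""
    filename = event.get("Filename")
    if not filename:
        return False
    return selection_path(filename) or selection_ext(filename)

def matching_events(events):
    """Return the subset of antivirus events this rule would alert on."""
    return [e for e in events if rule_matches(e)]

# Constructed sample antivirus events (hypothetical, not real telemetry).
SAMPLE_EVENTS = [
    {"Filename": "C:\\inetpub\\wwwroot\\upload\\cmd.aspx", "Signature": "Backdoor:ASP/Webshell"},
    {"Filename": "C:\\Users\\alice\\Downloads\\invoice.docx", "Signature": "Trojan:Win32/Agent"},
    {"Filename": "C:\\Users\\Public\\update.exe", "Signature": "Trojan:Win32/Agent"},
    {"Filename": "D:\\share\\notes.TXT", "Signature": "PUA:Win32/Keygen"},
    {"Signature": "Trojan:Win32/Agent"},  # no Filename field: rule cannot fire
]

if __name__ == "__main__":
    for e in matching_events(SAMPLE_EVENTS):
        print("ALERT", e["Signature"], e["Filename"])
```

The second event shows the rule's blind spot: a detection under a user's profile with a non-listed extension stays silent, so this rule complements, rather than replaces, the AV's own alert.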
Related rules
- Relevant Anti-Virus Signature Keywords In Application Log
- Uncommon File Created In Office Startup Folder
- Linux HackTool Execution
- CVE-2021-1675 Print Spooler Exploitation Filename Pattern
- Bitbucket Unauthorized Access To A Resource