Antivirus Relevant File Paths Alerts
Detects an Antivirus alert in a highly relevant file path or with a relevant file name
Sigma rule (View on GitHub)
1title: Antivirus Relevant File Paths Alerts
2id: c9a88268-0047-4824-ba6e-4d81ce0b907c
3status: test
4description: Detects an Antivirus alert in a highly relevant file path or with a relevant file name
5references:
6 - https://www.nextron-systems.com/?s=antivirus
7author: Florian Roth (Nextron Systems), Arnim Rupp
8date: 2018/09/09
9modified: 2023/10/23
10tags:
11 - attack.resource_development
12 - attack.t1588
13logsource:
14 category: antivirus
15detection:
16 selection_path:
17 Filename|contains:
18 # could be startswith, if there is a better backend handling
19 - ':\Windows\'
20 - ':\Temp\'
21 - ':\PerfLogs\'
22 - ':\Users\Public\'
23 - ':\Users\Default\'
24 # true 'contains' matches:
25 - '\Client\'
26 - '\tsclient\'
27 - '\inetpub\'
28 - '/www/'
29 - 'apache'
30 - 'tomcat'
31 - 'nginx'
32 - 'weblogic'
33 selection_ext:
34 Filename|endswith:
35 - '.asax'
36 - '.ashx'
37 - '.asmx'
38 - '.asp'
39 - '.aspx'
40 - '.bat'
41 - '.cfm'
42 - '.cgi'
43 - '.chm'
44 - '.cmd'
45 - '.dat'
46 - '.ear'
47 - '.gif'
48 - '.hta'
49 - '.jpeg'
50 - '.jpg'
51 - '.jsp'
52 - '.jspx'
53 - '.lnk'
54 - '.php'
55 - '.pl'
56 - '.png'
57 - '.ps1'
58 - '.psm1'
59 - '.py'
60 - '.pyc'
61 - '.rb'
62 - '.scf'
63 - '.sct'
64 - '.sh'
65 - '.svg'
66 - '.txt'
67 - '.vbe'
68 - '.vbs'
69 - '.war'
70 - '.wsf'
71 - '.wsh'
72 - '.xml'
73 condition: 1 of selection_*
74fields:
75 - Signature
76 - User
77falsepositives:
78 - Unlikely
79level: high
References
-
by Florian Roth | Jan 20, 2023 We've updated our Antivirus Event Analysis Cheat Sheet to version 1.12.0. It includes updates in several sections New signatures for PUA like FRP and Adfind Signature...
Read More
Related rules
- Relevant Anti-Virus Event
- Linux HackTool Execution
- CVE-2021-1675 Print Spooler Exploitation Filename Pattern
- Suspicious Word Cab File Write CVE-2021-40444
- Potential Privilege Escalation To LOCAL SYSTEM