Antivirus Relevant File Paths Alerts
Detects an Antivirus alert in a highly relevant file path or with a relevant file name
Sigma rule (View on GitHub)
title: Antivirus Relevant File Paths Alerts
id: c9a88268-0047-4824-ba6e-4d81ce0b907c
status: test
description: Detects an Antivirus alert in a highly relevant file path or with a relevant file name
references:
    - https://www.nextron-systems.com/?s=antivirus
author: Florian Roth (Nextron Systems), Arnim Rupp
date: 2018/09/09
modified: 2023/10/23
tags:
    - attack.resource_development
    - attack.t1588
logsource:
    category: antivirus
detection:
    selection_path:
        Filename|contains:
            # could be startswith, if there is a better backend handling
            - ':\Windows\'
            - ':\Temp\'
            - ':\PerfLogs\'
            - ':\Users\Public\'
            - ':\Users\Default\'
            # true 'contains' matches:
            - '\Client\'
            - '\tsclient\'
            - '\inetpub\'
            - '/www/'
            - 'apache'
            - 'tomcat'
            - 'nginx'
            - 'weblogic'
    selection_ext:
        Filename|endswith:
            - '.asax'
            - '.ashx'
            - '.asmx'
            - '.asp'
            - '.aspx'
            - '.bat'
            - '.cfm'
            - '.cgi'
            - '.chm'
            - '.cmd'
            - '.dat'
            - '.ear'
            - '.gif'
            - '.hta'
            - '.jpeg'
            - '.jpg'
            - '.jsp'
            - '.jspx'
            - '.lnk'
            - '.php'
            - '.pl'
            - '.png'
            - '.ps1'
            - '.psm1'
            - '.py'
            - '.pyc'
            - '.rb'
            - '.scf'
            - '.sct'
            - '.sh'
            - '.svg'
            - '.txt'
            - '.vbe'
            - '.vbs'
            - '.war'
            - '.wsf'
            - '.wsh'
            - '.xml'
    condition: 1 of selection_*
fields:
    - Signature
    - User
falsepositives:
    - Unlikely
level: high
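To make the rule's logic concrete, the following is an added example (not part of the Sigma rule above or of the Sigma project) that evaluates both selections against a handful of constructed antivirus events the way a Sigma backend would: `Filename|contains` and `Filename|endswith` are applied case-insensitively, which is Sigma's default for string matching, and the condition `1 of selection_*` means an event alerts as soon as either selection matches. The event dictionaries, the `evaluate` and `alerts` helpers and the `Filename`/`Signature`/`User` field names as plain dictionary keys are assumptions for the example; the two match lists are copied from the rule.

```python
"""Added example: evaluate the 'Antivirus Relevant File Paths Alerts' Sigma rule
against constructed antivirus events. Not the Sigma project's code."""

# Copied from the rule's selection_path. The first five anchor on the drive
# separator (':\Windows\'), the rest are true substring matches ('apache').
RELEVANT_PATH_FRAGMENTS = [
    ":\\Windows\\", ":\\Temp\\", ":\\PerfLogs\\", ":\\Users\\Public\\",
    ":\\Users\\Default\\", "\\Client\\", "\\tsclient\\", "\\inetpub\\",
    "/www/", "apache", "tomcat", "nginx", "weblogic",
]

# Copied from the rule's selection_ext.
RELEVANT_EXTENSIONS = [
    ".asax", ".ashx", ".asmx", ".asp", ".aspx", ".bat", ".cfm", ".cgi", ".chm",
    ".cmd", ".dat", ".ear", ".gif", ".hta", ".jpeg", ".jpg", ".jsp", ".jspx",
    ".lnk", ".php", ".pl", ".png", ".ps1", ".psm1", ".py", ".pyc", ".rb", ".scf",
    ".sct", ".sh", ".svg", ".txt", ".vbe", ".vbs", ".war", ".wsf", ".wsh", ".xml",
]


def matches_selection_path(filename: str) -> bool:
    """Filename|contains: any fragment anywhere in the path (case-insensitive)."""
    lowered = filename.lower()
    return any(fragment.lower() in lowered for fragment in RELEVANT_PATH_FRAGMENTS)


def matches_selection_ext(filename: str) -> bool:
    """Filename|endswith: any listed extension at the end (case-insensitive)."""
    lowered = filename.lower()
    return any(lowered.endswith(ext) for ext in RELEVANT_EXTENSIONS)


def evaluate(event: dict) -> list[str]:
    """Return the names of the selections that matched.

    condition '1 of selection_*' fires when the list is non-empty.
    """
    filename = event.get("Filename", "")
    hits = []
    if matches_selection_path(filename):
        hits.append("selection_path")
    if matches_selection_ext(filename):
        hits.append("selection_ext")
    return hits


def alerts(events: list[dict]) -> list[dict]:
    """Emit one alert per matching event, carrying the rule's 'fields'."""
    out = []
    for event in events:
        hits = evaluate(event)
        if hits:
            out.append({
                "Filename": event.get("Filename", ""),
                "Signature": event.get("Signature", ""),   # fields: Signature
                "User": event.get("User", ""),             # fields: User
                "matched": hits,
                "level": "high",
            })
    return out


# Constructed sample events (hypothetical paths, signatures and users).
SAMPLE_EVENTS = [
    {"Filename": "C:\\Users\\Public\\update.exe", "Signature": "Trojan.Generic", "User": "WS01\\alice"},
    {"Filename": "C:\\inetpub\\wwwroot\\cmd.aspx", "Signature": "Backdoor.ASP", "User": "IIS APPPOOL\\DefaultAppPool"},
    {"Filename": "C:\\Users\\bob\\Downloads\\setup.exe", "Signature": "PUA.Generic", "User": "WS02\\bob"},
    {"Filename": "/var/www/html/shell.php", "Signature": "PHP.Webshell", "User": "www-data"},
    {"Filename": "C:\\Program Files\\Vendor\\README.TXT", "Signature": "Eicar-Test", "User": "WS03\\carol"},
]

if __name__ == "__main__":
    for alert in alerts(SAMPLE_EVENTS):
        print(alert)
```

Running the block shows why the rule's own comment about `startswith` matters: `:\Users\Public\` only fires when the drive separator precedes it, whereas `apache` or `tomcat` match anywhere in the path, and the `.TXT` event is caught purely by the case-insensitive extension check even though it lives in an otherwise unremarkable directory.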
Related rules
- Relevant Anti-Virus Event
- Linux HackTool Execution
- CVE-2021-1675 Print Spooler Exploitation Filename Pattern
- Suspicious Word Cab File Write CVE-2021-40444
- Potential Privilege Escalation To LOCAL SYSTEM