Relevant Anti-Virus Signature Keywords In Application Log

calendar Aug 29, 2024 · attack.resource-development attack.t1588  ·
Share on: linkedin copy

Detects potentially highly relevant antivirus events in the application log based on known virus signature names and malware keywords.

Sigma rule (View on GitHub)

  1title: Relevant Anti-Virus Signature Keywords In Application Log
  2id: 78bc5783-81d9-4d73-ac97-59f6db4f72a8
  3status: test
  4description: |
  5        Detects potentially highly relevant antivirus events in the application log based on known virus signature names and malware keywords.
  6references:
  7    - https://www.virustotal.com/gui/file/13828b390d5f58b002e808c2c4f02fdd920e236cc8015480fa33b6c1a9300e31
  8    - https://www.virustotal.com/gui/file/15b57c1b68cd6ce3c161042e0f3be9f32d78151fe95461eedc59a79fc222c7ed
  9    - https://www.virustotal.com/gui/file/5092b2672b4cb87a8dd1c2e6047b487b95995ad8ed5e9fc217f46b8bfb1b8c01
 10    - https://www.nextron-systems.com/?s=antivirus
 11author: Florian Roth (Nextron Systems), Arnim Rupp
 12date: 2017-02-19
 13modified: 2024-08-29
 14tags:
 15    - attack.resource-development
 16    - attack.t1588
 17logsource:
 18    product: windows
 19    service: application
 20detection:
 21    keywords:
 22        - 'Adfind'
 23        - 'ASP/BackDoor '
 24        - 'ATK/'
 25        - 'Backdoor.ASP'
 26        - 'Backdoor.Cobalt'
 27        - 'Backdoor.JSP'
 28        - 'Backdoor.PHP'
 29        - 'Blackworm'
 30        - 'Brutel'
 31        - 'BruteR'
 32        - 'Chopper'
 33        - 'Cobalt'
 34        - 'COBEACON'
 35        - 'Cometer'
 36        - 'CRYPTES'
 37        - 'Cryptor'
 38        - 'Destructor'
 39        - 'DumpCreds'
 40        - 'Exploit.Script.CVE'
 41        - 'FastReverseProxy'
 42        - 'Filecoder'
 43        - 'GrandCrab '
 44        - 'HackTool'
 45        - 'HKTL'
 46        - 'HTool'
 47        - 'IISExchgSpawnCMD'
 48        - 'Impacket'
 49        - 'JSP/BackDoor '
 50        - 'Keylogger'
 51        - 'Koadic'
 52        - 'Krypt'
 53        - 'Lazagne'
 54        - 'Metasploit'
 55        - 'Meterpreter'
 56        - 'MeteTool'
 57        - 'mikatz'
 58        - 'Mimikatz'
 59        - 'Mpreter'
 60        - 'MsfShell'
 61        - 'Nighthawk'
 62        - 'Packed.Generic.347'
 63        - 'PentestPowerShell'
 64        - 'Phobos'
 65        - 'PHP/BackDoor '
 66        - 'Potato'
 67        - 'PowerSploit'
 68        - 'PowerSSH'
 69        - 'PshlSpy'
 70        - 'PSWTool'
 71        - 'PWCrack'
 72        - 'PWDump'
 73        - 'Ransom'
 74        - 'Rozena'
 75        - 'Ryzerlo'
 76        - 'Sbelt'
 77        - 'Seatbelt'
 78        - 'SecurityTool '
 79        - 'SharpDump'
 80        - 'Shellcode'
 81        - 'Sliver'
 82        - 'Splinter'
 83        - 'Swrort'
 84        - 'Tescrypt'
 85        - 'TeslaCrypt'
 86        - 'TurtleLoader'
 87        - 'Valyria'
 88        - 'Webshell'
 89        # - 'FRP.'
 90        # - 'Locker'
 91        # - 'PWS.'
 92        # - 'PWSX'
 93        # - 'Razy'
 94        # - 'Ryuk'
 95    filter_optional_generic:
 96        - 'anti_ransomware_service.exe'
 97        - 'Anti-Ransomware'
 98        - 'Crack'
 99        - 'cyber-protect-service.exe'
100        - 'encryptor'
101        - 'Keygen'
102    filter_optional_information:
103        Level: 4  # Information level
104    filter_optional_restartmanager:
105        Provider_Name: 'Microsoft-Windows-RestartManager'
106    condition: keywords and not 1 of filter_optional_*
107falsepositives:
108    - Some software piracy tools (key generators, cracks) are classified as hack tools
109level: high

References

Related rules

to-top