Relevant Anti-Virus Signature Keywords In Application Log

Detects potentially highly relevant antivirus events in the application log based on known virus signature names and malware keywords.

Sigma rule

title: Relevant Anti-Virus Signature Keywords In Application Log
id: 78bc5783-81d9-4d73-ac97-59f6db4f72a8
status: test
description: |
        Detects potentially highly relevant antivirus events in the application log based on known virus signature names and malware keywords.
references:
    - https://www.virustotal.com/gui/file/13828b390d5f58b002e808c2c4f02fdd920e236cc8015480fa33b6c1a9300e31
    - https://www.virustotal.com/gui/file/15b57c1b68cd6ce3c161042e0f3be9f32d78151fe95461eedc59a79fc222c7ed
    - https://www.virustotal.com/gui/file/5092b2672b4cb87a8dd1c2e6047b487b95995ad8ed5e9fc217f46b8bfb1b8c01
    - https://www.nextron-systems.com/?s=antivirus
author: Florian Roth (Nextron Systems), Arnim Rupp
date: 2017-02-19
modified: 2024-12-25
tags:
    - attack.resource-development
    - attack.t1588
logsource:
    product: windows
    service: application
detection:
    keywords:
        - 'Adfind'
        - 'ASP/BackDoor '
        - 'ATK/'
        - 'Backdoor.ASP'
        - 'Backdoor.Cobalt'
        - 'Backdoor.JSP'
        - 'Backdoor.PHP'
        - 'Blackworm'
        - 'Brutel'
        - 'BruteR'
        - 'Chopper'
        - 'Cobalt'
        - 'COBEACON'
        - 'Cometer'
        - 'CRYPTES'
        - 'Cryptor'
        - 'Destructor'
        - 'DumpCreds'
        - 'Exploit.Script.CVE'
        - 'FastReverseProxy'
        - 'Filecoder'
        - 'GrandCrab '
        - 'HackTool'
        - 'HKTL'
        - 'HTool-'
        - '/HTool'
        - '.HTool'
        - 'IISExchgSpawnCMD'
        - 'Impacket'
        - 'JSP/BackDoor '
        - 'Keylogger'
        - 'Koadic'
        - 'Krypt'
        - 'Lazagne'
        - 'Metasploit'
        - 'Meterpreter'
        - 'MeteTool'
        - 'mikatz'
        - 'Mimikatz'
        - 'Mpreter'
        - 'MsfShell'
        - 'Nighthawk'
        - 'Packed.Generic.347'
        - 'PentestPowerShell'
        - 'Phobos'
        - 'PHP/BackDoor '
        - 'Potato'
        - 'PowerSploit'
        - 'PowerSSH'
        - 'PshlSpy'
        - 'PSWTool'
        - 'PWCrack'
        - 'PWDump'
        - 'Ransom'
        - 'Rozena'
        - 'Ryzerlo'
        - 'Sbelt'
        - 'Seatbelt'
        - 'SecurityTool '
        - 'SharpDump'
        - 'Shellcode'
        - 'Sliver'
        - 'Splinter'
        - 'Swrort'
        - 'Tescrypt'
        - 'TeslaCrypt'
        - 'TurtleLoader'
        - 'Valyria'
        - 'Webshell'
        # - 'FRP.'
        # - 'Locker'
        # - 'PWS.'
        # - 'PWSX'
        # - 'Razy'
        # - 'Ryuk'
    filter_optional_generic:
        - 'anti_ransomware_service.exe'
        - 'Anti-Ransomware'
        - 'Crack'
        - 'cyber-protect-service.exe'
        - 'encryptor'
        - 'Keygen'
    filter_optional_information:
        Level: 4  # Information level
    filter_optional_restartmanager:
        Provider_Name: 'Microsoft-Windows-RestartManager'
    condition: keywords and not 1 of filter_optional_*
falsepositives:
    - Some software piracy tools (key generators, cracks) are classified as hack tools
level: high
