Relevant Anti-Virus Signature Keywords In Application Log
Detects potentially highly relevant antivirus events in the application log based on known virus signature names and malware keywords.
Sigma rule
```yaml
title: Relevant Anti-Virus Signature Keywords In Application Log
id: 78bc5783-81d9-4d73-ac97-59f6db4f72a8
status: test
description: |
    Detects potentially highly relevant antivirus events in the application log based on known virus signature names and malware keywords.
references:
    - https://www.virustotal.com/gui/file/13828b390d5f58b002e808c2c4f02fdd920e236cc8015480fa33b6c1a9300e31
    - https://www.virustotal.com/gui/file/15b57c1b68cd6ce3c161042e0f3be9f32d78151fe95461eedc59a79fc222c7ed
    - https://www.virustotal.com/gui/file/5092b2672b4cb87a8dd1c2e6047b487b95995ad8ed5e9fc217f46b8bfb1b8c01
    - https://www.nextron-systems.com/?s=antivirus
author: Florian Roth (Nextron Systems), Arnim Rupp
date: 2017-02-19
modified: 2024-12-25
tags:
    - attack.resource-development
    - attack.t1588
logsource:
    product: windows
    service: application
detection:
    keywords:
        - 'Adfind'
        - 'ASP/BackDoor '
        - 'ATK/'
        - 'Backdoor.ASP'
        - 'Backdoor.Cobalt'
        - 'Backdoor.JSP'
        - 'Backdoor.PHP'
        - 'Blackworm'
        - 'Brutel'
        - 'BruteR'
        - 'Chopper'
        - 'Cobalt'
        - 'COBEACON'
        - 'Cometer'
        - 'CRYPTES'
        - 'Cryptor'
        - 'Destructor'
        - 'DumpCreds'
        - 'Exploit.Script.CVE'
        - 'FastReverseProxy'
        - 'Filecoder'
        - 'GrandCrab '
        - 'HackTool'
        - 'HKTL'
        - 'HTool-'
        - '/HTool'
        - '.HTool'
        - 'IISExchgSpawnCMD'
        - 'Impacket'
        - 'JSP/BackDoor '
        - 'Keylogger'
        - 'Koadic'
        - 'Krypt'
        - 'Lazagne'
        - 'Metasploit'
        - 'Meterpreter'
        - 'MeteTool'
        - 'mikatz'
        - 'Mimikatz'
        - 'Mpreter'
        - 'MsfShell'
        - 'Nighthawk'
        - 'Packed.Generic.347'
        - 'PentestPowerShell'
        - 'Phobos'
        - 'PHP/BackDoor '
        - 'Potato'
        - 'PowerSploit'
        - 'PowerSSH'
        - 'PshlSpy'
        - 'PSWTool'
        - 'PWCrack'
        - 'PWDump'
        - 'Ransom'
        - 'Rozena'
        - 'Ryzerlo'
        - 'Sbelt'
        - 'Seatbelt'
        - 'SecurityTool '
        - 'SharpDump'
        - 'Shellcode'
        - 'Sliver'
        - 'Splinter'
        - 'Swrort'
        - 'Tescrypt'
        - 'TeslaCrypt'
        - 'TurtleLoader'
        - 'Valyria'
        - 'Webshell'
        # - 'FRP.'
        # - 'Locker'
        # - 'PWS.'
        # - 'PWSX'
        # - 'Razy'
        # - 'Ryuk'
    filter_optional_generic:
        - 'anti_ransomware_service.exe'
        - 'Anti-Ransomware'
        - 'Crack'
        - 'cyber-protect-service.exe'
        - 'encryptor'
        - 'Keygen'
    filter_optional_information:
        Level: 4 # Information level
    filter_optional_restartmanager:
        Provider_Name: 'Microsoft-Windows-RestartManager'
    condition: keywords and not 1 of filter_optional_*
falsepositives:
    - Some software piracy tools (key generators, cracks) are classified as hack tools
level: high
```
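To make the detection logic concrete, here is an added example (not part of the rule or of the Sigma project) that re-implements what `keywords and not 1 of filter_optional_*` means for this rule in plain Python and runs it over a handful of constructed Application-log events. It assumes the Sigma convention that a `keywords` list is a case-insensitive substring match against the whole event, and that the field-based filters (`Level`, `Provider_Name`) compare against named fields. The keyword list is a trimmed subset of the one above, chosen so that each sample event exercises one branch: a real hit, the Information-level filter, the RestartManager filter, the generic keygen/crack filter, and a non-matching event.

```python
"""Minimal evaluator for the Sigma rule above (illustrative, not a Sigma backend).

Semantics reproduced:
  keywords              -> any keyword found (case-insensitively) in the flattened event text
  filter_optional_*     -> each filter is a keyword list or a field/value match
  condition             -> keywords and not 1 of filter_optional_*
"""

# Subset of the rule's keyword list (the real rule has ~90 entries).
KEYWORDS = [
    "HackTool", "HKTL", "Mimikatz", "mikatz", "Cobalt", "Meterpreter",
    "Impacket", "Keylogger", "Ransom", "Webshell",
]

# filter_optional_generic from the rule.
FILTER_GENERIC = [
    "anti_ransomware_service.exe", "Anti-Ransomware", "Crack",
    "cyber-protect-service.exe", "encryptor", "Keygen",
]

# filter_optional_information and filter_optional_restartmanager from the rule.
INFORMATION_LEVEL = "4"
RESTART_MANAGER_PROVIDER = "Microsoft-Windows-RestartManager"


def event_text(event: dict) -> str:
    """Sigma keyword lists are searched across the whole event, so flatten every field value."""
    return " ".join(str(v) for v in event.values())


def contains_any(text: str, needles) -> bool:
    """Case-insensitive 'contains' over a list of keywords."""
    lowered = text.lower()
    return any(n.lower() in lowered for n in needles)


def matches_rule(event: dict) -> bool:
    """Evaluate: keywords and not 1 of filter_optional_*."""
    text = event_text(event)
    if not contains_any(text, KEYWORDS):
        return False
    # filter_optional_generic: piracy tooling that AV engines often label HackTool
    if contains_any(text, FILTER_GENERIC):
        return False
    # filter_optional_information: Level 4 events are informational noise
    if str(event.get("Level")) == INFORMATION_LEVEL:
        return False
    # filter_optional_restartmanager: RestartManager echoes file paths of restarted apps
    if event.get("Provider_Name") == RESTART_MANAGER_PROVIDER:
        return False
    return True


# Constructed sample events (field names follow the Windows Application log; values are made up).
SAMPLE_EVENTS = [
    {"Provider_Name": "Microsoft-Windows-Windows Defender", "Level": 3,
     "Message": "Detected malware HackTool:Win32/Mimikatz.B, Path: file:_C:\\Tools\\m.exe"},
    {"Provider_Name": "Microsoft-Windows-Windows Defender", "Level": 4,
     "Message": "Detected malware HackTool:Win32/Mimikatz.B, Path: file:_C:\\Tools\\m.exe"},
    {"Provider_Name": "Microsoft-Windows-RestartManager", "Level": 2,
     "Message": "Application C:\\Tools\\mimikatz.exe was restarted by the installer"},
    {"Provider_Name": "ExampleAV", "Level": 2,
     "Message": "Quarantined HackTool.Win32.Keygen from C:\\Downloads\\setup.exe"},
    {"Provider_Name": "ExampleAV", "Level": 2,
     "Message": "Signature database updated successfully"},
]


def scan(events) -> list:
    """Return the messages of events that would raise this rule."""
    return [e["Message"] for e in events if matches_rule(e)]


if __name__ == "__main__":
    for i, e in enumerate(SAMPLE_EVENTS):
        print(f"event {i}: match={matches_rule(e)}")
```

Only the first event raises the rule: the second is identical but informational (`Level: 4`), the third is a RestartManager echo of a file path, the fourth trips the `Keygen` filter, and the fifth contains no keyword. Note that the filters are applied to the flattened text as well, which is why a legitimate detection whose message happens to contain "Crack" or "Keygen" is suppressed; that is the trade-off the rule's `falsepositives` entry describes.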
Related rules
- Antivirus Relevant File Paths Alerts
- Uncommon File Created In Office Startup Folder
- Linux HackTool Execution
- CVE-2021-1675 Print Spooler Exploitation Filename Pattern
- Conti Volume Shadow Listing