Relevant Anti-Virus Signature Keywords In Application Log
Detects potentially highly relevant antivirus events in the application log based on known virus signature names and malware keywords.
Sigma rule (View on GitHub)
1title: Relevant Anti-Virus Signature Keywords In Application Log
2id: 78bc5783-81d9-4d73-ac97-59f6db4f72a8
3status: test
4description: Detects potentially highly relevant antivirus events in the application log based on known virus signature names and malware keywords.
5references:
6 - https://www.virustotal.com/gui/file/13828b390d5f58b002e808c2c4f02fdd920e236cc8015480fa33b6c1a9300e31
7 - https://www.virustotal.com/gui/file/15b57c1b68cd6ce3c161042e0f3be9f32d78151fe95461eedc59a79fc222c7ed
8 - https://www.virustotal.com/gui/file/5092b2672b4cb87a8dd1c2e6047b487b95995ad8ed5e9fc217f46b8bfb1b8c01
9author: Florian Roth (Nextron Systems), Arnim Rupp
10date: 2017/02/19
11modified: 2023/11/22
12tags:
13 - attack.resource_development
14 - attack.t1588
15logsource:
16 product: windows
17 service: application
18detection:
19 keywords:
20 - 'Adfind'
21 - 'ASP/BackDoor'
22 - 'ATK/'
23 - 'Backdoor.ASP'
24 - 'Backdoor.Cobalt'
25 - 'Backdoor.JSP'
26 - 'Backdoor.PHP'
27 - 'Blackworm'
28 - 'Brutel'
29 - 'BruteR'
30 - 'Chopper'
31 - 'Cobalt'
32 - 'COBEACON'
33 - 'Cometer'
34 - 'CRYPTES'
35 - 'Cryptor'
36 - 'Destructor'
37 - 'DumpCreds'
38 - 'Exploit.Script.CVE'
39 - 'FastReverseProxy'
40 - 'Filecoder'
41 - 'GrandCrab'
42 - 'HackTool'
43 - 'HKTL:'
44 - 'HKTL.'
45 - 'HKTL/'
46 - 'HTool'
47 - 'IISExchgSpawnCMD'
48 - 'Impacket'
49 - 'JSP/BackDoor'
50 - 'Keylogger'
51 - 'Koadic'
52 - 'Krypt'
53 - 'Lazagne'
54 - 'Metasploit'
55 - 'Meterpreter'
56 - 'MeteTool'
57 - 'Mimikatz'
58 - 'Mpreter'
59 - 'Nighthawk'
60 - 'Packed.Generic.347'
61 - 'PentestPowerShell'
62 - 'Phobos'
63 - 'PHP/BackDoor'
64 - 'PowerSploit'
65 - 'PowerSSH'
66 - 'PshlSpy'
67 - 'PSWTool'
68 - 'PWCrack'
69 - 'PWDump'
70 - 'Ransom'
71 - 'Rozena'
72 - 'Ryzerlo'
73 - 'Sbelt'
74 - 'Seatbelt'
75 - 'SecurityTool'
76 - 'SharpDump'
77 - 'Sliver'
78 - 'Splinter'
79 - 'Swrort'
80 - 'Tescrypt'
81 - 'TeslaCrypt'
82 - 'Valyria'
83 - 'Webshell'
84 # - 'FRP.'
85 # - 'PWS.'
86 # - 'PWSX'
87 # - 'Razy'
88 # - 'Ryuk'
89 # - 'Locker'
90 # - 'Potato'
91 filter_optional_generic:
92 - 'Keygen'
93 - 'Crack'
94 - 'anti_ransomware_service.exe'
95 - 'cyber-protect-service.exe'
96 filter_optional_information:
97 Level: 4 # Information level
98 filter_optional_restartmanager:
99 Provider_Name: 'Microsoft-Windows-RestartManager'
100 condition: keywords and not 1 of filter_optional_*
101falsepositives:
102 - Some software piracy tools (key generators, cracks) are classified as hack tools
103level: high
References
Related rules
- Antivirus Relevant File Paths Alerts
- Uncommon File Created In Office Startup Folder
- Linux HackTool Execution
- CVE-2021-1675 Print Spooler Exploitation Filename Pattern
- Suspicious Word Cab File Write CVE-2021-40444