Relevant Anti-Virus Signature Keywords In Application Log

calendar Dec 21, 2023 · attack.resource_development attack.t1588  ·
Share on: linkedin copy

Detects potentially highly relevant antivirus events in the application log based on known virus signature names and malware keywords.

Sigma rule (View on GitHub)

  1title: Relevant Anti-Virus Signature Keywords In Application Log
  2id: 78bc5783-81d9-4d73-ac97-59f6db4f72a8
  3status: test
  4description: Detects potentially highly relevant antivirus events in the application log based on known virus signature names and malware keywords.
  5references:
  6    - https://www.virustotal.com/gui/file/13828b390d5f58b002e808c2c4f02fdd920e236cc8015480fa33b6c1a9300e31
  7    - https://www.virustotal.com/gui/file/15b57c1b68cd6ce3c161042e0f3be9f32d78151fe95461eedc59a79fc222c7ed
  8    - https://www.virustotal.com/gui/file/5092b2672b4cb87a8dd1c2e6047b487b95995ad8ed5e9fc217f46b8bfb1b8c01
  9author: Florian Roth (Nextron Systems), Arnim Rupp
 10date: 2017/02/19
 11modified: 2023/11/22
 12tags:
 13    - attack.resource_development
 14    - attack.t1588
 15logsource:
 16    product: windows
 17    service: application
 18detection:
 19    keywords:
 20        - 'Adfind'
 21        - 'ASP/BackDoor'
 22        - 'ATK/'
 23        - 'Backdoor.ASP'
 24        - 'Backdoor.Cobalt'
 25        - 'Backdoor.JSP'
 26        - 'Backdoor.PHP'
 27        - 'Blackworm'
 28        - 'Brutel'
 29        - 'BruteR'
 30        - 'Chopper'
 31        - 'Cobalt'
 32        - 'COBEACON'
 33        - 'Cometer'
 34        - 'CRYPTES'
 35        - 'Cryptor'
 36        - 'Destructor'
 37        - 'DumpCreds'
 38        - 'Exploit.Script.CVE'
 39        - 'FastReverseProxy'
 40        - 'Filecoder'
 41        - 'GrandCrab'
 42        - 'HackTool'
 43        - 'HKTL:'
 44        - 'HKTL.'
 45        - 'HKTL/'
 46        - 'HTool'
 47        - 'IISExchgSpawnCMD'
 48        - 'Impacket'
 49        - 'JSP/BackDoor'
 50        - 'Keylogger'
 51        - 'Koadic'
 52        - 'Krypt'
 53        - 'Lazagne'
 54        - 'Metasploit'
 55        - 'Meterpreter'
 56        - 'MeteTool'
 57        - 'Mimikatz'
 58        - 'Mpreter'
 59        - 'Nighthawk'
 60        - 'Packed.Generic.347'
 61        - 'PentestPowerShell'
 62        - 'Phobos'
 63        - 'PHP/BackDoor'
 64        - 'PowerSploit'
 65        - 'PowerSSH'
 66        - 'PshlSpy'
 67        - 'PSWTool'
 68        - 'PWCrack'
 69        - 'PWDump'
 70        - 'Ransom'
 71        - 'Rozena'
 72        - 'Ryzerlo'
 73        - 'Sbelt'
 74        - 'Seatbelt'
 75        - 'SecurityTool'
 76        - 'SharpDump'
 77        - 'Sliver'
 78        - 'Splinter'
 79        - 'Swrort'
 80        - 'Tescrypt'
 81        - 'TeslaCrypt'
 82        - 'Valyria'
 83        - 'Webshell'
 84        # - 'FRP.'
 85        # - 'PWS.'
 86        # - 'PWSX'
 87        # - 'Razy'
 88        # - 'Ryuk'
 89        # - 'Locker'
 90        # - 'Potato'
 91    filter_optional_generic:
 92        - 'Keygen'
 93        - 'Crack'
 94        - 'anti_ransomware_service.exe'
 95        - 'cyber-protect-service.exe'
 96    filter_optional_information:
 97        Level: 4  # Information level
 98    filter_optional_restartmanager:
 99        Provider_Name: 'Microsoft-Windows-RestartManager'
100    condition: keywords and not 1 of filter_optional_*
101falsepositives:
102    - Some software piracy tools (key generators, cracks) are classified as hack tools
103level: high

References

Related rules

to-top