Relevant Anti-Virus Signature Keywords In Application Log

Detects potentially highly relevant antivirus events in the application log based on known virus signature names and malware keywords.

Sigma rule (View on GitHub)

  1title: Relevant Anti-Virus Signature Keywords In Application Log
  2id: 78bc5783-81d9-4d73-ac97-59f6db4f72a8
  3status: test
  4description: Detects potentially highly relevant antivirus events in the application log based on known virus signature names and malware keywords.
  5references:
  6    - https://www.virustotal.com/gui/file/13828b390d5f58b002e808c2c4f02fdd920e236cc8015480fa33b6c1a9300e31
  7    - https://www.virustotal.com/gui/file/15b57c1b68cd6ce3c161042e0f3be9f32d78151fe95461eedc59a79fc222c7ed
  8    - https://www.virustotal.com/gui/file/5092b2672b4cb87a8dd1c2e6047b487b95995ad8ed5e9fc217f46b8bfb1b8c01
  9author: Florian Roth (Nextron Systems), Arnim Rupp
 10date: 2017/02/19
 11modified: 2024/06/05
 12tags:
 13    - attack.resource_development
 14    - attack.t1588
 15logsource:
 16    product: windows
 17    service: application
 18detection:
 19    keywords:
 20        - 'Adfind'
 21        - 'ASP/BackDoor'
 22        - 'ATK/'
 23        - 'Backdoor.ASP'
 24        - 'Backdoor.Cobalt'
 25        - 'Backdoor.JSP'
 26        - 'Backdoor.PHP'
 27        - 'Blackworm'
 28        - 'Brutel'
 29        - 'BruteR'
 30        - 'Chopper'
 31        - 'Cobalt'
 32        - 'COBEACON'
 33        - 'Cometer'
 34        - 'CRYPTES'
 35        - 'Cryptor'
 36        - 'Destructor'
 37        - 'DumpCreds'
 38        - 'Exploit.Script.CVE'
 39        - 'FastReverseProxy'
 40        - 'Filecoder'
 41        - 'GrandCrab'
 42        - 'HackTool'
 43        - 'HKTL:'
 44        - 'HKTL.'
 45        - 'HKTL/'
 46        - 'HTool'
 47        - 'IISExchgSpawnCMD'
 48        - 'Impacket'
 49        - 'JSP/BackDoor'
 50        - 'Keylogger'
 51        - 'Koadic'
 52        - 'Krypt'
 53        - 'Lazagne'
 54        - 'Metasploit'
 55        - 'Meterpreter'
 56        - 'MeteTool'
 57        - 'Mimikatz'
 58        - 'mikatz'
 59        - 'Mpreter'
 60        - 'Nighthawk'
 61        - 'Packed.Generic.347'
 62        - 'PentestPowerShell'
 63        - 'Phobos'
 64        - 'PHP/BackDoor'
 65        - 'PowerSploit'
 66        - 'PowerSSH'
 67        - 'PshlSpy'
 68        - 'PSWTool'
 69        - 'PWCrack'
 70        - 'PWDump'
 71        - 'Ransom'
 72        - 'Rozena'
 73        - 'Ryzerlo'
 74        - 'Sbelt'
 75        - 'Seatbelt'
 76        - 'SecurityTool'
 77        - 'SharpDump'
 78        - 'Sliver'
 79        - 'Splinter'
 80        - 'Swrort'
 81        - 'Tescrypt'
 82        - 'TeslaCrypt'
 83        - 'Valyria'
 84        - 'Webshell'
 85        # - 'FRP.'
 86        # - 'PWS.'
 87        # - 'PWSX'
 88        # - 'Razy'
 89        # - 'Ryuk'
 90        # - 'Locker'
 91        # - 'Potato'
 92    filter_optional_generic:
 93        - 'Keygen'
 94        - 'Crack'
 95        - 'anti_ransomware_service.exe'
 96        - 'cyber-protect-service.exe'
 97    filter_optional_information:
 98        Level: 4  # Information level
 99    filter_optional_restartmanager:
100        Provider_Name: 'Microsoft-Windows-RestartManager'
101    condition: keywords and not 1 of filter_optional_*
102falsepositives:
103    - Some software piracy tools (key generators, cracks) are classified as hack tools
104level: high

References

Related rules

to-top