Relevant Anti-Virus Signature Keywords In Application Log
Detects potentially highly relevant antivirus events in the application log based on known virus signature names and malware keywords.
Sigma rule (View on GitHub)
1title: Relevant Anti-Virus Signature Keywords In Application Log
2id: 78bc5783-81d9-4d73-ac97-59f6db4f72a8
3status: test
4description: |
5 Detects potentially highly relevant antivirus events in the application log based on known virus signature names and malware keywords.
6references:
7 - https://www.virustotal.com/gui/file/13828b390d5f58b002e808c2c4f02fdd920e236cc8015480fa33b6c1a9300e31
8 - https://www.virustotal.com/gui/file/15b57c1b68cd6ce3c161042e0f3be9f32d78151fe95461eedc59a79fc222c7ed
9 - https://www.virustotal.com/gui/file/5092b2672b4cb87a8dd1c2e6047b487b95995ad8ed5e9fc217f46b8bfb1b8c01
10 - https://www.nextron-systems.com/?s=antivirus
11author: Florian Roth (Nextron Systems), Arnim Rupp
12date: 2017/02/19
13modified: 2024/07/17
14tags:
15 - attack.resource_development
16 - attack.t1588
17logsource:
18 product: windows
19 service: application
20detection:
21 keywords:
22 - 'Adfind'
23 - 'ASP/BackDoor '
24 - 'ATK/'
25 - 'Backdoor.ASP'
26 - 'Backdoor.Cobalt'
27 - 'Backdoor.JSP'
28 - 'Backdoor.PHP'
29 - 'Blackworm'
30 - 'Brutel'
31 - 'BruteR'
32 - 'Chopper'
33 - 'Cobalt'
34 - 'COBEACON'
35 - 'Cometer'
36 - 'CRYPTES'
37 - 'Cryptor'
38 - 'Destructor'
39 - 'DumpCreds'
40 - 'Exploit.Script.CVE'
41 - 'FastReverseProxy'
42 - 'Filecoder'
43 - 'GrandCrab '
44 - 'HackTool'
45 - 'HKTL'
46 - 'HTool'
47 - 'IISExchgSpawnCMD'
48 - 'Impacket'
49 - 'JSP/BackDoor '
50 - 'Keylogger'
51 - 'Koadic'
52 - 'Krypt'
53 - 'Lazagne'
54 - 'Metasploit'
55 - 'Meterpreter'
56 - 'MeteTool'
57 - 'mikatz'
58 - 'Mimikatz'
59 - 'Mpreter'
60 - 'MsfShell'
61 - 'Nighthawk'
62 - 'Packed.Generic.347'
63 - 'PentestPowerShell'
64 - 'Phobos'
65 - 'PHP/BackDoor '
66 - 'Potato'
67 - 'PowerSploit'
68 - 'PowerSSH'
69 - 'PshlSpy'
70 - 'PSWTool'
71 - 'PWCrack'
72 - 'PWDump'
73 - 'Ransom'
74 - 'Rozena'
75 - 'Ryzerlo'
76 - 'Sbelt'
77 - 'Seatbelt'
78 - 'SecurityTool '
79 - 'SharpDump'
80 - 'Shellcode'
81 - 'Sliver'
82 - 'Splinter'
83 - 'Swrort'
84 - 'Tescrypt'
85 - 'TeslaCrypt'
86 - 'TurtleLoader'
87 - 'Valyria'
88 - 'Webshell'
89 # - 'FRP.'
90 # - 'Locker'
91 # - 'PWS.'
92 # - 'PWSX'
93 # - 'Razy'
94 # - 'Ryuk'
95 filter_optional_generic:
96 - 'anti_ransomware_service.exe'
97 - 'Crack'
98 - 'cyber-protect-service.exe'
99 - 'Keygen'
100 filter_optional_information:
101 Level: 4 # Information level
102 filter_optional_restartmanager:
103 Provider_Name: 'Microsoft-Windows-RestartManager'
104 condition: keywords and not 1 of filter_optional_*
105falsepositives:
106 - Some software piracy tools (key generators, cracks) are classified as hack tools
107level: high
References
Related rules
- Antivirus Relevant File Paths Alerts
- Potential Privilege Escalation To LOCAL SYSTEM
- Potential PsExec Remote Execution
- PsExec/PAExec Escalation to LOCAL SYSTEM
- Usage of Renamed Sysinternals Tools - RegistrySet