security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge PR #5068 from @ruppde - Update rules in the Antivirus category with additional strings and signature names

Browse Source 
update: Antivirus Hacktool Detection - Add additional hacktools signature names.
update: Antivirus Password Dumper Detection - Add additional password dumpers such as "DumpPert", "Lazagne", "pypykatz", etc.
update: Antivirus Ransomware Detection - Add additional ransomware signature names.
fix: Antivirus Relevant File Paths Alerts - Remove the path "\Client" as it is too generic for a detection rule.
fix: Antivirus Web Shell Detection - Removed overlapping strings "ASP/Agent", "PHP/Agent", "JSP/Agent". 

---------

Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
This commit is contained in:
Arnim Rupp
2024-11-04 11:45:07 +01:00
committed by GitHub
parent cfa6d8aa7d
commit 243003c21a
6 changed files with 63 additions and 22 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/category/antivirus/av_exploiting.yml
+4 -2
View File
@@ -1,7 +1,9 @@
title: Antivirus Exploitation Framework Detection
id: 238527ad-3c2c-4e4f-a1f6-92fd63adb864
status: stable
description: Detects a highly relevant Antivirus alert that reports an exploitation framework.
description: |
Detects a highly relevant Antivirus alert that reports an exploitation framework.
This event must not be ignored just because the AV has blocked the malware but investigate, how it came there in the first place.
references:
- https://www.nextron-systems.com/?s=antivirus
- https://www.virustotal.com/gui/file/925b0b28472d4d79b4bf92050e38cc2b8f722691c713fc28743ac38551bc3797
@@ -9,7 +11,7 @@ references:
- https://www.virustotal.com/gui/file/d9669f7e3eb3a9cdf6a750eeb2ba303b5ae148a43e36546896f1d1801e912466
author: Florian Roth (Nextron Systems), Arnim Rupp
date: 2018-09-09
modified: 2024-07-17
modified: 2024-11-02
tags:
- attack.execution
- attack.t1203
rules/category/antivirus/av_hacktool.yml
+10 -6
View File
@@ -1,13 +1,15 @@
title: Antivirus Hacktool Detection
id: fa0c05b6-8ad3-468d-8231-c1cbccb64fba
status: stable
description: Detects a highly relevant Antivirus alert that reports a hack tool or other attack tool.
description: |
Detects a highly relevant Antivirus alert that reports a hack tool or other attack tool.
This event must not be ignored just because the AV has blocked the malware but investigate, how it came there in the first place.
references:
- https://www.nextron-systems.com/2021/08/16/antivirus-event-analysis-cheat-sheet-v1-8-2/
- https://www.nextron-systems.com/?s=antivirus
author: Florian Roth (Nextron Systems), Arnim Rupp
date: 2021-08-16
modified: 2024-07-17
modified: 2024-11-02
tags:
- attack.execution
- attack.t1204
@@ -16,8 +18,7 @@ logsource:
detection:
selection:
- Signature|startswith:
- 'Adfind'
- 'ATK/'
- 'ATK/' # Sophos
- 'Exploit.Script.CVE'
- 'HKTL'
- 'HTOOL'
@@ -27,7 +28,6 @@ detection:
# - 'FRP.'
- Signature|contains:
- 'Adfind'
- 'ATK/' # Sophos
- 'Brutel'
- 'BruteR'
- 'Cobalt'
@@ -36,10 +36,10 @@ detection:
- 'DumpCreds'
- 'FastReverseProxy'
- 'Hacktool'
- 'Havoc'
- 'Impacket'
- 'Keylogger'
- 'Koadic'
- 'Lazagne'
- 'Mimikatz'
- 'Nighthawk'
- 'PentestPowerShell'
@@ -51,12 +51,16 @@ detection:
- 'PWCrack'
- 'PWDump'
- 'Rozena'
- 'Rusthound'
- 'Sbelt'
- 'Seatbelt'
- 'SecurityTool'
- 'SharpDump'
- 'SharpHound'
- 'Shellcode'
- 'Sliver'
- 'Snaffler'
- 'SOAPHound'
- 'Splinter'
- 'Swrort'
- 'TurtleLoader'
rules/category/antivirus/av_password_dumper.yml
+19 -3
View File
@@ -1,14 +1,16 @@
title: Antivirus Password Dumper Detection
id: 78cc2dd2-7d20-4d32-93ff-057084c38b93
status: stable
description: Detects a highly relevant Antivirus alert that reports a password dumper.
description: |
Detects a highly relevant Antivirus alert that reports a password dumper.
This event must not be ignored just because the AV has blocked the malware but investigate, how it came there in the first place.
references:
- https://www.nextron-systems.com/?s=antivirus
- https://www.virustotal.com/gui/file/5fcda49ee7f202559a6cbbb34edb65c33c9a1e0bde9fa2af06a6f11b55ded619
- https://www.virustotal.com/gui/file/a4edfbd42595d5bddb442c82a02cf0aaa10893c1bf79ea08b9ce576f82749448
author: Florian Roth (Nextron Systems)
author: Florian Roth (Nextron Systems), Arnim Rupp
date: 2018-09-09
modified: 2024-10-08
modified: 2024-11-02
tags:
- attack.credential-access
- attack.t1003
@@ -21,13 +23,19 @@ detection:
selection:
- Signature|startswith: 'PWS'
- Signature|contains:
- 'Certify'
- 'DCSync'
- 'DumpCreds'
- 'DumpLsass'
- 'DumpPert'
- 'HTool/WCE'
- 'Kekeo'
- 'Lazagne'
- 'LsassDump'
- 'Mimikatz'
- 'MultiDump'
- 'Nanodump'
- 'NativeDump'
- 'Outflank'
- 'PShlSpy'
- 'PSWTool'
@@ -35,9 +43,17 @@ detection:
- 'PWDump'
- 'PWS.'
- 'PWSX'
- 'pypykatz'
- 'Rubeus'
- 'SafetyKatz'
- 'SecurityTool'
- 'SharpChrome'
- 'SharpDPAPI'
- 'SharpDump'
- 'SharpKatz'
- 'SharpS.' # Sharpsploit, e.g. 530ea2ff9049f5dfdfa0a2e9c27c2e3c0685eb6cbdf85370c20a7bfae49f592d
- 'ShpKatz'
- 'TrickDump'
condition: selection
falsepositives:
- Unlikely
rules/category/antivirus/av_ransomware.yml
+18 -2
View File
@@ -1,7 +1,9 @@
title: Antivirus Ransomware Detection
id: 4c6ca276-d4d0-4a8c-9e4c-d69832f8671f
status: test
description: Detects a highly relevant Antivirus alert that reports ransomware.
description: |
Detects a highly relevant Antivirus alert that reports ransomware.
This event must not be ignored just because the AV has blocked the malware but investigate, how it came there in the first place.
references:
- https://www.nextron-systems.com/?s=antivirus
- https://www.virustotal.com/gui/file/43b0f7872900bd234975a0877744554f4f355dc57505517abd1ef611e1ce6916
@@ -9,9 +11,10 @@ references:
- https://www.virustotal.com/gui/file/20179093c59bca3acc6ce9a4281e8462f577ffd29fd7bf51cf2a70d106062045
- https://www.virustotal.com/gui/file/554db97ea82f17eba516e6a6fdb9dc04b1d25580a1eb8cb755eeb260ad0bd61d
- https://www.virustotal.com/gui/file/69fe77dd558e281621418980040e2af89a2547d377d0f2875502005ce22bc95c
- https://www.virustotal.com/gui/file/6f0f20da34396166df352bf301b3c59ef42b0bc67f52af3d541b0161c47ede05
author: Florian Roth (Nextron Systems), Arnim Rupp
date: 2022-05-12
modified: 2023-02-03
modified: 2024-11-02
tags:
- attack.t1486
logsource:
@@ -20,21 +23,34 @@ detection:
selection:
Signature|contains:
- 'BlackWorm'
- 'Chaos'
- 'Cobra'
- 'ContiCrypt'
- 'Crypter'
- 'CRYPTES'
- 'Cryptor'
- 'CylanCrypt'
- 'DelShad'
- 'Destructor'
- 'Filecoder'
- 'GandCrab'
- 'GrandCrab'
- 'Haperlock'
- 'Hiddentear'
- 'HydraCrypt'
- 'Krypt'
- 'Lockbit'
- 'Locker'
- 'Mallox'
- 'Phobos'
- 'Ransom'
- 'Ryuk'
- 'Ryzerlo'
- 'Stopcrypt'
- 'Tescrypt'
- 'TeslaCrypt'
- 'WannaCry'
- 'Xorist'
condition: selection
falsepositives:
- Unlikely
rules/category/antivirus/av_relevant_files.yml
+5 -3
View File
@@ -1,12 +1,14 @@
title: Antivirus Relevant File Paths Alerts
id: c9a88268-0047-4824-ba6e-4d81ce0b907c
status: test
description: Detects an Antivirus alert in a highly relevant file path or with a relevant file name.
description: |
Detects an Antivirus alert in a highly relevant file path or with a relevant file name.
This event must not be ignored just because the AV has blocked the malware but investigate, how it came there in the first place.
references:
- https://www.nextron-systems.com/?s=antivirus
author: Florian Roth (Nextron Systems), Arnim Rupp
date: 2018-09-09
modified: 2024-07-17
modified: 2024-11-02
tags:
- attack.resource-development
- attack.t1588
@@ -21,7 +23,7 @@ detection:
- ':\Users\Public\'
- ':\Windows\'
- '/www/'
- '\Client\'
# - '\Client\'
- '\inetpub\'
- '\tsclient\'
- 'apache'
rules/category/antivirus/av_webshell.yml
+7 -6
View File
@@ -4,6 +4,7 @@ status: test
description: |
Detects a highly relevant Antivirus alert that reports a web shell.
It's highly recommended to tune this rule to the specific strings used by your anti virus solution by downloading a big WebShell repository from e.g. github and checking the matches.
This event must not be ignored just because the AV has blocked the malware but investigate, how it came there in the first place.
references:
- https://www.nextron-systems.com/?s=antivirus
- https://github.com/tennc/webshell
@@ -17,7 +18,7 @@ references:
- https://www.virustotal.com/gui/file/13ae8bfbc02254b389ab052aba5e1ba169b16a399d9bc4cb7414c4a73cd7dc78/detection
author: Florian Roth (Nextron Systems), Arnim Rupp
date: 2018-09-09
modified: 2024-07-17
modified: 2024-11-02
tags:
- attack.persistence
- attack.t1505.003
@@ -35,13 +36,13 @@ detection:
- 'Troj/ASP'
- 'Troj/JSP'
- 'Troj/PHP'
- 'VBS/Uxor' # looking for 'VBS/' would also find downloaders and droppers meant for desktops
- 'VBS/Uxor' # looking for 'VBS/' would also find downloader's and droppers meant for desktops
- Signature|contains:
- 'ASP_' # looking for 'VBS_' would also find downloaders and droppers meant for desktops
- 'ASP_' # looking for 'VBS_' would also find downloader's and droppers meant for desktops
- 'ASP:'
- 'ASP.Agent'
- 'ASP/'
- 'ASP/Agent'
# - 'ASP/Agent'
- 'Aspdoor'
- 'ASPXSpy'
- 'Backdoor.ASP'
@@ -61,14 +62,14 @@ detection:
- 'JSP:'
- 'JSP.Agent'
- 'JSP/'
- 'JSP/Agent'
# - 'JSP/Agent'
- 'Perl:'
- 'Perl/'
- 'PHP_'
- 'PHP:'
- 'PHP.Agent'
- 'PHP/'
- 'PHP/Agent'
# - 'PHP/Agent'
- 'PHPShell'
- 'PShlSpy'
- 'SinoChoper'