diff --git a/rules/category/antivirus/av_exploiting.yml b/rules/category/antivirus/av_exploiting.yml
index f5a4c1a94..0639a147d 100644
--- a/rules/category/antivirus/av_exploiting.yml
+++ b/rules/category/antivirus/av_exploiting.yml
@@ -1,7 +1,9 @@
 title: Antivirus Exploitation Framework Detection
 id: 238527ad-3c2c-4e4f-a1f6-92fd63adb864
 status: stable
-description: Detects a highly relevant Antivirus alert that reports an exploitation framework.
+description: |
+ Detects a highly relevant Antivirus alert that reports an exploitation framework.
+ This event must not be ignored just because the AV has blocked the malware but investigate, how it came there in the first place.
 references:
 - https://www.nextron-systems.com/?s=antivirus
 - https://www.virustotal.com/gui/file/925b0b28472d4d79b4bf92050e38cc2b8f722691c713fc28743ac38551bc3797
@@ -9,7 +11,7 @@ references:
 - https://www.virustotal.com/gui/file/d9669f7e3eb3a9cdf6a750eeb2ba303b5ae148a43e36546896f1d1801e912466
 author: Florian Roth (Nextron Systems), Arnim Rupp
 date: 2018-09-09
-modified: 2024-07-17
+modified: 2024-11-02
 tags:
 - attack.execution
 - attack.t1203
diff --git a/rules/category/antivirus/av_hacktool.yml b/rules/category/antivirus/av_hacktool.yml
index 154a63e98..851c5a18b 100644
--- a/rules/category/antivirus/av_hacktool.yml
+++ b/rules/category/antivirus/av_hacktool.yml
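Review bot: The second line added to `description:` reads awkwardly ("but investigate, how it came there") and is a comma splice, which matters because this text is what an analyst sees on the alert; the same sentence is added verbatim in av_hacktool, av_password_dumper, av_ransomware, av_relevant_files and av_webshell, so fix it in all six. Suggested wording: `This event must not be ignored just because the AV blocked the malware; investigate how it got onto the system in the first place.` The `|` header keeps a trailing newline on the description value, but since the existing av_webshell description already uses `|`, consistency argues for leaving the header as is rather than switching to `|-`.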
@@ -1,13 +1,15 @@
 title: Antivirus Hacktool Detection
 id: fa0c05b6-8ad3-468d-8231-c1cbccb64fba
 status: stable
-description: Detects a highly relevant Antivirus alert that reports a hack tool or other attack tool.
+description: |
+ Detects a highly relevant Antivirus alert that reports a hack tool or other attack tool.
+ This event must not be ignored just because the AV has blocked the malware but investigate, how it came there in the first place.
 references:
 - https://www.nextron-systems.com/2021/08/16/antivirus-event-analysis-cheat-sheet-v1-8-2/
 - https://www.nextron-systems.com/?s=antivirus
 author: Florian Roth (Nextron Systems), Arnim Rupp
 date: 2021-08-16
-modified: 2024-07-17
+modified: 2024-11-02
 tags:
 - attack.execution
 - attack.t1204
@@ -16,8 +18,7 @@ logsource:
 detection:
 selection:
 - Signature|startswith:
- - 'Adfind'
- - 'ATK/'
+ - 'ATK/' # Sophos
 - 'Exploit.Script.CVE'
 - 'HKTL'
 - 'HTOOL'
@@ -27,7 +28,6 @@ detection:
 # - 'FRP.'
 - Signature|contains:
 - 'Adfind'
- - 'ATK/' # Sophos
 - 'Brutel'
 - 'BruteR'
 - 'Cobalt'
@@ -36,10 +36,10 @@ detection:
 - 'DumpCreds'
 - 'FastReverseProxy'
 - 'Hacktool'
+ - 'Havoc'
 - 'Impacket'
 - 'Keylogger'
 - 'Koadic'
- - 'Lazagne'
 - 'Mimikatz'
 - 'Nighthawk'
 - 'PentestPowerShell'
@@ -51,12 +51,16 @@ detection:
 - 'PWCrack'
 - 'PWDump'
 - 'Rozena'
+ - 'Rusthound'
 - 'Sbelt'
 - 'Seatbelt'
 - 'SecurityTool'
 - 'SharpDump'
+ - 'SharpHound'
 - 'Shellcode'
 - 'Sliver'
+ - 'Snaffler'
+ - 'SOAPHound'
 - 'Splinter'
 - 'Swrort'
 - 'TurtleLoader'
diff --git a/rules/category/antivirus/av_password_dumper.yml b/rules/category/antivirus/av_password_dumper.yml
index 0cfb9a8a2..bbf4e861d 100644
--- a/rules/category/antivirus/av_password_dumper.yml
+++ b/rules/category/antivirus/av_password_dumper.yml
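Review bot: In the `-16,8 +18,7` hunk the `# Sophos` comment on the `'ATK/'` prefix is the only vendor annotation in the `Signature|startswith` list; `'HKTL'`, `'HTOOL'` and `'Exploit.Script.CVE'` in the same hunk carry none, so a reader cannot tell which AV product's naming each prefix tracks when tuning the rule per vendor. If those vendors are known, the same `# <vendor>` comment on each entry would keep the list self-explanatory. The detection block continues outside the hunk, so there may be further unannotated prefixes not visible here.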
@@ -1,14 +1,16 @@
 title: Antivirus Password Dumper Detection
 id: 78cc2dd2-7d20-4d32-93ff-057084c38b93
 status: stable
-description: Detects a highly relevant Antivirus alert that reports a password dumper.
+description: |
+ Detects a highly relevant Antivirus alert that reports a password dumper.
+ This event must not be ignored just because the AV has blocked the malware but investigate, how it came there in the first place.
 references:
 - https://www.nextron-systems.com/?s=antivirus
 - https://www.virustotal.com/gui/file/5fcda49ee7f202559a6cbbb34edb65c33c9a1e0bde9fa2af06a6f11b55ded619
 - https://www.virustotal.com/gui/file/a4edfbd42595d5bddb442c82a02cf0aaa10893c1bf79ea08b9ce576f82749448
-author: Florian Roth (Nextron Systems)
+author: Florian Roth (Nextron Systems), Arnim Rupp
 date: 2018-09-09
-modified: 2024-10-08
+modified: 2024-11-02
 tags:
 - attack.credential-access
 - attack.t1003
@@ -21,13 +23,19 @@ detection:
 selection:
 - Signature|startswith: 'PWS'
 - Signature|contains:
+ - 'Certify'
 - 'DCSync'
 - 'DumpCreds'
 - 'DumpLsass'
+ - 'DumpPert'
 - 'HTool/WCE'
 - 'Kekeo'
+ - 'Lazagne'
 - 'LsassDump'
 - 'Mimikatz'
+ - 'MultiDump'
+ - 'Nanodump'
+ - 'NativeDump'
 - 'Outflank'
 - 'PShlSpy'
 - 'PSWTool'
@@ -35,9 +43,17 @@ detection:
 - 'PWDump'
 - 'PWS.'
 - 'PWSX'
+ - 'pypykatz'
 - 'Rubeus'
+ - 'SafetyKatz'
 - 'SecurityTool'
+ - 'SharpChrome'
+ - 'SharpDPAPI'
 - 'SharpDump'
+ - 'SharpKatz'
+ - 'SharpS.' # Sharpsploit, e.g. 530ea2ff9049f5dfdfa0a2e9c27c2e3c0685eb6cbdf85370c20a7bfae49f592d
+ - 'ShpKatz'
+ - 'TrickDump'
 condition: selection
 falsepositives:
 - Unlikely
diff --git a/rules/category/antivirus/av_ransomware.yml b/rules/category/antivirus/av_ransomware.yml
index b4fa40e1a..2c3a7667f 100644
--- a/rules/category/antivirus/av_ransomware.yml
+++ b/rules/category/antivirus/av_ransomware.yml
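Review bot: The sample hash embedded in the inline comment on the new `'SharpS.'` entry (`-35,9 +43,17` hunk) breaks the file's own convention, which is visible in the first hunk: sample hashes are recorded under `references:` as VirusTotal links. If that hash is a VirusTotal sample like the others, add `- https://www.virustotal.com/gui/file/530ea2ff9049f5dfdfa0a2e9c27c2e3c0685eb6cbdf85370c20a7bfae49f592d` to `references:` and shorten the comment to `# SharpSploit`, so the evidence for the pattern is discoverable where readers look for it. Separately, `'pypykatz'` is the only lower-case entry in the list; Sigma matching is case-insensitive by default so it is harmless, but writing it as the others are written avoids the question for the next reader.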
@@ -1,7 +1,9 @@
 title: Antivirus Ransomware Detection
 id: 4c6ca276-d4d0-4a8c-9e4c-d69832f8671f
 status: test
-description: Detects a highly relevant Antivirus alert that reports ransomware.
+description: |
+ Detects a highly relevant Antivirus alert that reports ransomware.
+ This event must not be ignored just because the AV has blocked the malware but investigate, how it came there in the first place.
 references:
 - https://www.nextron-systems.com/?s=antivirus
 - https://www.virustotal.com/gui/file/43b0f7872900bd234975a0877744554f4f355dc57505517abd1ef611e1ce6916
@@ -9,9 +11,10 @@ references:
 - https://www.virustotal.com/gui/file/20179093c59bca3acc6ce9a4281e8462f577ffd29fd7bf51cf2a70d106062045
 - https://www.virustotal.com/gui/file/554db97ea82f17eba516e6a6fdb9dc04b1d25580a1eb8cb755eeb260ad0bd61d
 - https://www.virustotal.com/gui/file/69fe77dd558e281621418980040e2af89a2547d377d0f2875502005ce22bc95c
+ - https://www.virustotal.com/gui/file/6f0f20da34396166df352bf301b3c59ef42b0bc67f52af3d541b0161c47ede05
 author: Florian Roth (Nextron Systems), Arnim Rupp
 date: 2022-05-12
-modified: 2023-02-03
+modified: 2024-11-02
 tags:
 - attack.t1486
 logsource:
@@ -20,21 +23,34 @@ detection:
 selection:
 Signature|contains:
 - 'BlackWorm'
+ - 'Chaos'
+ - 'Cobra'
+ - 'ContiCrypt'
 - 'Crypter'
 - 'CRYPTES'
 - 'Cryptor'
+ - 'CylanCrypt'
+ - 'DelShad'
 - 'Destructor'
 - 'Filecoder'
 - 'GandCrab'
 - 'GrandCrab'
+ - 'Haperlock'
+ - 'Hiddentear'
+ - 'HydraCrypt'
 - 'Krypt'
+ - 'Lockbit'
 - 'Locker'
+ - 'Mallox'
 - 'Phobos'
 - 'Ransom'
 - 'Ryuk'
 - 'Ryzerlo'
+ - 'Stopcrypt'
 - 'Tescrypt'
 - 'TeslaCrypt'
+ - 'WannaCry'
+ - 'Xorist'
 condition: selection
 falsepositives:
 - Unlikely
diff --git a/rules/category/antivirus/av_relevant_files.yml b/rules/category/antivirus/av_relevant_files.yml
index eaa853020..752e5ee7a 100644
--- a/rules/category/antivirus/av_relevant_files.yml
+++ b/rules/category/antivirus/av_relevant_files.yml
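Review bot: The new `'Chaos'` and `'Cobra'` entries in the `-20,21 +23,34` hunk are much shorter and more generic than the family names around them (`'ContiCrypt'`, `'HydraCrypt'`, `'Stopcrypt'`), and `Signature|contains` will fire on any vendor signature containing those letters, not only on the ransomware families they are meant to catch; how noisy that is depends on the AV products feeding this rule, which the diff cannot show. The `falsepositives:` section in the same hunk still says `- Unlikely`, so an analyst getting an unexpected hit has nothing to go on. If the two entries are kept, an inline comment naming the intended family, e.g. `- 'Chaos' # Chaos ransomware`, and a short falsepositives note about generic substrings would document the trade-off.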
@@ -1,12 +1,14 @@
 title: Antivirus Relevant File Paths Alerts
 id: c9a88268-0047-4824-ba6e-4d81ce0b907c
 status: test
-description: Detects an Antivirus alert in a highly relevant file path or with a relevant file name.
+description: |
+ Detects an Antivirus alert in a highly relevant file path or with a relevant file name.
+ This event must not be ignored just because the AV has blocked the malware but investigate, how it came there in the first place.
 references:
 - https://www.nextron-systems.com/?s=antivirus
 author: Florian Roth (Nextron Systems), Arnim Rupp
 date: 2018-09-09
-modified: 2024-07-17
+modified: 2024-11-02
 tags:
 - attack.resource-development
 - attack.t1588
@@ -21,7 +23,7 @@ detection:
 - ':\Users\Public\'
 - ':\Windows\'
 - '/www/'
- - '\Client\'
+ # - '\Client\'
 - '\inetpub\'
 - '\tsclient\'
 - 'apache'
diff --git a/rules/category/antivirus/av_webshell.yml b/rules/category/antivirus/av_webshell.yml
index bd756b6fa..e831e5f62 100644
--- a/rules/category/antivirus/av_webshell.yml
+++ b/rules/category/antivirus/av_webshell.yml
@@ -4,6 +4,7 @@ status: test
 description: |
 Detects a highly relevant Antivirus alert that reports a web shell.
 It's highly recommended to tune this rule to the specific strings used by your anti virus solution by downloading a big WebShell repository from e.g. github and checking the matches.
+ This event must not be ignored just because the AV has blocked the malware but investigate, how it came there in the first place.
 references:
 - https://www.nextron-systems.com/?s=antivirus
 - https://github.com/tennc/webshell
@@ -17,7 +18,7 @@ references:
 - https://www.virustotal.com/gui/file/13ae8bfbc02254b389ab052aba5e1ba169b16a399d9bc4cb7414c4a73cd7dc78/detection
 author: Florian Roth (Nextron Systems), Arnim Rupp
 date: 2018-09-09
-modified: 2024-07-17
+modified: 2024-11-02
 tags:
 - attack.persistence
 - attack.t1505.003
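Review bot: The `'\Client\'` path in av_relevant_files (`-21,7 +23,7` hunk) is commented out with no reason recorded, so the next maintainer cannot tell whether it was producing false positives, was judged too broad, or was disabled temporarily, and nothing stops it being re-enabled later. Either delete the line, or keep the disabled entry with the reason on it, e.g. `# - '\Client\'  # disabled: <reason>`; if it was noisy, the `falsepositives:` section is also the place to say so. The surrounding list continues outside the hunk.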
@@ -35,13 +36,13 @@ detection:
 - 'Troj/ASP'
 - 'Troj/JSP'
 - 'Troj/PHP'
- - 'VBS/Uxor' # looking for 'VBS/' would also find downloaders and droppers meant for desktops
+ - 'VBS/Uxor' # looking for 'VBS/' would also find downloader's and droppers meant for desktops
 - Signature|contains:
- - 'ASP_' # looking for 'VBS_' would also find downloaders and droppers meant for desktops
+ - 'ASP_' # looking for 'VBS_' would also find downloader's and droppers meant for desktops
 - 'ASP:'
 - 'ASP.Agent'
 - 'ASP/'
- - 'ASP/Agent'
+ # - 'ASP/Agent'
 - 'Aspdoor'
 - 'ASPXSpy'
 - 'Backdoor.ASP'
@@ -61,14 +62,14 @@ detection:
 - 'JSP:'
 - 'JSP.Agent'
 - 'JSP/'
- - 'JSP/Agent'
+ # - 'JSP/Agent'
 - 'Perl:'
 - 'Perl/'
 - 'PHP_'
 - 'PHP:'
 - 'PHP.Agent'
 - 'PHP/'
- - 'PHP/Agent'
+ # - 'PHP/Agent'
 - 'PHPShell'
 - 'PShlSpy'
 - 'SinoChoper'
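Review bot: The two rewritten comments in the `-35,13 +36,13` hunk change "downloaders" to "downloader's", which is a grammatical regression rather than a correction; the plural is `# looking for 'VBS/' would also find downloaders and droppers meant for desktops`, and the same applies to the `'ASP_'` comment. The three entries turned into comments, `# - 'ASP/Agent'` here and `# - 'JSP/Agent'` / `# - 'PHP/Agent'` in the `-61,14 +62,14` hunk, are each already covered by the broader `'ASP/'`, `'JSP/'` and `'PHP/'` entries visible immediately above them under `Signature|contains`, so deleting them outright would leave nothing to maintain; if they are kept as comments, a short `# redundant with 'ASP/'` note would say why.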