refactor: update antivirus rules

rules/application/antivirus/av_exploiting.yml

@@ -6,7 +6,7 @@ author: Florian Roth
 references:
   - https://www.nextron-systems.com/2018/09/08/antivirus-event-analysis-cheat-sheet-v1-4/
 date: 2018/09/09
-modified: 2021/11/27
+modified: 2022/05/12
 logsource:
   category: antivirus
 detection:
@@ -25,6 +25,8 @@ detection:
       - 'COBEACON'
       - 'Cometer'
       - 'Razy'
+      - 'IISExchgSpawnCMD'
+      - 'Exploit.Script.CVE'
   condition: selection
 fields:
   - FileName

rules/application/antivirus/av_password_dumper.yml

@@ -17,7 +17,7 @@ detection:
       - 'Mimikatz'
       - 'PWCrack'
       - 'HTool/WCE'
-      - 'PSWtool'
+      - 'PSWTool'
       - 'PWDump'
       - 'SecurityTool'
       - 'PShlSpy'

rules/application/antivirus/av_ransomware.yml

@@ -0,0 +1,21 @@
+title: Antivirus Ransomware Detection
+id: 4c6ca276-d4d0-4a8c-9e4c-d69832f8671f
+status: experimental
+description: Detects a highly relevant Antivirus alert that reports ransomware
+author: Florian Roth
+references:
+  - https://www.nextron-systems.com/?s=antivirus
+date: 2022/05/12
+logsource:
+  category: antivirus
+detection:
+  selection:
+    Signature|contains:
+      - 'Ransom'
+      - 'Filecoder'
+  condition: selection
+falsepositives:
+  - Unlikely
+level: critical
+tags:
+  - attack.t1486

rules/application/antivirus/av_relevant_files.yml

@@ -3,7 +3,7 @@ id: c9a88268-0047-4824-ba6e-4d81ce0b907c
 description: Detects an Antivirus alert in a highly relevant file path or with a relevant file name
 status: experimental
 date: 2018/09/09
-modified: 2021/11/23
+modified: 2022/05/12
 author: Florian Roth, Arnim Rupp
 references:
     - https://www.nextron-systems.com/2021/03/25/antivirus-event-analysis-cheat-sheet-v1-8/
@@ -31,6 +31,7 @@ detection:
             - '.ps1'
             - '.psm1'
             - '.vbs'
+            - '.vbe'
             - '.bat'
             - '.cmd'
             - '.sh'

rules/application/antivirus/av_webshell.yml

@@ -3,7 +3,7 @@ id: fdf135a2-9241-4f96-a114-bb404948f736
 description: Detects a highly relevant Antivirus alert that reports a web shell. It's highly recommended to tune this rule to the specific strings used by your anti virus solution by downloading a big webshell repo from e.g. github and checking the matches.
 status: experimental
 date: 2018/09/09
-modified: 2021/05/08
+modified: 2022/05/12
 author: Florian Roth, Arnim Rupp
 references:
     - https://www.nextron-systems.com/2021/03/25/antivirus-event-analysis-cheat-sheet-v1-8/
@@ -65,6 +65,7 @@ detection:
             - 'Backdoor?ASP'
             - 'Backdoor?VBS'
             - 'Backdoor?Java'
+            - 'PShlSpy'
     condition: selection
 fields:
     - FileName

rules/windows/builtin/application/win_av_relevant_match.yml

@@ -36,7 +36,15 @@ detection:
         - 'ASPXSpy'
         - 'Ransom'
         - 'Filecoder'
-        - 'CobaltStrike'
+        - 'CobaltStr'
+        # Update 12.05.22
+        - 'PWCrack'
+        - 'DumpCreds'
+        - 'MPreter'
+        - 'Koadic'
+        - 'Packed.Generic.347'
+        - 'COBEACON'
+        - 'Cometer'
     filter:
         - 'Keygen'
         - 'Crack'