diff --git a/rules/application/antivirus/av_exploiting.yml b/rules/application/antivirus/av_exploiting.yml
index 05607e3af..c59de7e70 100644
--- a/rules/application/antivirus/av_exploiting.yml
+++ b/rules/application/antivirus/av_exploiting.yml
@@ -6,7 +6,7 @@ author: Florian Roth
 references:
 - https://www.nextron-systems.com/2018/09/08/antivirus-event-analysis-cheat-sheet-v1-4/
 date: 2018/09/09
-modified: 2021/11/27
+modified: 2022/05/12
 logsource:
 category: antivirus
 detection:
@@ -25,6 +25,8 @@ detection:
 - 'COBEACON'
 - 'Cometer'
 - 'Razy'
+ - 'IISExchgSpawnCMD'
+ - 'Exploit.Script.CVE'
 condition: selection
 fields:
 - FileName
diff --git a/rules/application/antivirus/av_password_dumper.yml b/rules/application/antivirus/av_password_dumper.yml
index 6a785e69f..e599bcb0f 100644
--- a/rules/application/antivirus/av_password_dumper.yml
+++ b/rules/application/antivirus/av_password_dumper.yml
@@ -17,7 +17,7 @@ detection:
 - 'Mimikatz'
 - 'PWCrack'
 - 'HTool/WCE'
- - 'PSWtool'
+ - 'PSWTool'
 - 'PWDump'
 - 'SecurityTool'
 - 'PShlSpy'
diff --git a/rules/application/antivirus/av_ransomware.yml b/rules/application/antivirus/av_ransomware.yml
new file mode 100644
index 000000000..d58b66cfa
--- /dev/null
+++ b/rules/application/antivirus/av_ransomware.yml
@@ -0,0 +1,21 @@
+title: Antivirus Ransomware Detection
+id: 4c6ca276-d4d0-4a8c-9e4c-d69832f8671f
+status: experimental
+description: Detects a highly relevant Antivirus alert that reports ransomware
+author: Florian Roth
+references:
+ - https://www.nextron-systems.com/?s=antivirus
+date: 2022/05/12
+logsource:
+ category: antivirus
+detection:
+ selection:
+ Signature|contains:
+ - 'Ransom'
+ - 'Filecoder'
+ condition: selection
+falsepositives:
+ - Unlikely
+level: critical
+tags:
+ - attack.t1486
diff --git a/rules/application/antivirus/av_relevant_files.yml b/rules/application/antivirus/av_relevant_files.yml
index f3b151924..cb4fd3289 100644
--- a/rules/application/antivirus/av_relevant_files.yml
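Review bot: `Exploit.Script.CVE` is a vendor family prefix rather than a specific signature, so if the list above the hunk is a `Signature|contains:` selection (the key itself is outside the hunk), every detection carrying that prefix — including routinely blocked exploit documents and browser exploit pages — now raises this rule; confirm the rule's level still fits that volume or narrow the entry to the CVE families that matter here. `IISExchgSpawnCMD` appears to be a behaviour-based Exchange/IIS detection and therefore overlaps with the scope of av_webshell.yml later in this diff; if it should be caught there too, add it to that rule as well rather than relying on this one.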
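Review bot: av_password_dumper.yml changes rule content but, unlike the other files in this commit, shows no `modified` bump; the date line sits above the hunk and should be updated to `modified: 2022/05/12` as the sibling rules are. The case correction `PSWtool` → `PSWTool` is harmless either way, since Sigma's specification treats string matching as case-insensitive, but it keeps the entry right for backends that compare literally.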
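Review bot: `tags:` in the new av_ransomware.yml lists only the technique `attack.t1486` and no tactic tag; Sigma convention pairs a technique with its tactic, so the block should read `tags:` / `- attack.impact` / `- attack.t1486`. The single reference `https://www.nextron-systems.com/?s=antivirus` is a site search URL rather than a stable source, whereas the sibling rules in this commit cite the antivirus cheat-sheet post, which fits better here. `Ransom` and `Filecoder` also appear in the selection of win_av_relevant_match.yml later in this diff, so one event will fire both rules; if that is intended, a sentence in `description` saying this rule is the dedicated, higher-severity variant would help tuning.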
+++ b/rules/application/antivirus/av_relevant_files.yml
@@ -3,7 +3,7 @@ id: c9a88268-0047-4824-ba6e-4d81ce0b907c
 description: Detects an Antivirus alert in a highly relevant file path or with a relevant file name
 status: experimental
 date: 2018/09/09
-modified: 2021/11/23
+modified: 2022/05/12
 author: Florian Roth, Arnim Rupp
 references:
 - https://www.nextron-systems.com/2021/03/25/antivirus-event-analysis-cheat-sheet-v1-8/
@@ -31,6 +31,7 @@ detection:
 - '.ps1'
 - '.psm1'
 - '.vbs'
+ - '.vbe'
 - '.bat'
 - '.cmd'
 - '.sh'
diff --git a/rules/application/antivirus/av_webshell.yml b/rules/application/antivirus/av_webshell.yml
index 3606e2c2a..3d759a76b 100644
--- a/rules/application/antivirus/av_webshell.yml
+++ b/rules/application/antivirus/av_webshell.yml
@@ -3,7 +3,7 @@ id: fdf135a2-9241-4f96-a114-bb404948f736
 description: Detects a highly relevant Antivirus alert that reports a web shell. It's highly recommended to tune this rule to the specific strings used by your anti virus solution by downloading a big webshell repo from e.g. github and checking the matches.
 status: experimental
 date: 2018/09/09
-modified: 2021/05/08
+modified: 2022/05/12
 author: Florian Roth, Arnim Rupp
 references:
 - https://www.nextron-systems.com/2021/03/25/antivirus-event-analysis-cheat-sheet-v1-8/
@@ -65,6 +65,7 @@ detection:
 - 'Backdoor?ASP'
 - 'Backdoor?VBS'
 - 'Backdoor?Java'
+ - 'PShlSpy'
 condition: selection
 fields:
 - FileName
diff --git a/rules/windows/builtin/application/win_av_relevant_match.yml b/rules/windows/builtin/application/win_av_relevant_match.yml
index 7afa03400..8758f7818 100644
--- a/rules/windows/builtin/application/win_av_relevant_match.yml
+++ b/rules/windows/builtin/application/win_av_relevant_match.yml
@@ -36,7 +36,15 @@ detection:
 - 'ASPXSpy'
 - 'Ransom'
 - 'Filecoder'
- - 'CobaltStrike'
+ - 'CobaltStr'
+ # Update 12.05.22
+ - 'PWCrack'
+ - 'DumpCreds'
+ - 'MPreter'
+ - 'Koadic'
+ - 'Packed.Generic.347'
+ - 'COBEACON'
+ - 'Cometer'
 filter:
 - 'Keygen'
 - 'Crack'
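Review bot: `.vbe` is added to the file-name list in av_relevant_files.yml, but its JScript counterpart `.jse` is not visible anywhere in the hunk; unless it is listed outside the shown lines, add `- '.jse'` next to `- '.vbe'` so both encoded Windows Script Host formats are covered. The key and modifier this list belongs to sit above the hunk, so this assumes it is a `contains`/`endswith` match on the file name.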
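Review bot: `PShlSpy` is added to av_webshell.yml although the same string is already in av_password_dumper.yml's list (visible as context in that file's hunk earlier in this diff), so one signature now matches both a web-shell rule and a password-dumper rule; please confirm which family the vendor uses this name for, because if it is not a web shell the entry dilutes this rule's description. If it legitimately belongs to both, an inline note such as `- 'PShlSpy'  # also listed in av_password_dumper.yml` would save the next reviewer the cross-check.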
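Review bot: `- 'PWCrack'` is added to the selection of win_av_relevant_match.yml, but the `filter` list directly below it contains `'Crack'`; if the filter applies the same substring match to the signature and the condition is `selection and not filter` (both sit outside the hunk), every `PWCrack` hit is excluded again and the new entry never fires, so either drop it here or narrow the filter so the two no longer overlap. The `# Update 12.05.22` comment is a changelog entry inside the detection list; the `modified` field is where that date belongs, and this diff shows no `modified` bump for this file, so update that field and remove the comment. Widening `CobaltStrike` to `CobaltStr` looks deliberate and is fine.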