title: Antivirus Relevant File Paths Alerts
id: c9a88268-0047-4824-ba6e-4d81ce0b907c
description: Detects an Antivirus alert in a highly relevant file path or with a relevant file name
date: 2018/09/09
modified: 2019/10/04
author: Florian Roth
references:
    - https://www.nextron-systems.com/2018/09/08/antivirus-event-analysis-cheat-sheet-v1-4/
logsource:
    product: antivirus
detection:
    # The three criteria are listed as separate maps so they combine with OR
    # (path OR \Client\ OR extension), as the description states. Keys placed
    # in one map would be ANDed and require all three at once. The field name
    # is spelled 'Filename' consistently (the page mixed 'FileName'/'Filename').
    selection:
        - Filename|startswith:
            - 'C:\Windows\Temp\\'
            - 'C:\Temp\\'
            - 'C:\PerfLogs\\'
            - 'C:\Users\Public\\'
            - 'C:\Users\Default\\'
        - Filename|contains:
            - '\\Client\\'
        - Filename|endswith:
            - '.ps1'
            - '.vbs'
            - '.bat'
            - '.chm'
            - '.xml'
            - '.txt'
            - '.jsp'
            - '.jspx'
            - '.asp'
            - '.aspx'
            - '.php'
            - '.war'
            - '.hta'
            - '.lnk'
            - '.scf'
            - '.sct'
            - '.vbe'
            - '.wsf'
            - '.wsh'
    condition: selection
fields:
    - Signature
    - User
falsepositives:
    - Unlikely
level: high
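Added here as an illustration and not part of the rule or the Sigma project: a small Python evaluator that applies the rule's three criteria to constructed antivirus alert records, showing the case-insensitive matching, the OR combination the description calls for, and why the trailing backslash on each path prefix matters. The sample alerts, signature names and user names are made up.

```python
# Added example, not the rule's own code: evaluates the rule's criteria the way
# a converted query would. Sigma string modifiers match case-insensitively and
# the three criteria combine with OR ("file path or ... file name").
# Each Sigma '\\' is one literal backslash, written here with Python escapes.
PATH_PREFIXES = (
    "C:\\Windows\\Temp\\", "C:\\Temp\\", "C:\\PerfLogs\\",
    "C:\\Users\\Public\\", "C:\\Users\\Default\\",
)
CLIENT_SUBSTR = "\\Client\\"
EXTENSIONS = (
    ".ps1", ".vbs", ".bat", ".chm", ".xml", ".txt", ".jsp", ".jspx", ".asp",
    ".aspx", ".php", ".war", ".hta", ".lnk", ".scf", ".sct", ".vbe", ".wsf",
    ".wsh",
)


def matches(filename: str) -> bool:
    """True when an alert's Filename meets at least one of the rule's criteria."""
    f = filename.lower()
    return (
        any(f.startswith(p.lower()) for p in PATH_PREFIXES)
        or CLIENT_SUBSTR.lower() in f
        or any(f.endswith(e) for e in EXTENSIONS)
    )


def alerts_to_triage(alerts):
    """Return the alerts the rule fires on, keeping the rule's 'fields' plus Filename."""
    return [
        {k: a[k] for k in ("Signature", "User", "Filename")}
        for a in alerts
        if matches(a["Filename"])
    ]


# Constructed sample alerts (not real telemetry); all values are invented.
SAMPLE_ALERTS = [
    {"Signature": "Trojan.Generic", "User": "jdoe", "Filename": "C:\\Windows\\Temp\\svc.tmp"},
    {"Signature": "Trojan.Generic", "User": "jdoe", "Filename": "C:\\Windows\\Temporary\\svc.tmp"},
    {"Signature": "HackTool.Generic", "User": "SYSTEM", "Filename": "C:\\Program Files\\App\\Client\\run.dll"},
    {"Signature": "Script.Heuristic", "User": "asmith", "Filename": "C:\\Users\\asmith\\Downloads\\Invoice.HTA"},
    {"Signature": "PUA.Generic", "User": "asmith", "Filename": "C:\\Program Files\\Vendor\\setup.exe"},
]

if __name__ == "__main__":
    for hit in alerts_to_triage(SAMPLE_ALERTS):
        print(hit)
```

The second sample shows the prefix check rejecting `C:\Windows\Temporary\`, which a prefix without the trailing backslash would have matched.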