Florian Roth
70 lines
1.7 KiB
YAML
70 lines
1.7 KiB
YAML
title: Antivirus Hacktool Detection
|
|
id: fa0c05b6-8ad3-468d-8231-c1cbccb64fba
|
|
status: stable
|
|
description: Detects a highly relevant Antivirus alert that reports a hack tool or other attack tool
|
|
references:
|
|
- https://www.nextron-systems.com/2021/08/16/antivirus-event-analysis-cheat-sheet-v1-8-2/
|
|
- https://www.nextron-systems.com/?s=antivirus
|
|
author: Florian Roth (Nextron Systems), Arnim Rupp
|
|
date: 2021/08/16
|
|
modified: 2023/02/03
|
|
tags:
|
|
- attack.execution
|
|
- attack.t1204
|
|
logsource:
|
|
category: antivirus
|
|
detection:
|
|
selection:
|
|
- Signature|startswith:
|
|
- 'HTOOL'
|
|
- 'HKTL'
|
|
- 'SecurityTool'
|
|
- 'Adfind'
|
|
- 'ATK/'
|
|
- 'Exploit.Script.CVE'
|
|
# - 'FRP.'
|
|
- 'PWS.'
|
|
- 'PWSX'
|
|
- Signature|contains:
|
|
- 'Hacktool'
|
|
- 'ATK/' # Sophos
|
|
- 'Potato'
|
|
- 'Rozena'
|
|
- 'Sbelt'
|
|
- 'Seatbelt'
|
|
- 'SecurityTool'
|
|
- 'SharpDump'
|
|
- 'Sliver'
|
|
- 'Splinter'
|
|
- 'Swrort'
|
|
- 'Impacket'
|
|
- 'Koadic'
|
|
- 'Lazagne'
|
|
- 'Metasploit'
|
|
- 'Meterpreter'
|
|
- 'MeteTool'
|
|
- 'Mimikatz'
|
|
- 'Mpreter'
|
|
- 'Nighthawk'
|
|
- 'PentestPowerShell'
|
|
- 'PowerSploit'
|
|
- 'PowerSSH'
|
|
- 'PshlSpy'
|
|
- 'PSWTool'
|
|
- 'PWCrack'
|
|
- 'Brutel'
|
|
- 'BruteR'
|
|
- 'Cobalt'
|
|
- 'COBEACON'
|
|
- 'Cometer'
|
|
- 'DumpCreds'
|
|
- 'FastReverseProxy'
|
|
- 'PWDump'
|
|
condition: selection
|
|
fields:
|
|
- FileName
|
|
- User
|
|
falsepositives:
|
|
- Unlikely
|
|
level: high
|