Paul Hager
54 lines
1.6 KiB
YAML
54 lines
1.6 KiB
YAML
title: Relevant Anti-Virus Event
|
|
id: 78bc5783-81d9-4d73-ac97-59f6db4f72a8
|
|
description: This detection method points out highly relevant Antivirus events
|
|
status: experimental
|
|
author: Florian Roth, Arnim Rupp
|
|
date: 2017/02/19
|
|
modified: 2022/03/08
|
|
logsource:
|
|
product: windows
|
|
service: application
|
|
references:
|
|
- https://www.virustotal.com/gui/file/13828b390d5f58b002e808c2c4f02fdd920e236cc8015480fa33b6c1a9300e31
|
|
- https://www.virustotal.com/gui/file/15b57c1b68cd6ce3c161042e0f3be9f32d78151fe95461eedc59a79fc222c7ed
|
|
- https://www.virustotal.com/gui/file/5092b2672b4cb87a8dd1c2e6047b487b95995ad8ed5e9fc217f46b8bfb1b8c01
|
|
detection:
|
|
keywords:
|
|
- 'HTool-'
|
|
- 'Hacktool'
|
|
- 'ASP/Backdoor'
|
|
- 'JSP/Backdoor'
|
|
- 'PHP/Backdoor'
|
|
- 'Backdoor.ASP'
|
|
- 'Backdoor.JSP'
|
|
- 'Backdoor.PHP'
|
|
- 'Webshell'
|
|
- 'Portscan'
|
|
- 'Mimikatz'
|
|
- '.WinCred.' # . are needed to avoid false positives with many other strings
|
|
- 'PlugX'
|
|
- 'Korplug'
|
|
- 'Pwdump'
|
|
- 'Chopper'
|
|
- 'WmiExec'
|
|
- 'Xscan'
|
|
- 'Clearlog'
|
|
- 'ASPXSpy'
|
|
- 'Ransom'
|
|
- 'Filecoder'
|
|
- 'CobaltStrike'
|
|
filter:
|
|
- 'Keygen'
|
|
- 'Crack'
|
|
- 'anti_ransomware_service.exe'
|
|
- 'cyber-protect-service.exe'
|
|
filter_information:
|
|
Level: 4 # Information level
|
|
condition: keywords and not 1 of filter*
|
|
falsepositives:
|
|
- Some software piracy tools (key generators, cracks) are classified as hack tools
|
|
level: high
|
|
tags:
|
|
- attack.resource_development
|
|
- attack.t1588
|