frack113
41 lines
986 B
YAML
41 lines
986 B
YAML
title: Relevant Anti-Virus Event
|
|
id: 78bc5783-81d9-4d73-ac97-59f6db4f72a8
|
|
description: This detection method points out highly relevant Antivirus events
|
|
author: Florian Roth
|
|
date: 2017/02/19
|
|
modified: 2021/07/28
|
|
logsource:
|
|
product: windows
|
|
service: application
|
|
detection:
|
|
keywords:
|
|
- "HTool-"
|
|
- "Hacktool"
|
|
- "ASP/Backdoor"
|
|
- "JSP/Backdoor"
|
|
- "PHP/Backdoor"
|
|
- "Backdoor.ASP"
|
|
- "Backdoor.JSP"
|
|
- "Backdoor.PHP"
|
|
- "Webshell"
|
|
- "Portscan"
|
|
- "Mimikatz"
|
|
- "WinCred"
|
|
- "PlugX"
|
|
- "Korplug"
|
|
- "Pwdump"
|
|
- "Chopper"
|
|
- "WmiExec"
|
|
- "Xscan"
|
|
- "Clearlog"
|
|
- "ASPXSpy"
|
|
filter:
|
|
- "Keygen"
|
|
- "Crack"
|
|
condition: keywords and not filter
|
|
falsepositives:
|
|
- Some software piracy tools (key generators, cracks) are classified as hack tools
|
|
level: high
|
|
tags:
|
|
- attack.resource_development
|
|
- attack.t1588 |