title: Antivirus Exploitation Framework Detection
ruletype: Sigma
author: Florian Roth
date: 2018/09/09
description: Detects a highly relevant Antivirus alert that reports an exploitation framework detection
detection:
    SELECTION_1:
        Signature:
            - '*MeteTool*'
            - '*MPreter*'
            - '*Meterpreter*'
            - '*Metasploit*'
            - '*PowerSploit*'
            - '*CobaltSrike*'
            - '*Swrort*'
            - '*Rozena*'
            - '*Backdoor.Cobalt*'
            - '*CobaltStr*'
            - '*COBEACON*'
            - '*Cometer*'
            - '*Razy*'
    condition: SELECTION_1
falsepositives:
    - Unlikely
fields:
    - FileName
    - User
id: 238527ad-3c2c-4e4f-a1f6-92fd63adb864
level: critical
logsource:
    product: antivirus
modified: 2021/11/27
references:
    - https://www.nextron-systems.com/2018/09/08/antivirus-event-analysis-cheat-sheet-v1-4/
status: test
tags:
    - attack.execution
    - attack.t1203
    - attack.command_and_control
    - attack.t1219
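As an added example (not part of the rule above or of the Sigma project's own tooling), the following Python shows how the rule's Signature wildcards are evaluated against antivirus events: Sigma values are matched case-insensitively against the whole field, `*` matches any run of characters, and every other character (including the `.` in `Backdoor.Cobalt`) is literal. The antivirus events are constructed for the demonstration; only the field names (`Signature`, `FileName`, `User`) come from the rule.

```python
import re

# Signature values copied from the rule's SELECTION_1 block (Sigma wildcard syntax).
SIGNATURES = [
    '*MeteTool*', '*MPreter*', '*Meterpreter*', '*Metasploit*', '*PowerSploit*',
    '*CobaltSrike*', '*Swrort*', '*Rozena*', '*Backdoor.Cobalt*', '*CobaltStr*',
    '*COBEACON*', '*Cometer*', '*Razy*',
]


def sigma_wildcard_to_regex(pattern: str) -> re.Pattern:
    """Translate one Sigma string value into an anchored, case-insensitive regex.

    '*' matches any run of characters and '?' a single character; all other
    characters are escaped so regex metacharacters such as '.' stay literal.
    Backslash escapes of wildcards are not handled here (the rule uses none).
    """
    parts = []
    for ch in pattern:
        if ch == '*':
            parts.append('.*')
        elif ch == '?':
            parts.append('.')
        else:
            parts.append(re.escape(ch))
    return re.compile('^' + ''.join(parts) + '$', re.IGNORECASE)


COMPILED = [sigma_wildcard_to_regex(p) for p in SIGNATURES]


def matches_rule(event: dict) -> bool:
    """Return True when the event's Signature field satisfies SELECTION_1."""
    sig = event.get('Signature')
    return isinstance(sig, str) and any(r.match(sig) for r in COMPILED)


def alerts(events):
    """Filter a batch of antivirus events down to those the rule would fire on."""
    return [e for e in events if matches_rule(e)]


# Constructed sample antivirus events (hypothetical, not real telemetry).
SAMPLE_EVENTS = [
    {'FileName': 'C:\\Users\\alice\\Downloads\\update.exe', 'User': 'alice',
     'Signature': 'Trojan.Win32.Meterpreter.gen'},          # hits '*Meterpreter*'
    {'FileName': 'C:\\Temp\\beacon.dll', 'User': 'bob',
     'Signature': 'HackTool:Win64/CobaltStrike!MTB'},        # hits '*CobaltStr*'
    {'FileName': 'C:\\Temp\\svc.exe', 'User': 'carol',
     'Signature': 'backdoor.cobalt.a'},                      # case-insensitive hit
    {'FileName': 'C:\\Temp\\eicar.com', 'User': 'dave',
     'Signature': 'EICAR-Test-File'},                        # no match
]
```

Running `alerts(SAMPLE_EVENTS)` returns the first three events; the EICAR test detection is left alone because none of the rule's substrings occur in its signature name.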