title: Antivirus Hacktool Detection
author: Florian Roth
date: 2021/08/16
description: Detects a highly relevant Antivirus alert that reports a hack tool or other attack tool
detection:
    SELECTION_1:
        Signature: HTOOL*
    SELECTION_2:
        Signature: HKTL*
    SELECTION_3:
        Signature: SecurityTool*
    SELECTION_4:
        Signature: ATK/*
    SELECTION_5:
        Signature: '*Hacktool*'
    condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3 or SELECTION_4) or (SELECTION_5))
falsepositives:
    - Unlikely
fields:
    - FileName
    - User
id: fa0c05b6-8ad3-468d-8231-c1cbccb64fba
level: high
logsource:
    product: antivirus
references:
    - https://www.nextron-systems.com/2021/08/16/antivirus-event-analysis-cheat-sheet-v1-8-2/
tags:
    - attack.execution
yml_filename: av_hacktool.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/malware
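The rule above matches on the vendor signature name only, using Sigma's string semantics: a value is compared against the whole field, `*` matches any run of characters, `?` a single character, and the comparison is case-insensitive. The following is an added, stand-alone example (not part of the rule file, Sigma, or any Hayabusa/Sigma converter) that implements exactly those semantics for the five selections and the condition, then runs them over a handful of constructed antivirus events. The event dicts, their `Signature`/`FileName`/`User` values and the helper names are assumptions made for the example; the patterns are the rule's own.

```python
import re
from typing import Dict, List, Tuple

# The five selections copied from the rule. Each is a Sigma string value:
# '*' = any run of characters, '?' = one character, anything else literal,
# and the whole field must match (a plain 'HTOOL' would NOT match 'HTOOL_X').
SELECTIONS: Dict[str, Dict[str, str]] = {
    "SELECTION_1": {"Signature": "HTOOL*"},
    "SELECTION_2": {"Signature": "HKTL*"},
    "SELECTION_3": {"Signature": "SecurityTool*"},
    "SELECTION_4": {"Signature": "ATK/*"},
    "SELECTION_5": {"Signature": "*Hacktool*"},
}


def sigma_value_to_regex(value: str) -> "re.Pattern[str]":
    """Translate one Sigma string value into an anchored, case-insensitive regex.

    Every character except '*' and '?' is escaped, so the '/' in 'ATK/*' or a
    '.' inside a signature name is matched literally rather than as a regex
    metacharacter. IGNORECASE reproduces Sigma's case-insensitive matching.
    """
    parts: List[str] = []
    for ch in value:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE | re.DOTALL)


COMPILED = {
    name: {field: sigma_value_to_regex(val) for field, val in sel.items()}
    for name, sel in SELECTIONS.items()
}


def selection_matches(name: str, event: Dict[str, str]) -> bool:
    """A selection matches only if every field it names is present and matches."""
    for field, pattern in COMPILED[name].items():
        value = event.get(field)
        if value is None or not pattern.match(value):
            return False
    return True


def matching_selections(event: Dict[str, str]) -> List[str]:
    """Names of all selections that fire for this event (useful in alert context)."""
    return [name for name in SELECTIONS if selection_matches(name, event)]


def rule_matches(event: Dict[str, str]) -> bool:
    """The rule's condition: (SELECTION_1 or ... or SELECTION_4) or (SELECTION_5).

    Since every term is OR-ed, this is simply 'any selection matches'.
    """
    return any(selection_matches(name, event) for name in SELECTIONS)


# Constructed sample events (assumed field layout, not real vendor telemetry).
# 'Signature' is the only field the detection reads; FileName/User are the
# fields the rule asks to be shown alongside a hit.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"Signature": "HKTL_Mimikatz", "FileName": "C:\\Temp\\mk.exe", "User": "CORP\\jdoe"},
    {"Signature": "ATK/PsExec-A", "FileName": "C:\\Windows\\Temp\\ps.exe", "User": "SYSTEM"},
    {"Signature": "Trojan.Win32.Agent", "FileName": "C:\\Users\\x\\a.exe", "User": "CORP\\x"},
    {"Signature": "Win32/HackTool.Mimikatz", "FileName": "C:\\Users\\y\\m.exe", "User": "CORP\\y"},
    {"Signature": "EICAR-Test-File", "FileName": "eicar.com", "User": "CORP\\z"},
]


def alerts(events: List[Dict[str, str]]) -> List[Tuple[str, List[str]]]:
    """Return (Signature, [selections that fired]) for every event the rule matches."""
    return [(e["Signature"], matching_selections(e)) for e in events if rule_matches(e)]


if __name__ == "__main__":
    for sig, sels in alerts(SAMPLE_EVENTS):
        print(f"HIT  {sig:<28} via {', '.join(sels)}")
```

Two points worth noticing when running it: `Win32/HackTool.Mimikatz` is caught only because the `*Hacktool*` comparison is case-insensitive, which a backend that compiles Sigma to case-sensitive matching would miss; and the EICAR and generic Trojan signatures fall through, which is the intended scope of the rule, since it keys on hack-tool naming prefixes rather than on "any detection".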