title: Antivirus Relevant File Paths Alerts
id: c9a88268-0047-4824-ba6e-4d81ce0b907c
status: experimental
description: Detects an Antivirus alert in a highly relevant file path or with a relevant file name
references:
    - https://www.nextron-systems.com/2021/03/25/antivirus-event-analysis-cheat-sheet-v1-8/
author: Florian Roth, Arnim Rupp
date: 2018/09/09
modified: 2021/05/09
tags:
    - attack.resource_development
    - attack.t1588
logsource:
    product: antivirus
detection:
    # Detections in system, temp and shared user directories
    SELECTION_1:
        FileName:
            - 'C:\Windows\\*'
            - 'C:\Temp\\*'
            - 'C:\PerfLogs\\*'
            - 'C:\Users\Public\\*'
            - 'C:\Users\Default\\*'
    # Detections in web server and remote-session (RDP client drive) paths
    SELECTION_2:
        FileName:
            - '*\Client\\*'
            - '*\tsclient\\*'
            - '*\inetpub\\*'
            - '*/www/*'
            - '*apache*'
            - '*tomcat*'
            - '*nginx*'
            - '*weblogic*'
    # Detections on script, web-shell, shortcut and image file extensions
    # (field name normalised to FileName so that it matches the same field as the other two selections)
    SELECTION_3:
        FileName:
            - '*.ps1'
            - '*.psm1'
            - '*.vbs'
            - '*.bat'
            - '*.cmd'
            - '*.sh'
            - '*.chm'
            - '*.xml'
            - '*.txt'
            - '*.jsp'
            - '*.jspx'
            - '*.asp'
            - '*.aspx'
            - '*.ashx'
            - '*.asax'
            - '*.asmx'
            - '*.php'
            - '*.cfm'
            - '*.py'
            - '*.pyc'
            - '*.pl'
            - '*.rb'
            - '*.cgi'
            - '*.war'
            - '*.ear'
            - '*.hta'
            - '*.lnk'
            - '*.scf'
            - '*.sct'
            - '*.vbe'
            - '*.wsf'
            - '*.wsh'
            - '*.gif'
            - '*.png'
            - '*.jpg'
            - '*.jpeg'
            - '*.svg'
            - '*.dat'
    condition: (SELECTION_1 or SELECTION_2 or SELECTION_3)
fields:
    - Signature
    - User
falsepositives:
    - Unlikely
level: high
ruletype: SIGMA