title: Antivirus Hacktool Detection
ruletype: Sigma
author: Florian Roth
date: 2021/08/16
description: Detects a highly relevant Antivirus alert that reports a hack tool or other attack tool
detection:
    SELECTION_1:
        Signature:
            - 'HTOOL*'
            - 'HKTL*'
            - 'SecurityTool*'
            - 'ATK/*'
    SELECTION_2:
        Signature:
            - '*Hacktool*'
    condition: (SELECTION_1 or SELECTION_2)
falsepositives:
    - Unlikely
fields:
    - FileName
    - User
id: fa0c05b6-8ad3-468d-8231-c1cbccb64fba
level: high
logsource:
    product: antivirus
references:
    - https://www.nextron-systems.com/2021/08/16/antivirus-event-analysis-cheat-sheet-v1-8-2/
status: experimental
tags:
    - attack.execution
    - attack.t1204
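To show how the rule above behaves when evaluated against antivirus events, here is an added Python example (not part of the Sigma rule or the Sigma project) that applies the rule's two selections and its `or` condition to a few constructed antivirus alerts. It assumes the usual Sigma matching semantics: `*` matches any run of characters, `?` matches one character, and comparisons are case-insensitive. The sample signature names, file paths and user names are constructed for illustration.

```python
import re

# Signature patterns copied from the Sigma rule on this page.
SELECTION_1 = ["HTOOL*", "HKTL*", "SecurityTool*", "ATK/*"]
SELECTION_2 = ["*Hacktool*"]


def sigma_pattern_to_regex(pattern: str) -> re.Pattern:
    """Translate a Sigma string value with '*' / '?' wildcards into an anchored,
    case-insensitive regular expression (Sigma matches case-insensitively by default)."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE | re.DOTALL)


SEL1_RE = [sigma_pattern_to_regex(p) for p in SELECTION_1]
SEL2_RE = [sigma_pattern_to_regex(p) for p in SELECTION_2]


def matches_rule(event: dict) -> bool:
    """Evaluate 'condition: (SELECTION_1 or SELECTION_2)' for one antivirus event.
    An event without a string Signature field can never match."""
    signature = event.get("Signature")
    if not isinstance(signature, str):
        return False
    selection_1 = any(r.match(signature) for r in SEL1_RE)
    selection_2 = any(r.match(signature) for r in SEL2_RE)
    return selection_1 or selection_2


def alerts(events):
    """Return the fields the rule asks analysts to look at (FileName, User)
    for every event that fires the rule, together with the matching signature."""
    return [
        {"Signature": e["Signature"], "FileName": e.get("FileName"), "User": e.get("User")}
        for e in events
        if matches_rule(e)
    ]


# Constructed sample antivirus alerts (not real telemetry).
SAMPLE_EVENTS = [
    {"Signature": "HKTL_CredDumper", "FileName": r"C:\Users\alice\Downloads\dump.exe", "User": "alice"},
    {"Signature": "Win32/HackTool.Generic", "FileName": r"C:\Temp\tool.exe", "User": "bob"},
    {"Signature": "ATK/Recon-A", "FileName": r"C:\Users\carol\AppData\Local\Temp\r.exe", "User": "carol"},
    {"Signature": "Trojan.GenericKD.00000", "FileName": r"C:\Users\dave\invoice.exe", "User": "dave"},
    # Lower-case vendor naming still matches because Sigma compares case-insensitively.
    {"Signature": "securitytool.agent", "FileName": r"C:\ProgramData\agent.exe", "User": "erin"},
    # Event with no Signature field: the rule cannot fire on it.
    {"FileName": r"C:\Windows\Temp\x.tmp", "User": "frank"},
]


if __name__ == "__main__":
    for hit in alerts(SAMPLE_EVENTS):
        print(hit)
```

Running the block prints four hits: the `HKTL*`, `ATK/*` and `SecurityTool*` prefixes from SELECTION_1 and the `*Hacktool*` substring from SELECTION_2; the generic trojan and the event without a Signature field do not fire, which is what the rule's narrow, prefix-based design intends.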