title: Antivirus Exploitation Framework Detection
id: 238527ad-3c2c-4e4f-a1f6-92fd63adb864
description: Detects a highly relevant Antivirus alert that reports an exploitation framework detection
author: Florian Roth
date: 2018/09/09
modified: 2019/01/16
references:
  - https://www.nextron-systems.com/2018/09/08/antivirus-event-analysis-cheat-sheet-v1-4/
tags:
  - attack.execution
  - attack.t1203
  - attack.command_and_control
  - attack.t1219
logsource:
  product: antivirus
detection:
  SELECTION_1:
    Signature: '*MeteTool*'
  SELECTION_2:
    Signature: '*MPreter*'
  SELECTION_3:
    Signature: '*Meterpreter*'
  SELECTION_4:
    Signature: '*Metasploit*'
  SELECTION_5:
    Signature: '*PowerSploit*'
  SELECTION_6:
    Signature: '*CobaltSrike*'
  SELECTION_7:
    Signature: '*Swrort*'
  SELECTION_8:
    Signature: '*Rozena*'
  SELECTION_9:
    Signature: '*Backdoor.Cobalt*'
  SELECTION_10:
    Signature: '*CobaltStr*'
  SELECTION_11:
    Signature: '*COBEACON*'
  SELECTION_12:
    Signature: '*Cometer*'
  SELECTION_13:
    Signature: '*Razy*'
  condition: (SELECTION_1 or SELECTION_2 or SELECTION_3 or SELECTION_4 or SELECTION_5 or SELECTION_6 or SELECTION_7 or SELECTION_8 or SELECTION_9 or SELECTION_10 or SELECTION_11 or SELECTION_12 or SELECTION_13)
fields:
  - FileName
  - User
falsepositives:
  - Unlikely
level: critical
yml_filename: av_exploiting.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/malware