45 lines
850 B
YAML
45 lines
850 B
YAML
|
|
title: Relevant Anti-Virus Event
|
|
ruletype: Sigma
|
|
author: Florian Roth
|
|
date: 2017/02/19
|
|
description: This detection method points out highly relevant Antivirus events
|
|
detection:
|
|
SELECTION_1:
|
|
- HTool-
|
|
- Hacktool
|
|
- ASP/Backdoor
|
|
- JSP/Backdoor
|
|
- PHP/Backdoor
|
|
- Backdoor.ASP
|
|
- Backdoor.JSP
|
|
- Backdoor.PHP
|
|
- Webshell
|
|
- Portscan
|
|
- Mimikatz
|
|
- .WinCred.
|
|
- PlugX
|
|
- Korplug
|
|
- Pwdump
|
|
- Chopper
|
|
- WmiExec
|
|
- Xscan
|
|
- Clearlog
|
|
- ASPXSpy
|
|
SELECTION_2:
|
|
- Keygen
|
|
- Crack
|
|
condition: ((SELECTION_1) and not (SELECTION_2))
|
|
falsepositives:
|
|
- Some software piracy tools (key generators, cracks) are classified as hack tools
|
|
id: 78bc5783-81d9-4d73-ac97-59f6db4f72a8
|
|
level: high
|
|
logsource:
|
|
product: windows
|
|
service: application
|
|
modified: 2021/11/20
|
|
status: experimental
|
|
tags:
|
|
- attack.resource_development
|
|
- attack.t1588
|