82 lines
1.4 KiB
YAML
title: Antivirus Relevant File Paths Alerts
id: c9a88268-0047-4824-ba6e-4d81ce0b907c
status: experimental
description: Detects an Antivirus alert in a highly relevant file path or with a relevant file name
author: Florian Roth, Arnim Rupp
date: 2018/09/09
modified: 2021/05/09
references:
    - https://www.nextron-systems.com/2021/03/25/antivirus-event-analysis-cheat-sheet-v1-8/
tags:
    - attack.resource_development
    - attack.t1588
logsource:
    product: antivirus
detection:
    SELECTION_1:
        FileName:
            - 'C:\Windows\\*'
            - 'C:\Temp\\*'
            - 'C:\PerfLogs\\*'
            - 'C:\Users\Public\\*'
            - 'C:\Users\Default\\*'
    SELECTION_2:
        FileName:
            - '*\Client\\*'
            - '*\tsclient\\*'
            - '*\inetpub\\*'
            - '*/www/*'
            - '*apache*'
            - '*tomcat*'
            - '*nginx*'
            - '*weblogic*'
    SELECTION_3:
        # The field name must be spelled exactly as in the other selections:
        # the page had 'Filename' here, which Sigma treats as a different field,
        # so none of the extension patterns below would ever match.
        FileName:
            - '*.ps1'
            - '*.psm1'
            - '*.vbs'
            - '*.bat'
            - '*.cmd'
            - '*.sh'
            - '*.chm'
            - '*.xml'
            - '*.txt'
            - '*.jsp'
            - '*.jspx'
            - '*.asp'
            - '*.aspx'
            - '*.ashx'
            - '*.asax'
            - '*.asmx'
            - '*.php'
            - '*.cfm'
            - '*.py'
            - '*.pyc'
            - '*.pl'
            - '*.rb'
            - '*.cgi'
            - '*.war'
            - '*.ear'
            - '*.hta'
            - '*.lnk'
            - '*.scf'
            - '*.sct'
            - '*.vbe'
            - '*.wsf'
            - '*.wsh'
            - '*.gif'
            - '*.png'
            - '*.jpg'
            - '*.jpeg'
            - '*.svg'
            - '*.dat'
    condition: (SELECTION_1 or SELECTION_2 or SELECTION_3)
fields:
    - Signature
    - User
falsepositives:
    - Unlikely
level: high
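To show how this rule's three selections apply to antivirus events, here is an added Python example (not code from the Sigma project or from the rule's authors) that re-implements Sigma's `*`/`?` wildcard, case-insensitive string matching and runs the selections over constructed sample events; the event dicts, including their `Signature` and `User` values, are constructed for the demonstration.

```python
import re

# Patterns copied from the rule above; a '\\' in the YAML is one literal backslash.
RULE_SELECTIONS = {
    "SELECTION_1": [r"C:\Windows\*", r"C:\Temp\*", r"C:\PerfLogs\*",
                    r"C:\Users\Public\*", r"C:\Users\Default\*"],
    "SELECTION_2": [r"*\Client\*", r"*\tsclient\*", r"*\inetpub\*", "*/www/*",
                    "*apache*", "*tomcat*", "*nginx*", "*weblogic*"],
    "SELECTION_3": ["*.ps1", "*.psm1", "*.vbs", "*.bat", "*.cmd", "*.sh", "*.chm", "*.xml",
                    "*.txt", "*.jsp", "*.jspx", "*.asp", "*.aspx", "*.ashx", "*.asax",
                    "*.asmx", "*.php", "*.cfm", "*.py", "*.pyc", "*.pl", "*.rb", "*.cgi",
                    "*.war", "*.ear", "*.hta", "*.lnk", "*.scf", "*.sct", "*.vbe", "*.wsf",
                    "*.wsh", "*.gif", "*.png", "*.jpg", "*.jpeg", "*.svg", "*.dat"],
}

def sigma_regex(pattern: str) -> re.Pattern:
    """Sigma string matching: '*' = any run of characters, '?' = one character,
    everything else literal; the whole value is compared case-insensitively."""
    parts = [".*" if t == "*" else "." if t == "?" else re.escape(t)
             for t in re.split(r"([*?])", pattern)]
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE | re.DOTALL)

COMPILED = {name: [sigma_regex(p) for p in pats] for name, pats in RULE_SELECTIONS.items()}

def matching_selections(event: dict) -> list:
    """Selections whose FileName patterns match the event. The condition is an OR,
    so the alert fires when this list is non-empty; a field absent from the event
    never matches, which is why every selection must spell the field 'FileName'."""
    value = event.get("FileName")
    if value is None:
        return []
    return [name for name, pats in COMPILED.items() if any(p.match(value) for p in pats)]

def rule_fires(event: dict) -> bool:
    return bool(matching_selections(event))

# Constructed sample antivirus events (not real telemetry); the rule's 'fields'
# entry asks for Signature and User to be displayed next to each alert.
SAMPLE_EVENTS = [
    {"Signature": "Trojan.Generic", "User": "CORP\\web01$",
     "FileName": r"C:\inetpub\wwwroot\uploads\cmd.aspx"},  # web root + web shell extension
    {"Signature": "HackTool.PS", "User": "CORP\\alice",
     "FileName": r"C:\Users\Public\update.ps1"},           # public folder + script extension
    {"Signature": "PUA.Adware", "User": "CORP\\bob",
     "FileName": r"C:\Users\bob\Downloads\setup.exe"},     # no relevant path or extension
    {"Signature": "Trojan.Generic", "User": "CORP\\bob",
     "FileName": r"c:\windows\temp\svchost.exe"},          # lower-case path still matches
]
```

Running `matching_selections` over `SAMPLE_EVENTS` shows which selection produced each hit, which is useful when tuning the list of paths or extensions for a specific environment.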