138 lines
3.8 KiB
YAML
138 lines
3.8 KiB
YAML
title: Antivirus Relevant File Paths Alerts
|
|
author: Florian Roth, Arnim Rupp
|
|
date: 2018/09/09
|
|
description: Detects an Antivirus alert in a highly relevant file path or with a relevant
|
|
file name
|
|
detection:
|
|
SELECTION_1:
|
|
FileName: C:\Windows\\*
|
|
SELECTION_10:
|
|
FileName: '*apache*'
|
|
SELECTION_11:
|
|
FileName: '*tomcat*'
|
|
SELECTION_12:
|
|
FileName: '*nginx*'
|
|
SELECTION_13:
|
|
FileName: '*weblogic*'
|
|
SELECTION_14:
|
|
Filename: '*.ps1'
|
|
SELECTION_15:
|
|
Filename: '*.psm1'
|
|
SELECTION_16:
|
|
Filename: '*.vbs'
|
|
SELECTION_17:
|
|
Filename: '*.bat'
|
|
SELECTION_18:
|
|
Filename: '*.cmd'
|
|
SELECTION_19:
|
|
Filename: '*.sh'
|
|
SELECTION_2:
|
|
FileName: C:\Temp\\*
|
|
SELECTION_20:
|
|
Filename: '*.chm'
|
|
SELECTION_21:
|
|
Filename: '*.xml'
|
|
SELECTION_22:
|
|
Filename: '*.txt'
|
|
SELECTION_23:
|
|
Filename: '*.jsp'
|
|
SELECTION_24:
|
|
Filename: '*.jspx'
|
|
SELECTION_25:
|
|
Filename: '*.asp'
|
|
SELECTION_26:
|
|
Filename: '*.aspx'
|
|
SELECTION_27:
|
|
Filename: '*.ashx'
|
|
SELECTION_28:
|
|
Filename: '*.asax'
|
|
SELECTION_29:
|
|
Filename: '*.asmx'
|
|
SELECTION_3:
|
|
FileName: C:\PerfLogs\\*
|
|
SELECTION_30:
|
|
Filename: '*.php'
|
|
SELECTION_31:
|
|
Filename: '*.cfm'
|
|
SELECTION_32:
|
|
Filename: '*.py'
|
|
SELECTION_33:
|
|
Filename: '*.pyc'
|
|
SELECTION_34:
|
|
Filename: '*.pl'
|
|
SELECTION_35:
|
|
Filename: '*.rb'
|
|
SELECTION_36:
|
|
Filename: '*.cgi'
|
|
SELECTION_37:
|
|
Filename: '*.war'
|
|
SELECTION_38:
|
|
Filename: '*.ear'
|
|
SELECTION_39:
|
|
Filename: '*.hta'
|
|
SELECTION_4:
|
|
FileName: C:\Users\Public\\*
|
|
SELECTION_40:
|
|
Filename: '*.lnk'
|
|
SELECTION_41:
|
|
Filename: '*.scf'
|
|
SELECTION_42:
|
|
Filename: '*.sct'
|
|
SELECTION_43:
|
|
Filename: '*.vbe'
|
|
SELECTION_44:
|
|
Filename: '*.wsf'
|
|
SELECTION_45:
|
|
Filename: '*.wsh'
|
|
SELECTION_46:
|
|
Filename: '*.gif'
|
|
SELECTION_47:
|
|
Filename: '*.png'
|
|
SELECTION_48:
|
|
Filename: '*.jpg'
|
|
SELECTION_49:
|
|
Filename: '*.jpeg'
|
|
SELECTION_5:
|
|
FileName: C:\Users\Default\\*
|
|
SELECTION_50:
|
|
Filename: '*.svg'
|
|
SELECTION_51:
|
|
Filename: '*.dat'
|
|
SELECTION_6:
|
|
FileName: '*\Client\\*'
|
|
SELECTION_7:
|
|
FileName: '*\tsclient\\*'
|
|
SELECTION_8:
|
|
FileName: '*\inetpub\\*'
|
|
SELECTION_9:
|
|
FileName: '*/www/*'
|
|
condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3 or SELECTION_4 or SELECTION_5)
|
|
or (SELECTION_6 or SELECTION_7 or SELECTION_8 or SELECTION_9 or SELECTION_10
|
|
or SELECTION_11 or SELECTION_12 or SELECTION_13) or (SELECTION_14 or SELECTION_15
|
|
or SELECTION_16 or SELECTION_17 or SELECTION_18 or SELECTION_19 or SELECTION_20
|
|
or SELECTION_21 or SELECTION_22 or SELECTION_23 or SELECTION_24 or SELECTION_25
|
|
or SELECTION_26 or SELECTION_27 or SELECTION_28 or SELECTION_29 or SELECTION_30
|
|
or SELECTION_31 or SELECTION_32 or SELECTION_33 or SELECTION_34 or SELECTION_35
|
|
or SELECTION_36 or SELECTION_37 or SELECTION_38 or SELECTION_39 or SELECTION_40
|
|
or SELECTION_41 or SELECTION_42 or SELECTION_43 or SELECTION_44 or SELECTION_45
|
|
or SELECTION_46 or SELECTION_47 or SELECTION_48 or SELECTION_49 or SELECTION_50
|
|
or SELECTION_51))
|
|
falsepositives:
|
|
- Unlikely
|
|
fields:
|
|
- Signature
|
|
- User
|
|
id: c9a88268-0047-4824-ba6e-4d81ce0b907c
|
|
level: high
|
|
logsource:
|
|
product: antivirus
|
|
modified: 2021/05/09
|
|
references:
|
|
- https://www.nextron-systems.com/2021/03/25/antivirus-event-analysis-cheat-sheet-v1-8/
|
|
tags:
|
|
- attack.resource_development
|
|
- attack.t1588
|
|
yml_filename: av_relevant_files.yml
|
|
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/malware
|
|
|