title: Relevant Anti-Virus Event
description: This detection method points out highly relevant Antivirus events
author: Florian Roth
logsource:
    product: windows
detection:
    selection:
        EventLog: Application
    keywords:
        - HTool
        - Hacktool
        - ASP/Backdoor
        - JSP/Backdoor
        - PHP/Backdoor
        - Backdoor.ASP
        - Backdoor.JSP
        - Backdoor.PHP
        - Webshell
        - Portscan
        - Mimikatz
        - WinCred
        - PlugX
        - Korplug
        - Pwdump
        - Chopper
        - WmiExec
        - Xscan
        - Clearlog
        - ASPXSpy
    filters:
        - Keygen
        - Crack
    condition: selection and 1 of keywords and not 1 of filters
falsepositives:
    - Some software piracy tools (key generators, cracks) are classified as hack tools
level: high
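As an added example (not part of the rule above or of the Sigma project), the Python below applies this rule's condition "selection and 1 of keywords and not 1 of filters" to a few constructed Application-log events, showing the Keygen filter suppressing a hack-tool detection that would otherwise fire. It assumes, as most Sigma backends do for free-text keywords, that a keyword matches as a case-insensitive substring anywhere in the event's fields.

```python
"""Evaluate the 'Relevant Anti-Virus Event' Sigma rule over sample events.

Added example, not the Sigma project's own code. Assumption: a keyword hits
when it occurs as a case-insensitive substring in any field of the event.
"""

# Keyword and filter lists copied from the rule.
KEYWORDS = [
    "HTool", "Hacktool", "ASP/Backdoor", "JSP/Backdoor", "PHP/Backdoor",
    "Backdoor.ASP", "Backdoor.JSP", "Backdoor.PHP", "Webshell", "Portscan",
    "Mimikatz", "WinCred", "PlugX", "Korplug", "Pwdump", "Chopper",
    "WmiExec", "Xscan", "Clearlog", "ASPXSpy",
]
FILTERS = ["Keygen", "Crack"]


def event_text(event):
    """Flatten every field value into one lower-cased string for matching."""
    return " ".join(str(value) for value in event.values()).lower()


def matches_selection(event):
    """'selection': the event must come from the Application log."""
    return event.get("EventLog") == "Application"


def hit_keywords(event):
    """Return the rule keywords present in the event ('1 of keywords')."""
    text = event_text(event)
    return [kw for kw in KEYWORDS if kw.lower() in text]


def hit_filters(event):
    """Return the filter terms present in the event ('not 1 of filters')."""
    text = event_text(event)
    return [flt for flt in FILTERS if flt.lower() in text]


def rule_matches(event):
    """Full condition: selection and 1 of keywords and not 1 of filters."""
    return bool(matches_selection(event) and hit_keywords(event) and not hit_filters(event))


# Constructed sample events (not real telemetry); EventID and paths are illustrative.
SAMPLE_EVENTS = [
    {"EventLog": "Application", "EventID": 1116, "Message": "Detected HackTool:Win32/Mimikatz on C:\\Tools\\m.exe"},
    {"EventLog": "Application", "EventID": 1116, "Message": "Detected HackTool:Win32/Keygen in C:\\Users\\demo\\Office_Keygen.exe"},
    {"EventLog": "System", "EventID": 7045, "Message": "Service installed from C:\\Temp\\Mimikatz.exe"},
    {"EventLog": "Application", "EventID": 1116, "Message": "Detected Trojan:Win32/Emotet in C:\\Temp\\inv.doc"},
]


def triage(events):
    """Return (index, matched keywords) for every event that fires the rule."""
    return [(i, hit_keywords(ev)) for i, ev in enumerate(events) if rule_matches(ev)]
```

Only the first event fires: the second is a hack-tool detection excluded by the Keygen filter, the third is a System-log event outside the selection, and the fourth carries no rule keyword.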