SigmaHQ/rules/windows/malware/av_relevant_files.yml

title: Antivirus Relevant File Paths Alerts
id: c9a88268-0047-4824-ba6e-4d81ce0b907c
description: Detects an Antivirus alert in a highly relevant file path or with a relevant file name
date: 2018/09/09
modified: 2021/05/09
author: Florian Roth, Arnim Rupp
references:
    - https://www.nextron-systems.com/2021/03/25/antivirus-event-analysis-cheat-sheet-v1-8/
logsource:
    product: antivirus
detection:
    selection:
        - FileName|startswith:
            - 'C:\Windows\'
            - 'C:\Temp\'
            - 'C:\PerfLogs\'
            - 'C:\Users\Public\'
            - 'C:\Users\Default\'
        - FileName|contains:
            - '\Client\'
            - '\tsclient\'
            - '\inetpub\'
            - '/www/'
            - 'apache'
            - 'tomcat'
            - 'nginx'
            - 'weblogic'
    selection2:
        Filename|endswith:
            - '.ps1'
            - '.psm1'
            - '.vbs'
            - '.bat'
            - '.cmd'
            - '.sh'
            - '.chm'
            - '.xml'
            - '.txt'
            - '.jsp'
            - '.jspx'
            - '.asp'
            - '.aspx'
            - '.ashx'
            - '.asax'
            - '.asmx'
            - '.php'
            - '.cfm'
            - '.py'
            - '.pyc'
            - '.pl'
            - '.rb'
            - '.cgi'
            - '.war'
            - '.ear'
            - '.hta'
            - '.lnk'
            - '.scf'
            - '.sct'
            - '.vbe'
            - '.wsf'
            - '.wsh'
            - '.gif'
            - '.png'
            - '.jpg'
            - '.jpeg'
            - '.svg'
            - '.dat'
    condition: selection or selection2
fields:
    - Signature
    - User
falsepositives:
    - Unlikely
level: high
Update av_relevant_files.yml Duplicate rule title: https://github.com/Neo23x0/sigma/search?q=Antivirus+Exploitation+Framework+Detection&unscoped_q=Antivirus+Exploitation+Framework+Detection This affetcs Elastalert integration 2018-12-05 04:53:53 +00:00			`title: Antivirus Relevant File Paths Alerts`
Added UUIDs to rules 2019-11-12 22:12:27 +00:00			`id: c9a88268-0047-4824-ba6e-4d81ce0b907c`
Rule: AV alerts - relevant files 2018-09-09 09:03:59 +00:00			`description: Detects an Antivirus alert in a highly relevant file path or with a relevant file name`
			`date: 2018/09/09`
Update av_relevant_files.yml added extensions and paths from cheat sheet 1.8 plus some more (maybe add webserver roots + scripting languages to cheat sheet?) 2021-05-08 22:03:47 +00:00			`modified: 2021/05/09`
			`author: Florian Roth, Arnim Rupp`
Rule: AV alerts - relevant files 2018-09-09 09:03:59 +00:00			`references:`
Update av_relevant_files.yml added extensions and paths from cheat sheet 1.8 plus some more (maybe add webserver roots + scripting languages to cheat sheet?) 2021-05-08 22:03:47 +00:00			`- https://www.nextron-systems.com/2021/03/25/antivirus-event-analysis-cheat-sheet-v1-8/`
Rule: AV alerts - relevant files 2018-09-09 09:03:59 +00:00			`logsource:`
			`product: antivirus`
			`detection:`
			`selection:`
Update av_relevant_files.yml 2020-10-28 01:32:16 +00:00			`- FileName\|startswith:`
Update av_relevant_files.yml added extensions and paths from cheat sheet 1.8 plus some more (maybe add webserver roots + scripting languages to cheat sheet?) 2021-05-08 22:03:47 +00:00			`- 'C:\Windows\'`
Update av_relevant_files.yml 2020-10-28 01:34:57 +00:00			`- 'C:\Temp\'`
			`- 'C:\PerfLogs\'`
			`- 'C:\Users\Public\'`
			`- 'C:\Users\Default\'`
Update av_relevant_files.yml 2020-10-28 01:32:16 +00:00			`- FileName\|contains:`
Update av_relevant_files.yml 2020-10-28 01:34:57 +00:00			`- '\Client\'`
Update av_relevant_files.yml added extensions and paths from cheat sheet 1.8 plus some more (maybe add webserver roots + scripting languages to cheat sheet?) 2021-05-08 22:03:47 +00:00			`- '\tsclient\'`
			`- '\inetpub\'`
			`- '/www/'`
			`- 'apache'`
			`- 'tomcat'`
			`- 'nginx'`
			`- 'weblogic'`
Fix 2020-10-15 23:24:31 +00:00			`selection2:`
Update av_relevant_files.yml 2020-10-15 19:13:22 +00:00			`Filename\|endswith:`
			`- '.ps1'`
Update av_relevant_files.yml added extensions and paths from cheat sheet 1.8 plus some more (maybe add webserver roots + scripting languages to cheat sheet?) 2021-05-08 22:03:47 +00:00			`- '.psm1'`
Update av_relevant_files.yml 2020-10-15 19:13:22 +00:00			`- '.vbs'`
			`- '.bat'`
Update av_relevant_files.yml added extensions and paths from cheat sheet 1.8 plus some more (maybe add webserver roots + scripting languages to cheat sheet?) 2021-05-08 22:03:47 +00:00			`- '.cmd'`
			`- '.sh'`
Update av_relevant_files.yml 2020-10-15 19:13:22 +00:00			`- '.chm'`
			`- '.xml'`
			`- '.txt'`
			`- '.jsp'`
			`- '.jspx'`
			`- '.asp'`
			`- '.aspx'`
Update av_relevant_files.yml added extensions and paths from cheat sheet 1.8 plus some more (maybe add webserver roots + scripting languages to cheat sheet?) 2021-05-08 22:03:47 +00:00			`- '.ashx'`
			`- '.asax'`
			`- '.asmx'`
Update av_relevant_files.yml 2020-10-15 19:13:22 +00:00			`- '.php'`
Update av_relevant_files.yml added extensions and paths from cheat sheet 1.8 plus some more (maybe add webserver roots + scripting languages to cheat sheet?) 2021-05-08 22:03:47 +00:00			`- '.cfm'`
			`- '.py'`
			`- '.pyc'`
			`- '.pl'`
			`- '.rb'`
			`- '.cgi'`
Update av_relevant_files.yml 2020-10-15 19:13:22 +00:00			`- '.war'`
Update av_relevant_files.yml added extensions and paths from cheat sheet 1.8 plus some more (maybe add webserver roots + scripting languages to cheat sheet?) 2021-05-08 22:03:47 +00:00			`- '.ear'`
Update av_relevant_files.yml 2020-10-15 19:13:22 +00:00			`- '.hta'`
			`- '.lnk'`
			`- '.scf'`
			`- '.sct'`
			`- '.vbe'`
			`- '.wsf'`
			`- '.wsh'`
Update av_relevant_files.yml added extensions and paths from cheat sheet 1.8 plus some more (maybe add webserver roots + scripting languages to cheat sheet?) 2021-05-08 22:03:47 +00:00			`- '.gif'`
			`- '.png'`
			`- '.jpg'`
			`- '.jpeg'`
			`- '.svg'`
			`- '.dat'`
Fix 2020-10-15 23:24:31 +00:00			`condition: selection or selection2`
Rule: AV alerts - relevant files 2018-09-09 09:03:59 +00:00			`fields:`
			`- Signature`
			`- User`
			`falsepositives:`
			`- Unlikely`
			`level: high`