SigmaHQ/rules/windows/builtin/win_av_relevant_match.yml

title: Relevant Anti-Virus Event
id: 78bc5783-81d9-4d73-ac97-59f6db4f72a8
description: This detection method points out highly relevant Antivirus events
author: Florian Roth
date: 2017/02/19
modified: 2021/01/07
logsource:
    product: windows
    service: application
detection:
    keywords:
        Message|contains:
            - "HTool"
            - "Hacktool"
            - "ASP/Backdoor"
            - "JSP/Backdoor"
            - "PHP/Backdoor"
            - "Backdoor.ASP"
            - "Backdoor.JSP"
            - "Backdoor.PHP"
            - "Webshell"
            - "Portscan"
            - "Mimikatz"
            - "WinCred"
            - "PlugX"
            - "Korplug"
            - "Pwdump"
            - "Chopper"
            - "WmiExec"
            - "Xscan"
            - "Clearlog"
            - "ASPXSpy"
    filter:
        Message|contains:
            - "Keygen"
            - "Crack"
    condition: keywords and not filter
falsepositives:
    - Some software piracy tools (key generators, cracks) are classified as hack tools
level: high
Consistency between format description and examples - description/comment -> title/description - addition of reference 2017-01-10 21:40:59 +00:00			`title: Relevant Anti-Virus Event`
Added UUIDs to rules 2019-11-12 22:12:27 +00:00			`id: 78bc5783-81d9-4d73-ac97-59f6db4f72a8`
Consistency between format description and examples - description/comment -> title/description - addition of reference 2017-01-10 21:40:59 +00:00			`description: This detection method points out highly relevant Antivirus events`
Added "logsource" sections and new rule 2017-02-18 23:31:59 +00:00			`author: Florian Roth`
fix: fixed missing date fields in remaining files 2020-01-30 15:07:37 +00:00			`date: 2017/02/19`
more AV event and suspicious commands some of the AV events are duplicates to win_av_relevant_match.yml, should we clean that up or include the strings in both? 2021-01-07 16:54:19 +00:00			`modified: 2021/01/07`
Added "logsource" sections and new rule 2017-02-18 23:31:59 +00:00			`logsource:`
Removed lists from log source section 2017-02-19 10:08:23 +00:00			`product: windows`
Windows Built-In rules > LogSource definition 2017-03-05 22:55:52 +00:00			`service: application`
Example Updates 2016-12-27 13:49:54 +00:00			`detection:`
			`keywords:`
Update win_av_relevant_match.yml 2020-10-15 18:17:33 +00:00			`Message\|contains:`
			`- "HTool"`
			`- "Hacktool"`
			`- "ASP/Backdoor"`
			`- "JSP/Backdoor"`
			`- "PHP/Backdoor"`
			`- "Backdoor.ASP"`
			`- "Backdoor.JSP"`
			`- "Backdoor.PHP"`
			`- "Webshell"`
			`- "Portscan"`
			`- "Mimikatz"`
			`- "WinCred"`
			`- "PlugX"`
			`- "Korplug"`
			`- "Pwdump"`
			`- "Chopper"`
			`- "WmiExec"`
			`- "Xscan"`
			`- "Clearlog"`
			`- "ASPXSpy"`
			`filter:`
			`Message\|contains:`
			`- "Keygen"`
			`- "Crack"`
			`condition: keywords and not filter`
Example Updates 2016-12-27 13:49:54 +00:00			`falsepositives:`
			`- Some software piracy tools (key generators, cracks) are classified as hack tools`
Levels to low, medium, high, critical 2017-02-16 17:02:26 +00:00			`level: high`