SigmaHQ/rules/windows/malware/av_relevant_files.yml

title: Antivirus Exploitation Framework Detection
description: Detects an Antivirus alert in a highly relevant file path or with a relevant file name
date: 2018/09/09
author: Florian Roth
references:
    - https://www.nextron-systems.com/2018/09/08/antivirus-event-analysis-cheat-sheet-v1-4/
logsource:
    product: antivirus
detection:
    selection:
        FileName:
            - 'C:\Windows\Temp\*'
            - 'C:\Temp\*'
            - '*\\Client\*'
            - 'C:\PerfLogs\*'
            - 'C:\Users\Public\*'
            - 'C:\Users\Default\*'
            - '*.ps1'
            - '*.vbs'
            - '*.bat'
            - '*.chm'
            - '*.xml'
            - '*.txt'
            - '*.jsp'
            - '*.jspx'
            - '*.asp'
            - '*.aspx'
            - '*.php'
            - '*.war'
    condition: selection
fields:
    - Signature
    - User
falsepositives:
    - Unlikely
level: high
Rule: AV alerts - relevant files 2018-09-09 09:03:59 +00:00			`title: Antivirus Exploitation Framework Detection`
			`description: Detects an Antivirus alert in a highly relevant file path or with a relevant file name`
			`date: 2018/09/09`
			`author: Florian Roth`
			`references:`
			`- https://www.nextron-systems.com/2018/09/08/antivirus-event-analysis-cheat-sheet-v1-4/`
			`logsource:`
			`product: antivirus`
			`detection:`
			`selection:`
			`FileName:`
			`- 'C:\Windows\Temp\*'`
			`- 'C:\Temp\*'`
			`- '\\Client\'`
			`- 'C:\PerfLogs\*'`
			`- 'C:\Users\Public\*'`
			`- 'C:\Users\Default\*'`
			`- '*.ps1'`
			`- '*.vbs'`
			`- '*.bat'`
			`- '*.chm'`
			`- '*.xml'`
			`- '*.txt'`
			`- '*.jsp'`
			`- '*.jspx'`
			`- '*.asp'`
			`- '*.aspx'`
			`- '*.php'`
			`- '*.war'`
			`condition: selection`
			`fields:`
			`- Signature`
			`- User`
			`falsepositives:`
			`- Unlikely`
			`level: high`