SigmaHQ/rules/windows/malware/av_exploiting.yml

title: Antivirus Exploitation Framework Detection
description: Detects a highly relevant Antivirus alert that reports an exploitation framework
date: 2018/09/09
author: Florian Roth
references:
    - https://www.nextron-systems.com/2018/09/08/antivirus-event-analysis-cheat-sheet-v1-4/
tags:
    - attack.execution
    - attack.t1203
    - attack.command_and_control
    - attack.t1219
logsource:
    product: antivirus
detection:
    selection:
        Signature: 
            - "*MeteTool*"
            - "*Meterpreter*"
            - "*Metasploit*"
            - "*PowerSploit*"
            - "*CobaltSrike*"
    condition: selection
fields:
    - FileName
    - User
falsepositives:
    - Unlikely
level: critical
Rule: AV alerts - exploiting frameworks 2018-09-09 09:03:26 +00:00			`title: Antivirus Exploitation Framework Detection`
			`description: Detects a highly relevant Antivirus alert that reports an exploitation framework`
			`date: 2018/09/09`
			`author: Florian Roth`
			`references:`
			`- https://www.nextron-systems.com/2018/09/08/antivirus-event-analysis-cheat-sheet-v1-4/`
			`tags:`
ATT&CK tagging QA 2018-09-20 10:44:44 +00:00			`- attack.execution`
Rule: AV alerts - exploiting frameworks 2018-09-09 09:03:26 +00:00			`- attack.t1203`
ATT&CK tagging QA 2018-09-20 10:44:44 +00:00			`- attack.command_and_control`
Rule: AV alerts - exploiting frameworks 2018-09-09 09:03:26 +00:00			`- attack.t1219`
			`logsource:`
			`product: antivirus`
			`detection:`
			`selection:`
			`Signature:`
			`- "MeteTool"`
			`- "Meterpreter"`
			`- "Metasploit"`
			`- "PowerSploit"`
			`- "CobaltSrike"`
			`condition: selection`
			`fields:`
			`- FileName`
			`- User`
			`falsepositives:`
			`- Unlikely`
			`level: critical`