title: Relevant Anti-Virus Event
id: 78bc5783-81d9-4d73-ac97-59f6db4f72a8
description: This detection method points out highly relevant Antivirus events
author: Florian Roth
date: 2017/02/19
modified: 2021/01/07
logsource:
    product: windows
    service: application
detection:
    keywords:
        Message|contains:
            - "HTool"
            - "Hacktool"
            - "ASP/Backdoor"
            - "JSP/Backdoor"
            - "PHP/Backdoor"
            - "Backdoor.ASP"
            - "Backdoor.JSP"
            - "Backdoor.PHP"
            - "Webshell"
            - "Portscan"
            - "Mimikatz"
            - "WinCred"
            - "PlugX"
            - "Korplug"
            - "Pwdump"
            - "Chopper"
            - "WmiExec"
            - "Xscan"
            - "Clearlog"
            - "ASPXSpy"
    filter:
        Message|contains:
            - "Keygen"
            - "Crack"
    condition: keywords and not filter
falsepositives:
    - Some software piracy tools (key generators, cracks) are classified as hack tools
level: high
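The rule's `keywords and not filter` condition evaluated over constructed Windows Application log events, as an added Python example that is not part of the Sigma rule above; it assumes Sigma's default case-insensitive substring semantics for `|contains`, and the event records and the provider name `ExampleAV` are constructed samples.

```python
# Added example (not part of the Sigma rule above): applies the rule's
# "keywords and not filter" logic to constructed Windows Application log
# events. Sigma string matching is case-insensitive, so "HackTool" still
# matches the keyword "Hacktool". Event records below are constructed samples.

KEYWORDS = [
    "HTool", "Hacktool", "ASP/Backdoor", "JSP/Backdoor", "PHP/Backdoor",
    "Backdoor.ASP", "Backdoor.JSP", "Backdoor.PHP", "Webshell", "Portscan",
    "Mimikatz", "WinCred", "PlugX", "Korplug", "Pwdump", "Chopper",
    "WmiExec", "Xscan", "Clearlog", "ASPXSpy",
]
FILTER = ["Keygen", "Crack"]


def contains_any(value, terms):
    """Sigma '|contains' over a list: any term is a case-insensitive substring."""
    lowered = value.lower()
    return any(term.lower() in lowered for term in terms)


def matches_rule(event):
    """condition: keywords and not filter, evaluated on the Message field."""
    message = event.get("Message", "")
    return contains_any(message, KEYWORDS) and not contains_any(message, FILTER)


def alerts(events):
    """Return the RecordIds of events the rule would fire on, in log order."""
    return [e["RecordId"] for e in events if matches_rule(e)]


# Constructed sample events in the shape of Windows Application log records.
SAMPLE_EVENTS = [
    {"RecordId": 1, "Provider": "ExampleAV",
     "Message": "Threat detected: HackTool:Win32/Mimikatz in C:\\Users\\a\\m.exe"},
    {"RecordId": 2, "Provider": "ExampleAV",
     "Message": "Threat detected: HackTool:Win32/Keygen in D:\\setup\\keygen.exe"},
    {"RecordId": 3, "Provider": "ExampleAV",
     "Message": "Threat detected: Backdoor.PHP.WebShell in C:\\inetpub\\wwwroot\\x.php"},
    {"RecordId": 4, "Provider": "ExampleAV",
     "Message": "Threat detected: Trojan:Win32/Emotet in C:\\Users\\a\\doc.exe"},
    {"RecordId": 5, "Provider": "ExampleAV",
     "Message": "Threat detected: Crack.Tool.Generic with Pwdump module"},
]

if __name__ == "__main__":
    for rid in alerts(SAMPLE_EVENTS):
        print(f"ALERT record {rid}")  # prints records 1 and 3
```

Record 5 shows the cost of the filter: a message that names a listed tool is suppressed whenever "Keygen" or "Crack" also appears, so the filter trades the key-generator false positives for a blind spot on such combined detections.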