title: Antivirus Exploitation Framework Detection description: Detects a highly relevant Antivirus alert that reports an exploitation framework date: 2018/09/09 modified: 2019/01/16 author: Florian Roth references: - https://www.nextron-systems.com/2018/09/08/antivirus-event-analysis-cheat-sheet-v1-4/ tags: - attack.execution - attack.t1203 - attack.command_and_control - attack.t1219 logsource: product: antivirus detection: selection: Signature: - "*MeteTool*" - "*MPreter*" - "*Meterpreter*" - "*Metasploit*" - "*PowerSploit*" - "*CobaltSrike*" - "*Swrort*" - "*Rozena*" - '*Backdoor.Cobalt*' condition: selection fields: - FileName - User falsepositives: - Unlikely level: critical