
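# Sigma rule: raises an antivirus detection to "high" when the flagged file's
# path or extension is itself a strong indicator. The rule matches on the
# FileName field of the AV event; any single pattern below is sufficient
# (condition: selection). The page's copy had lost all nesting, which would
# make `detection`, `selection` and `FileName` unrelated top-level keys and
# leave `detection` as null; the structure is restored here.
title: Antivirus Relevant File Paths Alerts
description: Detects an Antivirus alert in a highly relevant file path or with a relevant file name
date: 2018/09/09
author: Florian Roth
references:
  - https://www.nextron-systems.com/2018/09/08/antivirus-event-analysis-cheat-sheet-v1-4/
logsource:
  product: antivirus
detection:
  selection:
    # Values are single-quoted so backslashes stay literal. In Sigma, `\\`
    # is an escaped (literal) backslash and `*` a wildcard, so `\\*` means
    # "a backslash, then anything".
    FileName:
      # Directories that are typically writable without administrative
      # rights and are therefore a common location for dropped files.
      - 'C:\Windows\Temp\\*'
      - 'C:\Temp\\*'
      - '*\\Client\\*'
      - 'C:\PerfLogs\\*'
      - 'C:\Users\Public\\*'
      - 'C:\Users\Default\\*'
      # Script and help-file extensions an AV engine would not normally
      # flag unless the content itself is malicious.
      - '*.ps1'
      - '*.vbs'
      - '*.bat'
      - '*.chm'
      # Broad data extensions; the AV verdict is the primary signal here.
      # NOTE(review): these two may need tuning on sources that emit many
      # low-severity detections — confirm against the deployed AV product.
      - '*.xml'
      - '*.txt'
      # Server-side web extensions: an AV hit on one of these is consistent
      # with a web shell rather than a commodity download.
      - '*.jsp'
      - '*.jspx'
      - '*.asp'
      - '*.aspx'
      - '*.php'
      - '*.war'
  condition: selection
# Fields surfaced alongside the alert for triage.
fields:
  - Signature
  - User
falsepositives:
  - Unlikely
level: high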