mirror of
https://github.com/valitydev/SigmaHQ.git
synced 2024-11-07 09:48:58 +00:00
39 lines
1.0 KiB
YAML
39 lines
1.0 KiB
YAML
title: Relevant Anti-Virus Event
|
|
id: 78bc5783-81d9-4d73-ac97-59f6db4f72a8
|
|
description: This detection method points out highly relevant Antivirus events
|
|
author: Florian Roth
|
|
logsource:
|
|
product: windows
|
|
service: application
|
|
detection:
|
|
keywords:
|
|
Message:
|
|
- "*HTool*"
|
|
- "*Hacktool*"
|
|
- "*ASP/Backdoor*"
|
|
- "*JSP/Backdoor*"
|
|
- "*PHP/Backdoor*"
|
|
- "*Backdoor.ASP*"
|
|
- "*Backdoor.JSP*"
|
|
- "*Backdoor.PHP*"
|
|
- "*Webshell*"
|
|
- "*Portscan*"
|
|
- "*Mimikatz*"
|
|
- "*WinCred*"
|
|
- "*PlugX*"
|
|
- "*Korplug*"
|
|
- "*Pwdump*"
|
|
- "*Chopper*"
|
|
- "*WmiExec*"
|
|
- "*Xscan*"
|
|
- "*Clearlog*"
|
|
- "*ASPXSpy*"
|
|
filters:
|
|
Message:
|
|
- "*Keygen*"
|
|
- "*Crack*"
|
|
condition: keywords and not 1 of filters
|
|
falsepositives:
|
|
- Some software piracy tools (key generators, cracks) are classified as hack tools
|
|
level: high
|