mirror of
https://github.com/valitydev/SigmaHQ.git
synced 2024-11-09 02:26:48 +00:00
d5de3fe5f9
some of the AV events are duplicates to win_av_relevant_match.yml, should we clean that up or include the strings in both?
43 lines
1.1 KiB
YAML
title: Relevant Anti-Virus Event
id: 78bc5783-81d9-4d73-ac97-59f6db4f72a8
description: This detection method points out highly relevant Antivirus events
author: Florian Roth
date: 2017/02/19
modified: 2021/01/07
logsource:
    product: windows
    service: application
detection:
    keywords:
        Message:
            - "*HTool*"
            - "*Hacktool*"
            - "*ASP/Backdoor*"
            - "*JSP/Backdoor*"
            - "*PHP/Backdoor*"
            - "*Backdoor.ASP*"
            - "*Backdoor.JSP*"
            - "*Backdoor.PHP*"
            - "*Webshell*"
            - "*Portscan*"
            - "*Mimikatz*"
            - "*WinCred*"
            - "*PlugX*"
            - "*Korplug*"
            - "*Pwdump*"
            - "*Chopper*"
            - "*WmiExec*"
            - "*Xscan*"
            - "*Clearlog*"
            - "*ASPXSpy*"
            - "*Seatbelt*"
            - "*sbelt*"
    filters:
        Message:
            - "*Keygen*"
            - "*Crack*"
    condition: keywords and not 1 of filters
falsepositives:
    - Some software piracy tools (key generators, cracks) are classified as hack tools
level: high
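The following is an added example, not code from the SigmaHQ repository or from the rule author: it evaluates the rule's `keywords and not 1 of filters` condition in plain Python over a handful of constructed Windows Application-log events, so you can see which messages alert, which are suppressed by the Keygen/Crack filter, and why logsource scoping matters. Sigma string matching is case-insensitive and treats `*`/`?` as wildcards; the mapping of `service: application` to the `Application` event channel and the `Channel`/`Message`/`id` field names are assumptions made for this example, and the sample messages are constructed, not real AV output.

```python
import re

# Keyword and filter lists copied from the rule above (win_av_relevant_match.yml).
KEYWORDS = [
    "*HTool*", "*Hacktool*", "*ASP/Backdoor*", "*JSP/Backdoor*", "*PHP/Backdoor*",
    "*Backdoor.ASP*", "*Backdoor.JSP*", "*Backdoor.PHP*", "*Webshell*", "*Portscan*",
    "*Mimikatz*", "*WinCred*", "*PlugX*", "*Korplug*", "*Pwdump*", "*Chopper*",
    "*WmiExec*", "*Xscan*", "*Clearlog*", "*ASPXSpy*", "*Seatbelt*", "*sbelt*",
]
FILTERS = ["*Keygen*", "*Crack*"]


def sigma_pattern_to_regex(pattern):
    """Translate a Sigma wildcard string (* and ?) into a case-insensitive full-match regex.

    Everything except the wildcards is escaped, so '.', '/', and '(' in
    signature names are matched literally.
    """
    out = []
    for part in re.split(r"([*?])", pattern):
        if part == "*":
            out.append(".*")
        elif part == "?":
            out.append(".")
        else:
            out.append(re.escape(part))
    return re.compile("".join(out), re.IGNORECASE | re.DOTALL)


KEYWORD_RES = [(p, sigma_pattern_to_regex(p)) for p in KEYWORDS]
FILTER_RES = [(p, sigma_pattern_to_regex(p)) for p in FILTERS]


def matched_keywords(message):
    """Return the keyword patterns that match the message, in rule order (useful for triage)."""
    return [p for p, rx in KEYWORD_RES if rx.fullmatch(message)]


def matched_filters(message):
    return [p for p, rx in FILTER_RES if rx.fullmatch(message)]


def rule_matches(event):
    """Evaluate 'keywords and not 1 of filters' for one event.

    Assumption for this example: logsource service 'application' means the
    event must come from the Windows 'Application' channel.
    """
    if event.get("Channel") != "Application":
        return False
    msg = event.get("Message", "")
    return bool(matched_keywords(msg)) and not matched_filters(msg)


# Constructed sample events (not real AV log output).
SAMPLE_EVENTS = [
    {"id": 1, "Channel": "Application",
     "Message": "Windows Defender detected HackTool:Win32/Mimikatz in C:\\Users\\jdoe\\x.exe"},
    {"id": 2, "Channel": "Application",
     "Message": "Threat found: HackTool:Win32/Keygen in C:\\Downloads\\setup.exe"},
    {"id": 3, "Channel": "Application",
     "Message": "Scheduled scan completed. No threats found."},
    {"id": 4, "Channel": "Application",
     "Message": "Quarantined Backdoor.PHP.WebShell.Chopper from C:\\inetpub\\wwwroot\\a.php"},
    {"id": 5, "Channel": "System",
     "Message": "Service 'Webshell Monitor' entered the running state."},
]


def run(events=SAMPLE_EVENTS):
    """Return the ids of events the rule would alert on."""
    return [e["id"] for e in events if rule_matches(e)]


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(e["id"], rule_matches(e), matched_keywords(e["Message"]), matched_filters(e["Message"]))
    print("alerts:", run())
```

Event 2 shows the false-positive handling the rule documents: it matches `*Hacktool*` but is suppressed by the `*Keygen*` filter. Event 5 would match `*Webshell*` on its text alone but is ignored because it is not an Application-log event, which is the scoping the `logsource` block provides once a backend maps it to a channel.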