SigmaHQ/rules/windows/builtin/win_av_relevant_match.yml
Arnim Rupp d5de3fe5f9 more AV event and suspicious commands
some of the AV events are duplicates of win_av_relevant_match.yml; should we clean that up or include the strings in both?
2021-01-07 17:54:19 +01:00

title: Relevant Anti-Virus Event
id: 78bc5783-81d9-4d73-ac97-59f6db4f72a8
description: This detection method points out highly relevant Antivirus events
author: Florian Roth
date: 2017/02/19
modified: 2021/01/07
logsource:
    product: windows
    service: application
detection:
    keywords:
        Message:
            - "*HTool*"
            - "*Hacktool*"
            - "*ASP/Backdoor*"
            - "*JSP/Backdoor*"
            - "*PHP/Backdoor*"
            - "*Backdoor.ASP*"
            - "*Backdoor.JSP*"
            - "*Backdoor.PHP*"
            - "*Webshell*"
            - "*Portscan*"
            - "*Mimikatz*"
            - "*WinCred*"
            - "*PlugX*"
            - "*Korplug*"
            - "*Pwdump*"
            - "*Chopper*"
            - "*WmiExec*"
            - "*Xscan*"
            - "*Clearlog*"
            - "*ASPXSpy*"
            - "*Seatbelt*"
            - "*sbelt*"
    filters:
        Message:
            - "*Keygen*"
            - "*Crack*"
    condition: keywords and not 1 of filters
falsepositives:
    - Some software piracy tools (key generators, cracks) are classified as hack tools
level: high
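To see how the rule's `keywords and not 1 of filters` condition behaves on real-looking input, the following added example (not part of the SigmaHQ repository) re-implements the rule's matching logic in plain Python: Sigma string patterns are case-insensitive, `*` matches any run of characters and `?` one character, and the `filters` selection removes the Keygen/Crack false positives the rule documents. The keyword and filter strings are copied from the rule above; the event shape (a dict with `Channel` and `Message` keys) and the sample AV messages are constructed for this example and are not real product output.

```python
import re

# Keyword and filter patterns copied from the rule above.
KEYWORDS = [
    "*HTool*", "*Hacktool*", "*ASP/Backdoor*", "*JSP/Backdoor*", "*PHP/Backdoor*",
    "*Backdoor.ASP*", "*Backdoor.JSP*", "*Backdoor.PHP*", "*Webshell*", "*Portscan*",
    "*Mimikatz*", "*WinCred*", "*PlugX*", "*Korplug*", "*Pwdump*", "*Chopper*",
    "*WmiExec*", "*Xscan*", "*Clearlog*", "*ASPXSpy*", "*Seatbelt*", "*sbelt*",
]
FILTERS = ["*Keygen*", "*Crack*"]


def sigma_pattern_to_regex(pattern):
    """Translate a Sigma string pattern into a compiled regex.

    Sigma matching is case-insensitive and whole-field: '*' matches any run
    of characters, '?' exactly one, everything else is literal.
    """
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE | re.DOTALL)


KEYWORD_RES = [sigma_pattern_to_regex(p) for p in KEYWORDS]
FILTER_RES = [sigma_pattern_to_regex(p) for p in FILTERS]


def matches_any(message, regexes):
    return any(r.match(message) for r in regexes)


def rule_fires(event):
    """Evaluate 'keywords and not 1 of filters' for one event.

    The rule's logsource is product: windows, service: application, so events
    from any other channel are out of scope. Assumption for this example: the
    event dict carries the channel name under 'Channel'.
    """
    if event.get("Channel") != "Application":
        return False
    msg = event.get("Message", "")
    return matches_any(msg, KEYWORD_RES) and not matches_any(msg, FILTER_RES)


# Constructed sample events; the detection names are illustrative, not real AV output.
SAMPLE_EVENTS = [
    # Keyword hit (Hacktool, Mimikatz), no filter hit -> alert
    {"Channel": "Application",
     "Message": "Threat detected: HackTool:Win32/Mimikatz in C:\\Users\\a\\m.exe"},
    # Keyword hit (Hacktool) but filtered as a key generator -> no alert
    {"Channel": "Application",
     "Message": "Threat detected: HackTool:Win32/Keygen in C:\\Downloads\\kg.exe"},
    # Keyword hit (Webshell) -> alert
    {"Channel": "Application",
     "Message": "Threat detected: Backdoor:PHP/Webshell on D:\\inetpub\\x.php"},
    # Benign status message -> no alert
    {"Channel": "Application", "Message": "Scan completed. No threats found."},
    # Keyword text in a different log channel -> out of scope for this rule
    {"Channel": "Security", "Message": "Hacktool detected"},
]


def evaluate(events):
    """Return the rule's verdict for each event, in order."""
    return [rule_fires(e) for e in events]


if __name__ == "__main__":
    for event, verdict in zip(SAMPLE_EVENTS, evaluate(SAMPLE_EVENTS)):
        print("ALERT " if verdict else "ignore", event["Message"])
```

The second sample shows why the `filters` block exists: without it, a key generator classified as `HackTool` by the AV engine would trigger the high-severity alert, which is exactly the false positive the rule's `falsepositives` entry describes.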