mirror of
https://github.com/valitydev/SigmaHQ.git
synced 2024-11-08 10:13:57 +00:00
34 lines
807 B
YAML
description: Relevant Anti-Virus Event
comment: This detection method points out highly relevant Antivirus events
detection:
  selection:
    - EventLog: Application
  keywords:
    - HTool
    - Hacktool
    - ASP/Backdoor
    - JSP/Backdoor
    - PHP/Backdoor
    - Backdoor.ASP
    - Backdoor.JSP
    - Backdoor.PHP
    - Webshell
    - Portscan
    - Mimikatz
    - WinCred
    - PlugX
    - Korplug
    - Pwdump
    - Chopper
    - WmiExec
    - Xscan
    - Clearlog
    - ASPXSpy
  filters:
    - Keygen
    - Crack
  condition: selection[0] and 1 of keywords and not 1 of filters
falsepositives:
  - Some software piracy tools (key generators, cracks) are classified as hack tools
level: 70
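The condition above reads as: the event comes from the Application log, its text contains at least one of the listed keywords, and it contains none of the filter terms. The following Python is an added example, not part of the SigmaHQ rule file or any Sigma backend, that applies that logic to a few constructed Application-log events. It assumes two things the rule does not spell out: that keyword and filter matching is case-insensitive substring matching on the event message (how most Sigma backends treat bare keywords), and that an event is a dict with `EventLog` and `Message` keys. The sample events are made up for the demonstration.

```python
"""Added example: evaluate the 'Relevant Anti-Virus Event' rule logic over
constructed Windows Application-log events.

Assumptions (not stated in the rule itself):
  * matching is case-insensitive substring matching on the event message;
  * an event is a dict with 'EventLog' and 'Message' keys.
"""

KEYWORDS = [
    "HTool", "Hacktool", "ASP/Backdoor", "JSP/Backdoor", "PHP/Backdoor",
    "Backdoor.ASP", "Backdoor.JSP", "Backdoor.PHP", "Webshell", "Portscan",
    "Mimikatz", "WinCred", "PlugX", "Korplug", "Pwdump", "Chopper",
    "WmiExec", "Xscan", "Clearlog", "ASPXSpy",
]
FILTERS = ["Keygen", "Crack"]


def _contains_any(text, needles):
    """Return the needles that occur in text, ignoring case."""
    lowered = text.lower()
    return [n for n in needles if n.lower() in lowered]


def matches_rule(event):
    """True when the event satisfies
    'selection[0] and 1 of keywords and not 1 of filters'."""
    if event.get("EventLog") != "Application":          # selection[0]
        return False
    message = event.get("Message", "")
    if not _contains_any(message, KEYWORDS):            # 1 of keywords
        return False
    if _contains_any(message, FILTERS):                 # not 1 of filters
        return False
    return True


def run_detection(events):
    """Return the events that fire the rule, in input order."""
    return [e for e in events if matches_rule(e)]


# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    {"EventLog": "Application",
     "Message": "Windows Defender detected HackTool:Win32/Mimikatz in C:\\Users\\a\\m.exe"},
    {"EventLog": "Application",
     "Message": "Threat detected: Backdoor:PHP/Webshell.A in C:\\inetpub\\wwwroot\\up.php"},
    {"EventLog": "Application",
     "Message": "Threat detected: HackTool:Win32/Keygen in D:\\Downloads\\setup_keygen.exe"},
    {"EventLog": "System",
     "Message": "Mimikatz mentioned in a System-log message is outside the selection"},
    {"EventLog": "Application",
     "Message": "Scan completed, no threats found"},
]

if __name__ == "__main__":
    for hit in run_detection(SAMPLE_EVENTS):
        print("ALERT:", hit["Message"])
```

Run as a script it reports only the first two sample events: the third carries a keyword (`HackTool`) but is suppressed by the `Keygen` filter, the fourth is not from the Application log, and the fifth contains no keyword. Note that because the filters are plain substrings, any AV message that happens to contain `Crack` or `Keygen` alongside a real keyword is suppressed too, which is the price of the false-positive exclusion the rule documents.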