---
# Sigma rule: surface Windows Application-log anti-virus events whose detection
# name indicates an attacker tool rather than commodity malware.
title: Relevant Anti-Virus Event
id: 78bc5783-81d9-4d73-ac97-59f6db4f72a8
description: This detection method points out highly relevant Antivirus events
author: Florian Roth
date: 2017/02/19
modified: 2021/01/07
logsource:
  product: windows
  service: application
detection:
  # Substrings looked up in the AV event's Message field. Any one match
  # selects the event (Sigma list values are OR-ed; matching is
  # case-insensitive by default).
  keywords:
    Message|contains:
      # generic hack-tool classifications
      - 'HTool'
      - 'Hacktool'
      # web-shell / server-side backdoor families
      - 'ASP/Backdoor'
      - 'JSP/Backdoor'
      - 'PHP/Backdoor'
      - 'Backdoor.ASP'
      - 'Backdoor.JSP'
      - 'Backdoor.PHP'
      - 'Webshell'
      # network reconnaissance
      - 'Portscan'
      # credential access tooling
      - 'Mimikatz'
      - 'WinCred'
      # PlugX RAT (also reported under the name Korplug)
      - 'PlugX'
      - 'Korplug'
      - 'Pwdump'
      # web shells, lateral movement and log tampering utilities
      - 'Chopper'
      - 'WmiExec'
      - 'Xscan'
      - 'Clearlog'
      - 'ASPXSpy'
  # Piracy-related detections are excluded. Note that the whole event is
  # dropped when its Message also contains one of these, so tune this list
  # carefully: a real hack tool whose AV name happens to include "Crack"
  # would be suppressed as well.
  filter:
    Message|contains:
      - 'Keygen'
      - 'Crack'
  condition: keywords and not filter
falsepositives:
  - Some software piracy tools (key generators, cracks) are classified as hack tools
level: high