SigmaHQ/rules/windows/malware/av_exploiting.yml
2018-09-20 12:44:44 +02:00

29 lines
718 B
YAML

title: Antivirus Exploitation Framework Detection
description: Detects a highly relevant Antivirus alert that reports an exploitation framework
date: 2018/09/09
author: Florian Roth
references:
- https://www.nextron-systems.com/2018/09/08/antivirus-event-analysis-cheat-sheet-v1-4/
tags:
- attack.execution
- attack.t1203
- attack.command_and_control
- attack.t1219
logsource:
product: antivirus
detection:
selection:
Signature:
- "*MeteTool*"
- "*Meterpreter*"
- "*Metasploit*"
- "*PowerSploit*"
- "*CobaltSrike*"
condition: selection
fields:
- FileName
- User
falsepositives:
- Unlikely
level: critical