Techniques
Sample rules
Relevant Anti-Virus Signature Keywords In Application Log
- source: sigma
- technicques:
- t1588
Description
Detects potentially highly relevant antivirus events in the application log based on known virus signature names and malware keywords.
Detection logic
condition: keywords and not 1 of filter_optional_*
filter_optional_generic:
- anti_ransomware_service.exe
- Anti-Ransomware
- Crack
- cyber-protect-service.exe
- encryptor
- Keygen
filter_optional_information:
Level: 4
filter_optional_restartmanager:
Provider_Name: Microsoft-Windows-RestartManager
keywords:
- Adfind
- 'ASP/BackDoor '
- ATK/
- Backdoor.ASP
- Backdoor.Cobalt
- Backdoor.JSP
- Backdoor.PHP
- Blackworm
- Brutel
- BruteR
- Chopper
- Cobalt
- COBEACON
- Cometer
- CRYPTES
- Cryptor
- Destructor
- DumpCreds
- Exploit.Script.CVE
- FastReverseProxy
- Filecoder
- 'GrandCrab '
- HackTool
- HKTL
- HTool
- IISExchgSpawnCMD
- Impacket
- 'JSP/BackDoor '
- Keylogger
- Koadic
- Krypt
- Lazagne
- Metasploit
- Meterpreter
- MeteTool
- mikatz
- Mimikatz
- Mpreter
- MsfShell
- Nighthawk
- Packed.Generic.347
- PentestPowerShell
- Phobos
- 'PHP/BackDoor '
- Potato
- PowerSploit
- PowerSSH
- PshlSpy
- PSWTool
- PWCrack
- PWDump
- Ransom
- Rozena
- Ryzerlo
- Sbelt
- Seatbelt
- 'SecurityTool '
- SharpDump
- Shellcode
- Sliver
- Splinter
- Swrort
- Tescrypt
- TeslaCrypt
- TurtleLoader
- Valyria
- Webshell