LoFP / some software piracy tools (key generators, cracks) are classified as hack tools

Techniques

Sample rules

Relevant Anti-Virus Signature Keywords In Application Log

Description

Detects potentially highly relevant antivirus events in the application log based on known virus signature names and malware keywords.

Detection logic

condition: keywords and not 1 of filter_optional_*
filter_optional_generic:
- Keygen
- Crack
- anti_ransomware_service.exe
- cyber-protect-service.exe
filter_optional_information:
  Level: 4
filter_optional_restartmanager:
  Provider_Name: Microsoft-Windows-RestartManager
keywords:
- Adfind
- ASP/BackDoor
- ATK/
- Backdoor.ASP
- Backdoor.Cobalt
- Backdoor.JSP
- Backdoor.PHP
- Blackworm
- Brutel
- BruteR
- Chopper
- Cobalt
- COBEACON
- Cometer
- CRYPTES
- Cryptor
- Destructor
- DumpCreds
- Exploit.Script.CVE
- FastReverseProxy
- Filecoder
- GrandCrab
- HackTool
- 'HKTL:'
- HKTL.
- HKTL/
- HTool
- IISExchgSpawnCMD
- Impacket
- JSP/BackDoor
- Keylogger
- Koadic
- Krypt
- Lazagne
- Metasploit
- Meterpreter
- MeteTool
- Mimikatz
- Mpreter
- Nighthawk
- Packed.Generic.347
- PentestPowerShell
- Phobos
- PHP/BackDoor
- PowerSploit
- PowerSSH
- PshlSpy
- PSWTool
- PWCrack
- PWDump
- Ransom
- Rozena
- Ryzerlo
- Sbelt
- Seatbelt
- SecurityTool
- SharpDump
- Sliver
- Splinter
- Swrort
- Tescrypt
- TeslaCrypt
- Valyria
- Webshell
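The rule's detection logic, re-implemented as an added example (not part of the LoFP entry or of the Sigma rule) and run over constructed Application-log events, to show how the `filter_optional_*` filters remove hits such as the key generator / crack detections this entry records as false positives. `ExampleAV` is a placeholder provider name, the keyword list is a subset of the rule's, and the events are constructed.

```python
# Added example: minimal re-implementation of the Sigma rule's detection block.
# Subset of the rule's keyword list, kept short for readability.
KEYWORDS = ["HackTool", "HKTL:", "Mimikatz", "Meterpreter", "Ransom", "Cobalt", "Webshell"]
# filter_optional_generic from the rule: piracy-tool and vendor-service strings.
FILTER_GENERIC = ["Keygen", "Crack", "anti_ransomware_service.exe", "cyber-protect-service.exe"]

def event_text(event: dict) -> str:
    """Sigma keyword searches are unbound: match anywhere in the event, case-insensitively."""
    return " ".join(str(v) for v in event.values()).lower()

def contains_any(event: dict, terms) -> bool:
    text = event_text(event)
    return any(term.lower() in text for term in terms)

def filter_optional_generic(event: dict) -> bool:
    return contains_any(event, FILTER_GENERIC)

def filter_optional_information(event: dict) -> bool:
    return str(event.get("Level")) == "4"          # Level 4 = Information

def filter_optional_restartmanager(event: dict) -> bool:
    return event.get("Provider_Name") == "Microsoft-Windows-RestartManager"

FILTERS = (filter_optional_generic, filter_optional_information, filter_optional_restartmanager)

def rule_matches(event: dict) -> bool:
    """condition: keywords and not 1 of filter_optional_*"""
    return contains_any(event, KEYWORDS) and not any(f(event) for f in FILTERS)

def evaluate(events) -> list:
    """Return the EventRecordIDs of events that survive the condition."""
    return [e["EventRecordID"] for e in events if rule_matches(e)]

# Constructed sample events; "ExampleAV" is a placeholder vendor, not a real provider.
SAMPLE_EVENTS = [
    {"EventRecordID": 1, "Provider_Name": "ExampleAV", "Level": 2,
     "Message": "Threat detected: HackTool.Win32.Mimikatz in C:\\Users\\Public\\m.exe"},
    {"EventRecordID": 2, "Provider_Name": "ExampleAV", "Level": 2,   # the LoFP case: Keygen filter
     "Message": "Threat detected: HackTool.Win32.Keygen in D:\\setup\\keygen.exe"},
    {"EventRecordID": 3, "Provider_Name": "ExampleAV", "Level": 4,   # informational, Level 4 filter
     "Message": "Ransomware protection module updated successfully"},
    {"EventRecordID": 4, "Provider_Name": "Microsoft-Windows-RestartManager", "Level": 2,
     "Message": "Application 'Cobalt.exe' (pid 4242) is being shut down for an update"},
    {"EventRecordID": 5, "Provider_Name": "ExampleAV", "Level": 2,   # no keyword at all
     "Message": "Scheduled scan completed, no threats found"},
]

if __name__ == "__main__":
    print("alerting EventRecordIDs:", evaluate(SAMPLE_EVENTS))   # [1]
```

Only record 1 alerts: records 2 to 4 each contain a rule keyword but are dropped by exactly one optional filter, which is the behaviour that turns the key-generator detection into a suppressed false positive rather than an alert.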