sigmaDRL-1.1from SigmaHQ/sigma
Antivirus Exploitation Framework Detection
Detects a highly relevant Antivirus alert that reports an exploitation framework. This event must not be ignored just because the AV has blocked the malware but investigate, how it came there in the first place.
Quality
100
FP risk
—
Forks
0
Views
0
Rule sourcerules/category/antivirus/av_exploiting.yml
title: Antivirus Exploitation Framework Detection
id: 238527ad-3c2c-4e4f-a1f6-92fd63adb864
status: stable
description: |
Detects a highly relevant Antivirus alert that reports an exploitation framework.
This event must not be ignored just because the AV has blocked the malware but investigate, how it came there in the first place.
references:
- https://www.nextron-systems.com/?s=antivirus
- https://www.virustotal.com/gui/file/925b0b28472d4d79b4bf92050e38cc2b8f722691c713fc28743ac38551bc3797
- https://www.virustotal.com/gui/file/8f8daabe1c8ceb5710949283818e16c4aa8059bf2ce345e2f2c90b8692978424
- https://www.virustotal.com/gui/file/d9669f7e3eb3a9cdf6a750eeb2ba303b5ae148a43e36546896f1d1801e912466
author: Florian Roth (Nextron Systems), Arnim Rupp
date: 2018-09-09
modified: 2024-11-02
tags:
- attack.execution
- attack.t1203
- attack.command-and-control
- attack.t1219.002
logsource:
category: antivirus
detection:
selection:
Signature|contains:
- 'Backdoor.Cobalt'
- 'Brutel'
- 'BruteR'
- 'CobaltStr'
- 'CobaltStrike'
- 'COBEACON'
- 'Cometer'
- 'Exploit.Script.CVE'
- 'IISExchgSpawnCMD'
- 'Metasploit'
- 'Meterpreter'
- 'MeteTool'
- 'Mpreter'
- 'MsfShell'
- 'PowerSploit'
- 'Razy'
- 'Rozena'
- 'Sbelt'
- 'Seatbelt'
- 'Sliver'
- 'Swrort'
condition: selection
falsepositives:
- Unlikely
level: critical