Phoenix
Sigma IntelligenceBeta
Back to Rules
Detectionhightest

Relevant Anti-Virus Signature Keywords In Application Log

Detects potentially highly relevant antivirus events in the application log based on known virus signature names and malware keywords.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
Florian Roth (Nextron Systems), Arnim RuppCreated Sun Feb 19Updated Wed Dec 2578bc5783-81d9-4d73-ac97-59f6db4f72a8windows
Log Source
Windowsapplication
ProductWindows← raw: windows
Serviceapplication← raw: application
Detection Logic
Detection Logic4 selectors
detection:
    keywords:
        - 'Adfind'
        - 'ASP/BackDoor '
        - 'ATK/'
        - 'Backdoor.ASP'
        - 'Backdoor.Cobalt'
        - 'Backdoor.JSP'
        - 'Backdoor.PHP'
        - 'Blackworm'
        - 'Brutel'
        - 'BruteR'
        - 'Chopper'
        - 'Cobalt'
        - 'COBEACON'
        - 'Cometer'
        - 'CRYPTES'
        - 'Cryptor'
        - 'Destructor'
        - 'DumpCreds'
        - 'Exploit.Script.CVE'
        - 'FastReverseProxy'
        - 'Filecoder'
        - 'GrandCrab '
        - 'HackTool'
        - 'HKTL'
        - 'HTool-'
        - '/HTool'
        - '.HTool'
        - 'IISExchgSpawnCMD'
        - 'Impacket'
        - 'JSP/BackDoor '
        - 'Keylogger'
        - 'Koadic'
        - 'Krypt'
        - 'Lazagne'
        - 'Metasploit'
        - 'Meterpreter'
        - 'MeteTool'
        - 'mikatz'
        - 'Mimikatz'
        - 'Mpreter'
        - 'MsfShell'
        - 'Nighthawk'
        - 'Packed.Generic.347'
        - 'PentestPowerShell'
        - 'Phobos'
        - 'PHP/BackDoor '
        - 'Potato'
        - 'PowerSploit'
        - 'PowerSSH'
        - 'PshlSpy'
        - 'PSWTool'
        - 'PWCrack'
        - 'PWDump'
        - 'Ransom'
        - 'Rozena'
        - 'Ryzerlo'
        - 'Sbelt'
        - 'Seatbelt'
        - 'SecurityTool '
        - 'SharpDump'
        - 'Shellcode'
        - 'Sliver'
        - 'Splinter'
        - 'Swrort'
        - 'Tescrypt'
        - 'TeslaCrypt'
        - 'TurtleLoader'
        - 'Valyria'
        - 'Webshell'
        # - 'FRP.'
        # - 'Locker'
        # - 'PWS.'
        # - 'PWSX'
        # - 'Razy'
        # - 'Ryuk'
    filter_optional_generic:
        - 'anti_ransomware_service.exe'
        - 'Anti-Ransomware'
        - 'Crack'
        - 'cyber-protect-service.exe'
        - 'encryptor'
        - 'Keygen'
    filter_optional_information:
        Level: 4  # Information level
    filter_optional_restartmanager:
        Provider_Name: 'Microsoft-Windows-RestartManager'
    condition: keywords and not 1 of filter_optional_*
False Positives

Some software piracy tools (key generators, cracks) are classified as hack tools

References
1
Resolving title…
virustotal.com
2
Resolving title…
virustotal.com
3
Resolving title…
virustotal.com
4
Resolving title…
nextron-systems.com
MITRE ATT&CK
Rule Metadata
Rule ID
78bc5783-81d9-4d73-ac97-59f6db4f72a8
Status
test
Level
high
Type
Detection
Created
Sun Feb 19
Modified
Wed Dec 25
Author
Florian Roth (Nextron Systems), Arnim Rupp
Path
rules/windows/builtin/application/Other/win_av_relevant_match.yml
Raw Tags
attack.resource-developmentattack.t1588
View on GitHub