Merge PR SigmaHQ#5068 from @ruppde - Update rules in the Antivirus ca…

…tegory with additional strings and signature names update: Antivirus Hacktool Detection - Add additional hacktools signature names. update: Antivirus Password Dumper Detection - Add additional password dumpers such as "DumpPert", "Lazagne", "pypykatz", etc. update: Antivirus Ransomware Detection - Add additional ransomware signature names. fix: Antivirus Relevant File Paths Alerts - Remove the path "\Client" as it is too generic for a detection rule. fix: Antivirus Web Shell Detection - Removed overlapping strings "ASP/Agent", "PHP/Agent", "JSP/Agent". --------- Co-authored-by: nasbench <[email protected]>
Ant3at5r · Nov 4, 2024 · 243003c · 243003c
1 parent cfa6d8a
commit 243003c
Show file tree

Hide file tree

Showing 6 changed files with 63 additions and 22 deletions.
diff --git a/rules/category/antivirus/av_exploiting.yml b/rules/category/antivirus/av_exploiting.yml
@@ -1,15 +1,17 @@
 title: Antivirus Exploitation Framework Detection
 id: 238527ad-3c2c-4e4f-a1f6-92fd63adb864
 status: stable
-description: Detects a highly relevant Antivirus alert that reports an exploitation framework.
+description: |
+    Detects a highly relevant Antivirus alert that reports an exploitation framework.
+    This event must not be ignored just because the AV has blocked the malware but investigate, how it came there in the first place.
 references:
     - https://www.nextron-systems.com/?s=antivirus
     - https://www.virustotal.com/gui/file/925b0b28472d4d79b4bf92050e38cc2b8f722691c713fc28743ac38551bc3797
     - https://www.virustotal.com/gui/file/8f8daabe1c8ceb5710949283818e16c4aa8059bf2ce345e2f2c90b8692978424
     - https://www.virustotal.com/gui/file/d9669f7e3eb3a9cdf6a750eeb2ba303b5ae148a43e36546896f1d1801e912466
 author: Florian Roth (Nextron Systems), Arnim Rupp
 date: 2018-09-09
-modified: 2024-07-17
+modified: 2024-11-02
 tags:
     - attack.execution
     - attack.t1203

diff --git a/rules/category/antivirus/av_hacktool.yml b/rules/category/antivirus/av_hacktool.yml
@@ -1,13 +1,15 @@
 title: Antivirus Hacktool Detection
 id: fa0c05b6-8ad3-468d-8231-c1cbccb64fba
 status: stable
-description: Detects a highly relevant Antivirus alert that reports a hack tool or other attack tool.
+description: |
+    Detects a highly relevant Antivirus alert that reports a hack tool or other attack tool.
+    This event must not be ignored just because the AV has blocked the malware but investigate, how it came there in the first place.
 references:
     - https://www.nextron-systems.com/2021/08/16/antivirus-event-analysis-cheat-sheet-v1-8-2/
     - https://www.nextron-systems.com/?s=antivirus
 author: Florian Roth (Nextron Systems), Arnim Rupp
 date: 2021-08-16
-modified: 2024-07-17
+modified: 2024-11-02
 tags:
     - attack.execution
     - attack.t1204
@@ -16,8 +18,7 @@ logsource:
 detection:
     selection:
         - Signature|startswith:
-              - 'Adfind'
-              - 'ATK/'
+              - 'ATK/'  # Sophos
               - 'Exploit.Script.CVE'
               - 'HKTL'
               - 'HTOOL'
@@ -27,7 +28,6 @@ detection:
               # - 'FRP.'
         - Signature|contains:
               - 'Adfind'
-              - 'ATK/'  # Sophos
               - 'Brutel'
               - 'BruteR'
               - 'Cobalt'
@@ -36,10 +36,10 @@ detection:
               - 'DumpCreds'
               - 'FastReverseProxy'
               - 'Hacktool'
+              - 'Havoc'
               - 'Impacket'
               - 'Keylogger'
               - 'Koadic'
-              - 'Lazagne'
               - 'Mimikatz'
               - 'Nighthawk'
               - 'PentestPowerShell'
@@ -51,12 +51,16 @@ detection:
               - 'PWCrack'
               - 'PWDump'
               - 'Rozena'
+              - 'Rusthound'
               - 'Sbelt'
               - 'Seatbelt'
               - 'SecurityTool'
               - 'SharpDump'
+              - 'SharpHound'
               - 'Shellcode'
               - 'Sliver'
+              - 'Snaffler'
+              - 'SOAPHound'
               - 'Splinter'
               - 'Swrort'
               - 'TurtleLoader'

diff --git a/rules/category/antivirus/av_password_dumper.yml b/rules/category/antivirus/av_password_dumper.yml
@@ -1,14 +1,16 @@
 title: Antivirus Password Dumper Detection
 id: 78cc2dd2-7d20-4d32-93ff-057084c38b93
 status: stable
-description: Detects a highly relevant Antivirus alert that reports a password dumper.
+description: |
+    Detects a highly relevant Antivirus alert that reports a password dumper.
+    This event must not be ignored just because the AV has blocked the malware but investigate, how it came there in the first place.
 references:
     - https://www.nextron-systems.com/?s=antivirus
     - https://www.virustotal.com/gui/file/5fcda49ee7f202559a6cbbb34edb65c33c9a1e0bde9fa2af06a6f11b55ded619
     - https://www.virustotal.com/gui/file/a4edfbd42595d5bddb442c82a02cf0aaa10893c1bf79ea08b9ce576f82749448
-author: Florian Roth (Nextron Systems)
+author: Florian Roth (Nextron Systems), Arnim Rupp
 date: 2018-09-09
-modified: 2024-10-08
+modified: 2024-11-02
 tags:
     - attack.credential-access
     - attack.t1003
@@ -21,23 +23,37 @@ detection:
     selection:
         - Signature|startswith: 'PWS'
         - Signature|contains:
+              - 'Certify'
               - 'DCSync'
               - 'DumpCreds'
               - 'DumpLsass'
+              - 'DumpPert'
               - 'HTool/WCE'
               - 'Kekeo'
+              - 'Lazagne'
               - 'LsassDump'
               - 'Mimikatz'
+              - 'MultiDump'
+              - 'Nanodump'
+              - 'NativeDump'
               - 'Outflank'
               - 'PShlSpy'
               - 'PSWTool'
               - 'PWCrack'
               - 'PWDump'
               - 'PWS.'
               - 'PWSX'
+              - 'pypykatz'
               - 'Rubeus'
+              - 'SafetyKatz'
               - 'SecurityTool'
+              - 'SharpChrome'
+              - 'SharpDPAPI'
               - 'SharpDump'
+              - 'SharpKatz'
+              - 'SharpS.' # Sharpsploit, e.g. 530ea2ff9049f5dfdfa0a2e9c27c2e3c0685eb6cbdf85370c20a7bfae49f592d
+              - 'ShpKatz'
+              - 'TrickDump'
     condition: selection
 falsepositives:
     - Unlikely

diff --git a/rules/category/antivirus/av_ransomware.yml b/rules/category/antivirus/av_ransomware.yml
@@ -1,17 +1,20 @@
 title: Antivirus Ransomware Detection
 id: 4c6ca276-d4d0-4a8c-9e4c-d69832f8671f
 status: test
-description: Detects a highly relevant Antivirus alert that reports ransomware.
+description: |
+    Detects a highly relevant Antivirus alert that reports ransomware.
+    This event must not be ignored just because the AV has blocked the malware but investigate, how it came there in the first place.
 references:
     - https://www.nextron-systems.com/?s=antivirus
     - https://www.virustotal.com/gui/file/43b0f7872900bd234975a0877744554f4f355dc57505517abd1ef611e1ce6916
     - https://www.virustotal.com/gui/file/c312c05ddbd227cbb08958876df2b69d0f7c1b09e5689eb9d93c5b357f63eff7
     - https://www.virustotal.com/gui/file/20179093c59bca3acc6ce9a4281e8462f577ffd29fd7bf51cf2a70d106062045
     - https://www.virustotal.com/gui/file/554db97ea82f17eba516e6a6fdb9dc04b1d25580a1eb8cb755eeb260ad0bd61d
     - https://www.virustotal.com/gui/file/69fe77dd558e281621418980040e2af89a2547d377d0f2875502005ce22bc95c
+    - https://www.virustotal.com/gui/file/6f0f20da34396166df352bf301b3c59ef42b0bc67f52af3d541b0161c47ede05
 author: Florian Roth (Nextron Systems), Arnim Rupp
 date: 2022-05-12
-modified: 2023-02-03
+modified: 2024-11-02
 tags:
     - attack.t1486
 logsource:
@@ -20,21 +23,34 @@ detection:
     selection:
         Signature|contains:
             - 'BlackWorm'
+            - 'Chaos'
+            - 'Cobra'
+            - 'ContiCrypt'
             - 'Crypter'
             - 'CRYPTES'
             - 'Cryptor'
+            - 'CylanCrypt'
+            - 'DelShad'
             - 'Destructor'
             - 'Filecoder'
             - 'GandCrab'
             - 'GrandCrab'
+            - 'Haperlock'
+            - 'Hiddentear'
+            - 'HydraCrypt'
             - 'Krypt'
+            - 'Lockbit'
             - 'Locker'
+            - 'Mallox'
             - 'Phobos'
             - 'Ransom'
             - 'Ryuk'
             - 'Ryzerlo'
+            - 'Stopcrypt'
             - 'Tescrypt'
             - 'TeslaCrypt'
+            - 'WannaCry'
+            - 'Xorist'
     condition: selection
 falsepositives:
     - Unlikely

diff --git a/rules/category/antivirus/av_relevant_files.yml b/rules/category/antivirus/av_relevant_files.yml
@@ -1,12 +1,14 @@
 title: Antivirus Relevant File Paths Alerts
 id: c9a88268-0047-4824-ba6e-4d81ce0b907c
 status: test
-description: Detects an Antivirus alert in a highly relevant file path or with a relevant file name.
+description: |
+    Detects an Antivirus alert in a highly relevant file path or with a relevant file name.
+    This event must not be ignored just because the AV has blocked the malware but investigate, how it came there in the first place.
 references:
     - https://www.nextron-systems.com/?s=antivirus
 author: Florian Roth (Nextron Systems), Arnim Rupp
 date: 2018-09-09
-modified: 2024-07-17
+modified: 2024-11-02
 tags:
     - attack.resource-development
     - attack.t1588
@@ -21,7 +23,7 @@ detection:
             - ':\Users\Public\'
             - ':\Windows\'
             - '/www/'
-            - '\Client\'
+            # - '\Client\'
             - '\inetpub\'
             - '\tsclient\'
             - 'apache'

diff --git a/rules/category/antivirus/av_webshell.yml b/rules/category/antivirus/av_webshell.yml
@@ -4,6 +4,7 @@ status: test
 description: |
     Detects a highly relevant Antivirus alert that reports a web shell.
     It's highly recommended to tune this rule to the specific strings used by your anti virus solution by downloading a big WebShell repository from e.g. github and checking the matches.
+    This event must not be ignored just because the AV has blocked the malware but investigate, how it came there in the first place.
 references:
     - https://www.nextron-systems.com/?s=antivirus
     - https://github.com/tennc/webshell
@@ -17,7 +18,7 @@ references:
     - https://www.virustotal.com/gui/file/13ae8bfbc02254b389ab052aba5e1ba169b16a399d9bc4cb7414c4a73cd7dc78/detection
 author: Florian Roth (Nextron Systems), Arnim Rupp
 date: 2018-09-09
-modified: 2024-07-17
+modified: 2024-11-02
 tags:
     - attack.persistence
     - attack.t1505.003
@@ -35,13 +36,13 @@ detection:
               - 'Troj/ASP'
               - 'Troj/JSP'
               - 'Troj/PHP'
-              - 'VBS/Uxor' # looking for 'VBS/' would also find downloaders and droppers meant for desktops
+              - 'VBS/Uxor' # looking for 'VBS/' would also find downloader's and droppers meant for desktops
         - Signature|contains:
-              - 'ASP_' # looking for 'VBS_' would also find downloaders and droppers meant for desktops
+              - 'ASP_' # looking for 'VBS_' would also find downloader's and droppers meant for desktops
               - 'ASP:'
               - 'ASP.Agent'
               - 'ASP/'
-              - 'ASP/Agent'
+              # - 'ASP/Agent'
               - 'Aspdoor'
               - 'ASPXSpy'
               - 'Backdoor.ASP'
@@ -61,14 +62,14 @@ detection:
               - 'JSP:'
               - 'JSP.Agent'
               - 'JSP/'
-              - 'JSP/Agent'
+              # - 'JSP/Agent'
               - 'Perl:'
               - 'Perl/'
               - 'PHP_'
               - 'PHP:'
               - 'PHP.Agent'
               - 'PHP/'
-              - 'PHP/Agent'
+              # - 'PHP/Agent'
               - 'PHPShell'
               - 'PShlSpy'
               - 'SinoChoper'