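---
# Sigma detection rule: raise a critical alert when an antivirus event's
# Signature field contains the name of a known post-exploitation / C2
# framework (Metasploit, Cobalt Strike, PowerSploit, Sliver, ...).
# The rendered listing had lost all nesting indentation, which would make
# `category`, `selection`, `Signature|contains` and the list items parse as
# unrelated top-level keys; the structure below restores the Sigma layout.
title: Antivirus Exploitation Framework Detection
# Stable rule identifier; keep it unchanged when the rule is edited.
id: 238527ad-3c2c-4e4f-a1f6-92fd63adb864
status: stable
description: Detects a highly relevant Antivirus alert that reports an exploitation framework
references:
    - https://www.nextron-systems.com/?s=antivirus
    - https://www.virustotal.com/gui/file/925b0b28472d4d79b4bf92050e38cc2b8f722691c713fc28743ac38551bc3797
    - https://www.virustotal.com/gui/file/8f8daabe1c8ceb5710949283818e16c4aa8059bf2ce345e2f2c90b8692978424
    - https://www.virustotal.com/gui/file/d9669f7e3eb3a9cdf6a750eeb2ba303b5ae148a43e36546896f1d1801e912466
author: Florian Roth (Nextron Systems), Arnim Rupp
# Slash-separated dates are plain strings to a YAML parser, not timestamps;
# tooling that expects a date type must parse them itself.
date: 2018/09/09
modified: 2023/01/13
tags:
    - attack.execution
    - attack.t1203
    - attack.command_and_control
    - attack.t1219
logsource:
    # Applies to the generic antivirus log category, independent of vendor.
    category: antivirus
detection:
    selection:
        # Substring match on the AV signature name (Sigma string matching is
        # case-insensitive by default). Each entry is a fragment of a
        # vendor signature name for an exploitation/C2 framework.
        # NOTE(review): short fragments such as 'Razy', 'Sbelt', 'BruteR'
        # and 'Brutel', and the generic 'Exploit.Script.CVE', may also hit
        # unrelated signature names in some vendors' naming schemes —
        # confirm against the deployed AV product before relying on
        # the 'critical' level without analyst triage.
        Signature|contains:
            - 'MeteTool'
            - 'MPreter'
            - 'Meterpreter'
            - 'Metasploit'
            - 'PowerSploit'
            - 'CobaltStrike'
            - 'BruteR'
            - 'Brutel'
            - 'Swrort'
            - 'Rozena'
            - 'Backdoor.Cobalt'
            - 'CobaltStr'
            - 'COBEACON'
            - 'Cometer'
            - 'Razy'
            - 'IISExchgSpawnCMD'
            - 'Exploit.Script.CVE'
            - 'Seatbelt'
            - 'Sbelt'
            - 'Sliver'
    # The rule fires on any single matching signature; no exclusions.
    condition: selection
# Event fields to surface with the alert for triage.
fields:
    - FileName
    - User
falsepositives:
    - Unlikely
level: critical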