title: Antivirus Exploitation Framework Detection
id: 238527ad-3c2c-4e4f-a1f6-92fd63adb864
status: test
description: Detects a highly relevant Antivirus alert that reports an exploitation framework
author: Florian Roth
references:
  - https://www.nextron-systems.com/2018/09/08/antivirus-event-analysis-cheat-sheet-v1-4/
date: 2018/09/09
modified: 2022/05/12
logsource:
  category: antivirus
detection:
  selection:
    Signature|contains:
      - 'MeteTool'
      - 'MPreter'
      - 'Meterpreter'
      - 'Metasploit'
      - 'PowerSploit'
      - 'CobaltStrike'
      - 'Swrort'
      - 'Rozena'
      - 'Backdoor.Cobalt'
      - 'CobaltStr'
      - 'COBEACON'
      - 'Cometer'
      - 'Razy'
      - 'IISExchgSpawnCMD'
      - 'Exploit.Script.CVE'
  condition: selection
fields:
  - FileName
  - User
falsepositives:
  - Unlikely
level: critical
tags:
  - attack.execution
  - attack.t1203
  - attack.command_and_control
  - attack.t1219