title: Antivirus Hacktool Detection
id: fa0c05b6-8ad3-468d-8231-c1cbccb64fba
description: Detects a highly relevant Antivirus alert that reports a hack tool or other attack tool
status: experimental
date: 2021/08/16
author: Florian Roth
references:
    - https://www.nextron-systems.com/2021/08/16/antivirus-event-analysis-cheat-sheet-v1-8-2/
logsource:
    category: antivirus
detection:
    selection:
        - Signature|startswith:
            - 'HTOOL'
            - 'HKTL'
            - 'SecurityTool'
            - 'ATK/'  # Sophos
        - Signature|contains:
            - 'Hacktool'
    condition: selection
fields:
    - FileName
    - User
falsepositives:
    - Unlikely
level: high
tags:
    - attack.execution
    - attack.t1204
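The following Python is an added example, not part of the rule above: it evaluates the rule's `selection` (two list items joined by OR, each value list also OR-ed, matched case-insensitively as Sigma does by default) against constructed antivirus events and extracts the rule's `fields` for triage. The event dictionaries and signature strings are constructed for the example.

```python
"""Evaluate the Sigma 'selection' of the Antivirus Hacktool Detection
rule against constructed antivirus events (added example, not part of
the rule). Sigma string modifiers match case-insensitively by default,
so both sides are lowercased before comparison."""

# Values copied from the rule's selection.
STARTSWITH_PREFIXES = ("HTOOL", "HKTL", "SecurityTool", "ATK/")
CONTAINS_TERMS = ("Hacktool",)


def matches_hacktool_rule(event: dict) -> bool:
    """Return True when the event satisfies the rule's selection.

    The selection is a list of two maps, which Sigma joins with OR;
    the value list under each modifier is OR-ed as well.
    """
    signature = event.get("Signature")
    if not isinstance(signature, str):
        return False  # no Signature field, so nothing to compare against
    sig = signature.lower()
    if any(sig.startswith(p.lower()) for p in STARTSWITH_PREFIXES):
        return True
    return any(t.lower() in sig for t in CONTAINS_TERMS)


def triage_fields(event: dict) -> dict:
    """Pull the rule's 'fields' (FileName, User) out of a matching event;
    absent values are reported as None rather than dropped."""
    return {name: event.get(name) for name in ("FileName", "User")}


# Constructed antivirus events (not real telemetry). Only the first three
# match: the fourth is an unrelated detection and the fifth has
# 'securitytool' in the middle of the name, which 'startswith' ignores.
SAMPLE_EVENTS = [
    {"Signature": "HKTL_Generic", "FileName": "C:\\Temp\\a.exe", "User": "CORP\\alice"},
    {"Signature": "ATK/Generic-A", "FileName": "C:\\Temp\\b.exe", "User": "CORP\\bob"},
    {"Signature": "Win32/Hacktool.Gen", "FileName": "C:\\Temp\\c.exe", "User": "CORP\\carol"},
    {"Signature": "Trojan.Generic.123", "FileName": "C:\\Temp\\d.exe", "User": "CORP\\dave"},
    {"Signature": "PUA/securitytool.Gen", "FileName": "C:\\Temp\\e.exe", "User": "CORP\\erin"},
    {"FileName": "C:\\Temp\\f.exe", "User": "CORP\\frank"},  # no Signature at all
]


def run(events=SAMPLE_EVENTS):
    """Apply the rule and return one triage record per matching event."""
    return [dict(Signature=e["Signature"], **triage_fields(e))
            for e in events if matches_hacktool_rule(e)]


if __name__ == "__main__":
    for hit in run():
        print(hit)
```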