title: Relevant Anti-Virus Event
id: 78bc5783-81d9-4d73-ac97-59f6db4f72a8
description: This detection method points out highly relevant Antivirus events
status: experimental
author: Florian Roth, Arnim Rupp
date: 2017/02/19
modified: 2022/05/12
logsource:
    product: windows
    service: application
references:
    - https://www.virustotal.com/gui/file/13828b390d5f58b002e808c2c4f02fdd920e236cc8015480fa33b6c1a9300e31
    - https://www.virustotal.com/gui/file/15b57c1b68cd6ce3c161042e0f3be9f32d78151fe95461eedc59a79fc222c7ed
    - https://www.virustotal.com/gui/file/5092b2672b4cb87a8dd1c2e6047b487b95995ad8ed5e9fc217f46b8bfb1b8c01
detection:
    keywords:
        - 'HTool-'
        - 'Hacktool'
        - 'ASP/Backdoor'
        - 'JSP/Backdoor'
        - 'PHP/Backdoor'
        - 'Backdoor.ASP'
        - 'Backdoor.JSP'
        - 'Backdoor.PHP'
        - 'Webshell'
        - 'Portscan'
        - 'Mimikatz'
        - '.WinCred.'  # . are needed to avoid false positives with many other strings
        - 'PlugX'
        - 'Korplug'
        - 'Pwdump'
        - 'Chopper'
        - 'WmiExec'
        - 'Xscan'
        - 'Clearlog'
        - 'ASPXSpy'
        - 'Ransom'
        - 'Filecoder'
        - 'CobaltStr'
        # Update 12.05.22
        - 'PWCrack'
        - 'DumpCreds'
        - 'MPreter'
        - 'Koadic'
        - 'Packed.Generic.347'
        - 'COBEACON'
        - 'Cometer'
        - 'Keylogger'
        - 'MeteTool'
    filter:
        - 'Keygen'
        - 'Crack'
        - 'anti_ransomware_service.exe'
        - 'cyber-protect-service.exe'
    filter_information:
        Level: 4  # Information level
    condition: keywords and not 1 of filter*
falsepositives:
    - Some software piracy tools (key generators, cracks) are classified as hack tools
level: high
tags:
    - attack.resource_development
    - attack.t1588