diff --git a/rules/category/antivirus/av_advanced_persistent_threat.yml b/rules/category/antivirus/av_advanced_persistent_threat.yml
new file mode 100644
index 00000000000..9a86c73c8a8
--- /dev/null
+++ b/rules/category/antivirus/av_advanced_persistent_threat.yml
@@ -0,0 +1,85 @@
+title: Antivirus APT Malware
+id: 101a1877-2cf4-474d-abfd-7f6ac4788d1a
+status: experimental
+description: |
+ Detects a highly relevant Antivirus alert that reports APT malware.
+ This event must not be ignored just because the AV has blocked the malware but investigate, how it came there in the first place.
+references:
+ - https://www.nextron-systems.com/?s=antivirus
+author: Arnim Rupp (Nextron Systems)
+date: 2026-06-15
+tags:
+ - attack.execution
+ - attack.t1203
+ - attack.command-and-control
+ - attack.t1219.002
+logsource:
+ category: antivirus
+detection:
+ selection:
+ - Signature|re:
+ - 'APT\d'
+ - 'ATK\d'
+ - 'UNC\d'
+ - 'UAC\d'
+ - Signature|contains:
+ - "[APT]"
+ - 'APT_'
+ - 'APT-'
+ - 'BackOrder'
+ - 'BlindingCan'
+ - 'Blizzard'
+ - 'Chollima'
+ - 'Cleaver'
+ - 'Cobra'
+ - 'DarkHotel'
+ - 'Dragon'
+ - 'DTrack'
+ - 'Equation'
+ - 'GiftedCrook'
+ - 'GraphSteel'
+ - 'GreyEnergy'
+ - 'GEnergy'
+ - 'GrimPlant'
+ - 'Hydra'
+ - 'Jackal'
+ - 'Kitten'
+ - 'Kimsuky'
+ - 'Lazar' # Lazarus
+ - 'LightRail'
+ - 'Lotus'
+ - 'Luminous'
+ - 'LumiMoth'
+ - 'Nimbus'
+ - 'Manticore'
+ - 'MiniBike'
+ - 'MiniBrowse'
+ - 'MiniBus'
+ - 'MiniFast'
+ - 'MiniJuke'
+ - 'MiniUpdate'
+ - 'MuddyWater'
+ - 'NukeSped'
+ - 'OilRig'
+ - 'Panda'
+ - 'Sandstorm'
+ - 'SandWorm'
+ - 'Seamonkey'
+ - 'Sleet'
+ - 'SlugResin'
+ - 'SnailResin'
+ - 'Snake'
+ - 'Tempest'
+ - 'Tsunami'
+ - 'Turla'
+ - 'Typhoon'
+ - 'UAC_'
+ - 'UAC-'
+ - 'UNC_'
+ - 'UNC-'
+ - 'VinoSiren'
+ - 'Winnti'
+ condition: selection
+falsepositives:
+ - Unlikely
+level: critical
diff --git a/rules/category/antivirus/av_exploiting.yml b/rules/category/antivirus/av_exploiting.yml
index ab6e083e3e1..e884edfac19 100644
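Review bot: Several `Signature|contains` entries in the new rule are single common words — 'Cobra', 'Dragon', 'Hydra', 'Lotus', 'Panda', 'Snake', 'Tsunami' — that also occur in commodity-malware and hacktool signature names (e.g. Snake keylogger, THC-Hydra, the Linux Tsunami IRC bot, the Panda banking trojan), so a `level: critical` APT alert will fire on non-APT detections while `falsepositives` says Unlikely. 'Cobra' is additionally already matched by av_ransomware.yml in this same commit, so one AV event can raise two critical alerts. Consider anchoring the generic names with the prefix or suffix the vendor actually emits, or at least naming them under falsepositives. The tags (attack.t1203, attack.t1219.002) are identical to the new remote-access rule and look copied; t1219.002 (Remote Desktop Software) does not describe APT malware, so confirm the intended mapping rather than inheriting it.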
--- a/rules/category/antivirus/av_exploiting.yml
+++ b/rules/category/antivirus/av_exploiting.yml
@@ -11,7 +11,7 @@ references:
 - https://www.virustotal.com/gui/file/d9669f7e3eb3a9cdf6a750eeb2ba303b5ae148a43e36546896f1d1801e912466
 author: Florian Roth (Nextron Systems), Arnim Rupp
 date: 2018-09-09
-modified: 2024-11-02
+modified: 2026-06-15
 tags:
 - attack.execution
 - attack.t1203
@@ -22,11 +22,14 @@ logsource:
 detection:
 selection:
 Signature|contains:
+ - 'ATK/Cobalt'
 - 'Backdoor.Cobalt'
+ - 'Beacon'
 - 'Brutel'
 - 'BruteR'
+ - 'CbltStr'
 - 'CobaltStr'
- - 'CobaltStrike'
+ - 'COBALT.SMD'
 - 'COBEACON'
 - 'Cometer'
 - 'Exploit.Script.CVE'
diff --git a/rules/category/antivirus/av_hacktool.yml b/rules/category/antivirus/av_hacktool.yml
index 851c5a18bc1..9eade1bf0d7 100644
--- a/rules/category/antivirus/av_hacktool.yml
+++ b/rules/category/antivirus/av_hacktool.yml
@@ -9,7 +9,7 @@ references:
 - https://www.nextron-systems.com/?s=antivirus
 author: Florian Roth (Nextron Systems), Arnim Rupp
 date: 2021-08-16
-modified: 2024-11-02
+modified: 2026-06-15
 tags:
 - attack.execution
 - attack.t1204
@@ -28,12 +28,15 @@ detection:
 # - 'FRP.'
 - Signature|contains:
 - 'Adfind'
+ - 'BloodH'
+ - 'BloodyAD'
 - 'Brutel'
 - 'BruteR'
 - 'Cobalt'
 - 'COBEACON'
 - 'Cometer'
 - 'DumpCreds'
+ - 'EDRfreeze'
 - 'FastReverseProxy'
 - 'Hacktool'
 - 'Havoc'
@@ -50,6 +53,7 @@ detection:
 - 'PSWTool'
 - 'PWCrack'
 - 'PWDump'
+ - 'Responder'
 - 'Rozena'
 - 'Rusthound'
 - 'Sbelt'
@@ -62,8 +66,12 @@ detection:
 - 'Snaffler'
 - 'SOAPHound'
 - 'Splinter'
+ - 'Stowaway'
 - 'Swrort'
+ - 'Trojan.Hound'
 - 'TurtleLoader'
+ - 'Undefend'
+ - 'Undfnd'
 condition: selection
 falsepositives:
 - Unlikely
diff --git a/rules/category/antivirus/av_password_dumper.yml b/rules/category/antivirus/av_password_dumper.yml
index bbf4e861da8..84bb183df08 100644
--- a/rules/category/antivirus/av_password_dumper.yml
+++ b/rules/category/antivirus/av_password_dumper.yml
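Review bot: `'Beacon'` in the av_exploiting.yml selection makes `'COBEACON'` redundant, since Sigma's `contains` is a case-insensitive substring match on most backends and the shorter entry already covers it; it is also broad enough to hit any signature with the word Beacon in it, not only Cobalt Strike. If that breadth is intended, drop `'COBEACON'` and mark the intent with a comment such as `# matches any *Beacon* signature name, incl. COBEACON`; otherwise keep the longer form only. Removing `'CobaltStrike'` is fine because `'CobaltStr'` covers it. The selection list continues past the end of the hunk.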
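Review bot: `'EDRfreeze'`, `'Undefend'` and `'Undfnd'` added to av_hacktool.yml (hunks at -28 and -62) appear, from their names, to describe tools that disable EDR or antivirus rather than execution hacktools, yet the rule's tags visible in the first hunk stay at attack.execution / attack.t1204; if that reading is right, adding `- attack.defense-evasion` and `- attack.t1562.001` keeps the ATT&CK mapping honest. `'Responder'` in the -50 hunk is a plain English word, so checking it against the vendor signature corpus for non-hacktool hits before shipping would be prudent. The selection list starts above and runs past each of these hunks.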
@@ -2,15 +2,15 @@ title: Antivirus Password Dumper Detection
 id: 78cc2dd2-7d20-4d32-93ff-057084c38b93
 status: stable
 description: |
- Detects a highly relevant Antivirus alert that reports a password dumper.
- This event must not be ignored just because the AV has blocked the malware but investigate, how it came there in the first place.
+ Detects a highly relevant Antivirus alert that reports password dumpers and stealers.
+ This event must not be ignored just because the AV has blocked the malware but investigate, how it came there in the first place and check if passwords need to be reset.
 references:
 - https://www.nextron-systems.com/?s=antivirus
 - https://www.virustotal.com/gui/file/5fcda49ee7f202559a6cbbb34edb65c33c9a1e0bde9fa2af06a6f11b55ded619
 - https://www.virustotal.com/gui/file/a4edfbd42595d5bddb442c82a02cf0aaa10893c1bf79ea08b9ce576f82749448
 author: Florian Roth (Nextron Systems), Arnim Rupp
 date: 2018-09-09
-modified: 2024-11-02
+modified: 2026-06-15
 tags:
 - attack.credential-access
 - attack.t1003
@@ -25,15 +25,19 @@ detection:
 - Signature|contains:
 - 'Certify'
 - 'DCSync'
+ - 'Creddump'
 - 'DumpCreds'
 - 'DumpLsass'
 - 'DumpPert'
+ - 'FormBook'
 - 'HTool/WCE'
 - 'Kekeo'
 - 'Lazagne'
 - 'LsassDump'
+ - 'Lummast'
 - 'Mimikatz'
 - 'MultiDump'
+ - 'Multiverze'
 - 'Nanodump'
 - 'NativeDump'
 - 'Outflank'
@@ -53,7 +57,9 @@ detection:
 - 'SharpKatz'
 - 'SharpS.' # Sharpsploit, e.g. 530ea2ff9049f5dfdfa0a2e9c27c2e3c0685eb6cbdf85370c20a7bfae49f592d
 - 'ShpKatz'
+ - 'Steal'
 - 'TrickDump'
+ - 'wsass'
 condition: selection
 falsepositives:
 - Unlikely
diff --git a/rules/category/antivirus/av_ransomware.yml b/rules/category/antivirus/av_ransomware.yml
index d7077d39062..164adf54f2a 100644
--- a/rules/category/antivirus/av_ransomware.yml
+++ b/rules/category/antivirus/av_ransomware.yml
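Review bot: `'Steal'` in the -53 hunk will also match every signature containing "Stealth" (stealth-named rootkits and loaders), because `contains` is an unanchored case-insensitive substring match; `'Stealer'` captures the infostealer families the updated description now targets without that collision. `'Creddump'` in the -25 hunk is placed between 'DCSync' and 'DumpCreds' although the list is otherwise alphabetical; moving it above 'DCSync' keeps the list scannable. `'wsass'` has no comment explaining which signature it targets, so a short `# <vendor signature it matches>` note next to it would help the next maintainer. The selection block starts above these hunks.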
@@ -14,7 +14,7 @@ references:
 - https://www.virustotal.com/gui/file/6f0f20da34396166df352bf301b3c59ef42b0bc67f52af3d541b0161c47ede05
 author: Florian Roth (Nextron Systems), Arnim Rupp
 date: 2022-05-12
-modified: 2024-11-02
+modified: 2026-06-15
 tags:
 - attack.t1486
 - attack.impact
@@ -23,12 +23,14 @@ logsource:
 detection:
 selection:
 Signature|contains:
+ - 'Babuk'
+ - 'Babyk'
 - 'BlackWorm'
 - 'Chaos'
 - 'Cobra'
 - 'ContiCrypt'
 - 'Crypter'
- - 'CRYPTES'
+ - 'Cryptes'
 - 'Cryptor'
 - 'CylanCrypt'
 - 'DelShad'
@@ -43,8 +45,10 @@ detection:
 - 'Lockbit'
 - 'Locker'
 - 'Mallox'
+ - 'Medusa'
 - 'Phobos'
 - 'Ransom'
+ - 'Rook'
 - 'Ryuk'
 - 'Ryzerlo'
 - 'Stopcrypt'
diff --git a/rules/category/antivirus/av_remote_access_toolkit.yml b/rules/category/antivirus/av_remote_access_toolkit.yml
new file mode 100644
index 00000000000..42ac6d40779
--- /dev/null
+++ b/rules/category/antivirus/av_remote_access_toolkit.yml
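Review bot: `'Rook'` in the -43 hunk is a four-character substring that also matches `'GiftedCrook'`, which the av_advanced_persistent_threat.yml rule added in this same commit lists as an APT family, so one such AV event would raise a critical alert from both rules; `'Medusa'` likewise covers the Medusa Android banking trojan and the Medusa stealer, not only MedusaLocker. Consider tightening both to the longer forms the vendors actually emit, or documenting the overlap under falsepositives. The `'CRYPTES'` → `'Cryptes'` change is cosmetic under case-insensitive `contains`, which is fine but worth a word in the commit message. The selection list runs past the end of the hunk.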
@@ -0,0 +1,71 @@
+title: Antivirus Remote Access Tools
+id: 97233998-3838-4581-88c6-f1d19d3993fb
+status: experimental
+description: |
+ Detects a highly relevant Antivirus alert that reports a remote access tool.
+ This event must not be ignored just because the AV has blocked the malware but investigate, how it came there in the first place.
+references:
+ - https://www.nextron-systems.com/?s=antivirus
+ - https://www.virustotal.com/gui/file/d9669f7e3eb3a9cdf6a750eeb2ba303b5ae148a43e36546896f1d1801e912466
+author: Arnim Rupp (Nextron Systems)
+date: 2026-06-15
+tags:
+ - attack.execution
+ - attack.t1203
+ - attack.command-and-control
+ - attack.t1219.002
+logsource:
+ category: antivirus
+detection:
+ selection:
+ Signature|contains:
+ - 'AgentB'
+ - 'AgentTesla'
+ - 'AMRat'
+ - 'Ammyy'
+ - 'AsyncRAT'
+ - 'Bandook'
+ - 'Bitrat'
+ - 'Bladabindi'
+ - 'Connectwise'
+ - 'CyberGate'
+ - 'DarkComet'
+ - 'DCrat'
+ - 'Delf'
+ - 'DokStorm'
+ - 'Egairtigado'
+ - 'Gh0st'
+ - 'Gorat'
+ - 'GodRat'
+ - 'Jalapeno'
+ - 'LummaC2'
+ - 'Minirat'
+ - 'Netwire'
+ - 'NanoCore'
+ - 'NJRat'
+ - 'Paralax'
+ - 'PlugX'
+ - 'Pulsar'
+ - 'Quasar'
+ - 'Remcos'
+ - 'Ravartar'
+ - 'RemoteAdmin'
+ - 'RemoteTool'
+ - 'revengeRAT'
+ - 'rokRAT'
+ - 'salatstealer'
+ - 'Salgorea'
+ - 'SmokedHam'
+ - 'TigerRat'
+ - 'Tzeebot'
+ - 'WarZone'
+ - 'VenomRAT'
+ - 'Vidar'
+ - 'Wirenet'
+ - 'XWorm'
+ - 'Zapchast'
+ - 'Zegost'
+ condition: selection
+falsepositives:
+ - Unlikely
+level: critical
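Review bot: `'Delf'` is commonly used by engines as a generic family name for suspicious Delphi-compiled binaries rather than for a remote access tool, so it will raise a `level: critical` alert on heuristic detections; either drop it or add a comment naming the specific RAT signature it is meant to catch. `'LummaC2'`, `'Vidar'` and `'salatstealer'` are infostealers and fit the password dumper/stealer rule updated in this same commit better than a RAT rule. `'Ammyy'`, `'Connectwise'`, `'RemoteAdmin'` and `'RemoteTool'` are also raised by PUA detections of legitimately installed remote-administration software, which sits awkwardly with `falsepositives: - Unlikely`; listing administrative use of remote management software there would set expectations. attack.t1219.002 (Remote Desktop Software) only describes those last entries — the parent `- attack.t1219` covers the whole list.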