From 633cbe596ad52ac961630ff95bd0dacfec18bc27 Mon Sep 17 00:00:00 2001
From: Arnim Rupp <46819580+ruppde@users.noreply.github.com>
Date: Mon, 22 Jun 2026 19:21:55 +0200
Subject: [PATCH 1/4] Add and update anti virus rules

---
.../av_advanced_persistent_threat.yml | 85 +++++++++++++++++++
rules/category/antivirus/av_exploiting.yml | 7 +-
rules/category/antivirus/av_hacktool.yml | 10 ++-
.../category/antivirus/av_password_dumper.yml | 12 ++-
rules/category/antivirus/av_ransomware.yml | 8 +-
.../antivirus/av_remote_access_toolkit.yml | 71 ++++++++++++++++
6 files changed, 185 insertions(+), 8 deletions(-)
create mode 100644 rules/category/antivirus/av_advanced_persistent_threat.yml
create mode 100644 rules/category/antivirus/av_remote_access_toolkit.yml

diff --git a/rules/category/antivirus/av_advanced_persistent_threat.yml b/rules/category/antivirus/av_advanced_persistent_threat.yml
new file mode 100644
index 00000000000..2679f301738
--- /dev/null
+++ b/rules/category/antivirus/av_advanced_persistent_threat.yml
@@ -0,0 +1,85 @@
+title: Antivirus APT Malware
+id: 101a1877-2cf4-474d-abfd-7f6ac4788d1a
+status: test
+description: |
+ Detects a highly relevant Antivirus alert that reports an APT malware
+ This event must not be ignored just because the AV has blocked the malware but investigate, how it came there in the first place.
+references:
+ - https://www.nextron-systems.com/?s=antivirus
+author: Arnim Rupp (Nextron Systems)
+date: 2026-06-15
+tags:
+ - attack.execution
+ - attack.t1203
+ - attack.command-and-control
+ - attack.t1219.002
+logsource:
+ category: antivirus
+detection:
+ selection:
+ - Signature|re:
+ - 'APT\d'
+ - 'ATK\d'
+ - 'UNC\d'
+ - 'UAC\d'
+ - Signature|contains:
+ - '[APT]'
+ - 'APT_'
+ - 'APT-'
+ - 'BackOrder'
+ - 'BlindingCan'
+ - 'Blizzard'
+ - 'Chollima'
+ - 'Cleaver'
+ - 'Cobra'
+ - 'DarkHotel'
+ - 'Dragon'
+ - 'DTrack'
+ - 'Equation'
+ - 'GiftedCrook'
+ - 'GraphSteel'
+ - 'GreyEnergy'
+ - 'GEnergy'
+ - 'GrimPlant'
+ - 'Hydra'
+ - 'Jackal'
+ - 'Kitten'
+ - 'Kimsuky'
+ - 'Lazar' // Lazarus
+ - 'LightRail'
+ - 'Lotus'
+ - 'Luminous'
+ - 'LumiMoth'
+ - 'Nimbus'
+ - 'Manticore'
+ - 'MiniBike'
+ - 'MiniBrowse'
+ - 'MiniBus'
+ - 'MiniFast'
+ - 'MiniJuke'
+ - 'MiniUpdate'
+ - 'MuddyWater'
+ - 'NukeSped'
+ - 'OilRig'
+ - 'Panda'
+ - 'Sandstorm'
+ - 'SandWorm'
+ - 'Seamonkey'
+ - 'Sleet'
+ - 'SlugResin'
+ - 'SnailResin'
+ - 'Snake'
+ - 'Tempest'
+ - 'Tsunami'
+ - 'Turla'
+ - 'Typhoon'
+ - 'UAC_'
+ - 'UAC-'
+ - 'UNC_'
+ - 'UNC-'
+ - 'VinoSiren'
+ - 'Winnti'
+ condition: selection
+falsepositives:
+ - Unlikely
+level: critical
diff --git a/rules/category/antivirus/av_exploiting.yml b/rules/category/antivirus/av_exploiting.yml
index ab6e083e3e1..e884edfac19 100644
--- a/rules/category/antivirus/av_exploiting.yml
+++ b/rules/category/antivirus/av_exploiting.yml
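Review bot: Several `Signature|contains` tokens in the new av_advanced_persistent_threat.yml are ordinary words — `'Dragon'`, `'Panda'`, `'Hydra'`, `'Snake'`, `'Lotus'`, `'Cobra'`, `'Tsunami'` — and Sigma's `contains` is case-insensitive, so any vendor family name containing them fires this `level: critical` rule whose falsepositives entry says `Unlikely`; `'Cobra'` is also matched by av_ransomware.yml in this same patch, so a single alert will raise both rules. `'UAC-'` and `'UAC_'` will likewise hit signatures that vendors name for UAC-bypass tooling rather than for CERT-UA group identifiers, depending on the vendor's naming. The `Signature|re` entries (`'APT\d'` etc.) are case-sensitive under the default `re` modifier, unlike the `contains` list, so lower-cased vendor strings such as `apt28` would only be caught by the `contains` tokens. Consider moving the short words into anchored `re` patterns or naming the known collisions under `falsepositives` instead of `Unlikely`.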
@@ -11,7 +11,7 @@ references: - https://www.virustotal.com/gui/file/d9669f7e3eb3a9cdf6a750eeb2ba303b5ae148a43e36546896f1d1801e912466 author: Florian Roth (Nextron Systems), Arnim Rupp date: 2018-09-09 -modified: 2024-11-02 +modified: 2026-06-15 tags: - attack.execution - attack.t1203 @@ -22,11 +22,14 @@ logsource: detection: selection: Signature|contains: + - 'ATK/Cobalt' - 'Backdoor.Cobalt' + - 'Beacon' - 'Brutel' - 'BruteR' + - 'CbltStr' - 'CobaltStr' - - 'CobaltStrike' + - 'COBALT.SMD' - 'COBEACON' - 'Cometer' - 'Exploit.Script.CVE' diff --git a/rules/category/antivirus/av_hacktool.yml b/rules/category/antivirus/av_hacktool.yml index 851c5a18bc1..9eade1bf0d7 100644 --- a/rules/category/antivirus/av_hacktool.yml +++ b/rules/category/antivirus/av_hacktool.yml @@ -9,7 +9,7 @@ references: - https://www.nextron-systems.com/?s=antivirus author: Florian Roth (Nextron Systems), Arnim Rupp date: 2021-08-16 -modified: 2024-11-02 +modified: 2026-06-15 tags: - attack.execution - attack.t1204 @@ -28,12 +28,15 @@ detection: # - 'FRP.' - Signature|contains: - 'Adfind' + - 'BloodH' + - 'BloodyAD' - 'Brutel' - 'BruteR' - 'Cobalt' - 'COBEACON' - 'Cometer' - 'DumpCreds' + - 'EDRfreeze' - 'FastReverseProxy' - 'Hacktool' - 'Havoc' @@ -50,6 +53,7 @@ detection: - 'PSWTool' - 'PWCrack' - 'PWDump' + - 'Responder' - 'Rozena' - 'Rusthound' - 'Sbelt' @@ -62,8 +66,12 @@ detection: - 'Snaffler' - 'SOAPHound' - 'Splinter' + - 'Stowaway' - 'Swrort' + - 'Trojan.Hound' - 'TurtleLoader' + - 'Undefend' + - 'Undfnd' condition: selection falsepositives: - Unlikely diff --git a/rules/category/antivirus/av_password_dumper.yml b/rules/category/antivirus/av_password_dumper.yml index bbf4e861da8..7da01e1530d 100644 --- a/rules/category/antivirus/av_password_dumper.yml +++ b/rules/category/antivirus/av_password_dumper.yml 
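Review bot: `'Beacon'` added to av_exploiting.yml is a bare substring, so with case-insensitive `contains` it matches every signature carrying that word, not only Cobalt Strike beacons, and it already subsumes the `'COBEACON'` entry two lines below; if generic beacon detections are intended, the rule's falsepositives entry (outside this hunk) should say so, otherwise a vendor-qualified token such as the `'ATK/Cobalt'` style used in the same hunk is safer. `'Responder'` in the av_hacktool.yml hunk has the same breadth. The selection blocks of both rules continue outside the hunks.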
@@ -2,15 +2,15 @@ title: Antivirus Password Dumper Detection id: 78cc2dd2-7d20-4d32-93ff-057084c38b93 status: stable description: | - Detects a highly relevant Antivirus alert that reports a password dumper. - This event must not be ignored just because the AV has blocked the malware but investigate, how it came there in the first place. + Detects a highly relevant Antivirus alert that reports a password dumpers and stealers + This event must not be ignored just because the AV has blocked the malware but investigate, how it came there in the first place and check if passwords need to be reset. references: - https://www.nextron-systems.com/?s=antivirus - https://www.virustotal.com/gui/file/5fcda49ee7f202559a6cbbb34edb65c33c9a1e0bde9fa2af06a6f11b55ded619 - https://www.virustotal.com/gui/file/a4edfbd42595d5bddb442c82a02cf0aaa10893c1bf79ea08b9ce576f82749448 author: Florian Roth (Nextron Systems), Arnim Rupp date: 2018-09-09 -modified: 2024-11-02 +modified: 2026-06-15 tags: - attack.credential-access - attack.t1003 @@ -25,15 +25,19 @@ detection: - Signature|contains: - 'Certify' - 'DCSync' + - 'Creddump' - 'DumpCreds' - 'DumpLsass' - 'DumpPert' + - 'FormBook' - 'HTool/WCE' - 'Kekeo' - 'Lazagne' - 'LsassDump' + - 'Lummast' - 'Mimikatz' - 'MultiDump' + - 'Multiverze' - 'Nanodump' - 'NativeDump' - 'Outflank' @@ -53,7 +57,9 @@ detection: - 'SharpKatz' - 'SharpS.' # Sharpsploit, e.g. 530ea2ff9049f5dfdfa0a2e9c27c2e3c0685eb6cbdf85370c20a7bfae49f592d - 'ShpKatz' + - 'Steal' - 'TrickDump' + - 'wsass' condition: selection falsepositives: - Unlikely diff --git a/rules/category/antivirus/av_ransomware.yml b/rules/category/antivirus/av_ransomware.yml index d7077d39062..164adf54f2a 100644 --- a/rules/category/antivirus/av_ransomware.yml +++ b/rules/category/antivirus/av_ransomware.yml 
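Review bot: `'Steal'` together with `'FormBook'`, `'Lummast'` and `'Multiverze'` widens a `status: stable` rule tagged `attack.credential-access` / `attack.t1003` (visible as context in the first hunk) from OS credential dumpers to general infostealers, while the RAT rule created in the same patch lists `'LummaC2'`, `'Vidar'` and `'salatstealer'`; the same malware class now lands in two rules with different tags and levels. Either keep the stealer tokens in one rule and adjust its tags (T1003 is OS credential dumping; infostealers are usually mapped elsewhere — verify against ATT&CK), or split them into a dedicated stealer rule. `'Creddump'` is inserted after `'DCSync'`, breaking the otherwise alphabetical ordering of the list. The selection block continues outside the hunks.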
@@ -14,7 +14,7 @@ references: - https://www.virustotal.com/gui/file/6f0f20da34396166df352bf301b3c59ef42b0bc67f52af3d541b0161c47ede05 author: Florian Roth (Nextron Systems), Arnim Rupp date: 2022-05-12 -modified: 2024-11-02 +modified: 2026-06-15 tags: - attack.t1486 - attack.impact @@ -23,12 +23,14 @@ logsource: detection: selection: Signature|contains: + - 'Babuk' + - 'Babyk' - 'BlackWorm' - 'Chaos' - 'Cobra' - 'ContiCrypt' - 'Crypter' - - 'CRYPTES' + - 'Cryptes' - 'Cryptor' - 'CylanCrypt' - 'DelShad' @@ -43,8 +45,10 @@ detection: - 'Lockbit' - 'Locker' - 'Mallox' + - 'Medusa' - 'Phobos' - 'Ransom' + - 'Rook' - 'Ryuk' - 'Ryzerlo' - 'Stopcrypt' diff --git a/rules/category/antivirus/av_remote_access_toolkit.yml b/rules/category/antivirus/av_remote_access_toolkit.yml new file mode 100644 index 00000000000..3c32d98c462 --- /dev/null +++ b/rules/category/antivirus/av_remote_access_toolkit.yml 
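Review bot: `'Rook'` is a four-letter substring and case-insensitive `contains` finds it inside `'GiftedCrook'`, which the first patch in this series adds to av_advanced_persistent_threat.yml, so a GiftedCrook alert will raise the ransomware rule as well as the APT rule; a longer vendor token or a `Signature|re` entry with a word boundary such as `'\bRook'` avoids that. `'Medusa'` similarly matches MedusaLocker and any unrelated family a vendor names Medusa, depending on vendor naming. The `'CRYPTES'` → `'Cryptes'` change is cosmetic, since `contains` is case-insensitive. The selection block continues outside the hunks.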
@@ -0,0 +1,71 @@
+title: Antivirus Remote Access Tools
+id: 97233998-3838-4581-88c6-f1d19d3993fb
+status: test
+description: |
+ Detects a highly relevant Antivirus alert that reports a remote access tool
+ This event must not be ignored just because the AV has blocked the malware but investigate, how it came there in the first place.
+references:
+ - https://www.nextron-systems.com/?s=antivirus
+ - https://www.virustotal.com/gui/file/d9669f7e3eb3a9cdf6a750eeb2ba303b5ae148a43e36546896f1d1801e912466
+author: Arnim Rupp (Nextron Systems)
+date: 2026-06-15
+tags:
+ - attack.execution
+ - attack.t1203
+ - attack.command-and-control
+ - attack.t1219.002
+logsource:
+ category: antivirus
+detection:
+ selection:
+ Signature|contains:
+ - 'AgentB'
+ - 'AgentTesla'
+ - 'AMRat'
+ - 'Ammyy'
+ - 'AsyncRAT'
+ - 'Bandook'
+ - 'Bitrat'
+ - 'Bladabindi'
+ - 'Connectwise'
+ - 'CyberGate'
+ - 'DarkComet'
+ - 'DCrat'
+ - 'Delf'
+ - 'DokStorm'
+ - 'Egairtigado'
+ - 'Gh0st'
+ - 'Gorat'
+ - 'GodRat'
+ - 'Jalapeno'
+ - 'LummaC2'
+ - 'Minirat'
+ - 'Netwire'
+ - 'NanoCore'
+ - 'NJRat'
+ - 'Paralax'
+ - 'PlugX'
+ - 'Pulsar'
+ - 'Quasar'
+ - 'Remcos'
+ - 'Ravartar'
+ - 'RemoteAdmin'
+ - 'RemoteTool'
+ - 'revengeRAT'
+ - 'rokRAT'
+ - 'salatstealer'
+ - 'Salgorea'
+ - 'SmokedHam'
+ - 'TigerRat'
+ - 'Tzeebot'
+ - 'WarZone'
+ - 'VenomRAT'
+ - 'Vidar'
+ - 'Wirenet'
+ - 'XWorm'
+ - 'Zapchast'
+ - 'Zegost'
+ condition: selection
+falsepositives:
+ - Unlikely
+level: critical

From 837df97f15607f059cd6a826a0d23721a44f69f0 Mon Sep 17 00:00:00 2001
From: Arnim Rupp <46819580+ruppde@users.noreply.github.com>
Date: Mon, 22 Jun 2026 19:43:03 +0200
Subject: [PATCH 2/4] Update av_advanced_persistent_threat.yml fix format

---
rules/category/antivirus/av_advanced_persistent_threat.yml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/rules/category/antivirus/av_advanced_persistent_threat.yml b/rules/category/antivirus/av_advanced_persistent_threat.yml
index 2679f301738..8dccce9e2e6 100644
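Review bot: `'Connectwise'`, `'Ammyy'`, `'RemoteAdmin'` and `'RemoteTool'` in the new av_remote_access_toolkit.yml match AV signatures for remote-administration software that many vendors classify as PUA/riskware even when deployed by the organisation itself, so on a fleet where such tools are sanctioned this `level: critical` rule with `falsepositives: Unlikely` will fire on routine use; name those tools under `falsepositives` or carry them in a lower-level rule. `'Delf'` is a generic family name several vendors use for Delphi-compiled malware of any kind, and `'LummaC2'`, `'Vidar'` and `'salatstealer'` are infostealers rather than RATs, which overlaps the stealer tokens the same patch adds to av_password_dumper.yml. The `attack.t1203` tag (Exploitation for Client Execution) does not describe remote access tooling and looks copied from the exploiting rule; `attack.t1219` is the fitting technique, though whether the `.002` sub-technique applies cannot be checked from here.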
--- a/rules/category/antivirus/av_advanced_persistent_threat.yml +++ b/rules/category/antivirus/av_advanced_persistent_threat.yml @@ -23,7 +23,7 @@ detection: - 'UNC\d' - 'UAC\d' - Signature|contains: - - '[APT]' + - "[APT]" - 'APT_' - 'APT-' - 'BackOrder' @@ -45,7 +45,7 @@ detection: - 'Jackal' - 'Kitten' - 'Kimsuky' - - 'Lazar' // Lazarus + - 'Lazar' # Lazarus - 'LightRail' - 'Lotus' - 'Luminous' From 85187f5343558cd1e457e5c49520429ce44e5b02 Mon Sep 17 00:00:00 2001 From: Arnim Rupp <46819580+ruppde@users.noreply.github.com> Date: Mon, 22 Jun 2026 21:13:31 +0200 Subject: [PATCH 3/4] reduce status --- rules/category/antivirus/av_advanced_persistent_threat.yml | 2 +- rules/category/antivirus/av_remote_access_toolkit.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/category/antivirus/av_advanced_persistent_threat.yml b/rules/category/antivirus/av_advanced_persistent_threat.yml index 8dccce9e2e6..d0b49143792 100644 --- a/rules/category/antivirus/av_advanced_persistent_threat.yml +++ b/rules/category/antivirus/av_advanced_persistent_threat.yml @@ -1,6 +1,6 @@ title: Antivirus APT Malware id: 101a1877-2cf4-474d-abfd-7f6ac4788d1a -status: test +status: experimental description: | Detects a highly relevant Antivirus alert that reports an APT malware This event must not be ignored just because the AV has blocked the malware but investigate, how it came there in the first place. diff --git a/rules/category/antivirus/av_remote_access_toolkit.yml b/rules/category/antivirus/av_remote_access_toolkit.yml index 3c32d98c462..8f93aa12238 100644 --- a/rules/category/antivirus/av_remote_access_toolkit.yml +++ b/rules/category/antivirus/av_remote_access_toolkit.yml 
@@ -1,6 +1,6 @@ title: Antivirus Remote Access Tools id: 97233998-3838-4581-88c6-f1d19d3993fb -status: test +status: experimental description: | Detects a highly relevant Antivirus alert that reports a remote access tool This event must not be ignored just because the AV has blocked the malware but investigate, how it came there in the first place. From e56d93012097c78a90a54a8e861c57baf0f904a1 Mon Sep 17 00:00:00 2001 From: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com> Date: Tue, 23 Jun 2026 08:31:01 +0545 Subject: [PATCH 4/4] Apply suggestions from code review Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> --- rules/category/antivirus/av_advanced_persistent_threat.yml | 2 +- rules/category/antivirus/av_password_dumper.yml | 2 +- rules/category/antivirus/av_remote_access_toolkit.yml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/rules/category/antivirus/av_advanced_persistent_threat.yml b/rules/category/antivirus/av_advanced_persistent_threat.yml index d0b49143792..9a86c73c8a8 100644 --- a/rules/category/antivirus/av_advanced_persistent_threat.yml +++ b/rules/category/antivirus/av_advanced_persistent_threat.yml @@ -2,7 +2,7 @@ title: Antivirus APT Malware id: 101a1877-2cf4-474d-abfd-7f6ac4788d1a status: experimental description: | - Detects a highly relevant Antivirus alert that reports an APT malware + Detects a highly relevant Antivirus alert that reports APT malware. This event must not be ignored just because the AV has blocked the malware but investigate, how it came there in the first place. references: - https://www.nextron-systems.com/?s=antivirus diff --git a/rules/category/antivirus/av_password_dumper.yml b/rules/category/antivirus/av_password_dumper.yml index 7da01e1530d..84bb183df08 100644 --- a/rules/category/antivirus/av_password_dumper.yml +++ b/rules/category/antivirus/av_password_dumper.yml 
@@ -2,7 +2,7 @@ title: Antivirus Password Dumper Detection id: 78cc2dd2-7d20-4d32-93ff-057084c38b93 status: stable description: | - Detects a highly relevant Antivirus alert that reports a password dumpers and stealers + Detects a highly relevant Antivirus alert that reports password dumpers and stealers. This event must not be ignored just because the AV has blocked the malware but investigate, how it came there in the first place and check if passwords need to be reset. references: - https://www.nextron-systems.com/?s=antivirus diff --git a/rules/category/antivirus/av_remote_access_toolkit.yml b/rules/category/antivirus/av_remote_access_toolkit.yml index 8f93aa12238..42ac6d40779 100644 --- a/rules/category/antivirus/av_remote_access_toolkit.yml +++ b/rules/category/antivirus/av_remote_access_toolkit.yml @@ -2,7 +2,7 @@ title: Antivirus Remote Access Tools id: 97233998-3838-4581-88c6-f1d19d3993fb status: experimental description: | - Detects a highly relevant Antivirus alert that reports a remote access tool + Detects a highly relevant Antivirus alert that reports a remote access tool. This event must not be ignored just because the AV has blocked the malware but investigate, how it came there in the first place. references: - https://www.nextron-systems.com/?s=antivirus