85 changes: 85 additions & 0 deletions rules/category/antivirus/av_advanced_persistent_threat.yml
@@ -0,0 +1,85 @@
title: Antivirus APT Malware
id: 101a1877-2cf4-474d-abfd-7f6ac4788d1a
status: experimental
description: |
Detects a highly relevant Antivirus alert that reports APT malware.
This event must not be ignored just because the AV has blocked the malware but investigate, how it came there in the first place.
references:
- https://www.nextron-systems.com/?s=antivirus
author: Arnim Rupp (Nextron Systems)
date: 2026-06-15
tags:
- attack.execution
- attack.t1203
- attack.command-and-control
- attack.t1219.002
logsource:
category: antivirus
detection:
selection:
- Signature|re:
- 'APT\d'
- 'ATK\d'
- 'UNC\d'
- 'UAC\d'
- Signature|contains:
- "[APT]"
- 'APT_'
- 'APT-'
- 'BackOrder'
- 'BlindingCan'
- 'Blizzard'
- 'Chollima'
- 'Cleaver'
- 'Cobra'
- 'DarkHotel'
- 'Dragon'
- 'DTrack'
- 'Equation'
- 'GiftedCrook'
- 'GraphSteel'
- 'GreyEnergy'
- 'GEnergy'
- 'GrimPlant'
- 'Hydra'
- 'Jackal'
- 'Kitten'
- 'Kimsuky'
- 'Lazar' # Lazarus
- 'LightRail'
- 'Lotus'
- 'Luminous'
- 'LumiMoth'
- 'Nimbus'
- 'Manticore'
- 'MiniBike'
- 'MiniBrowse'
- 'MiniBus'
- 'MiniFast'
- 'MiniJuke'
- 'MiniUpdate'
- 'MuddyWater'
- 'NukeSped'
- 'OilRig'
- 'Panda'
- 'Sandstorm'
- 'SandWorm'
- 'Seamonkey'
- 'Sleet'
- 'SlugResin'
- 'SnailResin'
- 'Snake'
- 'Tempest'
- 'Tsunami'
- 'Turla'
- 'Typhoon'
- 'UAC_'
- 'UAC-'
- 'UNC_'
- 'UNC-'
- 'VinoSiren'
- 'Winnti'
condition: selection
falsepositives:
- Unlikely
level: critical
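Review bot: several of the `Signature|contains` stems in this new rule are single common words (`'Cobra'`, `'Dragon'`, `'Hydra'`, `'Lotus'`, `'Panda'`, `'Snake'`, `'Tsunami'`, `'Nimbus'`) that will substring-match detection names unrelated to APT malware, yet the rule ships at `level: critical` with `falsepositives: - Unlikely`; either tighten them to the full family names they stand for (the prefix style of `'APT_'` / `'UAC-'` is already used in the list) or record the known overlaps under falsepositives. `'Cobra'` is also added to av_ransomware.yml in this PR, so one AV alert would fire both rules. Two smaller points: Sigma's `re` modifier is case-sensitive by default while `contains` is not, so `'APT\d'` / `'UNC\d'` will miss lowercase or mixed-case variants unless written as `Signature|re|i`; and the tag block (`attack.t1203`, `attack.t1219.002`) is identical to the one in av_remote_access_toolkit.yml in this PR and does not describe APT malware in general.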
7 changes: 5 additions & 2 deletions rules/category/antivirus/av_exploiting.yml
Expand Up @@ -11,7 +11,7 @@ references:
- https://www.virustotal.com/gui/file/d9669f7e3eb3a9cdf6a750eeb2ba303b5ae148a43e36546896f1d1801e912466
author: Florian Roth (Nextron Systems), Arnim Rupp
date: 2018-09-09
modified: 2024-11-02
modified: 2026-06-15
tags:
- attack.execution
- attack.t1203
Expand All @@ -22,11 +22,14 @@ logsource:
detection:
selection:
Signature|contains:
- 'ATK/Cobalt'
- 'Backdoor.Cobalt'
- 'Beacon'
- 'Brutel'
- 'BruteR'
- 'CbltStr'
- 'CobaltStr'
- 'CobaltStrike'
- 'COBALT.SMD'
- 'COBEACON'
- 'Cometer'
- 'Exploit.Script.CVE'
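Review bot: `'Brutel'`, `'BruteR'`, `'COBEACON'` and `'Cometer'` are now listed both here and in av_hacktool.yml in this PR, and the `'Cobalt'` stem added to av_hacktool.yml subsumes `'ATK/Cobalt'`, `'Backdoor.Cobalt'`, `'CbltStr'` and `'CobaltStr'` from this hunk, so every Cobalt Strike or Brute Ratel AV alert will trigger two rules; decide which rule owns the C2-framework signatures and drop them from the other, or state the overlap in both descriptions so analysts expect the double hit.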
10 changes: 9 additions & 1 deletion rules/category/antivirus/av_hacktool.yml
Expand Up @@ -9,7 +9,7 @@ references:
- https://www.nextron-systems.com/?s=antivirus
author: Florian Roth (Nextron Systems), Arnim Rupp
date: 2021-08-16
modified: 2024-11-02
modified: 2026-06-15
tags:
- attack.execution
- attack.t1204
Expand All @@ -28,12 +28,15 @@ detection:
# - 'FRP.'
- Signature|contains:
- 'Adfind'
- 'BloodH'
- 'BloodyAD'
- 'Brutel'
- 'BruteR'
- 'Cobalt'
- 'COBEACON'
- 'Cometer'
- 'DumpCreds'
- 'EDRfreeze'
- 'FastReverseProxy'
- 'Hacktool'
- 'Havoc'
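Review bot: `'Cobalt'` is broad enough to cover all Cobalt Strike entries of av_exploiting.yml, and `'Brutel'`, `'BruteR'`, `'COBEACON'`, `'Cometer'` and `'DumpCreds'` are duplicated in av_exploiting.yml or av_password_dumper.yml within this PR; either consolidate them into one rule or add a trailing comment (as the `# Sharpsploit` comment does in av_password_dumper.yml) explaining why the same signature is kept in two rules. `'BloodH'` is a truncated stem, so a comment naming the tool it is meant to catch would help future maintainers.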
Expand All @@ -50,6 +53,7 @@ detection:
- 'PSWTool'
- 'PWCrack'
- 'PWDump'
- 'Responder'
- 'Rozena'
- 'Rusthound'
- 'Sbelt'
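Review bot: `'Responder'` on its own is a common English word and product term, so substring-matching it against every AV signature name can hit detections unrelated to the LLMNR/NBT-NS poisoning tool; if it has been checked against the vendors' signature naming, say so in a trailing comment, otherwise prefer the vendor's fuller signature prefix.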
Expand All @@ -62,8 +66,12 @@ detection:
- 'Snaffler'
- 'SOAPHound'
- 'Splinter'
- 'Stowaway'
- 'Swrort'
- 'Trojan.Hound'
- 'TurtleLoader'
- 'Undefend'
- 'Undfnd'
condition: selection
falsepositives:
- Unlikely
12 changes: 9 additions & 3 deletions rules/category/antivirus/av_password_dumper.yml
Expand Up @@ -2,15 +2,15 @@ title: Antivirus Password Dumper Detection
id: 78cc2dd2-7d20-4d32-93ff-057084c38b93
status: stable
description: |
Detects a highly relevant Antivirus alert that reports a password dumper.
This event must not be ignored just because the AV has blocked the malware but investigate, how it came there in the first place.
Detects a highly relevant Antivirus alert that reports password dumpers and stealers.
This event must not be ignored just because the AV has blocked the malware but investigate, how it came there in the first place and check if passwords need to be reset.
references:
- https://www.nextron-systems.com/?s=antivirus
- https://www.virustotal.com/gui/file/5fcda49ee7f202559a6cbbb34edb65c33c9a1e0bde9fa2af06a6f11b55ded619
- https://www.virustotal.com/gui/file/a4edfbd42595d5bddb442c82a02cf0aaa10893c1bf79ea08b9ce576f82749448
author: Florian Roth (Nextron Systems), Arnim Rupp
date: 2018-09-09
modified: 2024-11-02
modified: 2026-06-15
tags:
- attack.credential-access
- attack.t1003
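Review bot: the description now says the rule covers "password dumpers and stealers", widening the scope of a `status: stable` rule, but the title (`Antivirus Password Dumper Detection`) and the tags (`attack.credential-access`, `attack.t1003`) still describe OS credential dumping only; the infostealer signatures added in the next hunk of this file (`'FormBook'`, `'Lummast'`) fall under other credential-access sub-techniques, so update the title and tags or split stealers into their own rule. The new sentence "but investigate, how it came there in the first place and check if passwords need to be reset" would also read better as "; investigate how it got there in the first place and check whether passwords need to be reset."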
Expand All @@ -25,15 +25,19 @@ detection:
- Signature|contains:
- 'Certify'
- 'DCSync'
- 'Creddump'
- 'DumpCreds'
- 'DumpLsass'
- 'DumpPert'
- 'FormBook'
- 'HTool/WCE'
- 'Kekeo'
- 'Lazagne'
- 'LsassDump'
- 'Lummast'
- 'Mimikatz'
- 'MultiDump'
- 'Multiverze'
- 'Nanodump'
- 'NativeDump'
- 'Outflank'
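Review bot: `'DumpCreds'` is now listed both here and in av_hacktool.yml in this PR, and `'Lummast'` is added here while `'LummaC2'` goes into av_remote_access_toolkit.yml, so the same Lumma family is classified as a credential stealer in one rule and as a remote access tool in another; pick one home for it. `'Lummast'` and `'Multiverze'` are opaque vendor stems, so a trailing comment naming the family (as on the `'SharpS.'` line) would help readers of the rule.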
Expand All @@ -53,7 +57,9 @@ detection:
- 'SharpKatz'
- 'SharpS.' # Sharpsploit, e.g. 530ea2ff9049f5dfdfa0a2e9c27c2e3c0685eb6cbdf85370c20a7bfae49f592d
- 'ShpKatz'
- 'Steal'
- 'TrickDump'
- 'wsass'
condition: selection
falsepositives:
- Unlikely
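Review bot: `'Steal'` is too short a substring; besides the intended `...Stealer` names it matches every signature containing "Stealth" (stealth-loader and rootkit detection names), so it will fire well outside credential theft. Use a longer stem such as `'Stealer'`, or a `Signature|re` entry like `'Steal(er|_)'`, and give the lowercase `'wsass'` entry a comment explaining which signature family it targets, as done for `'SharpS.'` two lines above.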
8 changes: 6 additions & 2 deletions rules/category/antivirus/av_ransomware.yml
Expand Up @@ -14,7 +14,7 @@ references:
- https://www.virustotal.com/gui/file/6f0f20da34396166df352bf301b3c59ef42b0bc67f52af3d541b0161c47ede05
author: Florian Roth (Nextron Systems), Arnim Rupp
date: 2022-05-12
modified: 2024-11-02
modified: 2026-06-15
tags:
- attack.t1486
- attack.impact
Expand All @@ -23,12 +23,14 @@ logsource:
detection:
selection:
Signature|contains:
- 'Babuk'
- 'Babyk'
- 'BlackWorm'
- 'Chaos'
- 'Cobra'
- 'ContiCrypt'
- 'Crypter'
- 'CRYPTES'
- 'Cryptes'
- 'Cryptor'
- 'CylanCrypt'
- 'DelShad'
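Review bot: `'CRYPTES'` and `'Cryptes'` are redundant: Sigma's `contains` modifier is case-insensitive, so both entries match exactly the same signatures and one should be dropped. `'Cobra'` and `'Chaos'` are single-word stems that will match unrelated detection names, and `'Cobra'` is added to av_advanced_persistent_threat.yml in the same PR, so one alert fires both rules; tighten them or document the overlap in falsepositives.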
Expand All @@ -43,8 +45,10 @@ detection:
- 'Lockbit'
- 'Locker'
- 'Mallox'
- 'Medusa'
- 'Phobos'
- 'Ransom'
- 'Rook'
- 'Ryuk'
- 'Ryzerlo'
- 'Stopcrypt'
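Review bot: `'Medusa'` also substring-matches the Medusa network login brute-forcer and the Medusa Android banking family, not only MedusaLocker, and `'Rook'` is short enough to match unrelated names; consider `'MedusaLocker'` (or a trailing comment in the `# Lazarus` style used in the APT rule) and verify `'Rook'` against vendor naming before keeping it this short.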
71 changes: 71 additions & 0 deletions rules/category/antivirus/av_remote_access_toolkit.yml
@@ -0,0 +1,71 @@
title: Antivirus Remote Access Tools
id: 97233998-3838-4581-88c6-f1d19d3993fb
status: experimental
description: |
Detects a highly relevant Antivirus alert that reports a remote access tool.
This event must not be ignored just because the AV has blocked the malware but investigate, how it came there in the first place.
references:
- https://www.nextron-systems.com/?s=antivirus
- https://www.virustotal.com/gui/file/d9669f7e3eb3a9cdf6a750eeb2ba303b5ae148a43e36546896f1d1801e912466
author: Arnim Rupp (Nextron Systems)
date: 2026-06-15
tags:
- attack.execution
- attack.t1203
- attack.command-and-control
- attack.t1219.002
logsource:
category: antivirus
detection:
selection:
Signature|contains:
- 'AgentB'
- 'AgentTesla'
- 'AMRat'
- 'Ammyy'
- 'AsyncRAT'
- 'Bandook'
- 'Bitrat'
- 'Bladabindi'
- 'Connectwise'
- 'CyberGate'
- 'DarkComet'
- 'DCrat'
- 'Delf'
- 'DokStorm'
- 'Egairtigado'
- 'Gh0st'
- 'Gorat'
- 'GodRat'
- 'Jalapeno'
- 'LummaC2'
- 'Minirat'
- 'Netwire'
- 'NanoCore'
- 'NJRat'
- 'Paralax'
- 'PlugX'
- 'Pulsar'
- 'Quasar'
- 'Remcos'
- 'Ravartar'
- 'RemoteAdmin'
- 'RemoteTool'
- 'revengeRAT'
- 'rokRAT'
- 'salatstealer'
- 'Salgorea'
- 'SmokedHam'
- 'TigerRat'
- 'Tzeebot'
- 'WarZone'
- 'VenomRAT'
- 'Vidar'
- 'Wirenet'
- 'XWorm'
- 'Zapchast'
- 'Zegost'
condition: selection
falsepositives:
- Unlikely
level: critical
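Review bot: `'Vidar'`, `'salatstealer'` and `'LummaC2'` are infostealers rather than remote access tools; since av_password_dumper.yml in this PR now explicitly covers stealers, they belong there (Lumma is otherwise matched twice via `'Lummast'`). `'Ammyy'`, `'Connectwise'`, `'RemoteAdmin'` and `'RemoteTool'` are names AV products use for legitimate remote support software (usually as PUA/RemoteAdmin detections), so at `level: critical` with `falsepositives: - Unlikely` this rule will fire on sanctioned helpdesk installs; move those to a lower-level rule or list them as expected false positives. Minor: `'Delf'` is a generic vendor family name for Delphi-compiled malware, not a RAT; `attack.t1203` does not fit a RAT rule; and the alphabetical ordering slips at `'Gorat'`/`'GodRat'`, `'Netwire'`/`'NanoCore'`, `'Remcos'`/`'Ravartar'` and `'WarZone'`/`'VenomRAT'`.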