EXPLORE
Sign In
← Back to Explore
sigmacriticalTTP

Antivirus Exploitation Framework Detection

Detects a highly relevant Antivirus alert that reports an exploitation framework. This event must not be ignored just because the AV has blocked the malware but investigate, how it came there in the first place.

MITRE ATT&CK

T1203T1219.002
executioncommand-and-control

Detection Query

selection:
  Signature|contains:
    - Backdoor.Cobalt
    - Brutel
    - BruteR
    - CobaltStr
    - CobaltStrike
    - COBEACON
    - Cometer
    - Exploit.Script.CVE
    - IISExchgSpawnCMD
    - Metasploit
    - Meterpreter
    - MeteTool
    - Mpreter
    - MsfShell
    - PowerSploit
    - Razy
    - Rozena
    - Sbelt
    - Seatbelt
    - Sliver
    - Swrort
condition: selection

Author

Florian Roth (Nextron Systems), Arnim Rupp

Created

2018-09-09

Data Sources

antivirus

References

Tags

attack.executionattack.t1203attack.command-and-controlattack.t1219.002
Raw Content
title: Antivirus Exploitation Framework Detection
id: 238527ad-3c2c-4e4f-a1f6-92fd63adb864
status: stable
description: |
    Detects a highly relevant Antivirus alert that reports an exploitation framework.
    This event must not be ignored just because the AV has blocked the malware but investigate, how it came there in the first place.
references:
    - https://www.nextron-systems.com/?s=antivirus
    - https://www.virustotal.com/gui/file/925b0b28472d4d79b4bf92050e38cc2b8f722691c713fc28743ac38551bc3797
    - https://www.virustotal.com/gui/file/8f8daabe1c8ceb5710949283818e16c4aa8059bf2ce345e2f2c90b8692978424
    - https://www.virustotal.com/gui/file/d9669f7e3eb3a9cdf6a750eeb2ba303b5ae148a43e36546896f1d1801e912466
author: Florian Roth (Nextron Systems), Arnim Rupp
date: 2018-09-09
modified: 2024-11-02
tags:
    - attack.execution
    - attack.t1203
    - attack.command-and-control
    - attack.t1219.002
logsource:
    category: antivirus
detection:
    selection:
        Signature|contains:
            - 'Backdoor.Cobalt'
            - 'Brutel'
            - 'BruteR'
            - 'CobaltStr'
            - 'CobaltStrike'
            - 'COBEACON'
            - 'Cometer'
            - 'Exploit.Script.CVE'
            - 'IISExchgSpawnCMD'
            - 'Metasploit'
            - 'Meterpreter'
            - 'MeteTool'
            - 'Mpreter'
            - 'MsfShell'
            - 'PowerSploit'
            - 'Razy'
            - 'Rozena'
            - 'Sbelt'
            - 'Seatbelt'
            - 'Sliver'
            - 'Swrort'
    condition: selection
falsepositives:
    - Unlikely
level: critical