Antivirus Hacktool Detection
Detects a highly relevant antivirus alert that reports a hack tool or other attack tool. This event must not be ignored just because the AV has blocked the malware; investigate how it got onto the host in the first place.
Detection Query
selection:
    - Signature|startswith:
        - ATK/
        - Exploit.Script.CVE
        - HKTL
        - HTOOL
        - PWS.
        - PWSX
        - SecurityTool
    - Signature|contains:
        - Adfind
        - Brutel
        - BruteR
        - Cobalt
        - COBEACON
        - Cometer
        - DumpCreds
        - FastReverseProxy
        - Hacktool
        - Havoc
        - Impacket
        - Keylogger
        - Koadic
        - Mimikatz
        - Nighthawk
        - PentestPowerShell
        - Potato
        - PowerSploit
        - PowerSSH
        - PshlSpy
        - PSWTool
        - PWCrack
        - PWDump
        - Rozena
        - Rusthound
        - Sbelt
        - Seatbelt
        - SecurityTool
        - SharpDump
        - SharpHound
        - Shellcode
        - Sliver
        - Snaffler
        - SOAPHound
        - Splinter
        - Swrort
        - TurtleLoader
condition: selection
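To show what the selection above actually does to an event stream, here is an added Python example (not part of the rule, the rendered page, or the Sigma project) that applies the two ORed maps to a handful of constructed antivirus events. It assumes each event is a dict with Computer, Signature and Action keys; that layout and every signature string in the sample are made up for the example, not real vendor detection names. Sigma string modifiers compare case-insensitively by default, so the code lowercases both sides.

```python
"""Added example, not part of the Sigma rule or the Sigma project.

Evaluates the 'Antivirus Hacktool Detection' selection over a few
constructed antivirus events. Sigma's |startswith and |contains
modifiers match case-insensitively by default, so every comparison is
done on lowercased strings. The event layout ({"Computer", "Signature",
"Action"}) is an assumption for this example, not a format the rule
defines.
"""

# Pattern lists copied from the rule's two selection maps.
STARTSWITH = ["ATK/", "Exploit.Script.CVE", "HKTL", "HTOOL", "PWS.", "PWSX", "SecurityTool"]
CONTAINS = [
    "Adfind", "Brutel", "BruteR", "Cobalt", "COBEACON", "Cometer", "DumpCreds",
    "FastReverseProxy", "Hacktool", "Havoc", "Impacket", "Keylogger", "Koadic",
    "Mimikatz", "Nighthawk", "PentestPowerShell", "Potato", "PowerSploit",
    "PowerSSH", "PshlSpy", "PSWTool", "PWCrack", "PWDump", "Rozena", "Rusthound",
    "Sbelt", "Seatbelt", "SecurityTool", "SharpDump", "SharpHound", "Shellcode",
    "Sliver", "Snaffler", "SOAPHound", "Splinter", "Swrort", "TurtleLoader",
]


def signature_matches(signature: str):
    """Return 'startswith:<pattern>' or 'contains:<pattern>' for the first
    pattern that matches the signature, or None. The two maps are ORed in
    the rule, so a hit on either list alone is enough."""
    sig = signature.lower()
    for pattern in STARTSWITH:
        if sig.startswith(pattern.lower()):
            return f"startswith:{pattern}"
    for pattern in CONTAINS:
        if pattern.lower() in sig:
            return f"contains:{pattern}"
    return None


def run_detection(events):
    """Apply the rule to a list of event dicts and return the matching
    events, each with a 'matched' key naming the pattern that fired.
    Events without a string Signature field cannot match and are skipped."""
    hits = []
    for event in events:
        signature = event.get("Signature")
        if not isinstance(signature, str):
            continue
        matched = signature_matches(signature)
        if matched:
            hits.append({**event, "matched": matched})
    return hits


# Constructed sample events; the signature strings are invented for this
# example and are not real vendor detection names.
SAMPLE_EVENTS = [
    {"Computer": "ws-042", "Signature": "HackTool:Win32/Mimikatz!pz", "Action": "Quarantined"},
    {"Computer": "srv-db-01", "Signature": "ATK/SharpHound-A", "Action": "Blocked"},
    {"Computer": "ws-017", "Signature": "Trojan.GenericKD.Sample", "Action": "Cleaned"},
    {"Computer": "ws-017", "Signature": "pws.stealer.generic", "Action": "Detected"},
    {"Computer": "jump-01", "Signature": "Win64/SeatbeltTool.A", "Action": "Blocked"},
    {"Computer": "ws-099", "Action": "Scan completed"},  # no Signature field at all
]

if __name__ == "__main__":
    for hit in run_detection(SAMPLE_EVENTS):
        # A Blocked/Quarantined verdict does not close the case: the rule's
        # description asks how the tool reached the host in the first place.
        print(f"{hit['Computer']}: {hit['Signature']} ({hit['Action']}) -> {hit['matched']}")
```

Four of the six sample events fire; the generic trojan and the event with no Signature field do not. Note that the lowercase "pws.stealer.generic" still hits the 'PWS.' prefix because of the case-insensitive comparison, which is also why short substrings such as 'Potato' or 'Cobalt' should be checked against your own vendor's naming scheme before the rule is tuned.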
Author
Florian Roth (Nextron Systems), Arnim Rupp
Created
2021-08-16
Data Sources
antivirus
References
https://www.nextron-systems.com/2021/08/16/antivirus-event-analysis-cheat-sheet-v1-8-2/
https://www.nextron-systems.com/?s=antivirus
Tags
attack.execution
attack.t1204
Raw Content
title: Antivirus Hacktool Detection
id: fa0c05b6-8ad3-468d-8231-c1cbccb64fba
status: stable
description: |
    Detects a highly relevant Antivirus alert that reports a hack tool or other attack tool.
    This event must not be ignored just because the AV has blocked the malware but investigate, how it came there in the first place.
references:
    - https://www.nextron-systems.com/2021/08/16/antivirus-event-analysis-cheat-sheet-v1-8-2/
    - https://www.nextron-systems.com/?s=antivirus
author: Florian Roth (Nextron Systems), Arnim Rupp
date: 2021-08-16
modified: 2024-11-02
tags:
    - attack.execution
    - attack.t1204
logsource:
    category: antivirus
detection:
    selection:
        - Signature|startswith:
            - 'ATK/' # Sophos
            - 'Exploit.Script.CVE'
            - 'HKTL'
            - 'HTOOL'
            - 'PWS.'
            - 'PWSX'
            - 'SecurityTool'
            # - 'FRP.'
        - Signature|contains:
            - 'Adfind'
            - 'Brutel'
            - 'BruteR'
            - 'Cobalt'
            - 'COBEACON'
            - 'Cometer'
            - 'DumpCreds'
            - 'FastReverseProxy'
            - 'Hacktool'
            - 'Havoc'
            - 'Impacket'
            - 'Keylogger'
            - 'Koadic'
            - 'Mimikatz'
            - 'Nighthawk'
            - 'PentestPowerShell'
            - 'Potato'
            - 'PowerSploit'
            - 'PowerSSH'
            - 'PshlSpy'
            - 'PSWTool'
            - 'PWCrack'
            - 'PWDump'
            - 'Rozena'
            - 'Rusthound'
            - 'Sbelt'
            - 'Seatbelt'
            - 'SecurityTool'
            - 'SharpDump'
            - 'SharpHound'
            - 'Shellcode'
            - 'Sliver'
            - 'Snaffler'
            - 'SOAPHound'
            - 'Splinter'
            - 'Swrort'
            - 'TurtleLoader'
    condition: selection
falsepositives:
    - Unlikely
level: high