
Relevant Anti-Virus Event

This detection method flags highly relevant antivirus events: detections whose name matches one of the hack-tool, web-shell or credential-dumping signatures listed in the queries below, while ignoring keygen and crack detections.

# QRadar AQL

SELECT
    UTF8(payload) AS search_payload
FROM events
WHERE LOGSOURCETYPENAME(devicetype) ILIKE '%Microsoft Windows Security Event Log%'
  AND (
           "Message" ILIKE '%HTool%'
        OR "Message" ILIKE '%Hacktool%'
        OR "Message" ILIKE '%ASP/Backdoor%'
        OR "Message" ILIKE '%JSP/Backdoor%'
        OR "Message" ILIKE '%PHP/Backdoor%'
        OR "Message" ILIKE '%Backdoor.ASP%'
        OR "Message" ILIKE '%Backdoor.JSP%'
        OR "Message" ILIKE '%Backdoor.PHP%'
        OR "Message" ILIKE '%Webshell%'
        OR "Message" ILIKE '%Portscan%'
        OR "Message" ILIKE '%Mimikatz%'
        OR "Message" ILIKE '%WinCred%'
        OR "Message" ILIKE '%PlugX%'
        OR "Message" ILIKE '%Korplug%'
        OR "Message" ILIKE '%Pwdump%'
        OR "Message" ILIKE '%Chopper%'
        OR "Message" ILIKE '%WmiExec%'
        OR "Message" ILIKE '%Xscan%'
        OR "Message" ILIKE '%Clearlog%'
        OR "Message" ILIKE '%ASPXSpy%'
      )
  AND NOT (
           "Message" ILIKE '%Keygen%'
        OR "Message" ILIKE '%Crack%'
      )

# Splunk

source="WinEventLog:Application"
    Message IN ("*HTool*", "*Hacktool*", "*ASP/Backdoor*", "*JSP/Backdoor*", "*PHP/Backdoor*", "*Backdoor.ASP*", "*Backdoor.JSP*", "*Backdoor.PHP*", "*Webshell*", "*Portscan*", "*Mimikatz*", "*WinCred*", "*PlugX*", "*Korplug*", "*Pwdump*", "*Chopper*", "*WmiExec*", "*Xscan*", "*Clearlog*", "*ASPXSpy*")
    NOT Message IN ("*Keygen*", "*Crack*")

# Elastic Query

(winlog.channel:Application AND NOT Message:(Keygen OR Crack) AND Message:(HTool OR Hacktool OR ASP\/Backdoor OR JSP\/Backdoor OR PHP\/Backdoor OR Backdoor.ASP OR Backdoor.JSP OR Backdoor.PHP OR Webshell OR Portscan OR Mimikatz OR WinCred OR PlugX OR Korplug OR Pwdump OR Chopper OR WmiExec OR Xscan OR Clearlog OR ASPXSpy))

# EDR Carbon Black

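((Message:HTool* OR Message:Hacktool* OR Message:ASP/Backdoor* OR Message:JSP/Backdoor* OR Message:PHP/Backdoor* OR Message:Backdoor.ASP* OR Message:Backdoor.JSP* OR Message:Backdoor.PHP* OR Message:Webshell* OR Message:Portscan* OR Message:Mimikatz* OR Message:WinCred* OR Message:PlugX* OR Message:Korplug* OR Message:Pwdump* OR Message:Chopper* OR Message:WmiExec* OR Message:Xscan* OR Message:Clearlog* OR Message:ASPXSpy*) AND -(Message:Keygen* OR Message:Crack*))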

# Windows PowerShell

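# Relevant Anti-Virus Event: Application-log entries whose message text names a
# hack tool, web shell or credential dumper, minus keygen/crack detections.
# The patterns are matched against the message body itself (the generated
# "Message..HTool." form required the literal word "Message" inside the event
# text and therefore never matched real events). Literal dots are escaped so
# "Backdoor.ASP" does not match an arbitrary character.
# -match / -notmatch are case-insensitive by default, which mirrors the
# ILIKE / wildcard matching used by the other query backends on this page.
$includePattern = 'HTool|Hacktool|ASP/Backdoor|JSP/Backdoor|PHP/Backdoor|Backdoor\.ASP|Backdoor\.JSP|Backdoor\.PHP|Webshell|Portscan|Mimikatz|WinCred|PlugX|Korplug|Pwdump|Chopper|WmiExec|Xscan|Clearlog|ASPXSpy'
$excludePattern = 'Keygen|Crack'

Get-WinEvent -LogName Application |
    Where-Object { $_.Message -match $includePattern -and $_.Message -notmatch $excludePattern } |
    Select-Object TimeCreated, Id, RecordId, ProcessId, MachineName, Message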

# RegEx

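(?is)^(?!.*(?:Keygen|Crack)).*(?:HTool|Hacktool|ASP/Backdoor|JSP/Backdoor|PHP/Backdoor|Backdoor\.ASP|Backdoor\.JSP|Backdoor\.PHP|Webshell|Portscan|Mimikatz|WinCred|PlugX|Korplug|Pwdump|Chopper|WmiExec|Xscan|Clearlog|ASPXSpy)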