Relevant Anti-Virus Event


This detection method points out highly relevant Antivirus events.

  • QRadar AQL
SELECT UTF8(payload) as search_payload from events where (LOGSOURCETYPENAME(devicetype) ilike '%Microsoft Windows Security Event Log%' and ("Message" ilike '%HTool%' or "Message" ilike '%Hacktool%' or "Message" ilike '%ASP/Backdoor%' or "Message" ilike '%JSP/Backdoor%' or "Message" ilike '%PHP/Backdoor%' or "Message" ilike '%Backdoor.ASP%' or "Message" ilike '%Backdoor.JSP%' or "Message" ilike '%Backdoor.PHP%' or "Message" ilike '%Webshell%' or "Message" ilike '%Portscan%' or "Message" ilike '%Mimikatz%' or "Message" ilike '%WinCred%' or "Message" ilike '%PlugX%' or "Message" ilike '%Korplug%' or "Message" ilike '%Pwdump%' or "Message" ilike '%Chopper%' or "Message" ilike '%WmiExec%' or "Message" ilike '%Xscan%' or "Message" ilike '%Clearlog%' or "Message" ilike '%ASPXSpy%') and not (("Message" ilike '%Keygen%' or "Message" ilike '%Crack%')))
  • Splunk
(source="WinEventLog:Application" (Message="*HTool*" OR Message="*Hacktool*" OR Message="*ASP/Backdoor*" OR Message="*JSP/Backdoor*" OR Message="*PHP/Backdoor*" OR Message="*Backdoor.ASP*" OR Message="*Backdoor.JSP*" OR Message="*Backdoor.PHP*" OR Message="*Webshell*" OR Message="*Portscan*" OR Message="*Mimikatz*" OR Message="*WinCred*" OR Message="*PlugX*" OR Message="*Korplug*" OR Message="*Pwdump*" OR Message="*Chopper*" OR Message="*WmiExec*" OR Message="*Xscan*" OR Message="*Clearlog*" OR Message="*ASPXSpy*") NOT ((Message="*Keygen*" OR Message="*Crack*")))
  • Elastic Query
(winlog.channel:Application AND Message:(HTool OR Hacktool OR ASP\/Backdoor OR JSP\/Backdoor OR PHP\/Backdoor OR Backdoor.ASP OR Backdoor.JSP OR Backdoor.PHP OR Webshell OR Portscan OR Mimikatz OR WinCred OR PlugX OR Korplug OR Pwdump OR Chopper OR WmiExec OR Xscan OR Clearlog OR ASPXSpy) AND (NOT (Message:(Keygen OR Crack))))
  • EDR Carbon Black
(Message:HTool* OR Message:Hacktool* OR Message:ASP/Backdoor* OR Message:JSP/Backdoor* OR Message:PHP/Backdoor* OR Message:Backdoor.ASP* OR Message:Backdoor.JSP* OR Message:Backdoor.PHP* OR Message:Webshell* OR Message:Portscan* OR Message:Mimikatz* OR Message:WinCred* OR Message:PlugX* OR Message:Korplug* OR Message:Pwdump* OR Message:Chopper* OR Message:WmiExec* OR Message:Xscan* OR Message:Clearlog* OR Message:ASPXSpy* AND ( -(Message:Keygen* OR Message:Crack*)))
  • Windows PowerShell
Get-WinEvent -LogName Application | where {(($_.message -match "Message..HTool." -or $_.message -match "Message..Hacktool." -or $_.message -match "Message..ASP/Backdoor." -or $_.message -match "Message..JSP/Backdoor." -or $_.message -match "Message..PHP/Backdoor." -or $_.message -match "Message..Backdoor.ASP." -or $_.message -match "Message..Backdoor.JSP." -or $_.message -match "Message..Backdoor.PHP." -or $_.message -match "Message..Webshell." -or $_.message -match "Message..Portscan." -or $_.message -match "Message..Mimikatz." -or $_.message -match "Message..WinCred." -or $_.message -match "Message..PlugX." -or $_.message -match "Message..Korplug." -or $_.message -match "Message..Pwdump." -or $_.message -match "Message..Chopper." -or $_.message -match "Message..WmiExec." -or $_.message -match "Message..Xscan." -or $_.message -match "Message..Clearlog." -or $_.message -match "Message..ASPXSpy.") -and -not (($_.message -match "Message..Keygen." -or $_.message -match "Message..Crack."))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
  • RegEx

Leave a Reply

Your email address will not be published.