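---
# Sigma rule: antivirus detections on files living in paths, or carrying
# extensions, that rarely belong to legitimate software. Pattern syntax is
# Sigma's: `*` is a wildcard and `\\` is one literal backslash, so a trailing
# `\\*` matches "a backslash followed by anything".
- title: Antivirus Relevant File Paths Alerts
  id: c9a88268-0047-4824-ba6e-4d81ce0b907c
  # Folded so the text is one scalar regardless of how the line is wrapped.
  description: >-
    Detects an Antivirus alert in a highly relevant file path or with a
    relevant file name
  date: 2018/09/09
  modified: 2019/10/04
  author: Florian Roth
  references:
    - https://www.nextron-systems.com/2018/09/08/antivirus-event-analysis-cheat-sheet-v1-4/
  logsource:
    product: antivirus
    service: null
    category: null
  detection:
    selection:
      FileName:
        # Drop locations: every entry is quoted so the `\\` escaping and the
        # leading `*` (a YAML alias sigil when unquoted) are handled uniformly.
        - 'C:\Windows\Temp\\*'
        - 'C:\Temp\\*'
        - '*\\Client\\*'
        - 'C:\PerfLogs\\*'
        - 'C:\Users\Public\\*'
        - 'C:\Users\Default\\*'
        # Script, shortcut and web-shell extensions.
        # NOTE(review): `*.xml` and `*.txt` match any file with that extension,
        # which is far broader than the path entries; confirm the event volume
        # on the AV product in use still justifies `falsepositives: Unlikely`.
        - '*.ps1'
        - '*.vbs'
        - '*.bat'
        - '*.chm'
        - '*.xml'
        - '*.txt'
        - '*.jsp'
        - '*.jspx'
        - '*.asp'
        - '*.aspx'
        - '*.php'
        - '*.war'
        - '*.hta'
        - '*.lnk'
        - '*.scf'
        - '*.sct'
        - '*.vbe'
        - '*.wsf'
        - '*.wsh'
    condition: selection
  fields:
    - Signature
    - User
  falsepositives:
    - Unlikely
  level: high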
from elasticsearch import Elasticsearch
from elasticsearch_dsl import Search
import pandas as pd
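# Connection settings for the HELK Elasticsearch backend this notebook queries.
# Kept as named constants so the target cluster/index can be changed in one place.
ES_HOSTS = ['http://helk-elasticsearch:9200']
ES_INDEX = 'logs-*'
# NOTE(review): doc_type selects a legacy mapping type (removed in newer
# Elasticsearch majors) — confirm it matches the cluster version in use.
ES_DOC_TYPE = 'doc'

es = Elasticsearch(ES_HOSTS)
# Base search object; the detection query is attached in the next cell.
searchContext = Search(using=es, index=ES_INDEX, doc_type=ES_DOC_TYPE)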
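# Lucene query_string equivalent of the Sigma rule's FileName selection.
# Raw strings are used so the escaping reaches Elasticsearch exactly as written:
# in a normal literal '\\' collapses to a single backslash and '\:' is an
# invalid escape sequence, so the escaped path separators and the `\\*`
# wildcards would be altered before the query is sent.
FILE_NAME_QUERY = (
    r'file_name.keyword:(C\:\\Windows\\Temp\\* OR C\:\\Temp\\* OR *\\Client\\* '
    r'OR C\:\\PerfLogs\\* OR C\:\\Users\\Public\\* OR C\:\\Users\\Default\\* '
    r'OR *.ps1 OR *.vbs OR *.bat OR *.chm OR *.xml OR *.txt OR *.jsp OR *.jspx '
    r'OR *.asp OR *.aspx OR *.php OR *.war OR *.hta OR *.lnk OR *.scf OR *.sct '
    r'OR *.vbe OR *.wsf OR *.wsh)'
)

s = searchContext.query('query_string', query=FILE_NAME_QUERY)
response = s.execute()
if response.success():
    # scan() pages through every matching hit, not just the first response page.
    df = pd.DataFrame((d.to_dict() for d in s.scan()))
else:
    # Keep df defined so the cells below do not fail with a NameError
    # when the search could not be executed.
    df = pd.DataFrame()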
# Preview the first rows of the result set (n=5 is pandas' default).
df.head(n=5)