- title: Relevant Anti-Virus Event
id: 78bc5783-81d9-4d73-ac97-59f6db4f72a8
description: This detection method points out highly relevant Antivirus events
author: Florian Roth
logsource:
product: windows
service: application
category: null
detection:
keywords:
Message:
- '*HTool*'
- '*Hacktool*'
- '*ASP/Backdoor*'
- '*JSP/Backdoor*'
- '*PHP/Backdoor*'
- '*Backdoor.ASP*'
- '*Backdoor.JSP*'
- '*Backdoor.PHP*'
- '*Webshell*'
- '*Portscan*'
- '*Mimikatz*'
- '*WinCred*'
- '*PlugX*'
- '*Korplug*'
- '*Pwdump*'
- '*Chopper*'
- '*WmiExec*'
- '*Xscan*'
- '*Clearlog*'
- '*ASPXSpy*'
filters:
Message:
- '*Keygen*'
- '*Crack*'
condition: keywords and not 1 of filters
falsepositives:
- Some software piracy tools (key generators, cracks) are classified as hack tools
level: high
In [ ]:
from elasticsearch import Elasticsearch
from elasticsearch_dsl import Search
import pandas as pd
In [ ]:
es = Elasticsearch(['http://helk-elasticsearch:9200'])
searchContext = Search(using=es, index='logs-endpoint-winevent-application-*', doc_type='doc')
In [ ]:
s = searchContext.query('query_string', query='(Message.keyword:(*HTool* OR *Hacktool* OR *ASP\/Backdoor* OR *JSP\/Backdoor* OR *PHP\/Backdoor* OR *Backdoor.ASP* OR *Backdoor.JSP* OR *Backdoor.PHP* OR *Webshell* OR *Portscan* OR *Mimikatz* OR *WinCred* OR *PlugX* OR *Korplug* OR *Pwdump* OR *Chopper* OR *WmiExec* OR *Xscan* OR *Clearlog* OR *ASPXSpy*) AND (NOT (Message.keyword:(*Keygen* OR *Crack*))))')
response = s.execute()
if response.success():
df = pd.DataFrame((d.to_dict() for d in s.scan()))
In [ ]:
df.head()