Sigma rules for CVE-2006-5645
2 rules · scoped to cve · back to CVE-2006-5645
Direct rules mention this entity in their title or description. Related rules cover the techniques this entity is known to use.
title: Relevant Anti-Virus Signature Keywords In Application Log
id: 78bc5783-81d9-4d73-ac97-59f6db4f72a8
status: test
description: |
Detects potentially highly relevant antivirus events in the application log based on known virus signature names and malware keywords.
references:
- https://www.virustotal.com/gui/file/13828b390d5f58b002e808c2c4f02fdd920e236cc8015480fa33b6c1a9300e31
- https://www.virustotal.com/gui/file/15b57c1b68cd6ce3c161042e0f3be9f32d78151fe95461eedc59a79fc222c7ed
- https://www.virustotal.com/gui/file/5092b2672b4cb87a8dd1c2e6047b487b95995ad8ed5e9fc217f46b8bfb1b8c01
- https://www.nextron-systems.com/?s=antivirus
author: Florian Roth (Nextron Systems), Arnim Rupp
date: 2017-02-19
modified: 2024-12-25
tags:
- attack.resource-development
- attack.t1588
logsource:
product: windows
service: application
detection:
keywords:
- 'Adfind'
- 'ASP/BackDoor '
- 'ATK/'
- 'Backdoor.ASP'
- 'Backdoor.Cobalt'
- 'Backdoor.JSP'
- 'Backdoor.PHP'
- 'Blackworm'
- 'Brutel'
- 'BruteR'
- 'Chopper'
- 'Cobalt'
- 'COBEACON'
- 'Cometer'
- 'CRYPTES'
- 'Cryptor'
- 'Destructor'
- 'DumpCreds'
- 'Exploit.Script.CVE'
- 'FastReverseProxy'
- 'Filecoder'
- 'GrandCrab '
- 'HackTool'
- 'HKTL'
- 'HTool-'
- '/HTool'
- '.HTool'
- 'IISExchgSpawnCMD'
- 'Impacket'
- 'JSP/BackDoor '
- 'Keylogger'
- 'Koadic'
- 'Krypt'
- 'Lazagne'
- 'Metasploit'
- 'Meterpreter'
- 'MeteTool'
- 'mikatz'
- 'Mimikatz'
- 'Mpreter'
- 'MsfShell'
- 'Nighthawk'
- 'Packed.Generic.347'
- 'PentestPowerShell'
- 'Phobos'
- 'PHP/BackDoor '
- 'Potato'
- 'PowerSploit'
- 'PowerSSH'
- 'PshlSpy'
- 'PSWTool'
- 'PWCrack'
- 'PWDump'
- 'Ransom'
- 'Rozena'
- 'Ryzerlo'
- 'Sbelt'
- 'Seatbelt'
- 'SecurityTool '
- 'SharpDump'
- 'Shellcode'
- 'Sliver'
- 'Splinter'
- 'Swrort'
- 'Tescrypt'
- 'TeslaCrypt'
- 'TurtleLoader'
- 'Valyria'
- 'Webshell'
# - 'FRP.'
# - 'Locker'
# - 'PWS.'
# - 'PWSX'
# - 'Razy'
# - 'Ryuk'
filter_optional_generic:
- 'anti_ransomware_service.exe'
- 'Anti-Ransomware'
- 'Crack'
- 'cyber-protect-service.exe'
- 'encryptor'
- 'Keygen'
filter_optional_information:
Level: 4 # Information level
filter_optional_restartmanager:
Provider_Name: 'Microsoft-Windows-RestartManager'
condition: keywords and not 1 of filter_optional_*
falsepositives:
- Some software piracy tools (key generators, cracks) are classified as hack tools
level: high
title: Kaspersky Endpoint Security Stopped Via CommandLine - Linux
id: 36388120-b3f1-4ce9-b50b-280d9a7f4c04
status: experimental
description: |
Detects execution of the Kaspersky init.d stop script on Linux systems either directly or via systemctl.
This activity may indicate a manual interruption of the antivirus service by an administrator, or it could be a sign of potential tampering or evasion attempts by malicious actors.
references:
- https://support.kaspersky.com/KES4Linux/12.0.0/en-US/197929.htm
author: Milad Cheraghi
date: 2025-10-18
tags:
- attack.execution
- attack.defense-impairment
- attack.t1685
logsource:
product: linux
category: process_creation
detection:
selection:
Image|endswith:
# Note: Add the list of shells allowed in your environment that can be used to run init.d scripts.
- '/systemctl'
- '/bash'
- '/sh'
CommandLine|contains|all:
- 'stop'
- 'kesl'
condition: selection
falsepositives:
- System administrator manually stopping Kaspersky services
level: high