Sigma rules for CVE-2020-15024
8 rules · scoped to cve · back to CVE-2020-15024
Direct rules mention this entity in their title or description. Related rules cover the techniques this entity is known to use.
title: Antivirus Exploitation Framework Detection
id: 238527ad-3c2c-4e4f-a1f6-92fd63adb864
status: stable
description: |
Detects a highly relevant Antivirus alert that reports an exploitation framework.
This event must not be ignored just because the AV has blocked the malware but investigate, how it came there in the first place.
references:
- https://www.nextron-systems.com/?s=antivirus
- https://www.virustotal.com/gui/file/925b0b28472d4d79b4bf92050e38cc2b8f722691c713fc28743ac38551bc3797
- https://www.virustotal.com/gui/file/8f8daabe1c8ceb5710949283818e16c4aa8059bf2ce345e2f2c90b8692978424
- https://www.virustotal.com/gui/file/d9669f7e3eb3a9cdf6a750eeb2ba303b5ae148a43e36546896f1d1801e912466
author: Florian Roth (Nextron Systems), Arnim Rupp
date: 2018-09-09
modified: 2024-11-02
tags:
- attack.execution
- attack.t1203
- attack.command-and-control
- attack.t1219.002
logsource:
category: antivirus
detection:
selection:
Signature|contains:
- 'Backdoor.Cobalt'
- 'Brutel'
- 'BruteR'
- 'CobaltStr'
- 'CobaltStrike'
- 'COBEACON'
- 'Cometer'
- 'Exploit.Script.CVE'
- 'IISExchgSpawnCMD'
- 'Metasploit'
- 'Meterpreter'
- 'MeteTool'
- 'Mpreter'
- 'MsfShell'
- 'PowerSploit'
- 'Razy'
- 'Rozena'
- 'Sbelt'
- 'Seatbelt'
- 'Sliver'
- 'Swrort'
condition: selection
falsepositives:
- Unlikely
level: critical
title: Antivirus Password Dumper Detection
id: 78cc2dd2-7d20-4d32-93ff-057084c38b93
status: stable
description: |
Detects a highly relevant Antivirus alert that reports a password dumper.
This event must not be ignored just because the AV has blocked the malware but investigate, how it came there in the first place.
references:
- https://www.nextron-systems.com/?s=antivirus
- https://www.virustotal.com/gui/file/5fcda49ee7f202559a6cbbb34edb65c33c9a1e0bde9fa2af06a6f11b55ded619
- https://www.virustotal.com/gui/file/a4edfbd42595d5bddb442c82a02cf0aaa10893c1bf79ea08b9ce576f82749448
author: Florian Roth (Nextron Systems), Arnim Rupp
date: 2018-09-09
modified: 2024-11-02
tags:
- attack.credential-access
- attack.t1003
- attack.t1558
- attack.t1003.001
- attack.t1003.002
logsource:
category: antivirus
detection:
selection:
- Signature|startswith: 'PWS'
- Signature|contains:
- 'Certify'
- 'DCSync'
- 'DumpCreds'
- 'DumpLsass'
- 'DumpPert'
- 'HTool/WCE'
- 'Kekeo'
- 'Lazagne'
- 'LsassDump'
- 'Mimikatz'
- 'MultiDump'
- 'Nanodump'
- 'NativeDump'
- 'Outflank'
- 'PShlSpy'
- 'PSWTool'
- 'PWCrack'
- 'PWDump'
- 'PWS.'
- 'PWSX'
- 'pypykatz'
- 'Rubeus'
- 'SafetyKatz'
- 'SecurityTool'
- 'SharpChrome'
- 'SharpDPAPI'
- 'SharpDump'
- 'SharpKatz'
- 'SharpS.' # Sharpsploit, e.g. 530ea2ff9049f5dfdfa0a2e9c27c2e3c0685eb6cbdf85370c20a7bfae49f592d
- 'ShpKatz'
- 'TrickDump'
condition: selection
falsepositives:
- Unlikely
level: critical
title: Antivirus Ransomware Detection
id: 4c6ca276-d4d0-4a8c-9e4c-d69832f8671f
status: test
description: |
Detects a highly relevant Antivirus alert that reports ransomware.
This event must not be ignored just because the AV has blocked the malware but investigate, how it came there in the first place.
references:
- https://www.nextron-systems.com/?s=antivirus
- https://www.virustotal.com/gui/file/43b0f7872900bd234975a0877744554f4f355dc57505517abd1ef611e1ce6916
- https://www.virustotal.com/gui/file/c312c05ddbd227cbb08958876df2b69d0f7c1b09e5689eb9d93c5b357f63eff7
- https://www.virustotal.com/gui/file/20179093c59bca3acc6ce9a4281e8462f577ffd29fd7bf51cf2a70d106062045
- https://www.virustotal.com/gui/file/554db97ea82f17eba516e6a6fdb9dc04b1d25580a1eb8cb755eeb260ad0bd61d
- https://www.virustotal.com/gui/file/69fe77dd558e281621418980040e2af89a2547d377d0f2875502005ce22bc95c
- https://www.virustotal.com/gui/file/6f0f20da34396166df352bf301b3c59ef42b0bc67f52af3d541b0161c47ede05
author: Florian Roth (Nextron Systems), Arnim Rupp
date: 2022-05-12
modified: 2024-11-02
tags:
- attack.t1486
- attack.impact
logsource:
category: antivirus
detection:
selection:
Signature|contains:
- 'BlackWorm'
- 'Chaos'
- 'Cobra'
- 'ContiCrypt'
- 'Crypter'
- 'CRYPTES'
- 'Cryptor'
- 'CylanCrypt'
- 'DelShad'
- 'Destructor'
- 'Filecoder'
- 'GandCrab'
- 'GrandCrab'
- 'Haperlock'
- 'Hiddentear'
- 'HydraCrypt'
- 'Krypt'
- 'Lockbit'
- 'Locker'
- 'Mallox'
- 'Phobos'
- 'Ransom'
- 'Ryuk'
- 'Ryzerlo'
- 'Stopcrypt'
- 'Tescrypt'
- 'TeslaCrypt'
- 'WannaCry'
- 'Xorist'
condition: selection
falsepositives:
- Unlikely
level: critical
title: Antivirus Web Shell Detection
id: fdf135a2-9241-4f96-a114-bb404948f736
status: test
description: |
Detects a highly relevant Antivirus alert that reports a web shell.
It's highly recommended to tune this rule to the specific strings used by your anti virus solution by downloading a big WebShell repository from e.g. github and checking the matches.
This event must not be ignored just because the AV has blocked the malware but investigate, how it came there in the first place.
references:
- https://www.nextron-systems.com/?s=antivirus
- https://github.com/tennc/webshell
- https://www.virustotal.com/gui/file/bd1d52289203866645e556e2766a21d2275877fbafa056a76fe0cf884b7f8819/detection
- https://www.virustotal.com/gui/file/308487ed28a3d9abc1fec7ebc812d4b5c07ab025037535421f64c60d3887a3e8/detection
- https://www.virustotal.com/gui/file/7d3cb8a8ff28f82b07f382789247329ad2d7782a72dde9867941f13266310c80/detection
- https://www.virustotal.com/gui/file/e841675a4b82250c75273ebf0861245f80c6a1c3d5803c2d995d9d3b18d5c4b5/detection
- https://www.virustotal.com/gui/file/a80042c61a0372eaa0c2c1e831adf0d13ef09feaf71d1d20b216156269045801/detection
- https://www.virustotal.com/gui/file/b219f7d3c26f8bad7e175934cd5eda4ddb5e3983503e94ff07d39c0666821b7e/detection
- https://www.virustotal.com/gui/file/b8702acf32fd651af9f809ed42d15135f842788cd98d81a8e1b154ee2a2b76a2/detection
- https://www.virustotal.com/gui/file/13ae8bfbc02254b389ab052aba5e1ba169b16a399d9bc4cb7414c4a73cd7dc78/detection
author: Florian Roth (Nextron Systems), Arnim Rupp
date: 2018-09-09
modified: 2024-11-02
tags:
- attack.persistence
- attack.t1505.003
logsource:
category: antivirus
detection:
selection:
- Signature|startswith:
- 'ASP.'
- 'IIS/BackDoor'
- 'JAVA/Backdoor'
- 'JSP.'
- 'Perl.'
- 'PHP.'
- 'Troj/ASP'
- 'Troj/JSP'
- 'Troj/PHP'
- 'VBS/Uxor' # looking for 'VBS/' would also find downloader's and droppers meant for desktops
- Signature|contains:
- 'ASP_' # looking for 'VBS_' would also find downloader's and droppers meant for desktops
- 'ASP:'
- 'ASP.Agent'
- 'ASP/'
# - 'ASP/Agent'
- 'Aspdoor'
- 'ASPXSpy'
- 'Backdoor.ASP'
- 'Backdoor.Java'
- 'Backdoor.JSP'
- 'Backdoor.PHP'
- 'Backdoor.VBS'
- 'Backdoor/ASP'
- 'Backdoor/Java'
- 'Backdoor/JSP'
- 'Backdoor/PHP'
- 'Backdoor/VBS'
- 'C99shell'
- 'Chopper'
- 'filebrowser'
- 'JSP_'
- 'JSP:'
- 'JSP.Agent'
- 'JSP/'
# - 'JSP/Agent'
- 'Perl:'
- 'Perl/'
- 'PHP_'
- 'PHP:'
- 'PHP.Agent'
- 'PHP/'
# - 'PHP/Agent'
- 'PHPShell'
- 'PShlSpy'
- 'SinoChoper'
- 'Trojan.ASP'
- 'Trojan.JSP'
- 'Trojan.PHP'
- 'Trojan.VBS'
- 'VBS.Agent'
- 'VBS/Agent'
- 'Webshell'
condition: selection
falsepositives:
- Unlikely
level: high
title: Antivirus Relevant File Paths Alerts
id: c9a88268-0047-4824-ba6e-4d81ce0b907c
status: test
description: |
Detects an Antivirus alert in a highly relevant file path or with a relevant file name.
This event must not be ignored just because the AV has blocked the malware but investigate, how it came there in the first place.
references:
- https://www.nextron-systems.com/?s=antivirus
author: Florian Roth (Nextron Systems), Arnim Rupp
date: 2018-09-09
modified: 2024-11-02
tags:
- attack.resource-development
- attack.t1588
logsource:
category: antivirus
detection:
selection_path:
Filename|contains:
- ':\PerfLogs\'
- ':\Temp\'
- ':\Users\Default\'
- ':\Users\Public\'
- ':\Windows\'
- '/www/'
# - '\Client\'
- '\inetpub\'
- '\tsclient\'
- 'apache'
- 'nginx'
- 'tomcat'
- 'weblogic'
selection_ext:
Filename|endswith:
- '.asax'
- '.ashx'
- '.asmx'
- '.asp'
- '.aspx'
- '.bat'
- '.cfm'
- '.cgi'
- '.chm'
- '.cmd'
- '.dat'
- '.ear'
- '.gif'
- '.hta'
- '.jpeg'
- '.jpg'
- '.jsp'
- '.jspx'
- '.lnk'
- '.msc'
- '.php'
- '.pl'
- '.png'
- '.ps1'
- '.psm1'
- '.py'
- '.pyc'
- '.rb'
- '.scf'
- '.sct'
- '.sh'
- '.svg'
- '.txt'
- '.vbe'
- '.vbs'
- '.war'
- '.wll'
- '.wsf'
- '.wsh'
- '.xll'
- '.xml'
condition: 1 of selection_*
falsepositives:
- Unlikely
level: high
title: Antivirus Hacktool Detection
id: fa0c05b6-8ad3-468d-8231-c1cbccb64fba
status: stable
description: |
Detects a highly relevant Antivirus alert that reports a hack tool or other attack tool.
This event must not be ignored just because the AV has blocked the malware but investigate, how it came there in the first place.
references:
- https://www.nextron-systems.com/2021/08/16/antivirus-event-analysis-cheat-sheet-v1-8-2/
- https://www.nextron-systems.com/?s=antivirus
author: Florian Roth (Nextron Systems), Arnim Rupp
date: 2021-08-16
modified: 2024-11-02
tags:
- attack.execution
- attack.t1204
logsource:
category: antivirus
detection:
selection:
- Signature|startswith:
- 'ATK/' # Sophos
- 'Exploit.Script.CVE'
- 'HKTL'
- 'HTOOL'
- 'PWS.'
- 'PWSX'
- 'SecurityTool'
# - 'FRP.'
- Signature|contains:
- 'Adfind'
- 'Brutel'
- 'BruteR'
- 'Cobalt'
- 'COBEACON'
- 'Cometer'
- 'DumpCreds'
- 'FastReverseProxy'
- 'Hacktool'
- 'Havoc'
- 'Impacket'
- 'Keylogger'
- 'Koadic'
- 'Mimikatz'
- 'Nighthawk'
- 'PentestPowerShell'
- 'Potato'
- 'PowerSploit'
- 'PowerSSH'
- 'PshlSpy'
- 'PSWTool'
- 'PWCrack'
- 'PWDump'
- 'Rozena'
- 'Rusthound'
- 'Sbelt'
- 'Seatbelt'
- 'SecurityTool'
- 'SharpDump'
- 'SharpHound'
- 'Shellcode'
- 'Sliver'
- 'Snaffler'
- 'SOAPHound'
- 'Splinter'
- 'Swrort'
- 'TurtleLoader'
condition: selection
falsepositives:
- Unlikely
level: high
title: Antivirus Filter Driver Disallowed On Dev Drive - Registry
id: 31e124fb-5dc4-42a0-83b3-44a69c77b271
status: test
description: |
Detects activity that indicates a user disabling the ability for Antivirus mini filter to inspect a "Dev Drive".
references:
- https://twitter.com/0gtweet/status/1720419490519752955
author: '@kostastsale, Nasreddine Bencherchali (Nextron Systems)'
date: 2023-11-05
modified: 2024-08-16
tags:
- attack.defense-impairment
- attack.t1685
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|endswith: '\FilterManager\FltmgrDevDriveAllowAntivirusFilter'
Details: 'DWORD (0x00000000)'
condition: selection
falsepositives:
- Unlikely
level: high
title: Potential Antivirus Software DLL Sideloading
id: 552b6b65-df37-4d3e-a258-f2fc4771ae54
status: test
description: Detects potential DLL sideloading of DLLs that are part of antivirus software suchas McAfee, Symantec...etc
references:
- https://hijacklibs.net/ # For list of DLLs that could be sideloaded (search for dlls mentioned here in there)
author: Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)
date: 2022-08-17
modified: 2025-10-07
tags:
- attack.persistence
- attack.privilege-escalation
- attack.execution
- attack.stealth
- attack.t1574.001
logsource:
category: image_load
product: windows
detection:
# Bitdefender
selection_bitdefender:
ImageLoaded|endswith: '\log.dll'
filter_log_dll_bitdefender:
ImageLoaded|startswith:
- 'C:\Program Files\Bitdefender Antivirus Free\'
- 'C:\Program Files (x86)\Bitdefender Antivirus Free\'
filter_log_dll_dell_sar:
Image: 'C:\Program Files\Dell\SARemediation\audit\TelemetryUtility.exe'
ImageLoaded:
- 'C:\Program Files\Dell\SARemediation\plugin\log.dll'
- 'C:\Program Files\Dell\SARemediation\audit\log.dll'
filter_log_dll_canon:
ImageLoaded|startswith: 'C:\Program Files\Canon\MyPrinter\'
filter_log_dll_avast:
ImageLoaded:
- 'C:\Program Files\AVAST Software\Avast\log.dll'
- 'C:\Program Files (x86)\AVAST Software\Avast\log.dll'
filter_log_dll_avg:
ImageLoaded:
- 'C:\Program Files\AVG\Antivirus\log.dll'
- 'C:\Program Files (x86)\AVG\Antivirus\log.dll'
# F-Secure
selection_fsecure:
ImageLoaded|endswith: '\qrt.dll'
filter_fsecure:
ImageLoaded|startswith:
- 'C:\Program Files\F-Secure\Anti-Virus\'
- 'C:\Program Files (x86)\F-Secure\Anti-Virus\'
# McAfee
selection_mcafee:
ImageLoaded|endswith:
- '\ashldres.dll'
- '\lockdown.dll'
- '\vsodscpl.dll'
filter_mcafee:
ImageLoaded|startswith:
- 'C:\Program Files\McAfee\'
- 'C:\Program Files (x86)\McAfee\'
# CyberArk
selection_cyberark:
ImageLoaded|endswith: '\vftrace.dll'
filter_cyberark:
ImageLoaded|startswith:
- 'C:\Program Files\CyberArk\Endpoint Privilege Manager\Agent\x32\'
- 'C:\Program Files (x86)\CyberArk\Endpoint Privilege Manager\Agent\x32\'
# Avast
selection_avast:
ImageLoaded|endswith: '\wsc.dll'
filter_wsc_dll_avast:
ImageLoaded|startswith:
- 'C:\program Files\AVAST Software\Avast\'
- 'C:\program Files (x86)\AVAST Software\Avast\'
filter_wsc_dll_avg:
ImageLoaded|startswith:
- 'C:\Program Files\AVG\Antivirus\'
- 'C:\Program Files (x86)\AVG\Antivirus\'
# ESET
selection_eset_deslock:
ImageLoaded|endswith: '\DLPPREM32.dll'
filter_eset_deslock:
ImageLoaded|startswith:
- 'C:\program Files\ESET'
- 'C:\program Files (x86)\ESET'
# Trend Micro Titanium
selection_titanium:
ImageLoaded|endswith: '\tmdbglog.dll'
filter_titanium:
ImageLoaded|startswith:
- 'C:\program Files\Trend Micro\Titanium\'
- 'C:\program Files (x86)\Trend Micro\Titanium\'
condition: (selection_bitdefender and not 1 of filter_log_dll_*)
or (selection_fsecure and not filter_fsecure)
or (selection_mcafee and not filter_mcafee)
or (selection_cyberark and not filter_cyberark)
or (selection_avast and not 1 of filter_wsc_dll_*)
or (selection_titanium and not filter_titanium)
or (selection_eset_deslock and not filter_eset_deslock)
falsepositives:
- Applications that load the same dlls mentioned in the detection section. Investigate them and filter them out if a lot FPs are caused.
- Dell SARemediation plugin folder (C:\Program Files\Dell\SARemediation\plugin\log.dll) is known to contain the 'log.dll' file.
- The Canon MyPrinter folder 'C:\Program Files\Canon\MyPrinter\' is known to contain the 'log.dll' file
level: medium