Antivirus - APT Malware Signature
Detects a highly relevant Antivirus alert that reports APT malware. This event must not be ignored just because the AV has blocked the malware but investigate, how it came there in the first place.
Sigma rule (View on GitHub)
1title: Antivirus - APT Malware Signature
2id: 101a1877-2cf4-474d-abfd-7f6ac4788d1a
3status: experimental
4description: |
5 Detects a highly relevant Antivirus alert that reports APT malware.
6 This event must not be ignored just because the AV has blocked the malware but investigate, how it came there in the first place.
7references:
8 - https://www.nextron-systems.com/?s=antivirus
9author: Arnim Rupp (Nextron Systems)
10date: 2026-06-15
11tags:
12 - attack.execution
13 - attack.t1203
14 - attack.command-and-control
15 - attack.t1219.002
16logsource:
17 category: antivirus
18detection:
19 selection:
20 - Signature|re:
21 - 'APT\d'
22 - 'ATK\d'
23 - 'UNC\d'
24 - 'UAC\d'
25 - Signature|contains:
26 - "[APT]"
27 - 'APT_'
28 - 'APT-'
29 - 'BackOrder'
30 - 'BlindingCan'
31 - 'Blizzard'
32 - 'Chollima'
33 - 'Cleaver'
34 - 'Cobra'
35 - 'DarkHotel'
36 - 'Dragon'
37 - 'DTrack'
38 - 'Equation'
39 - 'GiftedCrook'
40 - 'GraphSteel'
41 - 'GreyEnergy'
42 - 'GEnergy'
43 - 'GrimPlant'
44 - 'Hydra'
45 - 'Jackal'
46 - 'Kitten'
47 - 'Kimsuky'
48 - 'Lazar' # Lazarus
49 - 'LightRail'
50 - 'Lotus'
51 - 'Luminous'
52 - 'LumiMoth'
53 - 'Nimbus'
54 - 'Manticore'
55 - 'MiniBike'
56 - 'MiniBrowse'
57 - 'MiniBus'
58 - 'MiniFast'
59 - 'MiniJuke'
60 - 'MiniUpdate'
61 - 'MuddyWater'
62 - 'NukeSped'
63 - 'OilRig'
64 - 'Panda'
65 - 'Sandstorm'
66 - 'SandWorm'
67 - 'Seamonkey'
68 - 'Sleet'
69 - 'SlugResin'
70 - 'SnailResin'
71 - 'Snake'
72 - 'Tempest'
73 - 'Tsunami'
74 - 'Turla'
75 - 'Typhoon'
76 - 'UAC_'
77 - 'UAC-'
78 - 'UNC_'
79 - 'UNC-'
80 - 'VinoSiren'
81 - 'Winnti'
82 condition: selection
83falsepositives:
84 - Unlikely
85level: critical
References
Related rules
- Antivirus - Exploitation Framework Signature
- Antivirus - Remote Access Tools Signature
- Suspicious Download From File-Sharing Website Via Bitsadmin
- Audit CVE Event
- Axios NPM Compromise Indicators - Linux