Antivirus - Remote Access Tools Signature
Detects a highly relevant Antivirus alert that reports a remote access tool. This event must not be ignored just because the AV has blocked the malware but investigate, how it came there in the first place.
Sigma rule (View on GitHub)
1title: Antivirus - Remote Access Tools Signature
2id: 97233998-3838-4581-88c6-f1d19d3993fb
3status: experimental
4description: |
5 Detects a highly relevant Antivirus alert that reports a remote access tool.
6 This event must not be ignored just because the AV has blocked the malware but investigate, how it came there in the first place.
7references:
8 - https://www.nextron-systems.com/?s=antivirus
9 - https://www.virustotal.com/gui/file/d9669f7e3eb3a9cdf6a750eeb2ba303b5ae148a43e36546896f1d1801e912466
10author: Arnim Rupp (Nextron Systems)
11date: 2026-06-15
12tags:
13 - attack.execution
14 - attack.t1203
15 - attack.command-and-control
16 - attack.t1219.002
17logsource:
18 category: antivirus
19detection:
20 selection:
21 Signature|contains:
22 - 'AgentB'
23 - 'AgentTesla'
24 - 'AMRat'
25 - 'Ammyy'
26 - 'AsyncRAT'
27 - 'Bandook'
28 - 'Bitrat'
29 - 'Bladabindi'
30 - 'Connectwise'
31 - 'CyberGate'
32 - 'DarkComet'
33 - 'DCrat'
34 - 'Delf'
35 - 'DokStorm'
36 - 'Egairtigado'
37 - 'Gh0st'
38 - 'Gorat'
39 - 'GodRat'
40 - 'Jalapeno'
41 - 'LummaC2'
42 - 'Minirat'
43 - 'Netwire'
44 - 'NanoCore'
45 - 'NJRat'
46 - 'Paralax'
47 - 'PlugX'
48 - 'Pulsar'
49 - 'Quasar'
50 - 'Remcos'
51 - 'Ravartar'
52 - 'RemoteAdmin'
53 - 'RemoteTool'
54 - 'revengeRAT'
55 - 'rokRAT'
56 - 'salatstealer'
57 - 'Salgorea'
58 - 'SmokedHam'
59 - 'TigerRat'
60 - 'Tzeebot'
61 - 'WarZone'
62 - 'VenomRAT'
63 - 'Vidar'
64 - 'Wirenet'
65 - 'XWorm'
66 - 'Zapchast'
67 - 'Zegost'
68 condition: selection
69falsepositives:
70 - Unlikely
71level: critical
References
Related rules
- Antivirus - APT Malware Signature
- Antivirus - Exploitation Framework Signature
- Suspicious Download From File-Sharing Website Via Bitsadmin
- Audit CVE Event
- Axios NPM Compromise Indicators - Linux