Antivirus - APT Malware Signature

Sigma Rules

Summary
This Sigma rule flags antivirus alerts whose signature name indicates potential APT malware involvement. It matches when the antivirus event's Signature field satisfies either of two criteria: (1) a regular expression for APT-style actor identifiers (APT\d, ATK\d, UNC\d, UAC\d) or (2) a contains check against a broad list of known APT families (e.g., Lazar, Winnti, Turla, DarkHotel, Sandworm, etc.). The rule is designed to surface these alerts even when the AV blocks the malware, because the open question for investigators is how the sample arrived on the host. Labeled critical, it supports rapid triage, with the expectation that correlated analytics (network, process, and user activity) will follow to identify initial access and propagation vectors. The rule is tied to antivirus log sources, and its tags align it with ATT&CK techniques around execution and command-and-control. False positives are considered unlikely.
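The two-branch match described above, reproduced in Python as an added illustration (this is not the rule's own source or the Sigma project's code). Assumptions: the regex text is written from the page's description of it, the family list is only the subset the summary names (the full list lives in the rule), field names in the sample events are invented, and the events themselves are constructed. The example also shows the case-handling difference between the two branches: Sigma's `contains` modifier matches case-insensitively, while the `re` modifier is case-sensitive unless the rule asks otherwise, so a lower-case `apt1` in a signature name is not caught by the regex branch.

```python
import re

# Branch 1 (Sigma `re` modifier, case-sensitive by default): APT-style actor identifiers.
# Pattern text is an assumption derived from the page's description (APT\d, ATK\d, UNC\d, UAC\d).
APT_ID_PATTERN = re.compile(r"(APT|ATK|UNC|UAC)\d")

# Branch 2 (Sigma `contains` modifier, case-insensitive): subset of the family names the
# summary lists. The full list is in the rule source, not reproduced here.
APT_FAMILIES = ("Lazar", "Winnti", "Turla", "DarkHotel", "Sandworm")

# Constructed antivirus events. Field names are an assumption; a real Sigma antivirus
# logsource mapping normalises the product-specific field to `Signature`.
SAMPLE_EVENTS = [
    {"Computer": "ws-01", "Action": "blocked",     "Signature": "Trojan.Win32.Lazarus.a"},
    {"Computer": "ws-02", "Action": "quarantined", "Signature": "Backdoor.APT28.Sofacy"},
    {"Computer": "ws-03", "Action": "blocked",     "Signature": "Trojan.WINNTI.gen"},
    {"Computer": "ws-04", "Action": "blocked",     "Signature": "Trojan.apt1.gen"},
    {"Computer": "ws-05", "Action": "cleaned",     "Signature": "Generic.Malware.12345"},
    {"Computer": "ws-06", "Action": "detected",    "Signature": "EICAR-Test-File"},
]


def match_reason(signature: str):
    """Return which branch of the rule fires for a Signature value, or None.

    'Lazar' as a substring deliberately catches 'Lazarus' and similar variants,
    which is why the rule uses `contains` rather than exact names.
    """
    if APT_ID_PATTERN.search(signature):
        return "re"
    sig_lower = signature.lower()
    for family in APT_FAMILIES:
        if family.lower() in sig_lower:
            return f"contains:{family}"
    return None


def triage(events):
    """Return the matching events, tagged with the firing branch and the rule's level.

    Note that blocked/quarantined events are kept: the rule wants them surfaced
    so an analyst can work out how the sample reached the host.
    """
    hits = []
    for event in events:
        reason = match_reason(event.get("Signature", ""))
        if reason is not None:
            hits.append({**event, "reason": reason, "level": "critical"})
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(f"{hit['Computer']:6} {hit['Action']:12} {hit['Signature']:28} via {hit['reason']}")
```

Running it flags ws-01, ws-02 and ws-03 and leaves ws-04 alone: the `apt1` signature shows the case-sensitivity gap between the two branches, which is worth remembering when a vendor lower-cases its detection names.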
Categories
  • Endpoint
Data Sources
  • Application Log
  • Process
Created: 2026-06-15