Antivirus - Remote Access Tools Signature

Sigma Rules

Summary
This detection rule flags antivirus alerts whose signature name contains a known remote access tool (RAT) family, for example AgentTesla, Remcos, NanoCore, NJRat, Netwire or DarkComet, among many others; any match fires the rule. It is rated critical, and the rule's own guidance is that an instance the antivirus blocked or quarantined still warrants investigation to establish how the malware reached the host in the first place. A signature match is a strong signal, but some antivirus products classify legitimate remote-support software under similar names, so the alert needs context before it is treated as a compromise. Analysts should correlate the hit with process, file and network telemetry from the same host and time window, and check for outbound command-and-control connections and for persistence mechanisms (services, scheduled tasks, run keys) tied to the flagged file. The goal is to identify attacker activity and drive containment and root-cause analysis, not simply to close the antivirus alert. The rule's MITRE ATT&CK references cover remote access tools and command-and-control behavior.
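The matching logic described above, as an added example that is not the rule's own source: antivirus events are scanned for a RAT family name inside the signature field, with case-insensitive substring matching as a Sigma `contains` modifier performs. The family list is a short assumed subset of what the real rule carries, the JSON-lines event format and the sample events are constructed for the example, and the triage note that follows each hit is the editor's illustration of the "still investigate a blocked instance" guidance.

```python
import json
from dataclasses import dataclass

# Assumed subset of RAT family names; the actual Sigma rule lists many more.
RAT_FAMILIES = [
    "AgentTesla", "AsyncRat", "DarkComet", "NanoCore",
    "Netwire", "NjRat", "Remcos", "QuasarRat",
]

# Constructed sample antivirus events in JSON-lines form (not real telemetry).
# The second event is a generic remote-admin classification, not a RAT family,
# and must not fire; the last one is unrelated adware.
SAMPLE_LINES = r"""
{"host": "WS01", "action": "quarantined", "signature": "Trojan:Win32/AgentTesla.A", "path": "C:\\Users\\bob\\AppData\\Local\\Temp\\inv.exe"}
{"host": "WS02", "action": "allowed", "signature": "PUA:Win32/RemoteAdmin", "path": "C:\\Program Files\\Support\\ra.exe"}
{"host": "WS03", "action": "quarantined", "signature": "Backdoor.Win32.NjRat.gen", "path": "C:\\Users\\ann\\Downloads\\setup.exe"}
{"host": "WS04", "action": "blocked", "signature": "Trojan.Remcos!ml", "path": "D:\\tmp\\update.exe"}
{"host": "WS05", "action": "quarantined", "signature": "Adware:Win32/Generic", "path": "C:\\Users\\eve\\Downloads\\toolbar.exe"}
""".strip().splitlines()


@dataclass
class Alert:
    host: str
    family: str
    signature: str
    action: str
    path: str


def match_family(signature: str):
    """Return the first RAT family whose name occurs in the signature string.

    Matching is case-insensitive substring matching, which is how a Sigma
    'Signature|contains' selection behaves. Returns None when nothing matches.
    """
    sig = signature.lower()
    for family in RAT_FAMILIES:
        if family.lower() in sig:
            return family
    return None


def detect(lines):
    """Run the RAT-signature check over JSON-lines antivirus events."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        family = match_family(event.get("signature", ""))
        if family is None:
            continue
        alerts.append(Alert(
            host=event.get("host", "?"),
            family=family,
            signature=event["signature"],
            action=event.get("action", "unknown"),
            path=event.get("path", ""),
        ))
    return alerts


def triage_note(alert: Alert) -> str:
    """Illustrative triage hint: a contained file is still a critical finding,
    because the open question is how the RAT reached the host."""
    contained = alert.action.lower() in {"blocked", "quarantined", "deleted"}
    if contained:
        return (f"AV contained {alert.family} on {alert.host}; investigate delivery "
                f"path of {alert.path}, persistence and outbound connections")
    return (f"AV did not contain {alert.family} on {alert.host}; treat as an "
            f"active compromise and isolate the host")


if __name__ == "__main__":
    for alert in detect(SAMPLE_LINES):
        print(f"{alert.host} {alert.signature} -> {triage_note(alert)}")
```

Running the block prints one line per hit on WS01, WS03 and WS04; the generic RemoteAdmin classification on WS02 does not match because the rule keys on RAT family names rather than on any remote-administration label, which is also why a product that files a commercial support tool under a RAT family name can still produce a false positive that needs the process and network correlation described above.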
Categories
  • Endpoint
  • Windows
Data Sources
  • Application Log
  • Process
Created: 2026-06-15