Antivirus - Remote Access Tools Signature

Original Source: [Sigma source]
Title: Antivirus - Remote Access Tools Signature
Status: experimental
Description: Detects a highly relevant antivirus alert that reports a remote access tool. This event must not be ignored just because the AV has blocked the malware; instead, investigate how it got onto the system in the first place.
References:
  - https://www.nextron-systems.com/?s=antivirus
  - https://www.virustotal.com/gui/file/d9669f7e3eb3a9cdf6a750eeb2ba303b5ae148a43e36546896f1d1801e912466
Author: Arnim Rupp (Nextron Systems)
Date: 2026-06-15
Modified: None
Tags:
  - 'attack.execution'
  - 'attack.t1203'
  - 'attack.command-and-control'
  - 'attack.t1219.002'
Logsource:
  category: antivirus
Detection:
  selection:
    Signature|contains:
      - 'AgentB'
      - 'AgentTesla'
      - 'AMRat'
      - 'Ammyy'
      - 'AsyncRAT'
      - 'Bandook'
      - 'Bitrat'
      - 'Bladabindi'
      - 'Connectwise'
      - 'CyberGate'
      - 'DarkComet'
      - 'DCrat'
      - 'Delf'
      - 'DokStorm'
      - 'Egairtigado'
      - 'Gh0st'
      - 'Gorat'
      - 'GodRat'
      - 'Jalapeno'
      - 'LummaC2'
      - 'Minirat'
      - 'Netwire'
      - 'NanoCore'
      - 'NJRat'
      - 'Paralax'
      - 'PlugX'
      - 'Pulsar'
      - 'Quasar'
      - 'Remcos'
      - 'Ravartar'
      - 'RemoteAdmin'
      - 'RemoteTool'
      - 'revengeRAT'
      - 'rokRAT'
      - 'salatstealer'
      - 'Salgorea'
      - 'SmokedHam'
      - 'TigerRat'
      - 'Tzeebot'
      - 'WarZone'
      - 'VenomRAT'
      - 'Vidar'
      - 'Wirenet'
      - 'XWorm'
      - 'Zapchast'
      - 'Zegost'
  condition: selection
Falsepositives:
  - Unlikely
Level: critical
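To show what the rule's `Signature|contains` selection actually does, here is the matching logic run over a few constructed antivirus events. This is an added example, not part of the Sigma rule or its repository; the event field names (Computer, Signature, Action) and the sample signature strings are assumptions, chosen to resemble vendor detection names.

```python
"""Evaluate the rule's Signature|contains selection over constructed AV events."""
from __future__ import annotations

import re

# Substrings copied from the rule's Signature|contains list. Sigma's `contains`
# modifier is case-insensitive, so the regex below is compiled with IGNORECASE.
RAT_SIGNATURE_SUBSTRINGS = (
    "AgentB", "AgentTesla", "AMRat", "Ammyy", "AsyncRAT", "Bandook", "Bitrat", "Bladabindi",
    "Connectwise", "CyberGate", "DarkComet", "DCrat", "Delf", "DokStorm", "Egairtigado", "Gh0st",
    "Gorat", "GodRat", "Jalapeno", "LummaC2", "Minirat", "Netwire", "NanoCore", "NJRat",
    "Paralax", "PlugX", "Pulsar", "Quasar", "Remcos", "Ravartar", "RemoteAdmin", "RemoteTool",
    "revengeRAT", "rokRAT", "salatstealer", "Salgorea", "SmokedHam", "TigerRat", "Tzeebot",
    "WarZone", "VenomRAT", "Vidar", "Wirenet", "XWorm", "Zapchast", "Zegost",
)

# One compiled alternation instead of 46 separate substring scans per event.
_SIGNATURE_RE = re.compile("|".join(re.escape(s) for s in RAT_SIGNATURE_SUBSTRINGS), re.IGNORECASE)


def matched_substring(signature: str) -> str | None:
    """Return the text in the AV signature that matched a rule substring, or None."""
    m = _SIGNATURE_RE.search(signature)
    return m.group(0) if m else None


def evaluate_rule(events: list[dict]) -> list[dict]:
    """Apply the selection to antivirus events and return the resulting critical alerts.

    The Action field is deliberately ignored: per the rule description, an event is
    still an alert when the AV reports the sample as blocked or quarantined.
    """
    alerts = []
    for ev in events:
        hit = matched_substring(ev.get("Signature", ""))
        if hit is not None:
            alerts.append({**ev, "rule_hit": hit, "level": "critical"})
    return alerts


# Constructed sample events (not real telemetry), in the field layout assumed above.
SAMPLE_EVENTS = [
    {"Computer": "WS01", "Signature": "Backdoor:MSIL/AsyncRAT.A", "Action": "quarantined"},
    {"Computer": "WS02", "Signature": "Trojan:Win32/Remcos!ml", "Action": "blocked"},
    {"Computer": "WS03", "Signature": "PUA:Win32/Presenoker", "Action": "blocked"},
    {"Computer": "WS04", "Signature": "Trojan:Win32/Generic!ml", "Action": "allowed"},
]

if __name__ == "__main__":
    for a in evaluate_rule(SAMPLE_EVENTS):
        print(f"{a['Computer']}: {a['Signature']} -> {a['rule_hit']} ({a['Action']})")
```

Short substrings such as 'Delf' or 'RemoteTool' match any signature name containing them, so when tuning the rule check which vendor signature families in your own AV telemetry contain each substring before raising it to critical.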