Skip to content
Threat Feed
critical advisory

Detection of Advanced Persistent Threat (APT) Malware Signatures in Antivirus Logs

This brief details a detection rule for critical antivirus alerts that report Advanced Persistent Threat (APT) malware signatures, enabling detection engineers to identify and investigate sophisticated threats that have reached endpoints.

This brief describes a Sigma rule designed to detect the presence of Advanced Persistent Threat (APT) malware on endpoints by analyzing antivirus (AV) logs. The rule leverages common naming conventions and specific group names used by AV vendors to classify sophisticated threats, such as 'APT', 'UNC', 'UAC', and known actor aliases like 'Lazarus' or 'SandWorm'. Its primary goal is to alert security operations centers (SOCs) to critical AV detections that, despite being blocked by AV, indicate that an APT-related threat has successfully reached an endpoint. This necessitates immediate investigation into the initial access vector and potential persistence to prevent broader compromise.

Attack Chain

This brief focuses on the detection of APT malware signatures after initial delivery, rather than describing a specific attack chain. The presence of these signatures in antivirus logs indicates that an attack has progressed beyond initial access to the point where malicious code has landed on an endpoint, prompting the need for further investigation into the precursor activities (e.g., phishing, exploit chains) that led to its presence.

Impact

The successful delivery of APT malware, even if initially blocked by antivirus, poses a severe risk. These threats are typically associated with nation-state actors or highly sophisticated criminal organizations aiming for objectives such as long-term espionage, significant data exfiltration, intellectual property theft, or disruptive attacks on critical infrastructure. The mere presence of such malware indicates a potential compromise attempt that could bypass other defenses, leading to profound financial, reputational, and operational damage across various sectors.

Recommendation

  • Ensure all endpoint security solutions are configured to log antivirus detections and alerts to a centralized SIEM or logging platform, as required by the antivirus logsource category.
  • Deploy the "Antivirus - APT Malware Signature" Sigma rule to your SIEM, ensuring it ingests antivirus category logs.
  • Prioritize investigation of alerts generated by the "Antivirus - APT Malware Signature" rule, even for "blocked" events, to understand the delivery mechanism and assess potential broader compromise.
  • Review and update antivirus signatures regularly to ensure coverage against emerging APT threats, ensuring the rule remains effective.

Detection coverage 1

Antivirus - APT Malware Signature

critical

Detects highly relevant Antivirus alerts reporting APT malware by matching common signature naming conventions and specific APT group aliases.

sigma tactics: command_and_control, execution techniques: T1203 sources: antivirus

Detection queries are available on the platform. Get full rules →