Skip to content
Threat Feed
critical advisory

Detection of Malicious Remote Access Tools by Antivirus

This brief details a Sigma rule designed to detect Antivirus alerts flagging various malicious Remote Access Tools (RATs) such as AgentTesla, AsyncRAT, and NanoCore, highlighting the critical need for investigation into the initial infection vector even when the AV blocks the threat.

This threat brief focuses on the detection of numerous malicious Remote Access Tools (RATs) via Antivirus (AV) solutions, as identified by a SigmaHQ rule published on 2026-07-01. The rule targets a wide array of commonly abused RATs, including well-known malware families like AgentTesla, AsyncRAT, NanoCore, Quasar, and Remcos, among others. The presence of these tools on an endpoint, even if immediately blocked by AV, is a critical security event that demands immediate and thorough investigation. Such an alert signifies that an attacker has likely achieved initial access and attempted to establish persistent remote control, making it imperative to understand the delivery mechanism and scope of compromise beyond the simple AV remediation. This detection is crucial for identifying early stages of compromise and preventing further malicious activity.

Attack Chain

(The provided source focuses on a detection signature for post-compromise activity, rather than detailing a specific attack chain. Therefore, a generic attack chain cannot be accurately described without speculative information.)

Impact

If Remote Access Tools successfully bypass antivirus defenses and become fully operational, they grant attackers comprehensive control over compromised systems. This can lead to severe consequences including, but not limited to, extensive data exfiltration, installation of additional malware such as ransomware or credential stealers, persistent unauthorized access, lateral movement across the network, and complete disruption of organizational operations. Even when an antivirus successfully blocks a RAT, the initial alert indicates a successful delivery attempt that must be investigated to determine the initial access vector and prevent future attacks. The impact of such successful compromise can range from significant financial losses due to data breaches or ransomware, to reputational damage and regulatory penalties.

Recommendation

  • Deploy the Antivirus - Remote Access Tools Signature Sigma rule to your SIEM/EDR to ensure immediate visibility into AV alerts flagging known malicious RATs.
  • Investigate all alerts generated by the Antivirus - Remote Access Tools Signature rule. Focus on identifying the initial access vector that led to the RAT's presence on the system.
  • Review network logs for suspicious outbound connections from systems where Signature events related to tools like AgentTesla or AsyncRAT were detected.
  • Ensure endpoint protection solutions are up-to-date and configured to report antivirus category events to your centralized logging platform.

Detection coverage 1

Antivirus - Remote Access Tools Signature

critical

Detects highly relevant Antivirus alerts reporting the presence of various known malicious Remote Access Tools (RATs) like AgentTesla, AsyncRAT, and NanoCore. Even if blocked, such alerts indicate an attempted compromise that requires investigation.

sigma tactics: command_and_control, execution techniques: T1203 sources: antivirus, windows

Detection queries are available on the platform. Get full rules →