
DETECTION METHOD FOR APT ATTACK, TERMINAL DEVICE, SERVER AND SYSTEM


Abstract

Disclosed are a detection method for an APT attack, a terminal device, a server and a system, which relate to the technical field of information security and are primarily used to achieve rapid and precise detection of APT attacks. The primary technical solution of the present invention comprises: a terminal device recording attribute information about a pre-set file in a local area network, the attribute information comprising identification information, time information, source information and transfer target information; determining from the attribute information whether the pre-set file is a grey file, a grey file being one that appears in neither the white list nor the black list for the pre-set file; if the pre-set file is determined to be a grey file, determining whether the grey file has triggered a pre-set abnormal behaviour rule; and if the grey file is determined to have triggered the pre-set abnormal behaviour rule, sending to a server abnormality alarm information indicating that the grey file has triggered the rule, the abnormality alarm information containing identification information about the terminal device. The present invention is primarily applied in the process of detecting an APT attack.
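The flow the abstract describes (record the four attribute fields, classify the file as white, black or grey against the two lists, evaluate abnormal-behaviour rules only for grey files, and emit an alarm that carries the terminal's identification) as an added worked example. This is illustration code written for this page, not the patent's own implementation: the use of a SHA-256 content hash as the identification information, the event schema, the two sample rules (`lateral_spread`, `exec_then_connect`) and all sample data are constructed assumptions, and the patent text does not specify them.

```python
"""Added illustration of the abstract's grey-file detection flow.
Not the patent's implementation; rule logic and event schema are assumed."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional
import hashlib
import json


@dataclass(frozen=True)
class FileAttributes:
    """The four attribute fields the abstract lists for a pre-set file."""
    file_id: str          # identification information (assumed: SHA-256 of content)
    timestamp: int        # time information (Unix seconds)
    source: str           # source information (where the file arrived from)
    transfer_target: str  # transfer target information (where it was sent next)


def file_identifier(content: bytes) -> str:
    """Identification information as a content hash, so a rename alone
    does not move a file between list memberships (assumption, not the patent's)."""
    return hashlib.sha256(content).hexdigest()


def classify(attrs: FileAttributes, white_list: set, black_list: set) -> str:
    """Grey means the identifier is in neither list (the abstract's definition)."""
    if attrs.file_id in black_list:
        return "black"
    if attrs.file_id in white_list:
        return "white"
    return "grey"


# An event is a constructed dict: ts, type, file_id, target.
Event = Dict[str, object]
Rule = Callable[[FileAttributes, List[Event]], bool]


def rule_lateral_spread(attrs: FileAttributes, events: List[Event], threshold: int = 3) -> bool:
    """Constructed rule: the same grey file was transferred to >= threshold distinct LAN hosts."""
    targets = {e["target"] for e in events
               if e["type"] == "transfer" and e["file_id"] == attrs.file_id}
    return len(targets) >= threshold


def rule_exec_then_connect(attrs: FileAttributes, events: List[Event]) -> bool:
    """Constructed rule: the grey file was executed and afterwards opened an outbound connection."""
    executed = False
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if e["file_id"] != attrs.file_id:
            continue
        if e["type"] == "exec":
            executed = True
        elif e["type"] == "net_connect" and executed:
            return True
    return False


RULES: Dict[str, Rule] = {
    "lateral_spread": rule_lateral_spread,
    "exec_then_connect": rule_exec_then_connect,
}


def detect(terminal_id: str, attrs: FileAttributes, events: List[Event],
           white_list: set, black_list: set,
           rules: Optional[Dict[str, Rule]] = None) -> Optional[dict]:
    """Return the abnormality alarm record for the server, or None when no alarm is due.
    Rules are evaluated only for grey files, as the abstract specifies."""
    if classify(attrs, white_list, black_list) != "grey":
        return None
    fired = [name for name, check in (rules or RULES).items() if check(attrs, events)]
    if not fired:
        return None
    return {
        "terminal_id": terminal_id,      # identification information about the terminal device
        "file_id": attrs.file_id,
        "first_seen": attrs.timestamp,
        "source": attrs.source,
        "triggered_rules": fired,
    }


# Constructed sample data (not real files, hosts or indicators).
SAMPLE_CONTENT = b"constructed sample payload for the example"
SAMPLE_ID = file_identifier(SAMPLE_CONTENT)
SAMPLE_ATTRS = FileAttributes(SAMPLE_ID, 1700000000, "mail-gateway", "10.0.0.12")
SAMPLE_EVENTS: List[Event] = [
    {"ts": 1700000001, "type": "transfer", "file_id": SAMPLE_ID, "target": "10.0.0.12"},
    {"ts": 1700000050, "type": "transfer", "file_id": SAMPLE_ID, "target": "10.0.0.13"},
    {"ts": 1700000090, "type": "transfer", "file_id": SAMPLE_ID, "target": "10.0.0.14"},
    {"ts": 1700000120, "type": "exec", "file_id": SAMPLE_ID, "target": ""},
    {"ts": 1700000121, "type": "net_connect", "file_id": SAMPLE_ID, "target": "203.0.113.7"},
]

if __name__ == "__main__":
    alarm = detect("terminal-01", SAMPLE_ATTRS, SAMPLE_EVENTS, white_list=set(), black_list=set())
    print(json.dumps(alarm, indent=2))
```

The same file with its identifier placed on the white list produces no alarm, and a grey file whose recorded events trigger no rule is likewise silent; only the combination "grey and at least one rule fired" reaches the server, which is what keeps the alarm volume manageable compared with alerting on every unknown file.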
