Apolmy Privilege Escalation Trojan is being used by APT Terracotta to gain elevated privileges within compromised systems, indicating a sophisticated adversary seeking to maintain persistence and control. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate advanced persistent threats before they cause widespread damage.
YARA Rule
rule Apolmy_Privesc_Trojan
{
    meta:
        description = "Apolmy Privilege Escalation Trojan used in APT Terracotta"
        author = "Florian Roth"
        reference = "https://blogs.rsa.com/terracotta-vpn-enabler-of-advanced-threat-anonymity/"
        date = "2015-08-04"
        score = 80
        hash = "d7bd289e6cee228eb46a1be1fcdc3a2bd5251bc1eafb59f8111756777d8f373d"
    strings:
        $s1 = "[%d] Failed, %08X" fullword ascii
        $s2 = "[%d] Offset can not fetched." fullword ascii
        $s3 = "PowerShadow2011" fullword wide
    condition:
        uint16(0) == 0x5a4d and filesize < 300KB and all of them
}
The rule's detection logic combines 3 string patterns ($s1 and $s2 as ASCII strings, $s3 as a wide/UTF-16 string) with a PE check (uint16(0) == 0x5a4d, the MZ signature) and a size limit of 300KB; all three strings must be present for a match. When the resulting alerts are triaged in Azure Sentinel, the following legitimate privilege-elevation scenarios are common sources of false positives, each with a suggested filter or exclusion:
Scenario: A system administrator is using PowerShell to run a scheduled job that elevates privileges temporarily to perform a system update.
Filter/Exclusion: Check for EventID 41 with ProcessName containing powershell.exe and CommandLine indicating a known administrative task (e.g., Update-PSModule or Install-WindowsUpdate).
Scenario: A database administrator is using SQL Server Management Studio (SSMS) to execute a privileged query to grant temporary access to a user for troubleshooting.
Filter/Exclusion: Filter events where ProcessName is ssms.exe and CommandLine includes --grant-temp-access or similar known administrative commands.
Scenario: A DevOps engineer is deploying a Docker container with elevated privileges using docker run --privileged to install a service.
Filter/Exclusion: Exclude events where ProcessName is docker.exe and CommandLine contains --privileged or --cap-add=SYS_ADMIN.
Scenario: A security analyst is performing a Windows Defender ATP scan that temporarily elevates privileges to scan for malware.
Filter/Exclusion: Filter events where ProcessName is MsMpEng.exe or WindowsDefenderATP.exe and CommandLine includes Scan or FullScan.
Scenario: A system administrator is using Task Scheduler to run a script that requires elevation to configure a system-wide policy.
Filter/Exclusion: Exclude events where ProcessName is schtasks.exe and CommandLine includes run or execute with a known legitimate script path (e.g., C:\Windows\System32\groupPolicy.bat).