The hypothesis is that the detection identifies potential command and control activity associated with the Hellsing APT group, leveraging proxytool for covert communication. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify early-stage compromise and disrupt adversary operations before they escalate.
YARA Rule
rule apt_hellsing_proxytool
{
    meta:
        Author = "Costin Raiu, Kaspersky Lab"
        Date = "2015-04-07"
        Description = "detection for Hellsing proxy testing tool"
        Reference = "http://securelist.com/analysis/publications/69567/the-chronicles-of-the-hellsing-apt-the-empire-strikes-back"
    strings:
        $mz = "MZ"
        $a1 = "PROXY_INFO: automatic proxy url => %s "
        $a2 = "PROXY_INFO: connection type => %d "
        $a3 = "PROXY_INFO: proxy server => %s "
        $a4 = "PROXY_INFO: bypass list => %s "
        $a5 = "InternetQueryOption failed with GetLastError() %d"
        $a6 = "D:\\Hellsing\\release\\exe\\exe\\" nocase
    condition:
        ($mz at 0) and (2 of ($a*)) and filesize < 300000
}
This YARA rule can be deployed in the following contexts:
This rule contains 7 string patterns in its detection logic.
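To make the rule's condition concrete before tuning exclusions, here is an added example (not part of this page or of Kaspersky's rule) that re-implements the condition in plain Python, so an analyst can see which constraint (MZ at offset 0, at least two $a* strings, filesize bound) decides a verdict. The sample buffers are constructed for illustration and are not real Hellsing binaries.

```python
# Added example: pure-Python re-implementation of the apt_hellsing_proxytool
# condition, so the rule's logic can be exercised without a YARA engine.
# Sample buffers below are constructed for illustration; they are not real
# Hellsing binaries.

MAX_SIZE = 300000  # the rule requires filesize < 300000

# The $a1..$a5 strings exactly as in the rule (trailing spaces included).
A_STRINGS = {
    "a1": b"PROXY_INFO: automatic proxy url => %s ",
    "a2": b"PROXY_INFO: connection type => %d ",
    "a3": b"PROXY_INFO: proxy server => %s ",
    "a4": b"PROXY_INFO: bypass list => %s ",
    "a5": b"InternetQueryOption failed with GetLastError() %d",
}
# $a6 is declared `nocase`, so it must be matched case-insensitively.
A6_NOCASE = b"D:\\Hellsing\\release\\exe\\exe\\"


def matched_strings(data: bytes) -> set:
    """Return the identifiers of the $a* strings found anywhere in `data`."""
    hits = {name for name, s in A_STRINGS.items() if s in data}
    if A6_NOCASE.lower() in data.lower():
        hits.add("a6")
    return hits


def apt_hellsing_proxytool(data: bytes) -> bool:
    """Mirror the condition: ($mz at 0) and (2 of ($a*)) and filesize < 300000."""
    mz_at_0 = data[:2] == b"MZ"
    return mz_at_0 and len(matched_strings(data)) >= 2 and len(data) < MAX_SIZE


# Constructed samples (not real malware); padding stands in for PE content.
PAD = b"\x00" * 64
HIT = b"MZ" + PAD + A_STRINGS["a2"] + PAD + b"d:\\hellsing\\RELEASE\\exe\\exe\\" + PAD
ONE_STRING = b"MZ" + PAD + A_STRINGS["a1"] + PAD          # only 1 of ($a*): no match
NOT_PE = b"PK" + PAD + A_STRINGS["a1"] + A_STRINGS["a3"]  # two strings, but no MZ at 0
TOO_BIG = HIT + b"\x00" * MAX_SIZE                        # exceeds the filesize bound

if __name__ == "__main__":
    for name, blob in [("HIT", HIT), ("ONE_STRING", ONE_STRING),
                       ("NOT_PE", NOT_PE), ("TOO_BIG", TOO_BIG)]:
        print(f"{name:10s} match={apt_hellsing_proxytool(blob)} "
              f"strings={sorted(matched_strings(blob))}")
```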
Scenario: A system administrator is using PowerShell to automate the deployment of a legitimate software update.
Filter/Exclusion: Check for ProcessName == "powershell.exe" and CommandLine containing "Update-AppxPackage" or "Install-Module".
Scenario: A scheduled job runs Chef or Ansible to configure servers, which may include copying files that match the YARA signature.
Filter/Exclusion: Filter by ProcessName == "chef-client" or "ansible-playbook" and check for known configuration management tool artifacts.
Scenario: A Windows Task Scheduler job is configured to run a legitimate script that uses CertUtil to manage certificates, which may resemble malicious behavior.
Filter/Exclusion: Filter by ProcessName == "certutil.exe" and check for known certificate management commands like "-addstore" or "-view".
Scenario: An admin is using WinRM to remotely manage a server, and the command line includes a file path that matches the YARA rule due to a misconfigured path.
Filter/Exclusion: Filter by ProcessName == "winrm.exe" and check for remote management command patterns like "Invoke-Command" or "Enter-PSSession".
Scenario: A log shipping or backup job uses RoboCopy to transfer files, and the destination path includes a string that matches the YARA rule.
Filter/Exclusion: Filter by ProcessName == "robocopy.exe" and check for known backup or log transfer command-line arguments like "/Z" or "/M" for log files.