The hypothesis is that a file matching this rule is xKat, a tool Kaspersky Lab attributes to the Hellsing APT group. The rule's strings describe a small PE executable that references a \Dbgv.sys driver and reports on killing processes and deleting files, so a match on an endpoint is a possible early indicator of Hellsing activity. SOC teams should run the rule in their endpoint file-scanning tooling and hunt for the resulting matches in Azure Sentinel to detect early-stage adversarial activity and identify the compromise vector.
YARA Rule
rule apt_hellsing_xkat
{
    meta:
        Author = "Costin Raiu, Kaspersky Lab"
        Date = "2015-04-07"
        Description = "detection for Hellsing xKat tool"
        Reference = "http://securelist.com/analysis/publications/69567/the-chronicles-of-the-hellsing-apt-the-empire-strikes-back"
    strings:
        $mz = "MZ"                               // DOS/PE header signature
        $a1 = "\\Dbgv.sys"                       // .sys driver referenced by the tool ("\\" is one backslash)
        $a2 = "XKAT_BIN"
        $a3 = "release sys file error."
        $a4 = "driver_load error. "               // note the trailing space
        $a5 = "driver_create error."
        $a6 = "delete file:%s error."
        $a7 = "delete file:%s ok."
        $a8 = "kill pid:%d error."
        $a9 = "kill pid:%d ok."
        $a10 = "-pid-delete"
        $a11 = "kill and delete pid:%d error."
        $a12 = "kill and delete pid:%d ok."
    condition:
        // PE header at offset 0, at least six of the twelve xKat strings,
        // and a file smaller than 300,000 bytes
        ($mz at 0) and (6 of ($a*)) and filesize < 300000
}
The rule has 13 string patterns: $mz plus $a1 through $a12. Its condition requires the MZ signature at offset 0, at least six of the twelve xKat strings anywhere in the file, and a file size under 300,000 bytes, so only small PE executables can match; scripts, logs and other text files cannot. The deployment contexts and false-positive scenarios below should be read with those constraints in mind.
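To check those constraints concretely, the following added Python example (not Kaspersky's code and not the YARA engine) re-implements the rule's three-part condition and applies it to constructed samples: an xKat-like executable, a batch script and a log line that contain the strings but lack the MZ header, an oversized executable, and one carrying only five of the strings. The helper names, the MZ stub and all sample contents are constructed for illustration.

```python
"""Pure-Python re-evaluation of the apt_hellsing_xkat condition.

Added illustration: this is not Kaspersky's code and does not use the YARA
engine; it re-implements the rule's condition so the false-positive reasoning
can be checked on constructed samples.
"""
from __future__ import annotations

from dataclasses import dataclass

MAX_FILESIZE = 300000  # the rule's "filesize < 300000"
MIN_HITS = 6           # the rule's "6 of ($a*)"

# The twelve $a* strings exactly as they appear in the rule (note the
# trailing space in $a4); YARA's "\\" escape is a single backslash.
XKAT_STRINGS: tuple[bytes, ...] = (
    b"\\Dbgv.sys",
    b"XKAT_BIN",
    b"release sys file error.",
    b"driver_load error. ",
    b"driver_create error.",
    b"delete file:%s error.",
    b"delete file:%s ok.",
    b"kill pid:%d error.",
    b"kill pid:%d ok.",
    b"-pid-delete",
    b"kill and delete pid:%d error.",
    b"kill and delete pid:%d ok.",
)


@dataclass(frozen=True)
class Verdict:
    mz_at_zero: bool   # "$mz at 0"
    hits: int          # how many of the $a* strings occur anywhere in the file
    size_ok: bool      # "filesize < 300000"

    @property
    def match(self) -> bool:
        return self.mz_at_zero and self.hits >= MIN_HITS and self.size_ok


def evaluate(data: bytes) -> Verdict:
    """Apply the three clauses of the rule condition to a file's bytes."""
    return Verdict(
        mz_at_zero=data.startswith(b"MZ"),
        hits=sum(1 for s in XKAT_STRINGS if s in data),
        size_ok=len(data) < MAX_FILESIZE,
    )


def fake_pe(strings: tuple[bytes, ...], pad_to: int = 0) -> bytes:
    """Constructed sample: an MZ stub followed by NUL-separated strings.
    Not a real PE; only the first two bytes matter to this rule."""
    body = b"MZ" + b"\x00" * 62 + b"\x00".join(strings) + b"\x00"
    return body + b"\x00" * max(0, pad_to - len(body))


# --- constructed samples (not real files) ---------------------------------

# 1. A small executable carrying seven xKat strings: should match.
SAMPLE_XKAT_LIKE = fake_pe(XKAT_STRINGS[:7])

# 2. A maintenance batch script that happens to contain every xKat string.
#    It starts with "@echo off", not "MZ", so it can never match.
SAMPLE_SCRIPT = b"@echo off\r\nrem " + b"\r\nrem ".join(XKAT_STRINGS) + b"\r\n"

# 3. A text log line quoting the strings: same story, no MZ at offset 0.
SAMPLE_LOG = b"2015-04-07 scanner: " + b" ".join(XKAT_STRINGS) + b"\n"

# 4. An executable with all twelve strings but padded to the size cap.
SAMPLE_TOO_LARGE = fake_pe(XKAT_STRINGS, pad_to=MAX_FILESIZE)

# 5. An executable with only five strings: below the "6 of" threshold.
SAMPLE_FIVE_STRINGS = fake_pe(XKAT_STRINGS[:5])


def main() -> None:
    samples = (
        ("xkat_like", SAMPLE_XKAT_LIKE),
        ("batch_script", SAMPLE_SCRIPT),
        ("text_log", SAMPLE_LOG),
        ("too_large", SAMPLE_TOO_LARGE),
        ("five_strings", SAMPLE_FIVE_STRINGS),
    )
    for name, data in samples:
        v = evaluate(data)
        print(f"{name:<13} mz={v.mz_at_zero!s:<5} hits={v.hits:>2} "
              f"size_ok={v.size_ok!s:<5} match={v.match}")


if __name__ == "__main__":
    main()
```

Run it directly to see the per-sample verdicts. The check is deliberately literal (exact-byte substring search and a strict size bound) so it mirrors YARA's default semantics for plain text strings; it exists only to reason about what can and cannot trigger the rule, and production scanning should use the real rule with the YARA engine or your EDR.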
Scenario: Scheduled System Maintenance Job
Description: A scheduled task runs a maintenance script or helper binary whose file names or embedded text resemble the xKat strings.
Filter/Exclusion: A .bat or .ps1 script cannot match this rule, because the condition requires the MZ signature at offset 0 and at least six of the xKat strings in a file under 300,000 bytes, so no exclusion for scripts or for everything launched by schtasks.exe is needed. If a maintenance executable does match, confirm its origin and exclude it by hash rather than by launcher or extension.
Scenario: Admin Performing File Integrity Check
Description: An administrator runs PowerShell or a Windows Defender scan over the file system. The scan itself does not create matching content, but the tooling may read or copy files that do contain the xKat strings.
Filter/Exclusion: Excluding everything executed via powershell.exe or mshta.exe would also hide attacker activity; instead, review each hit and tune on the specific file's hash and location.
Scenario: Software Update Deployment
Description: A legitimate software update from Microsoft or a third-party vendor ships a binary whose embedded strings overlap with the signature. Given how specific the twelve strings are, six or more of them appearing in unrelated code is unlikely, so treat such a match with suspicion.
Filter/Exclusion: Exclude only binaries with a valid Authenticode signature from Microsoft or a known vendor, after verifying the signature. Do not exclude by path: C:\Windows\Temp is writable by unprivileged users, and an attacker with administrative rights can place files under C:\Program Files\.
Scenario: Log File Parsing or Analysis
Description: A log file or a parsing script (for example, one run with logparser.exe or PowerShell) may contain the literal xKat strings, for instance after an earlier detection wrote them to a log.
Filter/Exclusion: Plain-text logs and scripts cannot match because the file must start with the MZ signature, so no .log exclusion is needed. Do not exclude files accessed by logparser.exe or by PowerShell scripts running as LocalSystem: loading a driver requires exactly that level of privilege, so it is the context in which the real tool would run.
Scenario: Internal Security Tool or SIEM Integration
Description: An internal security tool (Splunk, ELK Stack or another SIEM) may store rule content, test samples or exported alerts that contain the xKat strings. Text output cannot match, but a packaged test binary or a copy of the tool kept for analysis can.
Filter/Exclusion: Exclude files with known SIEM or log management tool signatures, or those located in