The hypothesis is that this detection identifies potential command-and-control (C2) activity associated with the APT Hikit group, which leverages a custom msrv protocol for covert communication. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage APT activity that may evade traditional detection methods.
YARA Rule
rule APT_Hikit_msrv
{
    meta:
        author = "ThreatConnect Intelligence Research Team"
    strings:
        $m = {6D 73 72 76 2E 64 6C 6C 00 44 6C 6C}
    condition:
        any of them
}
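As an added example (not part of the original page or of the ThreatConnect rule), the following script decodes the rule's hex string into the bytes it actually matches and checks a buffer or file for it without needing the yara library. The hex bytes decode to "msrv.dll", a NUL, then "Dll", which is consistent with a DLL name sitting next to an export name such as DllMain in a PE export table; that reading is an interpretation of the bytes, not a statement from the page. The two sample buffers are constructed for the demonstration.

```python
import re
from typing import List

# Hex string copied verbatim from the APT_Hikit_msrv rule.
RULE_HEX = "{6D 73 72 76 2E 64 6C 6C 00 44 6C 6C}"


def yara_hex_to_bytes(hex_string: str) -> bytes:
    """Convert a fixed YARA hex string (no wildcards, jumps or alternation)
    into the raw byte sequence it matches."""
    body = hex_string.strip().strip("{}")
    tokens = body.split()
    if not tokens or not all(re.fullmatch(r"[0-9A-Fa-f]{2}", t) for t in tokens):
        raise ValueError("only fixed hex byte sequences are supported here")
    return bytes(int(t, 16) for t in tokens)


def find_pattern(data: bytes, pattern: bytes) -> List[int]:
    """Return every offset at which pattern occurs in data (overlaps allowed)."""
    offsets = []
    start = 0
    while True:
        idx = data.find(pattern, start)
        if idx < 0:
            return offsets
        offsets.append(idx)
        start = idx + 1


def rule_matches(data: bytes) -> bool:
    """Equivalent of the rule's `condition: any of them` for its single string."""
    return bool(find_pattern(data, yara_hex_to_bytes(RULE_HEX)))


def scan_file(path: str) -> List[int]:
    """Scan a file on disk and return the offsets of the rule's byte pattern."""
    with open(path, "rb") as fh:
        return find_pattern(fh.read(), yara_hex_to_bytes(RULE_HEX))


# Constructed sample buffers (not real samples): a fake PE-like header followed
# by an export-table-style name region. The first contains "msrv.dll\0Dll...",
# the second has the DLL name but the export name does not follow it directly.
SAMPLE_HIT = b"MZ" + b"\x00" * 60 + b"msrv.dll\x00DllMain\x00" + b"\x00" * 16
SAMPLE_MISS = b"MZ" + b"\x00" * 60 + b"msrv.dll\x00\x00DllMain\x00" + b"\x00" * 16


if __name__ == "__main__":
    pattern = yara_hex_to_bytes(RULE_HEX)
    print("pattern bytes:", pattern)
    print("hit offsets  :", find_pattern(SAMPLE_HIT, pattern))
    print("miss offsets :", find_pattern(SAMPLE_MISS, pattern))
```

Because the pattern includes the NUL terminator between the DLL name and the following "Dll" prefix, a file that merely mentions msrv.dll (for example in a log or a benign import list) will not match unless those bytes are adjacent; that is why the second constructed buffer is a miss.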
This YARA rule can be deployed in the following contexts:
This rule contains one string pattern in its detection logic.
Scenario: Scheduled System Maintenance Task
Description: A legitimate system maintenance task, such as schtasks.exe running a scheduled job to clean temporary files or update system settings.
Filter/Exclusion: Check for ProcessName containing schtasks.exe and CommandLine containing /create or /run with a known maintenance script.
Scenario: Microsoft Remote Desktop Services (RDP) Session Management
Description: A legitimate process related to managing RDP sessions, such as mstsc.exe or tscon.exe, which may exhibit similar behavior to the malicious msrv process.
Filter/Exclusion: Filter by ProcessName containing mstsc.exe or tscon.exe, or check for ParentProcessName related to explorer.exe or services.exe.
Scenario: Windows Update or Patching Job
Description: A legitimate Windows Update or patching job initiated by wusa.exe or dism.exe, which may temporarily spawn processes with similar names.
Filter/Exclusion: Check for ProcessName containing wusa.exe or dism.exe, or look for CommandLine containing --update or --patch.
Scenario: Antivirus or Endpoint Protection Scan
Description: A legitimate antivirus or endpoint protection tool, such as Windows Defender or Malwarebytes, may spawn processes with similar names during a scan.
Filter/Exclusion: Filter by ProcessName containing MsMpEng.exe, mbam.exe, or avgnt.exe, or check for CommandLine containing scan or fullscan.
Scenario: PowerShell Script Execution for Admin Tasks
Description: A legitimate PowerShell script executed by an administrator for tasks like user management, group policy updates,