The detection of arping module strings may indicate the presence of malicious network reconnaissance activity associated with the Project Sauron report. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential adversarial network mapping and early-stage compromise attempts.
YARA Rule
rule APT_Project_Sauron_arping_module
{
meta:
description = "Detects strings from arping module - Project Sauron report by Kaspersky"
author = "Florian Roth"
reference = "https://goo.gl/eFoP4A"
date = "2016-08-08"
strings:
$s1 = "Resolve hosts that answer"
$s2 = "Print only replying Ips"
$s3 = "Do not display MAC addresses"
condition:
all of them
}This YARA rule can be deployed in the following contexts:
This rule contains 3 string patterns in its detection logic.
Scenario: System update or patching tool using arping to verify network connectivity before applying updates
Filter/Exclusion: process.name == "update-manager" || process.name == "patching-tool"
Scenario: Network discovery job using arping to map internal IP addresses during asset inventory
Filter/Exclusion: process.name == "network-discovery-job" || process.name == "inventory-tool"
Scenario: Administrative task to test network reachability using arping as part of a connectivity check
Filter/Exclusion: user.name == "admin" && process.name == "arping"
Scenario: Scheduled job to validate DNS resolution by pinging IP addresses via arping
Filter/Exclusion: process.name == "dns-validation-job" || process.name == "network-checker"
Scenario: Security tool or SIEM integration using arping to verify host reachability during incident response
Filter/Exclusion: process.name == "siem-tool" || process.name == "incident-response-tool"