The detection of strings from the basex module may indicate the presence of malicious activity associated with the Project Sauron report, potentially linked to advanced persistent threats. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify early-stage compromise and mitigate potential lateral movement or data exfiltration.
YARA Rule

```yara
rule APT_Project_Sauron_basex_module
{
    meta:
        description = "Detects strings from basex module - Project Sauron report by Kaspersky"
        author = "Florian Roth"
        reference = "https://goo.gl/eFoP4A"
        date = "2016-08-08"
    strings:
        $x1 = "64, 64url, 32, 32url or 16."
        $s2 = "Force decoding when input is invalid/corrupt"
        $s3 = "This cruft"
    condition:
        $x1 or 2 of them
}
```
This rule contains 3 string patterns in its detection logic: the high-confidence string $x1 matches on its own, while the weaker strings $s2 and $s3 only trigger when at least two of the three are present. The rule can be deployed in the following contexts, each with a filter or exclusion to reduce false positives:
Scenario: Basex module used by a legitimate XML processing tool like XMLSpy or Altova for data transformation tasks.
Filter/Exclusion: Check for process name containing xmlspy or altova and exclude processes running under the user account of the XML tool’s administrator.
Scenario: Scheduled job running Apache NiFi or Talend that uses Basex for data integration, which may include strings from the Project Sauron report.
Filter/Exclusion: Filter by process name containing nifi or talend, and exclude tasks associated with known data integration workflows.
Scenario: System administrators using PowerShell or cmd.exe to run scripts that interact with Basex for configuration or maintenance tasks.
Filter/Exclusion: Exclude processes with command lines containing powershell or cmd.exe and filter by user accounts with administrative privileges for system management.
Scenario: Logstash or ELK stack processing logs that include the Basex module name as part of log metadata or field names.
Filter/Exclusion: Exclude events where the source is logstash or elasticsearch, and filter out fields that are known to be part of log metadata.
Scenario: Ansible or Chef automation scripts that reference Basex during configuration management tasks, such as installing or configuring XML tools.
Filter/Exclusion: Exclude processes with command lines containing ansible or chef, and filter by user accounts with system administration privileges.
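The following is an added example, not code from the page or from the rule author: it re-implements the rule's string matching and its `$x1 or 2 of them` condition in plain Python, then applies the process-name and privilege exclusions listed in the scenarios above to constructed sample events. The `Event` fields, the token lists and the sample buffers are assumptions made for the illustration.

```python
import re
from dataclasses import dataclass

# The three strings from APT_Project_Sauron_basex_module, as raw bytes.
RULE_STRINGS = {
    "$x1": b"64, 64url, 32, 32url or 16.",
    "$s2": b"Force decoding when input is invalid/corrupt",
    "$s3": b"This cruft",
}

# Process-name tokens the scenarios above treat as expected, benign users of basex.
# (Assumed list built from the page's filters; tune to your own environment.)
EXCLUDED_PROCESS_TOKENS = ("xmlspy", "altova", "nifi", "talend",
                           "logstash", "elasticsearch", "ansible", "chef")
# Tokens excluded only when the process runs under an administrative account.
ADMIN_ONLY_TOKENS = ("powershell", "cmd.exe")


def find_matches(data: bytes) -> dict:
    """Return {identifier: [offsets]} for every rule string found in data."""
    hits = {}
    for ident, pattern in RULE_STRINGS.items():
        offsets = [m.start() for m in re.finditer(re.escape(pattern), data)]
        if offsets:
            hits[ident] = offsets
    return hits


def rule_matches(data: bytes) -> bool:
    """Evaluate the condition '$x1 or 2 of them'.

    '$x1' alone is sufficient; otherwise any two of the three strings
    (including $x1) must be present."""
    hits = find_matches(data)
    return "$x1" in hits or len(hits) >= 2


@dataclass
class Event:
    process: str   # process image name or command line (assumed field)
    user: str      # account the process ran as (assumed field)
    is_admin: bool # whether that account holds administrative privileges
    data: bytes    # memory or file content scanned by the rule


def triage(ev: Event) -> str:
    """Return 'no_match', 'excluded' or 'alert' for one event."""
    if not rule_matches(ev.data):
        return "no_match"
    proc = ev.process.lower()
    if any(tok in proc for tok in EXCLUDED_PROCESS_TOKENS):
        return "excluded"
    if any(tok in proc for tok in ADMIN_ONLY_TOKENS) and ev.is_admin:
        return "excluded"
    return "alert"


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    Event("svchost.exe", "CORP\\jdoe", False,
          b"\x00usage: choose 64, 64url, 32, 32url or 16.\x00"),
    Event("C:\\Altova\\XMLSpy\\XMLSpy.exe", "CORP\\xmladmin", True,
          b"This cruft ... Force decoding when input is invalid/corrupt"),
    Event("powershell.exe", "CORP\\sysadmin", True,
          b"This cruft\x00Force decoding when input is invalid/corrupt"),
    Event("notepad.exe", "CORP\\jdoe", False,
          b"This cruft"),
]


def triage_all(events=SAMPLE_EVENTS) -> list:
    """Triage every event and return (process, verdict) pairs."""
    return [(ev.process, triage(ev)) for ev in events]


if __name__ == "__main__":
    for proc, verdict in triage_all():
        print(f"{verdict:9s} {proc}")
```

The exclusions are deliberately applied after the rule fires rather than folded into the rule, so the raw hit is still recorded and can be reviewed; a process-name substring is easy for an attacker to imitate, so in production such exclusions should be narrowed to signed binaries at known paths and the `excluded` outcomes should still be logged.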