Malware from the Project Sauron APT is being detected through custom YARA rules targeting specific malicious file signatures. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential APT activity early.
YARA Rule
rule APT_Project_Sauron_Custom_M2
{
    meta:
        description = "Detects malware from Project Sauron APT"
        author = "Florian Roth"
        reference = "https://goo.gl/eFoP4A"
        date = "2016-08-09"
        hash1 = "30a824155603c2e9d8bfd3adab8660e826d7e0681e28e46d102706a03e23e3a8"
    strings:
        $s2 = "\\*\\3vpn" fullword ascii
        $op0 = { 55 8b ec 83 ec 0c 53 56 33 f6 39 75 08 57 89 75 } /* Opcode */
        $op1 = { 59 59 c3 8b 65 e8 ff 75 88 ff 15 50 20 40 00 ff } /* Opcode */
        $op2 = { 8b 4f 06 85 c9 74 14 83 f9 12 0f 82 a7 } /* Opcode */
    condition:
        ( uint16(0) == 0x5a4d and filesize < 400KB and ( all of ($s*) ) and all of ($op*) )
}
This YARA rule can be deployed in the following contexts:
This rule contains 4 string patterns in its detection logic.
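To see which clause of the condition a given file satisfies during triage, the following added example (not part of the original page or of the rule author's signature set) re-implements the rule's condition in plain Python without yara-python, including YARA's fullword semantics, the little-endian uint16(0) "MZ" check and the 400KB (400 * 1024 byte) size limit. The sample buffers are constructed fixtures, not real samples.

```python
# Added example: dependency-free re-implementation of the condition in
# rule APT_Project_Sauron_Custom_M2 (patterns copied from the rule above),
# so an analyst can see exactly which clause a file trips.
# The sample buffers below are constructed test fixtures, not real samples.

S2 = b"\\*\\3vpn"  # YARA "\\*\\3vpn": backslash, '*', backslash, "3vpn"
OPCODES = {
    "op0": bytes.fromhex("55 8b ec 83 ec 0c 53 56 33 f6 39 75 08 57 89 75"),
    "op1": bytes.fromhex("59 59 c3 8b 65 e8 ff 75 88 ff 15 50 20 40 00 ff"),
    "op2": bytes.fromhex("8b 4f 06 85 c9 74 14 83 f9 12 0f 82 a7"),
}
MAX_SIZE = 400 * 1024  # YARA's "400KB" means 400 * 1024 bytes


def fullword_ascii(data: bytes, needle: bytes) -> bool:
    """YARA 'fullword': no alphanumeric byte directly before or after a hit."""
    start = 0
    while (idx := data.find(needle, start)) != -1:
        before = data[idx - 1:idx] if idx else b""
        after = data[idx + len(needle):idx + len(needle) + 1]
        if not before.isalnum() and not after.isalnum():
            return True
        start = idx + 1
    return False


def evaluate(data: bytes) -> dict:
    """Evaluate every clause of the rule's condition plus the overall verdict."""
    result = {
        # uint16(0) == 0x5a4d: little-endian read of the first two bytes ("MZ")
        "mz": len(data) >= 2 and int.from_bytes(data[:2], "little") == 0x5A4D,
        "filesize": len(data) < MAX_SIZE,
        "s2": fullword_ascii(data, S2),
    }
    for name, pattern in OPCODES.items():
        result[name] = pattern in data
    result["match"] = all(result.values())
    return result


# Constructed fixtures: one buffer that satisfies every clause, and one where
# "\*\3vpn" is glued to a letter so the fullword modifier rejects it.
PAD = b"\x00" * 16
SAMPLE_HIT = b"MZ" + PAD + S2 + PAD + b"".join(OPCODES.values()) + PAD
SAMPLE_NOT_FULLWORD = b"MZ" + PAD + S2 + b"x" + PAD + b"".join(OPCODES.values())

if __name__ == "__main__":
    for label, buf in (("hit", SAMPLE_HIT), ("not_fullword", SAMPLE_NOT_FULLWORD)):
        print(label, evaluate(buf))
```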
Scenario: A system administrator is using PowerShell to automate the deployment of a legitimate software update.
Filter/Exclusion: Check for the presence of powershell.exe in the process tree and filter out processes initiated by user accounts with administrative privileges and associated with known update tools (e.g., Windows Update, Microsoft Endpoint Manager).
Scenario: A scheduled backup job is running and temporarily creates files with suspicious names in the temporary directory.
Filter/Exclusion: Exclude files created in the %TEMP% directory or system temporary directories, and filter out processes associated with backup tools like Veeam, Commvault, or Veritas NetBackup.
Scenario: A system integrity check (e.g., using Sysinternals Process Explorer or Microsoft Process Monitor) is being performed, and the tool is generating temporary files with names similar to malicious payloads.
Filter/Exclusion: Exclude processes running under the Sysinternals or Microsoft toolset, and filter out files created by tools like Process Explorer, Procmon, or Autoruns.
Scenario: A third-party log management tool (e.g., Splunk, ELK Stack, or Graylog) is writing logs to a directory that matches the YARA rule’s file signature.
Filter/Exclusion: Exclude files in log directories (e.g., C:\ProgramData\splunk\logs, /var/log/) and filter out processes associated with log management tools.
Scenario: A Windows service (e.g., Windows Task Scheduler or Service Control Manager) is creating temporary files during normal operation, which may trigger the rule.
Filter/Exclusion: Exclude files created by services running under the Local System account or associated with Task Scheduler (`scht