Files matching the Project Sauron YARA signature below may indicate an initial compromise or staging for data exfiltration by this advanced persistent threat. SOC teams should hunt for such files proactively rather than wait for an alert: run the rule against endpoints and file stores (YARA scans files, not Sentinel tables) and surface the hits in Azure Sentinel, where they can be correlated with process, signature and path telemetry to identify and remove a long-term adversary presence.
YARA Rule
rule APT_Project_Sauron_Custom_M3
{
    meta:
        description = "Detects malware from Project Sauron APT"
        author = "Florian Roth"
        reference = "https://goo.gl/eFoP4A"
        date = "2016-08-09"
        hash1 = "a4736de88e9208eb81b52f29bab9e7f328b90a86512bd0baadf4c519e948e5ec"
    strings:
        $s1 = "ExampleProject.dll" fullword ascii
        $op0 = { 8b 4f 06 85 c9 74 14 83 f9 13 0f 82 ba } /* Opcode */
        $op1 = { ff 15 34 20 00 10 85 c0 59 a3 60 30 00 10 75 04 } /* Opcode */
        $op2 = { 55 8b ec ff 4d 0c 75 09 ff 75 08 ff 15 00 20 00 } /* Opcode */
    condition:
        ( uint16(0) == 0x5a4d and filesize < 1000KB and ( all of ($s*) ) and all of ($op*) )
}
This rule contains 4 string patterns in its detection logic ($s1 and $op0 to $op2), and its condition requires all of them: the file must start with the MZ magic (uint16(0) == 0x5a4d, i.e. a PE image), be smaller than 1000 KB, contain the ASCII string ExampleProject.dll as a whole word, and contain all three opcode sequences. The hash1 value in the meta block is the reference sample the rule was written against; it is documentation only and takes no part in matching, so the rule never fires on a file's name or hash alone.
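To make the condition concrete, the following plain-Python mirror of the rule's logic is added here (it is not code from the page or from the rule's author). It re-implements each term of the condition, including YARA's fullword boundary test, so the rule can be exercised offline without yara-python; the sample buffers are constructed in memory and are not real Project Sauron files.

```python
"""Plain-Python mirror of the APT_Project_Sauron_Custom_M3 condition.

Added example, not code from the original page or from the rule's author.
The buffers built by build_sample() are constructed test inputs.
"""
import struct

MZ_MAGIC = 0x5A4D               # uint16(0) == 0x5a4d: "MZ" read little-endian
MAX_SIZE = 1000 * 1024          # filesize < 1000KB (YARA's KB is 1024 bytes)

STRINGS = {"$s1": b"ExampleProject.dll"}        # declared fullword ascii
OPCODES = {                                     # the three $op* byte patterns
    "$op0": bytes.fromhex("8b4f0685c9741483f9130f82ba"),
    "$op1": bytes.fromhex("ff153420001085c059a3603000107504"),
    "$op2": bytes.fromhex("558becff4d0c7509ff7508ff15002000"),
}


def _is_word_byte(b: int) -> bool:
    """YARA 'fullword' boundary test: ASCII letters and digits are word bytes."""
    return 0x30 <= b <= 0x39 or 0x41 <= b <= 0x5A or 0x61 <= b <= 0x7A


def fullword_found(data: bytes, needle: bytes) -> bool:
    """True if needle occurs with no alphanumeric byte directly before or after it."""
    start = 0
    while True:
        i = data.find(needle, start)
        if i < 0:
            return False
        before_ok = i == 0 or not _is_word_byte(data[i - 1])
        end = i + len(needle)
        after_ok = end == len(data) or not _is_word_byte(data[end])
        if before_ok and after_ok:
            return True
        start = i + 1


def evaluate(data: bytes) -> dict:
    """Evaluate every term of the rule's condition and the overall verdict."""
    result = {
        "mz": len(data) >= 2 and struct.unpack_from("<H", data, 0)[0] == MZ_MAGIC,
        "size": len(data) < MAX_SIZE,
    }
    for name, s in STRINGS.items():
        result[name] = fullword_found(data, s)
    for name, op in OPCODES.items():
        result[name] = op in data
    # all of ($s*) and all of ($op*), together with the header and size terms
    result["match"] = all(result.values())
    return result


def build_sample(name: bytes = b"ExampleProject.dll", ops=None,
                 header: bytes = b"MZ", pad_to: int = 0) -> bytes:
    """Construct a PE-like buffer carrying the given string and opcode runs.

    Everything between the markers is filler; this is a constructed test
    input, not a real executable.
    """
    ops = list(OPCODES.values()) if ops is None else ops
    buf = bytearray(header) + bytearray(b"\x00" * 62)
    buf += b"\x00" + name + b"\x00"             # NUL-delimited, satisfies fullword
    for op in ops:
        buf += b"\xcc" * 16 + op                # int3 filler, then the opcode run
    if pad_to > len(buf):
        buf += b"\x00" * (pad_to - len(buf))
    return bytes(buf)


if __name__ == "__main__":
    cases = {
        "positive": build_sample(),
        "not fullword": build_sample(name=b"MyExampleProject.dll"),
        "no MZ header": build_sample(header=b"PE"),
        "too large": build_sample(pad_to=MAX_SIZE),
        "missing $op2": build_sample(ops=[OPCODES["$op0"], OPCODES["$op1"]]),
    }
    for label, data in cases.items():
        r = evaluate(data)
        failed = [k for k, v in r.items() if k != "match" and not v]
        print(f"{label:14s} match={str(r['match']):5s} failed={failed}")
```

The "not fullword" case is the one worth noticing: ExampleProject.dll embedded inside MyExampleProject.dll is not a hit, because YARA's fullword modifier rejects an alphanumeric byte on either side of the string.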
Scenario: Legitimate system update via Windows Update
Description: Windows Update stages binaries under C:\Windows\SoftwareDistribution and C:\Windows\Temp, so a scanner that covers these paths can report a hit there. The rule does not match on file names or hashes; a hit in these directories still means the file contains ExampleProject.dll and all three opcode runs.
Filter/Exclusion: Check the file path against the known staging directories (e.g., C:\Windows\SoftwareDistribution, C:\Windows\Temp) and verify the file's Microsoft Authenticode signature before closing the hit. Do not exclude on the basis of WindowsUpdate or Update appearing in the file name: the attacker chooses the name, and the rule ignores it.
Scenario: Scheduled backup job using Veeam or Acronis
Description: Backup tools like Veeam or Acronis copy files from other systems into the backup directory, so a scan of that directory can surface a copy of an infected file from the source host rather than a false positive. The rule does not compare file names or hashes, so a legitimate backup binary will not match unless it carries the rule's string and opcodes.
Filter/Exclusion: Treat hits in the backup job directory (e.g., C:\Backup\) as lower priority only after the source path of the backed-up file has been checked and found clean. Filtering by process name (veeam.exe, acronis.exe) identifies the writer of the file but says nothing about its content.
Scenario: Admin task using PowerShell for log cleanup
Description: A PowerShell script run by an admin to clean up temporary files or logs moves or deletes files; it cannot produce a file that matches this rule unless that file already existed. A hit attributed to powershell.exe therefore points at the file the script touched, not at the script.
Filter/Exclusion: Do not exclude hits because the writing process is powershell.exe. Correlate the hit with the process command line or script block and with the account's logon_type and user fields to confirm an interactive admin session, then examine the matched file itself.
Scenario: Legitimate software installation using MSI or EXE installers
Description: Installers from Microsoft, Adobe and other vendors drop many PE files, and shared library code can contain the same short opcode sequences the rule looks for. SHA-256 hash collisions are not a realistic cause, and the rule does not match on hashes in any case; a full match still requires the ExampleProject.dll string alongside all three opcode runs.
Filter/Exclusion: Verify the file's Authenticode signature chain before excluding it; a vendor name in the file's version resource or install path is not evidence of origin. Record the verified file hash in an allowlist rather than excluding by vendor name.
Scenario: Malware analysis in a sandbox environment
Description: During malware analysis, files associated with Project Sauron are deliberately stored and detonated as test samples, so the rule fires on analysis hosts by design.
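The scenarios above share one lesson: a path, a file name or a process name is attacker-controllable and can only lower priority, while a verified signature or a designated analysis location can close a hit. The following triage function is added as an example of that ordering (not code from the original page). It assumes each YARA hit has already been joined with endpoint telemetry into a record carrying host, path, SHA-256, the writing process, and the Authenticode signer as reported by the endpoint agent together with whether the chain verified; the hosts, paths, signer names, sandbox share and non-reference hashes are constructed, and the process names are the ones the scenarios use.

```python
"""Triage of APT_Project_Sauron_Custom_M3 hits along the scenarios above.

Added example, not code from the original page. Hosts, paths, signer
names, the sandbox share and the "ab"/"cd"/"ef" hashes are constructed;
KNOWN_SAMPLE_SHA256 is hash1 from the rule's meta block.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Optional

KNOWN_SAMPLE_SHA256 = "a4736de88e9208eb81b52f29bab9e7f328b90a86512bd0baadf4c519e948e5ec"

# Policy inputs (assumed): the only place a hit is expected by design is the
# analysis share on the designated sandbox hosts.
SANDBOX_HOSTS = {"lab-sbx-01"}
SANDBOX_ROOTS = (r"D:\malware-lab\samples",)
# Locations and writers from the update/backup scenarios: attacker-choosable,
# so they lower priority but never suppress on their own.
TRANSIENT_ROOTS = (r"C:\Windows\SoftwareDistribution", r"C:\Windows\Temp", r"C:\Backup")
BACKUP_PROCESSES = {"veeam.exe", "acronis.exe"}
# Signers accepted for the installer scenario; counted only when the chain verified.
TRUSTED_SIGNERS = {"Microsoft Corporation", "Microsoft Windows", "Adobe Inc."}


@dataclass(frozen=True)
class Hit:
    host: str
    path: str
    sha256: str
    writer_process: str
    signer: Optional[str]       # Authenticode signer subject, None if unsigned
    signature_valid: bool       # True only if the endpoint agent verified the chain


def _under(path: str, roots) -> bool:
    """Case-insensitive 'path is inside one of roots' with Windows path semantics."""
    p = PureWindowsPath(path)
    return any(PureWindowsPath(r) in p.parents for r in roots)


def triage(hit: Hit):
    """Return (priority, reason); priority is one of suppress, low, medium, high."""
    if hit.host in SANDBOX_HOSTS and _under(hit.path, SANDBOX_ROOTS):
        return "suppress", "sample on a designated analysis host; hit expected by design"
    if hit.sha256.lower() == KNOWN_SAMPLE_SHA256:
        return "high", "exact match of the reference sample hash (rule meta hash1)"
    if hit.signature_valid and hit.signer in TRUSTED_SIGNERS:
        return "low", f"verified signature by {hit.signer}; confirm and allowlist this hash"
    if _under(hit.path, TRANSIENT_ROOTS) or hit.writer_process.lower() in BACKUP_PROCESSES:
        return "medium", "update/backup location or writer; verify source file and signature"
    # Unsigned or unverifiable outside any expected location. The file name is
    # ignored on purpose: "Update" in the name proves nothing.
    return "high", "unsigned or unverifiable PE matching all four patterns"


# Constructed hits, one per scenario, plus a name-only decoy and a claimed-but-
# unverified signer.
SAMPLE_HITS = [
    Hit("ws-042", r"C:\Users\alice\AppData\Local\Temp\WindowsUpdateHelper.dll",
        "ab" * 32, "explorer.exe", None, False),
    Hit("lab-sbx-01", r"D:\malware-lab\samples\sauron\stage2.bin",
        KNOWN_SAMPLE_SHA256, "python.exe", None, False),
    Hit("srv-bk-01", r"C:\Backup\daily\ExampleProject.dll",
        "cd" * 32, "veeam.exe", None, False),
    Hit("ws-017", r"C:\Program Files\Vendor\tool.dll",
        "ef" * 32, "msiexec.exe", "Adobe Inc.", True),
    Hit("ws-017", r"C:\Program Files\Vendor\tool2.dll",
        "ef" * 32, "msiexec.exe", "Adobe Inc.", False),
    Hit("ws-088", r"C:\Windows\Temp\svc.dll",
        KNOWN_SAMPLE_SHA256, "rundll32.exe", None, False),
]


def triage_all(hits=SAMPLE_HITS):
    """Map each hit's path to its priority."""
    return {h.path: triage(h)[0] for h in hits}


if __name__ == "__main__":
    for h in SAMPLE_HITS:
        prio, why = triage(h)
        print(f"{prio:8s} {h.host:11s} {h.path}\n         {why}")
```

Note the two hits that the original filters would have handled wrongly: the file in C:\Windows\Temp stays high because its hash is the reference sample, and the Adobe-named file whose chain did not verify stays high because a signer name without a verified signature is just another string the attacker controls.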