Adversaries associated with the Project Sauron APT may deploy custom malware that leverages Azure environment privileges to establish persistence and exfiltrate data. SOC teams should proactively hunt for this behavior to identify and mitigate advanced persistent threats within their Azure infrastructure.
YARA Rule
rule APT_Project_Sauron_Custom_M6
{
    meta:
        description = "Detects malware from Project Sauron APT"
        author = "Florian Roth"
        reference = "https://goo.gl/eFoP4A"
        date = "2016-08-09"
        hash1 = "3782b63d7f6f688a5ccb1b72be89a6a98bb722218c9f22402709af97a41973c8"
    strings:
        $s1 = "rseceng.dll" fullword wide
        $s2 = "Remote Security Engine" fullword wide
        $op0 = { 8b 0d d5 1d 00 00 85 c9 0f 8e a2 } /* Opcode */
        $op1 = { 80 75 6e 85 c0 79 6a 66 41 83 38 0a 75 63 0f b7 } /* Opcode */
        $op2 = { 80 75 29 85 c9 79 25 b9 01 } /* Opcode */
    condition:
        ( uint16(0) == 0x5a4d and filesize < 200KB and ( all of ($s*) ) and 1 of ($op*) ) or ( all of them )
}
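To make the condition concrete, the following is an added example (not part of the page or of the rule author's work) that re-implements the rule's logic in plain Python, without the yara library, and evaluates it over constructed sample buffers. The fullword check is a simplified version of YARA's semantics (ASCII letters and digits only); the hex patterns and strings are copied from the rule above, everything else is illustration.

```python
import string

# Patterns copied from the rule above; everything else is illustration.
MAX_FILESIZE = 200 * 1024                                   # filesize < 200KB
WIDE_STRINGS = ["rseceng.dll", "Remote Security Engine"]   # $s1, $s2 (fullword wide)
OPCODES = [                                                 # $op0..$op2
    bytes.fromhex("8b0dd51d000085c90f8ea2"),
    bytes.fromhex("80756e85c0796a664183380a75630fb7"),
    bytes.fromhex("80752985c97925b901"),
]
_ASCII_ALNUM = set((string.ascii_letters + string.digits).encode())


def _is_wide_alnum(pair: bytes) -> bool:
    # True when `pair` is a UTF-16LE code unit for an ASCII letter or digit.
    return len(pair) == 2 and pair[1] == 0 and pair[0] in _ASCII_ALNUM


def has_fullword_wide(data: bytes, text: str) -> bool:
    # Simplified 'fullword wide': the UTF-16LE encoding of `text` must occur
    # and must not be bordered by an alphanumeric wide character on either side.
    needle = text.encode("utf-16-le")
    start = 0
    while (i := data.find(needle, start)) != -1:
        before = data[max(0, i - 2):i]
        after = data[i + len(needle):i + len(needle) + 2]
        if not _is_wide_alnum(before) and not _is_wide_alnum(after):
            return True
        start = i + 2
    return False


def matches_rule(data: bytes) -> bool:
    # Mirrors the rule's condition: MZ header, size limit, both strings and at
    # least one opcode pattern, OR every string and every opcode ('all of them').
    is_mz = len(data) >= 2 and int.from_bytes(data[:2], "little") == 0x5A4D
    all_strings = all(has_fullword_wide(data, s) for s in WIDE_STRINGS)
    op_hits = sum(op in data for op in OPCODES)
    primary = is_mz and len(data) < MAX_FILESIZE and all_strings and op_hits >= 1
    fallback = all_strings and op_hits == len(OPCODES)
    return primary or fallback


def build_sample(mz: bool = True, ops: int = 1, pad: int = 0) -> bytes:
    # Constructed test buffer, not a real binary: a header, both wide strings
    # separated by wide NULs, the first `ops` opcode patterns, then padding.
    head = b"MZ\x90\x00" if mz else b"\x7fELF"
    wide_blob = b"\x00\x00".join(s.encode("utf-16-le") for s in WIDE_STRINGS)
    return head + b"\x00" * 60 + wide_blob + b"\x00\x00" + b"".join(OPCODES[:ops]) + b"\x00" * pad
```

Note that the `all of them` branch fires even on a non-PE file or one over 200KB, so a hit on that branch alone is worth checking against the hash in the rule's metadata before escalating.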
This rule contains 5 string patterns in its detection logic: two wide strings and three opcode sequences. When deploying it, the following scenarios describe legitimate activity that may warrant filters or exclusions:
Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task runs a script that uses curl to download a file from a known internal server.
Filter/Exclusion: Exclude processes initiated by schtasks.exe or tasks with a known internal server IP in the URL.

Scenario: Admin Performing Software Update via PowerShell
Description: An administrator uses PowerShell to download and install a software update from a trusted internal repository.
Filter/Exclusion: Exclude processes initiated by powershell.exe with a command line containing -File and a path to a known internal update script.

Scenario: Log Collection Agent Pulling Data from Central Server
Description: A log collection agent (e.g., Splunk, ELK) pulls logs from a central server using wget or curl.
Filter/Exclusion: Exclude processes with the executable name splunkforwarder or logstash-agent and URLs matching internal log servers.

Scenario: Database Backup Job Using SQLCMD
Description: A database backup job runs using sqlcmd to export data to a remote backup server.
Filter/Exclusion: Exclude processes initiated by sqlcmd.exe with a destination IP matching the internal backup server.

Scenario: User-Initiated File Download for Research Purposes
Description: A user downloads a file from a known internal research server for analysis.
Filter/Exclusion: Exclude processes initiated by explorer.exe or chrome.exe with a URL matching the internal research server's domain.