Hypothesis: this detection identifies potential malicious activity associated with the Project Sauron APT through custom YARA signatures, indicating possible adversary presence within the network. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage APT activity before it leads to data exfiltration or system compromise.
YARA Rule
rule APT_Project_Sauron_Custom_M7
{
    meta:
        description = "Detects malware from Project Sauron APT"
        author = "Florian Roth"
        reference = "https://goo.gl/eFoP4A"
        date = "2016-08-09"
        hash1 = "6c8c93069831a1b60279d2b316fd36bffa0d4c407068dbef81b8e2fe8fd8e8cd"
        hash2 = "7cc0bf547e78c8aaf408495ceef58fa706e6b5d44441fefdce09d9f06398c0ca"
    strings:
        $sx1 = "Default user" fullword wide
        $sx2 = "Hincorrect header check" fullword ascii /* Typo */
        $sa1 = "MSAOSSPC.dll" fullword ascii
        $sa2 = "MSAOSSPC.DLL" fullword wide
        $sa3 = "MSAOSSPC" fullword wide
        $sa4 = "AOL Security Package" fullword wide
        $sa5 = "AOL Security Package" fullword wide
        $sa6 = "AOL Client for 32 bit platforms" fullword wide
        $op0 = { 8b ce 5b e9 4b ff ff ff 55 8b ec 51 53 8b 5d 08 } /* Opcode */
        $op1 = { e8 0a fe ff ff 8b 4d 14 89 46 04 89 41 04 8b 45 } /* Opcode */
        $op2 = { e9 29 ff ff ff 83 7d fc 00 0f 84 cf 0a 00 00 8b } /* Opcode */
        $op3 = { 83 f8 0c 0f 85 3a 01 00 00 44 2b 41 6c 41 8b c9 } /* Opcode */
        $op4 = { 44 39 57 0c 0f 84 d6 0c 00 00 44 89 6f 18 45 89 } /* Opcode */
        $op5 = { c1 ed 02 83 c6 fe e9 68 fe ff ff 44 39 57 08 75 } /* Opcode */
    condition:
        uint16(0) == 0x5a4d and filesize < 200KB and ( ( 3 of ($s*) and 3 of ($op*) ) or ( 1 of ($sx*) and 1 of ($sa*) ) )
}
This YARA rule can be deployed in the following contexts:
This rule contains 14 string patterns in its detection logic.
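To show how the condition block combines those 14 strings, here is an added pure-Python evaluator (not part of this page or of the original signature set) that mirrors the rule: the MZ header check, the size bound, and the two alternative branches, with wide strings matched as UTF-16LE and fullword boundaries enforced. The string table and the sample buffers are constructed for the walk-through; real scanning should use yara-python against the rule itself.

```python
import re

# Constructed table of the rule's 14 strings: identifier -> (value, modifier)
RULE_STRINGS = {
    "$sx1": ("Default user", "wide"),
    "$sx2": ("Hincorrect header check", "ascii"),
    "$sa1": ("MSAOSSPC.dll", "ascii"),
    "$sa2": ("MSAOSSPC.DLL", "wide"),
    "$sa3": ("MSAOSSPC", "wide"),
    "$sa4": ("AOL Security Package", "wide"),
    "$sa5": ("AOL Security Package", "wide"),
    "$sa6": ("AOL Client for 32 bit platforms", "wide"),
    "$op0": ("8b ce 5b e9 4b ff ff ff 55 8b ec 51 53 8b 5d 08", "hex"),
    "$op1": ("e8 0a fe ff ff 8b 4d 14 89 46 04 89 41 04 8b 45", "hex"),
    "$op2": ("e9 29 ff ff ff 83 7d fc 00 0f 84 cf 0a 00 00 8b", "hex"),
    "$op3": ("83 f8 0c 0f 85 3a 01 00 00 44 2b 41 6c 41 8b c9", "hex"),
    "$op4": ("44 39 57 0c 0f 84 d6 0c 00 00 44 89 6f 18 45 89", "hex"),
    "$op5": ("c1 ed 02 83 c6 fe e9 68 fe ff ff 44 39 57 08 75", "hex"),
}

def to_pattern(value, modifier):
    """Build the byte regex YARA effectively applies for one string."""
    if modifier == "hex":                      # raw opcode bytes, no boundary rules
        return re.compile(re.escape(bytes.fromhex(value)))
    if modifier == "wide":                     # UTF-16LE; fullword = no alnum char either side
        body = re.escape(value.encode("utf-16-le"))
        return re.compile(rb"(?<![0-9A-Za-z]\x00)" + body + rb"(?![0-9A-Za-z]\x00)")
    body = re.escape(value.encode("ascii"))    # ascii fullword
    return re.compile(rb"(?<![0-9A-Za-z])" + body + rb"(?![0-9A-Za-z])")

PATTERNS = {name: to_pattern(*spec) for name, spec in RULE_STRINGS.items()}

def hits(data, prefix):
    """Count strings whose identifier starts with prefix; "$s" covers both $sx* and $sa*."""
    return sum(1 for name, pat in PATTERNS.items() if name.startswith(prefix) and pat.search(data))

def rule_matches(data):
    """Evaluate the rule's condition block over a byte buffer."""
    if len(data) < 2 or int.from_bytes(data[:2], "little") != 0x5A4D:  # uint16(0) == 0x5a4d
        return False
    if len(data) >= 200 * 1024:                                        # filesize < 200KB
        return False
    return (hits(data, "$s") >= 3 and hits(data, "$op") >= 3) or \
           (hits(data, "$sx") >= 1 and hits(data, "$sa") >= 1)

# Constructed samples: an MZ stub with one $sx and one $sa string, and the same bytes without "MZ"
SAMPLE_HIT = b"MZ" + b"\x00" * 62 + "Default user".encode("utf-16-le") + b"\x00\x00MSAOSSPC.dll\x00"
SAMPLE_NO_MZ = b"PE" + SAMPLE_HIT[2:]
```

Note that the second branch fires on a single $sx plus a single $sa string, which is why the false-positive scenarios below matter more than the opcode branch.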
Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task using schtasks.exe runs a script that matches the YARA rule due to similar string patterns.
Filter/Exclusion: Check for ProcessName == "schtasks.exe" and CommandLine contains "schtasks /create" or "schtasks /run".
Scenario: Admin Performing Disk Cleanup via PowerShell
Description: An administrator uses PowerShell to clean up temporary files, and the script contains strings that match the YARA rule.
Filter/Exclusion: Check for ProcessName == "powershell.exe" and CommandLine contains "Clear-Item", "Remove-Item", or "Get-ChildItem" with a known cleanup path.
Scenario: Legitimate Log Collection via LogParser
Description: The enterprise uses logparser.exe to collect and analyze logs, and the command-line arguments match the YARA rule.
Filter/Exclusion: Check for ProcessName == "logparser.exe" and CommandLine contains "logman", "eventlog", or "sql", indicating a legitimate log collection tool.
Scenario: Antivirus Scan Using Windows Defender
Description: Windows Defender performs a full system scan, and the scan process matches the YARA rule due to similar string patterns.
Filter/Exclusion: Check for ProcessName == "WindowsDefender.exe" or "MsMpEng.exe" and CommandLine contains "fullscan" or "scan".
Scenario: Software Deployment via Group Policy
Description: A Group Policy Object (GPO) deployment uses a script that contains strings matching the YARA rule.
Filter/Exclusion: Check for ProcessName == "gpupdate.exe" or "gpmc.msc" and `CommandLine contains ”