The detection of strings from the dext module associated with Project Sauron indicates potential adversarial activity involving malware distribution or command-and-control infrastructure. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify early-stage threats and prevent lateral movement or data exfiltration.
YARA Rule
rule APT_Project_Sauron_dext_module
{
    meta:
        description = "Detects strings from dext module - Project Sauron report by Kaspersky"
        author = "Florian Roth"
        reference = "https://goo.gl/eFoP4A"
        date = "2016-08-08"
    strings:
        $x1 = "Assemble rows of DNS names back to a single string of data"
        $x2 = "removes checks of DNS names and lengths (during split)"
        $x3 = "Randomize data lengths (length/2 to length)"
        $x4 = "This cruft"
    condition:
        2 of them
}
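To make the rule's logic concrete, the following is an added example (not code from the page, from Florian Roth's signature-base, or from YARA itself): a minimal Python re-implementation that parses the `strings:` section and the `2 of them` condition of the rule above and applies them to byte buffers. It supports only plain text strings and an `N of them` condition (no hex strings, regexes or modifiers), and matches case-sensitively, as YARA does for strings without `nocase`. The sample buffers are constructed for the demonstration and are not real Project Sauron artefacts; the point they illustrate is that the generic `$x4` ("This cruft") alone does not fire the rule, while any two of the DNS-handling strings do.

```python
import re

# The rule text from the page, used as parser input.
RULE_TEXT = r'''
rule APT_Project_Sauron_dext_module
{
    meta:
        description = "Detects strings from dext module - Project Sauron report by Kaspersky"
        author = "Florian Roth"
        reference = "https://goo.gl/eFoP4A"
        date = "2016-08-08"
    strings:
        $x1 = "Assemble rows of DNS names back to a single string of data"
        $x2 = "removes checks of DNS names and lengths (during split)"
        $x3 = "Randomize data lengths (length/2 to length)"
        $x4 = "This cruft"
    condition:
        2 of them
}
'''

_ESCAPES = {'n': b'\n', 't': b'\t', '"': b'"', '\\': b'\\'}


def _unescape(literal: str) -> bytes:
    """Convert a YARA text-string literal to bytes, handling \\n, \\t, \\", \\\\ and \\xNN."""
    out = bytearray()
    i = 0
    while i < len(literal):
        ch = literal[i]
        if ch == '\\' and i + 1 < len(literal):
            nxt = literal[i + 1]
            if nxt == 'x' and i + 3 < len(literal):      # \xNN hex escape
                out.append(int(literal[i + 2:i + 4], 16))
                i += 4
                continue
            if nxt in _ESCAPES:
                out += _ESCAPES[nxt]
                i += 2
                continue
        out += ch.encode('utf-8')
        i += 1
    return bytes(out)


def parse_rule(text: str):
    """Return (rule_name, {string_id: bytes}, threshold) for a rule whose condition is 'N of them'."""
    name = re.search(r'^\s*rule\s+(\w+)', text, re.M).group(1)
    strings = {}
    threshold = None
    section = None
    for line in text.splitlines():
        s = line.strip()
        if s.endswith(':') and s[:-1] in ('meta', 'strings', 'condition'):
            section = s[:-1]
            continue
        if section == 'strings':
            m = re.match(r'(\$\w*)\s*=\s*"((?:[^"\\]|\\.)*)"', s)
            if m:
                strings[m.group(1)] = _unescape(m.group(2))
        elif section == 'condition':
            m = re.match(r'(\d+)\s+of\s+them', s)
            if m:
                threshold = int(m.group(1))
    if threshold is None:
        raise ValueError("only 'N of them' conditions are supported by this example")
    return name, strings, threshold


def scan(rule, data: bytes):
    """Apply the parsed rule to a buffer. Returns (fired, {string_id: first_offset}).
    Matching is exact and case-sensitive, like YARA strings without the nocase modifier."""
    _name, strings, threshold = rule
    hits = {}
    for sid, pattern in strings.items():
        off = data.find(pattern)
        if off != -1:
            hits[sid] = off
    return len(hits) >= threshold, hits


# Constructed sample buffers (not real malware samples).
SAMPLE_CRUFT_ONLY = b"// This cruft is left over from an older build\n"
SAMPLE_TWO_HITS = (b"\x00\x01" + b"Assemble rows of DNS names back to a single string of data"
                   + b"\x00" * 16 + b"Randomize data lengths (length/2 to length)\x00")
SAMPLE_LOWERCASE = b"assemble rows of dns names back to a single string of data"  # case differs: no hit


def demo():
    """Run the rule over the constructed samples and report which ones fire."""
    rule = parse_rule(RULE_TEXT)
    results = {}
    for label, buf in (("cruft_only", SAMPLE_CRUFT_ONLY),
                       ("two_hits", SAMPLE_TWO_HITS),
                       ("lowercase", SAMPLE_LOWERCASE)):
        fired, hits = scan(rule, buf)
        results[label] = (fired, sorted(hits))
    return results


if __name__ == "__main__":
    for label, (fired, ids) in demo().items():
        print(f"{label:12s} fired={fired} matched={ids}")
```

For production scanning use yara-python or the yara CLI against the real rule; this re-implementation exists only to show what "2 of them" means for tuning and why a single generic string hit is not enough to raise an alert.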
This YARA rule can be deployed in the following contexts:
This rule contains four string patterns ($x1 to $x4) in its detection logic and fires when any two of them are present in the scanned file or memory region.
Scenario: Legitimate use of dext module in Python scripts for data extraction
Filter/Exclusion: process.name == "python" and process.args contains "dext" and process.args contains "data_extraction_script.py"
Scenario: Scheduled job running a script that includes the dext module for log analysis
Filter/Exclusion: process.name == "python" and process.args contains "log_analysis_script.py" and process.user == "log_analysis"
Scenario: Admin task using a third-party tool that includes dext module for parsing configuration files
Filter/Exclusion: process.name == "config_parser_tool" and process.args contains "dext" and process.args contains "config_parse_job"
Scenario: Development environment using dext for testing purposes in a sandboxed VM
Filter/Exclusion: process.name == "python" and process.args contains "dext" and (process.parent.name == "VirtualBox" or process.parent.name == "vmrun")
Scenario: Use of dext in a CI/CD pipeline for automated testing of data formats
Filter/Exclusion: process.name == "python" and process.args contains "dext" and process.args contains "ci_pipeline_test.py" and process.user == "ci_user"
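The sandboxed-VM exclusion above is the one most likely to be written incorrectly, because in the filter language used here (as in most query languages) `and` binds more tightly than `or`. The following is an added example, not part of the page's rule or filters, that mirrors the exclusion with and without parentheses as Python predicates over constructed process events (field names follow the filter lines above; the events are invented for the demonstration). It shows that the unparenthesized form suppresses every child of vmrun regardless of process name or arguments, which silently blinds the detection for anything launched from that parent.

```python
# Constructed process events shaped like the fields used in the exclusion filters.
EVENTS = [
    {"id": "dev-vm-test",
     "process.name": "python", "process.args": "python -m dext tests/",
     "process.parent.name": "VirtualBox"},
    {"id": "unexpected-child-of-vmrun",
     "process.name": "unknown.exe", "process.args": "unknown.exe --serve",
     "process.parent.name": "vmrun"},
    {"id": "python-dext-on-host",
     "process.name": "python", "process.args": "python -m dext",
     "process.parent.name": "bash"},
]


def exclude_unparenthesized(ev):
    """Mirrors: name == "python" and args contains "dext" and parent == "VirtualBox" or parent == "vmrun".
    Python's `and` also binds tighter than `or`, so this reproduces the over-broad behaviour."""
    return (ev["process.name"] == "python"
            and "dext" in ev["process.args"]
            and ev["process.parent.name"] == "VirtualBox") or ev["process.parent.name"] == "vmrun"


def exclude_parenthesized(ev):
    """Mirrors the corrected filter: the parent check is grouped, so name and args are always required."""
    return (ev["process.name"] == "python"
            and "dext" in ev["process.args"]
            and ev["process.parent.name"] in ("VirtualBox", "vmrun"))


def suppressed(predicate, events=EVENTS):
    """Return the ids of events an exclusion predicate would drop from the alert stream."""
    return [e["id"] for e in events if predicate(e)]


if __name__ == "__main__":
    print("unparenthesized suppresses:", suppressed(exclude_unparenthesized))
    print("parenthesized suppresses:  ", suppressed(exclude_parenthesized))
```

When tuning exclusions, run each one against a sample of recent events and review exactly which records it removes before deploying it; an exclusion that drops events it was never meant to describe is a detection gap, not a false-positive fix.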