Detects strings from kblogi module - Project Sauron report by Kaspersky

Hunt Hypothesis

The hypothesis is that the presence of strings from the kblogi module may indicate the execution of malicious code associated with the Project Sauron report, potentially used for reconnaissance or persistence. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify early-stage adversary activity and prevent further compromise.

YARA Rule

rule APT_Project_Sauron_kblogi_module 
{

    meta:
        description = "Detects strings from kblogi module - Project Sauron report by Kaspersky"
        author = "Florian Roth"
        reference = "https://goo.gl/eFoP4A"
        date = "2016-08-08"

    strings:
        $x1 = "Inject using process name or pid. Default"
        $s2 = "Convert mode: Read log from file and convert to text"
        $s3 = "Maximum running time in seconds"

    condition:
        $x1 or 2 of them
}

Deployment Notes

This YARA rule can be deployed in the following contexts:

• Microsoft Defender for Endpoint — Custom indicators / advanced hunting
• Email Gateway — Attachment scanning
• File Share Monitoring — Periodic scanning of shared drives
• YARA CLI — Manual threat hunting on endpoints

This rule contains 3 string patterns in its detection logic.

References

• https://goo.gl/eFoP4A
• Source Rule

False Positive Guidance

• Scenario: Scheduled system update or patch deployment using Ansible or Chef
  Filter/Exclusion: Check for known update scripts or processes associated with Ansible or Chef, such as ansible-playbook or chef-client in the process name or command line.

• Scenario: Log analysis or forensic investigation using ELK Stack (Elasticsearch, Logstash, Kibana)
  Filter/Exclusion: Filter events where the process name or command line includes logstash, elasticsearch, or kibana, or where the user is a system admin performing log analysis.

• Scenario: Security tool or SIEM configuration using Splunk or QRadar
  Filter/Exclusion: Exclude processes related to Splunk (e.g., splunkd) or QRadar (e.g., qradar) and filter for known SIEM-related activities or admin tasks.

• Scenario: System maintenance task using PowerShell or Task Scheduler
  Filter/Exclusion: Filter for PowerShell scripts (powershell.exe) or Task Scheduler jobs with known maintenance tasks, such as disk cleanup or registry checks.

• Scenario: Internal reporting or data aggregation using Tableau or Power BI
  Filter/Exclusion: Exclude processes related to Tableau (tabcmd) or Power BI (bi) and filter for known reporting or data aggregation activities.