The detection identifies potential LUA scripts associated with the Project Sauron malware family, which may indicate adversarial activity leveraging script-based payloads for persistence or execution. SOC teams should proactively hunt for these scripts in Azure Sentinel to identify early-stage compromises and mitigate lateral movement risks.
YARA Rule
rule APT_Project_Sauron_Scripts
{
    meta:
        description = "Detects scripts (mostly LUA) from Project Sauron report by Kaspersky"
        author = "Florian Roth"
        reference = "https://goo.gl/eFoP4A"
        date = "2016-08-08"
    strings:
        $x1 = "local t = w.exec2str(\"regedit "
        $x2 = "local r = w.exec2str(\"cat"
        $x3 = "ap*.txt link*.txt node*.tun VirtualEncryptedNetwork.licence"
        $x4 = "move O FakeVirtualEncryptedNetwork.dll"
        $x5 = "sinfo | basex b 32url | dext l 30"
        $x6 = "w.exec2str(execStr)"
        $x7 = "netnfo irc | basex b 32url"
        $x8 = "w.exec(\"wfw status\")"
        $x9 = "exec(\"samdump\")"
        $x10 = "cat VirtualEncryptedNetwork.ini|grep"
        $x11 = "if string.lower(k) == \"securityproviders\" then"
        $x12 = "exec2str(\"plist b | grep netsvcs\")"
        $x13 = ".*account.*|.*acct.*|.*domain.*|.*login.*|.*member.*"
        $x14 = "SAURON_KBLOG_KEY ="
    condition:
        1 of them
}
This YARA rule can be deployed in the following contexts:
This rule contains 14 string patterns in its detection logic.
Scenario: Scheduled LUA script execution for system maintenance
Description: A legitimate scheduled task runs a LUA script as part of system health checks or configuration management.
Filter/Exclusion: Exclude processes launched by the Windows Task Scheduler, i.e. those with a CommandLine containing schtasks.exe or other scheduling keywords.
Scenario: LUA script used in DevOps pipeline automation
Description: A LUA script is executed by a CI/CD tool like Jenkins or GitLab CI to automate testing or deployment.
Filter/Exclusion: Exclude processes with a CommandLine containing jenkins.exe, gitlab-runner, or ci.
Scenario: LUA-based configuration management tool (e.g., LuaRocks)
Description: A system administrator uses a LUA-based tool like LuaRocks to manage package repositories or configuration files.
Filter/Exclusion: Exclude processes with CommandLine containing luarocks or lua used in package management contexts.
Scenario: LUA script for network monitoring or logging
Description: A LUA script is used by a network monitoring tool (e.g., Cacti, Zabbix) to collect and log system metrics.
Filter/Exclusion: Exclude processes with CommandLine containing cacti, zabbix_agentd, or network monitoring keywords.
Scenario: LUA script for custom application logic in enterprise software
Description: A LUA script is part of a custom application or middleware (e.g., in a game server or custom business application) that runs on enterprise servers.
Filter/Exclusion: Exclude processes with a CommandLine containing custom_app, game_server, or middleware.
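To show how the rule above actually evaluates, and how the exclusion scenarios would be applied at triage time, here is an added Python example that is not part of the original page or of the rule author's tooling. It re-implements the rule's 14 text strings and its "1 of them" condition as plain byte searches (no yara-python dependency), then labels a process command line with the benign contexts listed in the scenarios. The sample scripts, the command lines and the context labels are constructed for the example; the EXCLUSION_CONTEXTS keyword table is a hypothetical simplification of the scenario text, not a vendor-provided list.

```python
"""Emulate the APT_Project_Sauron_Scripts rule ('1 of them' over 14 text
strings) and the page's false-positive contexts, on constructed samples."""
from __future__ import annotations

# The 14 text strings taken verbatim from the rule. YARA text strings with no
# modifiers match as exact, case-sensitive bytes, so note that $x13 is the
# literal text of a regex as it would appear inside a script, not a regex.
SAURON_STRINGS: dict[str, bytes] = {
    "$x1": b'local t = w.exec2str("regedit ',
    "$x2": b'local r = w.exec2str("cat',
    "$x3": b"ap*.txt link*.txt node*.tun VirtualEncryptedNetwork.licence",
    "$x4": b"move O FakeVirtualEncryptedNetwork.dll",
    "$x5": b"sinfo | basex b 32url | dext l 30",
    "$x6": b"w.exec2str(execStr)",
    "$x7": b"netnfo irc | basex b 32url",
    "$x8": b'w.exec("wfw status")',
    "$x9": b'exec("samdump")',
    "$x10": b"cat VirtualEncryptedNetwork.ini|grep",
    "$x11": b'if string.lower(k) == "securityproviders" then',
    "$x12": b'exec2str("plist b | grep netsvcs")',
    "$x13": b".*account.*|.*acct.*|.*domain.*|.*login.*|.*member.*",
    "$x14": b"SAURON_KBLOG_KEY =",
}


def matched_strings(data: bytes) -> list[str]:
    """Return the identifiers of every rule string found in data (rule order)."""
    return [name for name, needle in SAURON_STRINGS.items() if needle in data]


def rule_matches(data: bytes) -> bool:
    """The rule's condition is '1 of them': any single string hit fires it."""
    return len(matched_strings(data)) >= 1


# Hypothetical triage table built from the page's scenarios. The bare keyword
# "ci" from the CI/CD scenario is deliberately left out: as a two-letter
# substring it would exclude almost every command line.
EXCLUSION_CONTEXTS: dict[str, tuple[str, ...]] = {
    "scheduled-task": ("schtasks.exe",),
    "ci-cd": ("jenkins.exe", "gitlab-runner"),
    "package-management": ("luarocks",),
    "network-monitoring": ("cacti", "zabbix_agentd"),
    "custom-app": ("custom_app", "game_server", "middleware"),
}


def exclusion_context(command_line: str) -> str | None:
    """Label a process command line with the first matching benign context."""
    lowered = command_line.lower()
    for label, keywords in EXCLUSION_CONTEXTS.items():
        if any(k in lowered for k in keywords):
            return label
    return None


def triage(data: bytes, command_line: str) -> str:
    """Combine the content match with the process context for an analyst."""
    if not rule_matches(data):
        return "no-match"
    ctx = exclusion_context(command_line)
    return f"match-in-excluded-context:{ctx}" if ctx else "match"


# Constructed samples (not real malware content).
BENIGN_LUA = b'local ok = os.execute("zabbix_agentd --version")\nprint(ok)\n'
SUSPECT_LUA = (b'local key = nil\nSAURON_KBLOG_KEY = "..."\n'
               b'local t = w.exec2str("regedit /e out.reg")\n')
CASE_CHANGED = b'sauron_kblog_key = "..."\n'  # lowercased: strings are case-sensitive

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_LUA), ("suspect", SUSPECT_LUA),
                          ("case-changed", CASE_CHANGED)):
        print(f"{label:13s} hits={matched_strings(sample)} fires={rule_matches(sample)}")
    print(triage(SUSPECT_LUA, r"C:\Windows\System32\schtasks.exe /run /tn lua-health"))
    print(triage(SUSPECT_LUA, "lua5.4 script.lua"))
```

The case-changed sample is the caveat worth remembering: none of the rule's strings carry the nocase modifier, so a trivially re-cased copy of an indicator produces no hit, which is why the page frames this rule as a hunting aid rather than a complete detection. The triage function keeps the content match and the process context separate, so an excluded-context hit is still recorded rather than silently dropped.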