ProjectSauron's encrypted LSA modules, the samples this rule targets, are loaded by the Local Security Authority (LSA) as password filters (they export the InitializeChangeNotify and PasswordChangeNotify entry points) and give the implant persistence or a path to privilege escalation, while the encrypted payload evades signature-based detection. SOC teams should proactively hunt for this behavior in Azure Sentinel, since such implants can remain undetected by standard monitoring tools.
YARA Rule
import "pe"
import "math"

rule apt_ProjectSauron_encrypted_LSA
{
    meta:
        copyright = "Kaspersky Lab"
        description = "Rule to detect ProjectSauron encrypted LSA samples"
        version = "1.0"
        reference = "https://securelist.com/blog/"

    strings:
        $a1 = "EFEB0A9C6ABA4CF5958F41DB6A31929776C643DEDC65CC9B67AB8B0066FF2492" fullword ascii
        $a2 = "\\Device\\NdisRaw_" fullword ascii
        $a3 = "\\\\.\\GLOBALROOT\\Device\\{8EDB44DC-86F0-4E0E-8068-BD2CABA4057A}" fullword wide
        $a4 = "Global\\{a07f6ba7-8383-4104-a154-e582e85a32eb}" fullword wide
        $a5 = "Missing function %S::#%d" fullword wide
        $a6 = {8945D08D8598FEFFFF2BD08945D88D45BC83C20450C745C0030000008975C48955DCFF55FC8BF88D8F0000003A83F90977305333DB53FF15}
        $a7 = {488D4C24304889442450488D452044886424304889442460488D4520C7442434030000002BD848897C243844896C244083C308895C246841FFD68D880000003A8BD883F909772DFF}

    condition:
        // PE file ("MZ" header) that either carries a known string/code pattern, or
        // exports the LSA password-filter entry points with near-random content
        // past the headers (encrypted or packed body); capped at 1 MB.
        uint16(0) == 0x5A4D and
        (
            any of ($a*) or
            (
                pe.exports("InitializeChangeNotify") and
                pe.exports("PasswordChangeNotify") and
                math.entropy(0x400, filesize) >= 7.5
            )
        ) and
        filesize < 1000000
}
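As an added example, not part of the Kaspersky rule or of this page, the following Python mirrors the rule's fallback branch: the "MZ" check, the Shannon entropy of everything past offset 0x400 against the 7.5-bit threshold, and the 1 MB size cap. It assumes the caller supplies the export names from a PE parser (for example pefile); the high- and low-entropy inputs are constructed inline.

```python
import math
from collections import Counter

# Constants taken from the rule's condition.
MZ_MAGIC = 0x5A4D        # uint16(0) == 0x5A4D, the "MZ" DOS header
HEADER_SKIP = 0x400      # math.entropy(0x400, filesize): measure past the headers
ENTROPY_THRESHOLD = 7.5  # bits per byte; close to 8.0 means encrypted or packed
MAX_SIZE = 1_000_000     # filesize < 1000000
PASSWORD_FILTER_EXPORTS = {"InitializeChangeNotify", "PasswordChangeNotify"}

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte, the measure YARA's math.entropy reports."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())

def entropy_after_headers(sample: bytes) -> float:
    # math.entropy(0x400, filesize) asks for filesize bytes from 0x400; YARA
    # clamps the window at end of file, so it is simply the tail of the sample.
    return shannon_entropy(sample[HEADER_SKIP:])

def matches_encrypted_lsa_heuristic(sample: bytes, exports: set) -> bool:
    """Mirror the rule's fallback branch for files that hit none of $a1..$a7.

    `exports` is the set of exported names; the caller is assumed to obtain it
    from a PE parser (for example pefile's DIRECTORY_ENTRY_EXPORT).
    """
    is_pe = len(sample) >= 2 and int.from_bytes(sample[:2], "little") == MZ_MAGIC
    return (is_pe
            and PASSWORD_FILTER_EXPORTS <= exports
            and entropy_after_headers(sample) >= ENTROPY_THRESHOLD
            and len(sample) < MAX_SIZE)

def constructed_sample(body: bytes) -> bytes:
    """Constructed test input: an MZ header padded to 0x400 bytes, then body."""
    return b"MZ" + b"\x00" * (HEADER_SKIP - 2) + body

# Constructed bodies: every byte value equally often gives exactly 8.0 bits;
# a run of one byte value gives 0.0 bits.
HIGH_ENTROPY_BODY = bytes(range(256)) * 64
LOW_ENTROPY_BODY = b"\x00" * (256 * 64)

if __name__ == "__main__":
    for label, body in (("encrypted-like", HIGH_ENTROPY_BODY), ("plain", LOW_ENTROPY_BODY)):
        pe = constructed_sample(body)
        hit = matches_encrypted_lsa_heuristic(pe, PASSWORD_FILTER_EXPORTS)
        print(f"{label}: entropy={entropy_after_headers(pe):.2f} hit={hit}")
```

The string branch ($a1 to $a7) is left to YARA itself; this script only reproduces the heuristic that catches encrypted password-filter DLLs with no known pattern.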
The rule carries seven string patterns ($a1 to $a7) in its detection logic, plus a fallback heuristic for PE files that export the LSA password-filter entry points with high-entropy content. When the hunt is extended to process telemetry in Azure Sentinel, the following benign administrative activities are common sources of noise; each is paired with a suggested filter or exclusion:
Scenario: Scheduled system cleanup using sfc /scannow or DISM
Filter/Exclusion: Check for ProcessName containing sfc.exe or dism.exe and filter out processes initiated by the System or TrustedInstaller accounts.
Scenario: Admin task to encrypt user passwords using net user with encryption flags
Filter/Exclusion: Filter events where CommandLine includes net user and the target user is a known admin account or part of the local administrators group.
Scenario: Regular execution of secedit /configure for security policy updates
Filter/Exclusion: Exclude processes where ProcessName is secedit.exe and the command line includes /configure with a known configuration file path.
Scenario: Automated backup job using vssadmin or wbadmin that modifies LSA settings
Filter/Exclusion: Filter events where ProcessName is vssadmin.exe or wbadmin.exe and the command line includes backup or snapshot-related arguments.
Scenario: Use of certutil to manage or import certificates, which may interact with LSA components
Filter/Exclusion: Exclude processes where ProcessName is certutil.exe and the command line includes certificate import/export operations.