Encrypted ProjectSauron SSPI samples may indicate the presence of a sophisticated adversary leveraging encryption to evade detection and persist within the network. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential advanced threats that could bypass traditional detection mechanisms.
YARA Rules

// The "pe" and "math" modules are required for pe.exports(), pe.characteristics,
// pe.machine and math.entropy() used in the conditions below.
import "pe"
import "math"

rule apt_ProjectSauron_encrypted_SSPI
{
    meta:
        copyright = "Kaspersky Lab"
        description = "Rule to detect encrypted ProjectSauron SSPI samples"
        version = "1.0"
        reference = "https://securelist.com/blog/"
    condition:
        // 64-bit DLL exporting the SSPI entry point whose body after the headers is near-random
        uint16(0) == 0x5A4D and filesize < 1000000 and
        pe.exports("InitSecurityInterfaceA") and
        pe.characteristics & pe.DLL and
        (pe.machine == pe.MACHINE_AMD64 or pe.machine == pe.MACHINE_IA64) and
        math.entropy(0x400, filesize) >= 7.5
}

rule apt_ProjectSauron_MyTrampoline
{
    meta:
        copyright = "Kaspersky Lab"
        description = "Rule to detect ProjectSauron MyTrampoline module"
        version = "1.0"
        reference = "https://securelist.com/blog/"
    strings:
        $a1 = ":\\System Volume Information\\{" wide
        $a2 = "\\\\.\\PhysicalDrive%d" wide
        $a3 = "DMWndClassX%d"
        $b1 = "{774476DF-C00F-4e3a-BF4A-6D8618CFA532}" ascii wide
        $b2 = "{820C02A4-578A-4750-A409-62C98F5E9237}" ascii wide
    condition:
        // either the full set of generic artefacts or any one of the module GUIDs
        uint16(0) == 0x5A4D and filesize < 5000000 and (all of ($a*) or any of ($b*))
}

rule apt_ProjectSauron_encrypted_container
{
    meta:
        copyright = "Kaspersky Lab"
        description = "Rule to detect ProjectSauron samples encrypted container"
        version = "1.0"
        reference = "https://securelist.com/blog/"
    strings:
        $vfs_header = {02 AA 02 C1 02 0?}
        $salt = {91 0A E0 CC 0D FE CE 36 78 48 9B 9C 97 F7 F5 55}
    condition:
        // VFS header near the start of the file (or the known salt) plus a high-entropy body
        uint16(0) == 0x5A4D and ((@vfs_header < 0x4000) or $salt) and
        math.entropy(0x400, filesize) >= 6.5 and
        (filesize > 0x400) and filesize < 10000000
}

rule apt_ProjectSauron_encryption
{
    meta:
        copyright = "Kaspersky Lab"
        description = "Rule to detect ProjectSauron string encryption"
        version = "1.0"
        reference = "https://securelist.com/blog/"
    strings:
        $a1 = {81??02AA02C175??8B??0685}
        $a2 = {918D9A94CDCC939A93939BD18B9AB8DE9C908DAF8D9B9BBE8C8C9AFF}
        $a3 = {803E225775??807E019F75??807E02BE75??807E0309}
    condition:
        filesize < 5000000 and any of ($a*)
}
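To make the container rule's condition concrete, the following Python script is an added example (not part of the Kaspersky rule set or the page above) that re-implements two of its building blocks: an entropy function with the semantics of YARA's math.entropy(offset, size), and a small matcher for hex strings with "?" nibble wildcards that reports the first-match offset the way @vfs_header does. It then evaluates the apt_ProjectSauron_encrypted_container logic over two constructed byte buffers (a low-entropy PE stub and one carrying the $vfs_header bytes followed by pseudo-random data); neither buffer is a real sample, and the matcher deliberately omits YARA jumps such as [4-6].

```python
import math
import random
from collections import Counter
from typing import Optional, Tuple

# Constructed samples, not real ProjectSauron files. Both start with "MZ" and
# have their first 0x400 bytes zeroed so the entropy window starts at 0x400.
_rng = random.Random(1234)  # deterministic pseudo-random filler
BENIGN_SAMPLE = b"MZ" + b"\x00" * 0x3FE + b"A" * 0x1000
SUSPICIOUS_SAMPLE = (
    b"MZ" + b"\x00" * 0x3FE
    + bytes([0x02, 0xAA, 0x02, 0xC1, 0x02, 0x07])          # matches {02 AA 02 C1 02 0?}
    + bytes(_rng.getrandbits(8) for _ in range(0x10000))    # high-entropy "container" body
)

# Hex strings copied from the apt_ProjectSauron_encrypted_container rule.
VFS_HEADER = "{02 AA 02 C1 02 0?}"
SALT = "{91 0A E0 CC 0D FE CE 36 78 48 9B 9C 97 F7 F5 55}"


def shannon_entropy(data: bytes, offset: int = 0, size: Optional[int] = None) -> float:
    """Entropy in bits per byte of data[offset:offset+size], clipped to the buffer.
    This mirrors YARA's math.entropy(offset, size): a window of [0x400, filesize)
    simply runs to the end of the file."""
    end = len(data) if size is None else min(len(data), offset + size)
    region = data[offset:end]
    if not region:
        return 0.0
    n = len(region)
    return -sum((c / n) * math.log2(c / n) for c in Counter(region).values())


def parse_hex_pattern(pattern: str) -> Tuple[bytes, bytes]:
    """Turn a YARA hex string such as '{02 AA 02 C1 02 0?}' into (value, mask) bytes.
    A '?' nibble clears the corresponding mask bits; '??' wildcards a whole byte.
    Jumps like [4-6] and alternatives are not supported by this toy parser."""
    digits = "".join(pattern.strip().strip("{}").split())
    if len(digits) % 2:
        raise ValueError("hex pattern must contain whole bytes")
    value, mask = bytearray(), bytearray()
    for hi, lo in zip(digits[0::2], digits[1::2]):
        v = m = 0
        if hi != "?":
            v |= int(hi, 16) << 4
            m |= 0xF0
        if lo != "?":
            v |= int(lo, 16)
            m |= 0x0F
        value.append(v)
        mask.append(m)
    return bytes(value), bytes(mask)


def find_pattern(data: bytes, pattern: str) -> int:
    """Offset of the first match, as YARA's @pattern reports it, or -1 if absent."""
    value, mask = parse_hex_pattern(pattern)
    n = len(value)
    for i in range(len(data) - n + 1):
        if all((data[i + j] & mask[j]) == value[j] for j in range(n)):
            return i
    return -1


def matches_encrypted_container(data: bytes) -> bool:
    """Python rendering of the apt_ProjectSauron_encrypted_container condition."""
    is_mz = len(data) >= 2 and int.from_bytes(data[:2], "little") == 0x5A4D  # uint16(0) == 0x5A4D
    hdr = find_pattern(data, VFS_HEADER)
    header_early = hdr != -1 and hdr < 0x4000                               # @vfs_header < 0x4000
    has_salt = find_pattern(data, SALT) != -1                               # $salt
    size_ok = 0x400 < len(data) < 10_000_000                                # filesize bounds
    return (is_mz and (header_early or has_salt) and size_ok
            and shannon_entropy(data, 0x400, len(data)) >= 6.5)


if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_SAMPLE), ("suspicious", SUSPICIOUS_SAMPLE)):
        print(f"{name}: entropy(0x400..)={shannon_entropy(sample, 0x400, len(sample)):.3f} "
              f"vfs_header@{find_pattern(sample, VFS_HEADER)} "
              f"match={matches_encrypted_container(sample)}")
```

The benign buffer fails on entropy alone (a run of identical bytes scores 0.0), while the second buffer satisfies every clause. The same helpers can be pointed at the SSPI rule's stricter 7.5 threshold to see why packed or compressed legitimate DLLs, which also sit near 8 bits per byte, are the main false-positive class for entropy-based conditions and why that rule pairs entropy with the exported-function and machine-type checks.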
This YARA rule set can be deployed in the following contexts, each with a suggested filter or exclusion for expected activity:
The MyTrampoline rule contains 5 string patterns in its detection logic; the other rules rely on hex patterns, PE metadata and entropy.
Scenario: System backup job using ProjectSauron for encryption
Description: A scheduled backup job uses ProjectSauron to encrypt sensitive data before archiving.
Filter/Exclusion: process.parent_process_name == "backup_service.exe" or process.command_line contains "backup"
Scenario: Admin task to encrypt user credentials using ProjectSauron
Description: An administrator uses ProjectSauron to encrypt user credentials for secure storage.
Filter/Exclusion: process.user == "Administrator" and process.command_line contains "encrypt_credentials"
Scenario: Development environment using ProjectSauron for secure communication
Description: A development team uses ProjectSauron to encrypt internal API communications between services.
Filter/Exclusion: process.process_name == "dev_service.exe" or process.command_line contains "dev_env"
Scenario: Scheduled encryption of logs using ProjectSauron
Description: A log management system uses ProjectSauron to encrypt log files before sending them to secure storage.
Filter/Exclusion: process.command_line contains "log_encrypt" or process.parent_process_name == "log_manager.exe"
Scenario: ProjectSauron used in a legitimate security tool for encryption
Description: A security tool or SIEM system uses ProjectSauron to encrypt data in transit or at rest.
Filter/Exclusion: process.process_name == "security_tool.exe" or process.command_line contains "secure_transmit"