The hypothesis is that the detection of ProjectSauron pipe backdoors indicates the presence of a persistent, low-privilege lateral movement technique used by adversaries to maintain long-term access within a network. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential long-term persistence mechanisms that may evade traditional detection methods.
YARA Rule
rule apt_ProjectSauron_pipe_backdoor
{
    meta:
        copyright = "Kaspersky Lab"
        description = "Rule to detect ProjectSauron pipe backdoors"
        version = "1.0"
        reference = "https://securelist.com/blog/"
    strings:
        $a1 = "CreateNamedPipeW" fullword ascii
        $a2 = "SetSecurityDescriptorDacl" fullword ascii
        $a3 = "GetOverlappedResult" fullword ascii
        $a4 = "TerminateThread" fullword ascii
        $a5 = "%s%s%X" fullword wide
    condition:
        uint16(0) == 0x5A4D and (all of ($a*)) and filesize < 100000
}
This YARA rule can be deployed in the following contexts:
This rule contains 5 string patterns in its detection logic.
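As an added example (not part of this page and not Kaspersky's code), the Python below emulates the rule's condition without yara-python, so an analyst can see exactly what the fullword and wide modifiers, the uint16(0) header check and the filesize guard accept or reject. The sample blobs are constructed inline and contain no real malware.

```python
import re

# String patterns copied from the apt_ProjectSauron_pipe_backdoor rule above.
ASCII_STRINGS = {
    "$a1": b"CreateNamedPipeW",
    "$a2": b"SetSecurityDescriptorDacl",
    "$a3": b"GetOverlappedResult",
    "$a4": b"TerminateThread",
}
WIDE_STRINGS = {"$a5": "%s%s%X"}
MAX_FILESIZE = 100000  # the rule's "filesize < 100000"


def _fullword_pattern(needle: bytes, wide: bool):
    """Emulate YARA's fullword modifier: the match must not be bordered by an
    alphanumeric character. A wide string's neighbours are UTF-16LE units,
    so the guard there is "alphanumeric byte followed by NUL"."""
    guard = rb"[A-Za-z0-9]\x00" if wide else rb"[A-Za-z0-9]"
    return re.compile(rb"(?<!" + guard + rb")" + re.escape(needle) + rb"(?!" + guard + rb")")


def string_hits(data: bytes) -> dict:
    """Return {identifier: True/False} for every string in the rule."""
    hits = {n: bool(_fullword_pattern(s, wide=False).search(data)) for n, s in ASCII_STRINGS.items()}
    for n, s in WIDE_STRINGS.items():
        hits[n] = bool(_fullword_pattern(s.encode("utf-16-le"), wide=True).search(data))
    return hits


def matches_rule(data: bytes) -> bool:
    """Evaluate the rule's condition line against a file's bytes."""
    # uint16(0) == 0x5A4D reads two little-endian bytes, 4D 5A, i.e. the "MZ" DOS header.
    if data[:2] != b"MZ":
        return False
    if len(data) >= MAX_FILESIZE:  # the condition requires filesize < 100000
        return False
    return all(string_hits(data).values())  # "all of ($a*)"


# Constructed sample blobs (not real malware): a minimal MZ header, the four
# import names as NUL-separated ASCII and the format string as UTF-16LE.
_WIDE = WIDE_STRINGS["$a5"].encode("utf-16-le")
SAMPLE_HIT = b"MZ" + b"\x00" * 62 + b"\x00".join(ASCII_STRINGS.values()) + b"\x00\x00" + _WIDE + b"\x00\x00"
# Same content, but "CreateNamedPipeW" is glued to a preceding letter, so the
# fullword guard rejects $a1 and the rule does not fire.
SAMPLE_PARTIAL = SAMPLE_HIT.replace(b"\x00CreateNamedPipeW", b"XCreateNamedPipeW")

if __name__ == "__main__":
    for label, blob in (("hit", SAMPLE_HIT), ("partial", SAMPLE_PARTIAL)):
        print(label, string_hits(blob), "->", matches_rule(blob))
```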
Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task using schtasks.exe or Task Scheduler may execute a script that matches the YARA signature due to similar file naming or content.
Filter/Exclusion: Check for schtasks.exe or Task Scheduler execution context, and exclude tasks with known maintenance scripts (e.g., Cleanup-SystemTemp.ps1).
Scenario: PowerShell Script for Log Collection
Description: A PowerShell script used for log collection or monitoring may contain pipe operations (|) that resemble the behavior of the ProjectSauron backdoor.
Filter/Exclusion: Filter by powershell.exe with command-line arguments containing Get-EventLog, Get-Event, or Get-Log to identify legitimate log collection scripts.
Scenario: Admin Task for Pipe Communication Between Services
Description: A system administrator may use named pipes (e.g., NamedPipeClientStream) for communication between services, which could trigger the rule due to similar pipe usage.
Filter/Exclusion: Exclude processes initiated by ntservice.exe or LocalSystem with known administrative tools (e.g., netsh, regsvr32, wbemtest).
Scenario: Legacy Application Using Named Pipes
Description: An older enterprise application (e.g., SQL Server, Oracle, or Exchange) may use named pipes for inter-process communication, which could be flagged by the YARA rule.
Filter/Exclusion: Exclude processes associated with known enterprise applications (e.g., sqlservr.exe, msmqsvc.exe, exchsrvr.exe) or check for known pipe names used by these applications.
Scenario: Security Tool for Pipe Monitoring
Description: A security tool or SIEM