The hypothesis is that the detection rule identifies potential APT10 group activity through the use of the MenuPass Uppercut technique, which is associated with initial access and lateral movement. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage APT10 campaigns before they escalate to data exfiltration or system compromise.
YARA Rule
import "hash"

rule APT_Uppercut {
    meta:
        description = "Detects APT10 MenuPass Uppercut"
        author = "Colin Cowie"
        reference = "https://www.fireeye.com/blog/threat-research/2018/09/apt10-targeting-japanese-corporations-using-updated-ttps.html"
        date = "2018-09-13"
    strings:
        // C2 infrastructure (ASCII, case-sensitive by default)
        $ip1 = "51.106.53.147"
        $ip2 = "153.92.210.208"
        $ip3 = "eservake.jetos.com"
        // Embedded constants stored as UTF-16LE, hence the `wide` modifier
        $c1 = "0x97A168D9697D40DD" wide
        $c2 = "0x7CF812296CCC68D5" wide
        $c3 = "0x652CB1CEFF1C0A00" wide
        $c4 = "0x27595F1F74B55278" wide
        $c5 = "0xD290626C85FB1CE3" wide
        $c6 = "0x409C7A89CFF0A727" wide
    condition:
        any of them or
        hash.md5(0, filesize) == "aa3f303c3319b14b4829fe2faa5999c1" or
        hash.md5(0, filesize) == "126067d634d94c45084cbe1d9873d895" or
        hash.md5(0, filesize) == "fce54b4886cac5c61eda1e7605483ca3"
}
This YARA rule can be deployed in the following contexts:
This rule contains 9 string patterns in its detection logic.
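To make the rule's matching semantics concrete, the following added example (not part of the original rule or page) re-implements its condition in plain Python: the three infrastructure strings match as ASCII, the six constants match only in their UTF-16LE (`wide`) form, and the file-hash clause fires on the whole-file MD5. The sample buffers are constructed here for illustration and are not real samples.

```python
import hashlib

# Indicators copied from the APT_Uppercut YARA rule above.
ASCII_STRINGS = ["51.106.53.147", "153.92.210.208", "eservake.jetos.com"]
WIDE_STRINGS = [
    "0x97A168D9697D40DD", "0x7CF812296CCC68D5", "0x652CB1CEFF1C0A00",
    "0x27595F1F74B55278", "0xD290626C85FB1CE3", "0x409C7A89CFF0A727",
]
KNOWN_MD5S = {
    "aa3f303c3319b14b4829fe2faa5999c1",
    "126067d634d94c45084cbe1d9873d895",
    "fce54b4886cac5c61eda1e7605483ca3",
}


def match_apt_uppercut(data: bytes) -> dict:
    """Mirror the rule: any string hit, or the whole-file MD5 in the known list."""
    hits = []
    for s in ASCII_STRINGS:
        # YARA string default: ASCII bytes, case-sensitive.
        if s.encode("ascii") in data:
            hits.append(s)
    for s in WIDE_STRINGS:
        # `wide` alone means UTF-16LE only; the ASCII form does NOT match.
        if s.encode("utf-16-le") in data:
            hits.append(s)
    md5 = hashlib.md5(data).hexdigest()
    return {"strings": hits, "md5": md5, "matched": bool(hits) or md5 in KNOWN_MD5S}


# Constructed test buffers (not real samples): a fake PE header plus payload.
SAMPLE_WIDE = b"MZ\x90\x00" + "0x97A168D9697D40DD".encode("utf-16-le") + b"\x00" * 8
SAMPLE_ASCII_ONLY = b"MZ\x90\x00" + b"0x97A168D9697D40DD" + b"\x00" * 8
SAMPLE_DOMAIN = b"GET / HTTP/1.1\r\nHost: eservake.jetos.com\r\n\r\n"

if __name__ == "__main__":
    for name, buf in [("wide", SAMPLE_WIDE), ("ascii", SAMPLE_ASCII_ONLY), ("domain", SAMPLE_DOMAIN)]:
        print(name, match_apt_uppercut(buf))
```

The ASCII-only buffer does not match, which is the behaviour a hunter should expect from `wide` without `ascii`; the domain buffer matches on `$ip3` alone, since `any of them` needs a single string hit.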
Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task runs a script that uses certutil to verify a certificate, which may trigger the rule due to the use of certutil in a script.
Filter/Exclusion: Exclude processes initiated by schtasks.exe or tasks with a known name like SystemMaintenanceTask.
Scenario: Windows Update Installation
Description: During a Windows Update installation, certutil may be used to validate certificate chains, which could match the rule’s logic.
Filter/Exclusion: Exclude processes with the command line containing wuauclt.exe or WindowsUpdate.exe.
Scenario: Admin Performing Certificate Management
Description: An administrator uses certutil to manage or renew certificates, which may trigger the rule due to the presence of certificate-related commands.
Filter/Exclusion: Exclude processes initiated by an admin account with a known certificate management task name, such as CertManager.exe.
Scenario: PowerShell Script for Certificate Validation
Description: A PowerShell script is used to validate a certificate chain, which may include certutil commands and match the rule’s detection logic.
Filter/Exclusion: Exclude processes where the parent process is powershell.exe and the script path is known and trusted (e.g., C:\Windows\System32\certutil.ps1).
Scenario: Third-Party Software Certificate Check
Description: A third-party application (e.g., Microsoft Endpoint Manager, SCCM, or third-party security tools) uses certutil to validate internal certificates, triggering the rule.
Filter/Exclusion: Exclude processes initiated by known third-party software or with a command line containing the software’s name (e.g., SCCM.exe, Microsoft.Endpoint.Manager.exe).