The hypothesis is that connections to the IP addresses listed in the rule below are Cozy Bear / Fancy Bear command-and-control traffic, indicating ongoing adversary communication. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and contain early-stage compromise by these advanced persistent threat groups. Note the rule's date (2016-06-14): IP indicators age quickly as infrastructure is torn down and reassigned, so treat a hit as a lead to verify rather than a confirmed detection.
YARA Rule
rule COZY_FANCY_BEAR_Hunt
{
    meta:
        description = "Detects Cozy Bear / Fancy Bear C2 Server IPs"
        author = "Florian Roth"
        reference = "https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/"
        date = "2016-06-14"
    strings:
        $s1 = "185.100.84.134" ascii wide fullword
        $s2 = "58.49.58.58" ascii wide fullword
        $s3 = "218.1.98.203" ascii wide fullword
        $s4 = "187.33.33.8" ascii wide fullword
        $s5 = "185.86.148.227" ascii wide fullword
        $s6 = "45.32.129.185" ascii wide fullword
        $s7 = "23.227.196.217" ascii wide fullword
    condition:
        uint16(0) == 0x5a4d and 1 of them
}
The rule contains 7 string patterns, each matched as ASCII or UTF-16LE (wide) and only as a whole word (fullword), so an address embedded in a longer run of digits does not match. Because the condition also requires uint16(0) == 0x5a4d, the rule only fires on files that begin with an MZ (PE) header: the same address in a script, a PCAP or a log line is ignored. Deploy it where PE files or dumped process images are scanned (endpoint YARA scans, sandbox output, mail-gateway attachments); for network telemetry in Azure Sentinel, extract the seven addresses as an IOC list and match them against connection events rather than running the rule itself.
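To make the rule's semantics concrete, the following added example (my code, not Florian Roth's rule or any YARA engine) re-implements the condition in plain Python: the MZ gate, ASCII and UTF-16LE matching, and the fullword delimiter check. The sample blobs are constructed stand-ins for PE files, not real malware, and the helper names are my own.

```python
import re

# The seven C2 addresses hard-coded in the rule above ($s1 .. $s7, in order).
C2_IPS = [
    "185.100.84.134",
    "58.49.58.58",
    "218.1.98.203",
    "187.33.33.8",
    "185.86.148.227",
    "45.32.129.185",
    "23.227.196.217",
]

# uint16(0) == 0x5a4d reads the first two bytes little-endian, i.e. b"MZ".
MZ_MAGIC = b"MZ"

# YARA's `fullword` modifier: the match must not be adjacent to an
# alphanumeric character. For `wide` strings the neighbours are UTF-16LE
# code units, so the check looks at the two bytes on either side.
ALNUM = rb"[A-Za-z0-9]"


def _patterns(s: str):
    """Compile the ascii and wide (UTF-16LE) fullword regexes for one rule string."""
    ascii_pat = re.compile(
        rb"(?<!" + ALNUM + rb")" + re.escape(s.encode()) + rb"(?!" + ALNUM + rb")"
    )
    wide_pat = re.compile(
        rb"(?<!" + ALNUM + rb"\x00)" + re.escape(s.encode("utf-16-le")) + rb"(?!" + ALNUM + rb"\x00)"
    )
    return ascii_pat, wide_pat


PATTERNS = [(f"$s{i}", *_patterns(ip)) for i, ip in enumerate(C2_IPS, start=1)]


def scan(data: bytes) -> list:
    """Emulate `uint16(0) == 0x5a4d and 1 of them`.

    Returns the identifiers of the rule strings that hit, or an empty list
    when the blob is not an MZ/PE image (the condition short-circuits there).
    """
    if data[:2] != MZ_MAGIC:
        return []
    return [name for name, ascii_pat, wide_pat in PATTERNS
            if ascii_pat.search(data) or wide_pat.search(data)]


def matches(data: bytes) -> bool:
    """True when the rule would fire on this blob."""
    return bool(scan(data))


def _pe_like(payload: bytes) -> bytes:
    """Constructed stand-in for a PE file: MZ magic, filler bytes, then the payload."""
    return MZ_MAGIC + b"\x90" * 62 + payload + b"\x00" * 8


# Constructed samples (not real malware) that exercise each part of the condition.
SAMPLES = {
    # ascii, delimited by '/' on both sides -> $s1
    "pe_ascii": _pe_like(b"http://185.100.84.134/index.php\x00"),
    # UTF-16LE string, as a Windows binary commonly stores it -> $s6
    "pe_wide": _pe_like("45.32.129.185".encode("utf-16-le")),
    # trailing '5' makes the address part of a longer word: fullword rejects it
    "pe_not_fullword": _pe_like(b"185.100.84.1345"),
    # same address as pe_ascii, but the file is not a PE: the MZ gate rejects it
    "not_pe": b"\x7fELF" + b"\x00" * 60 + b"185.100.84.134\x00",
}


if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(f"{name:16} -> {scan(blob) or 'no match'}")
```

The two negative samples are the ones worth remembering when triaging a miss: an address inside a longer digit run and an address in a non-PE artifact are both invisible to this rule by design, which is why the network hunt below works from the raw IP list instead.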
Scenario: Legitimate scheduled job for system updates
Description: A scheduled task runs to pull updates from a known Microsoft update server (e.g., update.microsoft.com).
Filter/Exclusion: Exclude IP addresses associated with Microsoft update servers (e.g., 13.107.21.100, 52.166.16.100) using a static IP list or a regex pattern.
Scenario: Internal administrative tool usage
Description: An admin uses a legitimate internal tool (e.g., PowerShell remoting or Task Scheduler) to connect to an internal configuration-management server; to a connection-based hunt this periodic traffic to a controller looks like beaconing.
Filter/Exclusion: Exclude the RFC 1918 ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) or the specific internal management servers used for administrative tasks.
Scenario: Legitimate use of a third-party cloud service
Description: A company uses a cloud service such as AWS S3 or Azure Blob Storage for data storage, and the hunt flags the IP of a storage endpoint as suspicious.
Filter/Exclusion: Exclude the provider's published address ranges (AWS ip-ranges.json, Azure Service Tags) rather than guessed addresses, but never let that exclusion override an exact match on the seven IOC addresses: adversary C2 is frequently rented from the same providers, so a wholesale cloud allowlist can suppress a true positive.
Scenario: Use of legitimate remote management tools
Description: An admin uses a remote management tool like PsExec or Remote Desktop Protocol (RDP) to connect to a remote server for troubleshooting.
Filter/Exclusion: Exclude IPs associated with known remote management tools or internal admin servers using a static IP list or tool-specific filtering.
Scenario: Legitimate use of a public DNS server
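The scenarios above describe a triage pipeline: match connection events against the seven addresses, then strip internal and known-good peers from what remains. The following added example (my code, not part of the original page and not an Azure Sentinel query) implements that pipeline over a constructed key=value connection log. The log lines, the allowlist values and the helper names are assumptions for illustration; the Microsoft update addresses are the page's own examples, not a vetted list.

```python
import ipaddress
import re

# IOC set: the seven addresses from the YARA rule above.
C2_IPS = {
    "185.100.84.134", "58.49.58.58", "218.1.98.203", "187.33.33.8",
    "185.86.148.227", "45.32.129.185", "23.227.196.217",
}

# Exclusions from the scenarios above. The Microsoft update addresses are the
# page's own illustrative values (assumption); in production load the provider's
# published ranges instead of hard-coding them.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ALLOWLISTED_IPS = {"13.107.21.100", "52.166.16.100"}

# Constructed connection log in a simple key=value form (not real Sentinel data).
SAMPLE_LOG = """\
2016-06-14T10:01:02Z src=10.0.0.5 dst=45.32.129.185 dport=443 proto=tcp
2016-06-14T10:01:05Z src=10.0.0.5 dst=192.168.1.10 dport=445 proto=tcp
2016-06-14T10:02:00Z src=10.0.0.9 dst=13.107.21.100 dport=443 proto=tcp
2016-06-14T10:03:11Z src=10.0.0.9 dst=8.8.8.8 dport=53 proto=udp
2016-06-14T10:04:40Z src=185.100.84.134 dst=10.0.0.21 dport=3389 proto=tcp
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)


def parse(log: str) -> list:
    """Parse the key=value lines into dicts; lines that do not fit the format are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, log.splitlines()) if m]


def is_internal(ip: str) -> bool:
    """True for addresses inside the RFC 1918 ranges the scenarios exclude."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def hunt(events: list):
    """Split events into IOC hits and external peers left for analyst review.

    IOC membership is tested before any exclusion, so a broad allowlist
    (cloud ranges, admin hosts) can never suppress a true positive.
    """
    hits, review = [], []
    for ev in events:
        for field in ("dst", "src"):
            ip = ev[field]
            if ip in C2_IPS:
                hits.append({"ts": ev["ts"], "field": field, "ip": ip, "dport": ev["dport"]})
            elif is_internal(ip) or ip in ALLOWLISTED_IPS:
                continue  # scenario exclusions: internal ranges, known-good servers
            elif ip not in review:
                review.append(ip)
    return hits, review


if __name__ == "__main__":
    hits, review = hunt(parse(SAMPLE_LOG))
    for h in hits:
        print(f"IOC hit {h['ts']} {h['field']}={h['ip']} dport={h['dport']}")
    print("external peers still to review:", review)
```

On the constructed log this yields two hits, an outbound connection to 45.32.129.185 on 443 and an inbound RDP connection from 185.100.84.134, while the internal SMB session and the update-server connection are filtered out; 8.8.8.8 survives the filters and is left for the analyst, which is the case the last scenario above is about.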