The Elise Backdoor Trojan is likely being used by adversaries to establish persistent, stealthy access to compromised systems. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential long-term persistence and data exfiltration risks.
YARA Rule
rule EliseLotusBlossom
{
    meta:
        author = "Jose Ramon Palanco"
        date = "2015-06-23"
        description = "Elise Backdoor Trojan"
        ref = "https://www.paloaltonetworks.com/resources/research/unit42-operation-lotus-blossom.html"
    strings:
        $magic = { 4d 5a }
        $s1 = "\",Update" wide
        $s2 = "LoaderDLL.dll"
        $s3 = "Kernel32.dll"
        $s4 = "{5947BACD-63BF-4e73-95D7-0C8A98AB95F2}"
        $s5 = "\\Network\\" wide
        $s6 = "0SSSSS"
        $s7 = "441202100205"
        $s8 = "0WWWWW"
    condition:
        $magic at 0 and all of ($s*)
}
This YARA rule can be deployed in the following contexts:
This rule contains 9 string patterns in its detection logic.
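To make the rule's evaluation concrete, the following added example (not from the original page, and not code from the rule's author or from Palo Alto Networks) re-implements the EliseLotusBlossom condition in plain Python instead of calling the yara library. It shows the two details that most often trip up analysts reading this rule: the `wide` modifier on $s1 and $s5 means those strings only match as UTF-16LE (each character followed by a NUL byte), and `$magic at 0` is anchored to offset 0 rather than matching an MZ header anywhere in the file. The sample buffers are constructed synthetically for testing and are not real Elise samples.

```python
"""Pure-Python re-implementation of the EliseLotusBlossom YARA rule logic.

Added example: reproduces the rule's semantics so the 'wide' modifier and
the 'at 0' anchor can be observed without a YARA install. The byte buffers
produced by build_sample() are constructed test data, not real malware.
"""
from typing import Dict, Tuple

# String patterns copied from the rule. The boolean marks the 'wide' modifier,
# which in YARA (without an accompanying 'ascii') means UTF-16LE only.
PATTERNS: Dict[str, Tuple[str, bool]] = {
    "$s1": ("\",Update", True),
    "$s2": ("LoaderDLL.dll", False),
    "$s3": ("Kernel32.dll", False),
    "$s4": ("{5947BACD-63BF-4e73-95D7-0C8A98AB95F2}", False),
    "$s5": ("\\Network\\", True),
    "$s6": ("0SSSSS", False),
    "$s7": ("441202100205", False),
    "$s8": ("0WWWWW", False),
}
MAGIC = b"MZ"  # $magic = { 4d 5a }


def encode_pattern(text: str, wide: bool) -> bytes:
    """Encode a rule string the way YARA searches for it."""
    # 'wide' interleaves a NUL after every character, i.e. UTF-16LE for ASCII text.
    return text.encode("utf-16-le") if wide else text.encode("ascii")


def evaluate_rule(data: bytes) -> Dict[str, bool]:
    """Return the hit status of every pattern plus the overall verdict under 'rule'."""
    # '$magic at 0' only succeeds when the MZ bytes sit exactly at offset zero.
    hits = {"$magic": data[:2] == MAGIC}
    for name, (text, wide) in PATTERNS.items():
        hits[name] = encode_pattern(text, wide) in data
    # condition: $magic at 0 and all of ($s*)
    hits["rule"] = all(hits.values())
    return hits


def matches(data: bytes) -> bool:
    """True when the buffer satisfies the full rule condition."""
    return evaluate_rule(data)["rule"]


def build_sample(wide_ok: bool = True, mz_at_zero: bool = True) -> bytes:
    """Construct a synthetic buffer that either satisfies the rule or deliberately
    breaks one sub-condition (wrong encoding for wide strings, or MZ not at offset 0)."""
    parts = [MAGIC if mz_at_zero else b"\x00" + MAGIC]
    parts.append(b"\x00" * 62)  # filler standing in for the rest of a DOS header
    for text, wide in PATTERNS.values():
        # With wide_ok=False the 'wide' strings are written as ASCII, so the rule must miss them.
        parts.append(encode_pattern(text, wide and wide_ok))
        parts.append(b"\x00\x00")
    return b"".join(parts)


if __name__ == "__main__":
    for label, buf in (
        ("full match", build_sample()),
        ("wide strings stored as ASCII", build_sample(wide_ok=False)),
        ("MZ shifted off offset 0", build_sample(mz_at_zero=False)),
    ):
        verdict = evaluate_rule(buf)
        missed = [k for k, v in verdict.items() if not v and k != "rule"]
        print(f"{label}: rule={'HIT' if verdict['rule'] else 'miss'} missed={missed}")
```

Running the script shows a hit for the first buffer and misses for the other two; in the second case only $s1 and $s5 fail, which is exactly the behaviour of a `wide`-only string, and in the third only $magic fails. When testing a rule like this against real files, the same per-string breakdown (available in yara-python as match string data) is the quickest way to see which of the nine patterns a sample is missing.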
Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task running via Task Scheduler to perform system updates or maintenance.
Filter/Exclusion: process.parent_process == "Task Scheduler" or process.name == "schtasks.exe"
Scenario: Admin Performing Remote Desktop Session
Description: An administrator is using Remote Desktop Protocol (RDP) to access a server and is executing commands that may trigger the rule.
Filter/Exclusion: process.parent_process == "mstsc.exe" or process.user == "admin_account"
Scenario: Logon Script Execution
Description: A logon script is running upon user authentication, which may include legitimate command executions.
Filter/Exclusion: process.parent_process == "logonui.exe" or process.command_line contains "logonscript"
Scenario: Database Backup Job
Description: A database backup job is running via SQL Server Agent, which may involve command-line tools or scripts.
Filter/Exclusion: process.parent_process == "sqlservr.exe" or process.command_line contains "sqlbackup"
Scenario: PowerShell Script for System Monitoring
Description: A PowerShell script is being run by a system admin to monitor system performance or security status.
Filter/Exclusion: process.parent_process == "powershell.exe" and (process.command_line contains "monitor" or process.command_line contains "system")