The rule detects potential adversary behavior involving the use of a custom tool or technique associated with the Glasses family, which may indicate initial compromise or reconnaissance. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage threats that could lead to more severe breaches.
YARA Rule

rule Glasses : Family
{
    meta:
        description = "Glasses family"
        author = "Seth Hardy"
        last_modified = "2021-11-18"
        reference_file = "aaf262fde1738dbf0bb50213a9624cd6705ebcaeb06c5fcaf7e9f33695d3fc33"
        reference_url = "https://citizenlab.ca/2013/02/apt1s-glasses-watching-a-human-rights-organization/"
    condition:
        // GlassesCode and GlassesStrings are private rules that accompany this rule
        // in the original signature file; they are not reproduced on this page, so
        // this rule does not compile on its own without them.
        GlassesCode and GlassesStrings
}
The following benign scenarios may trigger this YARA rule; each comes with a suggested filter or exclusion to reduce false positives:
Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task runs a script that modifies user profiles or system settings, which may trigger the “Glasses family” rule due to file or registry modifications.
Filter/Exclusion: Exclude tasks associated with Task Scheduler and specifically filter out tasks with names like System Maintenance or User Profile Cleanup.
Scenario: Admin User Performing User Profile Management
Description: An admin user is manually adjusting user profiles, such as changing display settings or applying group policy preferences, which could be flagged by the rule.
Filter/Exclusion: Exclude activity from admin users with known roles (e.g., Domain Admins, Enterprise Admins) or filter events where the subject is a known admin account.
Scenario: Software Update or Patch Deployment
Description: A legitimate software update or patch deployment (e.g., via SCCM, WSUS, or Microsoft Endpoint Manager) may modify system files or registry keys that match the rule’s criteria.
Filter/Exclusion: Exclude events related to known update tools like Windows Update, SCCM, or Microsoft Endpoint Manager by checking the process name or event source.
Scenario: User Profile Synchronization via Azure AD Connect
Description: Azure AD Connect synchronizes user profiles between on-premises Active Directory and Azure AD, which may involve changes to user settings or profile data.
Filter/Exclusion: Exclude events involving Azure AD Connect or processes like AzureADConnect.exe and filter out synchronization-related activities.
Scenario: Third-Party Application Configuration Changes
Description: A legitimate third-party application (e.g., Adobe, Microsoft Office, or Citrix) may modify user profile settings or system configurations during normal operation.
Filter/Exclusion: Exclude events where the process is a known third-party
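As an added example (not code from the original page or the rule's author), the triage logic below applies the exclusion scenarios above to YARA hits while refusing to suppress any hit on the rule's own reference sample. The Hit record, the sample hits and all process names except AzureADConnect.exe are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

# SHA-256 of the reference sample from the rule's metadata. A hit on this
# file is never suppressed, whatever process or account produced it.
REFERENCE_SHA256 = "aaf262fde1738dbf0bb50213a9624cd6705ebcaeb06c5fcaf7e9f33695d3fc33"

# Allow-lists taken from the scenarios above. The process names other than
# AzureADConnect.exe are assumed, not quoted from the page.
MAINTENANCE_TASKS = {"system maintenance", "user profile cleanup"}
ADMIN_GROUPS = {"domain admins", "enterprise admins"}
UPDATE_PROCESSES = {"wuauclt.exe", "ccmexec.exe", "azureadconnect.exe"}
THIRD_PARTY_PROCESSES = {"acrobat.exe", "winword.exe", "wfica32.exe"}

@dataclass
class Hit:
    rule: str                 # matched YARA rule name
    sha256: str               # hash of the scanned file
    process: str              # image name of the process that wrote the file
    task_name: str = ""       # scheduled task the process ran under, if any
    groups: set = field(default_factory=set)  # groups of the acting account

def suppression_reason(hit):
    """Return the exclusion scenario that covers this hit, or None to keep it."""
    if hit.rule != "Glasses":
        return None
    if hit.sha256.lower() == REFERENCE_SHA256:
        return None          # known malicious sample: exclusions never apply
    proc = hit.process.lower()
    if hit.task_name.lower() in MAINTENANCE_TASKS:
        return "scheduled maintenance task"
    if {g.lower() for g in hit.groups} & ADMIN_GROUPS:
        return "known admin account"
    if proc in UPDATE_PROCESSES:
        return "update or sync tool"
    if proc in THIRD_PARTY_PROCESSES:
        return "third-party application"
    return None

def triage(hits):
    """Split hits into those to escalate and those explained by an exclusion."""
    keep, suppressed = [], []
    for h in hits:
        reason = suppression_reason(h)
        (suppressed if reason else keep).append((h, reason))
    return keep, suppressed

# Constructed sample hits, not real telemetry.
SAMPLE_HITS = [
    Hit("Glasses", REFERENCE_SHA256, "AzureADConnect.exe"),
    Hit("Glasses", "00" * 32, "ccmexec.exe"),
    Hit("Glasses", "11" * 32, "svchost.exe", task_name="System Maintenance"),
    Hit("Glasses", "22" * 32, "explorer.exe", groups={"Domain Users"}),
]
```

Running `triage(SAMPLE_HITS)` keeps the reference-sample hit even though it was written by an otherwise excluded sync process, and keeps the unexplained explorer.exe hit for hunting.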