This rule flags code features associated with obfuscated or encoded code that adversaries may use to evade detection or execute malicious payloads. SOC teams should proactively hunt for matches in Azure Sentinel to identify and mitigate early-stage threats that rely on code obfuscation techniques.
YARA Rule
rule GlassesCode : Glasses Family
{
    meta:
        description = "Glasses code features"
        author = "Seth Hardy"
        last_modified = "2021-11-18"
        reference_file = "aaf262fde1738dbf0bb50213a9624cd6705ebcaeb06c5fcaf7e9f33695d3fc33"
        reference_url = "https://citizenlab.ca/2013/02/apt1s-glasses-watching-a-human-rights-organization/"

    strings:
        $ = { B8 AB AA AA AA F7 E1 D1 EA 8D 04 52 2B C8 }
        $ = { B8 56 55 55 55 F7 E9 8B 4C 24 1C 8B C2 C1 E8 1F 03 D0 49 3B CA }

    condition:
        any of them
}
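To see what the rule's two hex strings actually match, here is an added Python matcher (not part of the rule or the original page) that converts YARA-style hex strings into byte regexes and scans a constructed buffer; it goes a little beyond the rule by also accepting `??` single-byte wildcards. The sample buffers are constructed for illustration.

```python
import re

# The two hex strings from the GlassesCode rule (values copied from the rule above).
# Both are x86 compiler idioms: the first computes "value mod 3" via the unsigned
# magic multiplier 0xAAAAAAAB, the second a signed division by 3 via 0x55555556.
GLASSES_HEX_STRINGS = [
    "B8 AB AA AA AA F7 E1 D1 EA 8D 04 52 2B C8",
    "B8 56 55 55 55 F7 E9 8B 4C 24 1C 8B C2 C1 E8 1F 03 D0 49 3B CA",
]

def hex_string_to_regex(hex_string):
    """Turn a YARA-style hex string ({ AA ?? BB }) into a compiled bytes regex.
    Supports plain bytes and '??' wildcards; jumps and alternation are not handled."""
    parts = []
    for tok in hex_string.strip("{} ").split():
        if tok == "??":
            parts.append(b".")
        elif re.fullmatch(r"[0-9A-Fa-f]{2}", tok):
            parts.append(re.escape(bytes([int(tok, 16)])))
        else:
            raise ValueError(f"unsupported hex token: {tok}")
    return re.compile(b"".join(parts), re.DOTALL)

PATTERNS = [hex_string_to_regex(h) for h in GLASSES_HEX_STRINGS]

def scan(data):
    """Return (pattern_index, offset) for every match of either string in data."""
    hits = []
    for idx, pat in enumerate(PATTERNS):
        for m in pat.finditer(data):
            hits.append((idx, m.start()))
    return hits

def matches_glasses(data):
    """Mirror the rule's 'any of them' condition."""
    return bool(scan(data))

# Constructed samples: NOP padding with the first idiom embedded at offset 16, and a clean buffer.
SAMPLE_HIT = b"\x90" * 16 + bytes.fromhex("B8ABAAAAAAF7E1D1EA8D04522BC8") + b"\xCC" * 8
SAMPLE_CLEAN = b"\x90" * 40

if __name__ == "__main__":
    print(scan(SAMPLE_HIT))    # [(0, 16)]
    print(scan(SAMPLE_CLEAN))  # []
```

Because both strings are ordinary compiler output for division by 3, expect them to appear in some benign binaries as well, so treat a hit as a hunting lead rather than a conviction.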
This YARA rule can be deployed in the following contexts:

Scenario: Scheduled backups using Veeam
Description: Veeam backup jobs may generate network traffic that resembles “glasses code” patterns due to frequent data transfers.
Filter/Exclusion: Exclude traffic originating from Veeam backup servers or associated with Veeam backup jobs using the src_ip or job_name field.

Scenario: System updates via Windows Server Update Services (WSUS)
Description: WSUS may trigger network activity that matches the detection logic due to the high volume of update packages being transferred.
Filter/Exclusion: Exclude traffic involving WSUS servers or update packages using the dest_ip field or by checking for known WSUS package file names.

Scenario: Log collection using Splunk Universal Forwarder
Description: The Splunk Universal Forwarder sends logs to a Splunk indexer, which may generate traffic patterns similar to “glasses code” due to frequent, small data transfers.
Filter/Exclusion: Exclude traffic from Splunk forwarders to Splunk indexers using the src_ip or dest_ip field, or by checking for Splunk-related headers in the logs.

Scenario: Automated report generation via Power BI
Description: Power BI services may generate periodic requests to data sources that resemble “glasses code” due to frequent, small data pulls.
Filter/Exclusion: Exclude traffic from Power BI service instances or scheduled report jobs using the src_ip or job_name field.

Scenario: Database replication using SQL Server
Description: SQL Server replication processes may generate network traffic that matches the detection logic due to frequent synchronization of data between servers.
Filter/Exclusion: Exclude traffic between SQL Server replicas using the src_ip and dest_ip fields, or by checking for SQL Server replication-specific ports or protocols.