The string ‘This cruft’ appears in known hacking tools such as netcat and cryptcat, which are commonly associated with command-and-control activity, and it is also mentioned in the Project Sauron report. Its presence in logs or artifacts therefore indicates potential use of such tools. SOC teams should proactively hunt for this indicator in Azure Sentinel to identify and mitigate potential compromise by the advanced persistent threats linked to the Project Sauron report.
YARA Rule
rule Hacktool_This_Cruft
{
    meta:
        description = "Detects string 'This cruft' often used in hack tools like netcat or cryptcat and also mentioned in Project Sauron report"
        author = "Florian Roth"
        reference = "https://goo.gl/eFoP4A"
        date = "2016-08-08"
        score = 60
    strings:
        $x1 = "This cruft" fullword
    condition:
        ( uint16(0) == 0x5a4d and filesize < 200KB and $x1 )
}
This YARA rule can be deployed in the following contexts:
This rule contains a single string pattern ($x1) in its detection logic; the condition only fires when that string is found as a full word inside a file that starts with an MZ header and is smaller than 200KB.
Scenario: Legitimate use of netcat for network testing
Filter/Exclusion: Check for the presence of netcat in the process name or command line, and exclude processes running under a known testing or DevOps team account.
Scenario: Scheduled job using cryptcat for secure file transfer
Filter/Exclusion: Filter out processes that are part of a known secure transfer job, such as those scheduled via cron or systemd and associated with a specific service or team.
Scenario: Admin task involving string manipulation in a script
Filter/Exclusion: Exclude processes where the string ‘This cruft’ appears in a script or log file as part of a legitimate string replacement or debugging task.
Scenario: Log file parsing or data processing tool
Filter/Exclusion: Exclude logs generated by tools like logrotate, grep, or awk that may include the string ‘This cruft’ as part of their output or processing.
Scenario: Security tool or SIEM configuration with hardcoded strings
Filter/Exclusion: Exclude entries from security tools like Splunk, ELK, or Graylog where the string is part of a predefined rule or configuration.
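The following is an added example, not part of the rule page or of the rule author's tooling: a pure-Python re-implementation of the three terms in the rule's condition (uint16(0) == 0x5a4d, filesize < 200KB, and the fullword string match), run over constructed byte blobs. It makes explicit why the scenarios above involving text logs, scripts or SIEM configuration never satisfy this rule's condition during a file scan: such files lack the MZ header, so only the string term is true. The per-term breakdown returned by evaluate() is an assumption of this example, chosen so that a (non-)match can be triaged term by term; it is not a YARA feature.

```python
import re
import struct

# Added example: a pure-Python re-implementation of the three terms in the
# rule's condition (MZ header, filesize < 200KB, fullword string). It is not
# part of the rule page and does not replace the yara binary; it exists to show
# what each term accepts and rejects. All sample inputs below are constructed.

NEEDLE = b"This cruft"
SIZE_LIMIT = 200 * 1024  # YARA's "200KB" means 200 * 1024 bytes


def is_mz(data: bytes) -> bool:
    """uint16(0) == 0x5a4d: the first two bytes, read little-endian, are 'MZ'."""
    return len(data) >= 2 and struct.unpack_from("<H", data, 0)[0] == 0x5A4D


def fullword_match(data: bytes, needle: bytes) -> bool:
    """YARA 'fullword': the string may not be preceded or followed by an
    alphanumeric byte, so 'This cruftiness' does not count as a hit."""
    pattern = re.compile(
        rb"(?<![0-9A-Za-z])" + re.escape(needle) + rb"(?![0-9A-Za-z])"
    )
    return pattern.search(data) is not None


def evaluate(data: bytes) -> dict:
    """Return each term of the condition separately, plus the combined verdict.
    The per-term dictionary is an assumption of this example (not a YARA
    feature) so that a non-match can be explained term by term."""
    terms = {
        "is_mz": is_mz(data),
        "under_200kb": len(data) < SIZE_LIMIT,
        "has_this_cruft_fullword": fullword_match(data, NEEDLE),
    }
    terms["match"] = all(terms.values())
    return terms


def build_sample(header: bytes, body: bytes, pad_to: int = 0) -> bytes:
    """Constructed test blob: header, padding, body, more padding (not a real PE)."""
    blob = header + b"\x00" * 64 + body + b"\x00" * 16
    if pad_to > len(blob):
        blob += b"\x00" * (pad_to - len(blob))
    return blob


# Constructed samples (no real files); only the first one should fire.
SAMPLES = {
    "small_mz_with_string": build_sample(b"MZ", b"... " + NEEDLE + b" ..."),
    "small_mz_substring_only": build_sample(b"MZ", b"This cruftiness"),
    "elf_with_string": build_sample(b"\x7fELF", NEEDLE),
    "large_mz_with_string": build_sample(b"MZ", NEEDLE, pad_to=SIZE_LIMIT),
    "text_log_line": b"2016-08-08 sshd[1]: This cruft seen in log\n",
}


if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(f"{name:26s} {evaluate(blob)}")
```

Running the block prints one line per constructed sample; only small_mz_with_string reports match=True, while the log line shows has_this_cruft_fullword=True but is_mz=False. That is the practical consequence for the exclusion scenarios listed above: they describe process and log telemetry in a SIEM, whereas this rule, as written, can only match small PE files on disk or in memory scans.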