This detection identifies potential CozyDuke / CozyCar / CozyBear implants deployed by APT29, leveraging unusual file execution patterns and network communication indicative of command-and-control activity. SOC teams should proactively hunt for this behavior to detect and mitigate advanced persistent threats before they exfiltrate data or escalate within the Azure Sentinel environment.
YARA Rule
rule IMPLANT_10_v1 {
    meta:
        description = "CozyDuke / CozyCar / CozyBear Implant by APT29"
        author = "US CERT"
        reference = "https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE"
        date = "2017-02-10"
        score = 85
    strings:
        // 33 ?? = xor r32, r/m32 ; 83 F2 ?? = xor edx, imm8 ; 81 E2 FF 00 00 00 = and edx, 0xFF
        // (a byte-wise xor/mask decode sequence)
        $STR1 = {33 ?? 83 F2 ?? 81 E2 FF 00 00 00}
        // 0F BE 14 01 = movsx edx, byte ptr [ecx+eax] ; 33 D0 = xor edx, eax ; ?? F2 [1-4] = xor edx, imm8 (most likely 83 F2 ib) ;
        // 81 E2 FF 00 00 00 = and edx, 0xFF ; 66 89 [6] = mov word ptr [...], r16 ; 40 = inc eax ; 83 F8 ?? = cmp eax, imm8 ; 72 = jb
        // (the same decode step inside a counted loop)
        $STR2 = {0F BE 14 01 33 D0 ?? F2 [1-4] 81 E2 FF 00 00 00 66 89 [6] 40 83 F8 ?? 72}
    condition:
        uint16(0) == 0x5A4D and ($STR1 or $STR2)
}
The rule's detection logic consists of two hex string patterns, $STR1 and $STR2; a match requires either pattern in a file whose first two bytes are the MZ (PE) magic checked in the condition.
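As an added example (not from US-CERT or the original page), the following pure-Python matcher translates the rule's two hex strings into byte regexes and evaluates the rule's condition over constructed sample buffers, so an analyst can check what the patterns do and do not match without a YARA install; the sample buffers and the helper names are my own.

```python
import re

# Hex patterns copied from the IMPLANT_10_v1 rule on this page.
STR1 = "33 ?? 83 F2 ?? 81 E2 FF 00 00 00"
STR2 = "0F BE 14 01 33 D0 ?? F2 [1-4] 81 E2 FF 00 00 00 66 89 [6] 40 83 F8 ?? 72"


def hex_pattern_to_regex(pattern: str) -> re.Pattern:
    """Translate the subset of YARA hex-string syntax this rule uses
    (literal bytes, '??' wildcards, '[n]' / '[n-m]' jumps) into a bytes regex."""
    parts = []
    for tok in pattern.split():
        if tok == "??":
            parts.append(b".")                       # any single byte
        elif tok.startswith("["):
            lo, _, hi = tok[1:-1].partition("-")
            hi = hi or lo                            # '[6]' means exactly 6 bytes
            parts.append(b".{%d,%d}" % (int(lo), int(hi)))
        else:
            parts.append(b"".join(b"\\x%02x" % b for b in bytes.fromhex(tok)))
    return re.compile(b"".join(parts), re.DOTALL)    # DOTALL: '.' must match 0x0A too


PATTERNS = {"$STR1": hex_pattern_to_regex(STR1), "$STR2": hex_pattern_to_regex(STR2)}


def scan(data: bytes) -> dict:
    """Evaluate the rule condition: uint16(0) == 0x5A4D and ($STR1 or $STR2)."""
    is_pe = len(data) >= 2 and int.from_bytes(data[:2], "little") == 0x5A4D
    hits = {name: [m.start() for m in rx.finditer(data)] for name, rx in PATTERNS.items()}
    return {"is_pe": is_pe, "hits": hits, "match": is_pe and any(hits.values())}


# Constructed sample buffers (not real malware): an MZ header, 14 bytes of NOP
# padding, then a byte sequence that satisfies one of the rule's patterns.
SAMPLE_STR1 = b"MZ" + b"\x90" * 14 + bytes.fromhex("33C083F25A81E2FF000000") + b"\x00" * 8
SAMPLE_STR2 = (b"MZ" + b"\x90" * 14
               + bytes.fromhex("0FBE140133D083F24181E2FF00000066895445F0AABBCC4083F81072")
               + b"\x00" * 8)

if __name__ == "__main__":
    for label, buf in (("STR1 sample", SAMPLE_STR1), ("STR2 sample", SAMPLE_STR2),
                       ("no MZ header", SAMPLE_STR1[2:]), ("clean PE stub", b"MZ" + b"\x00" * 64)):
        print(label, scan(buf))
```

Note that the STR2 sample also triggers $STR1 at offset 20, because the shorter pattern is a sub-sequence of the loop body; the "no MZ header" buffer carries the same bytes but fails the uint16(0) check and so does not match.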
The exclusions below describe the process context in which a hit is raised (for example, when the rule is run by an endpoint agent against process memory or files written by a process); the YARA rule itself matches only file or memory content.

Scenario: Legitimate PowerShell script execution using PowerShell.exe for administrative tasks
Filter/Exclusion: Exclude processes where the parent process is explorer.exe or cmd.exe and the command line contains known administrative tooling such as PowerShell.exe -Command with benign cmdlets or scripts (e.g., Get-Service, Get-EventLog).

Scenario: Scheduled job running schtasks.exe to execute a legitimate maintenance script
Filter/Exclusion: Exclude processes initiated by schtasks.exe that are associated with known enterprise maintenance tasks (e.g., C:\Windows\System32\schtasks.exe running a script located in C:\Windows\System32\).

Scenario: Use of certutil.exe to download a signed certificate or update root certificates
Filter/Exclusion: Exclude processes where certutil.exe is used to update or install trusted root certificates (e.g., certutil.exe -addstore -user Root certificate.cer).

Scenario: Execution of msiexec.exe for legitimate software deployment
Filter/Exclusion: Exclude processes where msiexec.exe is used to install or update enterprise software (e.g., msiexec.exe /i software.msi with known enterprise software packages).

Scenario: Use of icacls.exe for file permission management by IT administrators
Filter/Exclusion: Exclude processes where icacls.exe is used to modify file permissions for legitimate system or user management tasks (e.g., icacls.exe C:\Folder /grant User:R).