The detection identifies potential CozyDuke / CozyCar / CozyBear implants deployed by APT29, leveraging unusual network traffic patterns indicative of C2 communication. SOC teams should proactively hunt for this behavior to detect and mitigate advanced persistent threats before they exfiltrate sensitive data or escalate within the environment.
YARA Rule
rule IMPLANT_10_v2 {
    meta:
        description = "CozyDuke / CozyCar / CozyBear Implant by APT29"
        author = "US CERT"
        reference = "https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE"
        date = "2017-02-10"
        score = 85
    strings:
        $xor = { 34 ?? 66 33 C1 48 FF C1 }
        $nop = { 66 66 66 66 66 66 0f 1f 84 00 00 00 00 00 }
    condition:
        uint16(0) == 0x5A4D and $xor and $nop
}
This YARA rule can be deployed in the following contexts:
This rule contains 2 string patterns in its detection logic.
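To make the condition concrete, the following is an added Python example that re-implements the rule's matching logic by hand: it translates the two hex strings (including the `??` wildcard byte in `$xor`) into byte regexes, applies the `uint16(0) == 0x5A4D` check, and reports where each pattern hits. It is not part of the US-CERT rule or this page, and the sample buffers it scans are constructed for illustration, not real implant bytes; in production the rule is compiled and run with YARA itself, and this code is only meant to show what the rule is actually keyed on (a PE header plus two code byte sequences, independent of any process command line).

```python
"""
Hand-rolled matcher for IMPLANT_10_v2 (added example, not US-CERT code).
Shows what the rule's condition evaluates on a file's raw bytes.
"""
import re
import struct

# Hex strings copied from the rule. '??' matches any single byte.
# $xor decodes as: xor al, imm8 / xor ax, cx / inc rcx (a small XOR loop body).
# $nop is a 14-byte multi-prefix long NOP used as code alignment padding.
XOR_PATTERN = "34 ?? 66 33 C1 48 FF C1"
NOP_PATTERN = "66 66 66 66 66 66 0f 1f 84 00 00 00 00 00"


def hex_pattern_to_regex(pattern: str) -> "re.Pattern[bytes]":
    """Translate a YARA-style hex string with '??' wildcards into a bytes regex."""
    parts = []
    for tok in pattern.split():
        if tok == "??":
            parts.append(b".")  # wildcard: any single byte
        else:
            parts.append(re.escape(bytes([int(tok, 16)])))
    # DOTALL so '.' also matches 0x0A, which a plain '.' would skip.
    return re.compile(b"".join(parts), re.DOTALL)


XOR_RE = hex_pattern_to_regex(XOR_PATTERN)
NOP_RE = hex_pattern_to_regex(NOP_PATTERN)


def is_mz(data: bytes) -> bool:
    """Equivalent of 'uint16(0) == 0x5A4D': little-endian 'MZ' at offset 0."""
    return len(data) >= 2 and struct.unpack_from("<H", data, 0)[0] == 0x5A4D


def find_offsets(regex: "re.Pattern[bytes]", data: bytes) -> list:
    """All (non-overlapping) offsets at which the pattern occurs."""
    return [m.start() for m in regex.finditer(data)]


def implant_10_v2_match(data: bytes) -> dict:
    """Mirror the rule condition: MZ header AND $xor AND $nop, with offsets."""
    xor_hits = find_offsets(XOR_RE, data)
    nop_hits = find_offsets(NOP_RE, data)
    return {
        "mz": is_mz(data),
        "xor_offsets": xor_hits,
        "nop_offsets": nop_hits,
        "match": is_mz(data) and bool(xor_hits) and bool(nop_hits),
    }


# --- Constructed sample buffers (not real malware) ---------------------------
XOR_STUB = bytes.fromhex("345A6633C148FFC1")  # '??' filled with 0x5A
NOP14 = bytes(int(t, 16) for t in NOP_PATTERN.split())

# PE-like buffer containing both sequences: should match.
SAMPLE_HIT = b"MZ" + b"\x90" * 30 + XOR_STUB + b"\x00" * 16 + NOP14 + b"\xCC" * 8
# Same code bytes but not a PE (ELF magic): the uint16(0) check fails.
SAMPLE_NOT_PE = b"\x7fELF" + XOR_STUB + NOP14
# PE with the XOR stub but ordinary single-byte NOP padding: $nop never hits.
SAMPLE_PE_NO_NOP = b"MZ" + XOR_STUB + b"\x90" * 14


if __name__ == "__main__":
    for name, buf in [("hit", SAMPLE_HIT), ("not_pe", SAMPLE_NOT_PE),
                      ("pe_no_nop", SAMPLE_PE_NO_NOP)]:
        print(name, implant_10_v2_match(buf))
```

Because both strings are short code fragments rather than unique implant-only data, the offsets reported by `implant_10_v2_match` are the first thing to pull when triaging a hit: a `$nop` hit alone is routine compiler padding, and the rule only fires when the XOR loop body sits in the same PE image.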
Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task using schtasks.exe to perform system maintenance (e.g., disk cleanup, log rotation) may trigger the rule due to similar command-line patterns.
Filter/Exclusion: Check for schtasks.exe in the command line and ensure the task is registered in the Task Scheduler with a known legitimate name or path.
Scenario: PowerShell Script for Admin Task
Description: A PowerShell script executed by an admin for routine configuration management (e.g., Invoke-Command, Set-ItemProperty) may resemble CozyDuke’s PowerShell-based implants.
Filter/Exclusion: Filter out PowerShell scripts that are signed by a trusted certificate or executed from known admin script directories (e.g., C:\Windows\System32\WindowsPowerShell\v1.0\).
Scenario: Database Backup Job via SQL Server Agent
Description: A SQL Server Agent job that runs sqlcmd.exe or osql.exe to perform database backups may trigger the rule due to similar process execution patterns.
Filter/Exclusion: Filter events where sqlcmd.exe or osql.exe is used in conjunction with known SQL Server backup scripts or scheduled jobs.
Scenario: Windows Update or Patching Process
Description: The Windows Update Agent (wuauserv) or patching tools like dism.exe may trigger the rule due to process execution and command-line similarities.
Filter/Exclusion: Exclude processes associated with wuauserv, dism.exe, or wuauclt.exe when they are running in the context of known update or patching tasks.
Scenario: Custom Admin Script for Configuration Management
Description: A custom admin script (e.g., configmgr.exe, `setup