The hunting hypothesis is that this detection identifies potential APT28 activity involving the CORESHELL/SOURFACE implant, a sophisticated tool the group uses for long-term persistence and command and control. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate advanced persistent threats before they cause significant damage.
YARA Rule
rule IMPLANT_2_v1 {
    meta:
        description = "CORESHELL/SOURFACE Implant by APT28"
        author = "US CERT"
        reference = "https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE"
        date = "2017-02-10"
        score = 85
    strings:
        $STR1 = { 8d ?? fa [2] e8 [2] FF FF C7 [2-5] 00 00 00 00 8D [2-5] 5? 6a 00 6a 01 }
    condition:
        (uint16(0) == 0x5A4D) and all of them
}
This YARA rule can be deployed in the following contexts:
This rule contains one string pattern in its detection logic; the condition additionally requires the scanned file to begin with the little-endian MZ header (uint16(0) == 0x5A4D), so it only fires on PE files.
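To show what the rule's single hex string and its MZ-header condition actually match, here is an added Python example (not part of the page or the US-CERT rule set) that translates the YARA hex-string syntax used above (fixed bytes, `?` nibble wildcards and `[n]` / `[n-m]` jumps) into a bytes regex and applies the rule's condition to in-memory data. The byte sequences it scans are constructed for the example and are not real samples; in production the rule would be run by YARA itself, this code only reproduces the matching semantics for study.

```python
import re
import sys

# Hex string copied from the IMPLANT_2_v1 rule above (the body between the braces).
IMPLANT_2_V1_HEX = "8d ?? fa [2] e8 [2] FF FF C7 [2-5] 00 00 00 00 8D [2-5] 5? 6a 00 6a 01"


def _nibble_class(tok):
    """Character class for a two-character token with a nibble wildcard ('5?' or '?a')."""
    mask = (0xF0 if tok[0] != "?" else 0x00) | (0x0F if tok[1] != "?" else 0x00)
    value = int(tok.replace("?", "0"), 16)
    members = [b for b in range(256) if (b & mask) == value]
    return b"[" + b"".join(b"\\x%02x" % b for b in members) + b"]"


def hex_string_to_regex(hex_string):
    """Translate a YARA hex string into a compiled bytes regex.

    Supported tokens: 'XX' fixed byte, '??' any byte, 'X?' / '?X' nibble wildcard,
    '[n]' jump of exactly n bytes, '[n-m]' jump of n to m bytes.
    """
    parts = []
    for tok in hex_string.split():
        if tok == "??":
            parts.append(b".")
        elif tok.startswith("[") and tok.endswith("]"):
            lo, _, hi = tok[1:-1].partition("-")
            parts.append(b".{%d,%d}" % (int(lo), int(hi)) if hi else b".{%d}" % int(lo))
        elif "?" in tok:
            parts.append(_nibble_class(tok))
        else:
            parts.append(b"\\x%02x" % int(tok, 16))
    # DOTALL so that wildcards and jumps also match 0x0a bytes.
    return re.compile(b"".join(parts), re.DOTALL)


IMPLANT_2_V1 = hex_string_to_regex(IMPLANT_2_V1_HEX)


def match_implant_2_v1(data):
    """Evaluate the rule's condition on a byte string.

    uint16(0) == 0x5A4D reads the first two bytes little-endian, i.e. the ASCII 'MZ'
    header of a PE file; 'all of them' then requires $STR1 to be present.
    Returns the offset of the first match, or None when the rule does not fire.
    """
    if data[:2] != b"MZ":
        return None
    m = IMPLANT_2_V1.search(data)
    return m.start() if m else None


# Constructed test data (not real malware): a byte run that satisfies every token of $STR1,
# placed after a fake 64-byte MZ header.
MATCHING_BODY = bytes.fromhex("8d45fa1122e83344ffffc745f8000000008d4df8506a006a01")
SAMPLE_HIT = b"MZ" + b"\x00" * 62 + MATCHING_BODY
SAMPLE_NO_HEADER = b"\x00" * 64 + MATCHING_BODY          # string present, not a PE
SAMPLE_NO_STRING = b"MZ" + b"\x00" * 62 + MATCHING_BODY[:-1] + b"\x02"  # PE, last byte wrong


def scan_files(paths):
    """Apply the rule to files on disk; yields (path, offset) for each hit."""
    for path in paths:
        with open(path, "rb") as fh:
            offset = match_implant_2_v1(fh.read())
        if offset is not None:
            yield path, offset


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path, offset in scan_files(sys.argv[1:]):
            print("IMPLANT_2_v1 %s @ 0x%x" % (path, offset))
    else:
        print("constructed hit:", match_implant_2_v1(SAMPLE_HIT))
        print("no MZ header:  ", match_implant_2_v1(SAMPLE_NO_HEADER))
        print("string broken: ", match_implant_2_v1(SAMPLE_NO_STRING))
```

Run it with one or more file paths to scan them, or with no arguments to see the three constructed cases. The point worth noticing is the interaction of the two halves of the condition: a file that carries the byte pattern but is not a PE (say, a memory dump or a network capture) is ignored by this rule, so for non-file hunting the MZ check has to be dropped deliberately rather than assumed to be harmless.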
Scenario: Scheduled system maintenance task using schtasks.exe
Filter/Exclusion: process.parent_process_name == "schtasks.exe" or process.command_line contains "schtasks"
Scenario: Legitimate use of icacls.exe for file permissions management
Filter/Exclusion: process.name == "icacls.exe" or process.command_line contains "icacls"
Scenario: Admin task using taskkill.exe to terminate a non-malicious process
Filter/Exclusion: process.name == "taskkill.exe" or process.command_line contains "taskkill"
Scenario: Use of certutil.exe to install a trusted certificate
Filter/Exclusion: process.name == "certutil.exe" or process.command_line contains "certutil -addstore"
Scenario: PowerShell script executed by a system administrator for log cleanup
Filter/Exclusion: process.name == "powershell.exe" and (process.command_line contains "log cleanup" or process.user == "SYSTEM")
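Exclusions like the ones above are easy to get subtly wrong, so here is an added Python example (not from the page) that evaluates them against constructed process events. It writes the last filter both ways, because the page's "a and b or c" form is read by Python, KQL and most query languages as "(a and b) or c", which suppresses every SYSTEM-owned process rather than only PowerShell; the parenthesised reading keeps the exclusion scoped to powershell.exe. The event field names follow the filter vocabulary (process.name, process.parent_process_name, process.command_line, process.user); the events and command lines are made up for the example.

```python
# Constructed process events; none of these are real telemetry.
def evt(name, parent, cmdline, user):
    return {"name": name, "parent_process_name": parent, "command_line": cmdline, "user": user}


EVENTS = [
    evt("schtasks.exe", "cmd.exe", "schtasks /create /tn Backup /tr backup.cmd /sc daily", "admin"),
    evt("icacls.exe", "cmd.exe", "icacls C:\\Share /grant Users:R", "admin"),
    evt("taskkill.exe", "cmd.exe", "taskkill /im notepad.exe", "admin"),
    evt("certutil.exe", "cmd.exe", "certutil -addstore Root corp-ca.cer", "admin"),
    evt("certutil.exe", "cmd.exe", "certutil -hashfile installer.msi SHA256", "admin"),
    evt("powershell.exe", "explorer.exe", "powershell -File log cleanup.ps1", "admin"),
    evt("powershell.exe", "services.exe", "powershell -File C:\\Windows\\Temp\\maint.ps1", "SYSTEM"),
    evt("svchost.exe", "services.exe", "svchost.exe -k netsvcs", "SYSTEM"),
]

# The four single-process exclusions, written as they appear on the page.
EXCLUSIONS = {
    "schtasks": lambda e: e["parent_process_name"] == "schtasks.exe" or "schtasks" in e["command_line"],
    "icacls": lambda e: e["name"] == "icacls.exe" or "icacls" in e["command_line"],
    "taskkill": lambda e: e["name"] == "taskkill.exe" or "taskkill" in e["command_line"],
    "certutil": lambda e: e["name"] == "certutil.exe" or "certutil -addstore" in e["command_line"],
}


def powershell_loose(e):
    # "a and b or c": 'and' binds tighter than 'or', so this is "(a and b) or c"
    # and hides every process running as SYSTEM, whatever its image name.
    return e["name"] == "powershell.exe" and "log cleanup" in e["command_line"] or e["user"] == "SYSTEM"


def powershell_scoped(e):
    # Parenthesised reading: only PowerShell processes can be suppressed.
    return e["name"] == "powershell.exe" and ("log cleanup" in e["command_line"] or e["user"] == "SYSTEM")


def suppressed_by(pred, events=EVENTS):
    """Command lines of the events a single exclusion would hide from the analyst."""
    return [e["command_line"] for e in events if pred(e)]


def surviving(events=EVENTS, powershell_pred=powershell_scoped):
    """Events that pass every exclusion and would still reach triage."""
    preds = list(EXCLUSIONS.values()) + [powershell_pred]
    return [e["command_line"] for e in events if not any(p(e) for p in preds)]


if __name__ == "__main__":
    print("loose PowerShell filter hides: ", suppressed_by(powershell_loose))
    print("scoped PowerShell filter hides:", suppressed_by(powershell_scoped))
    print("certutil filter hides:         ", suppressed_by(EXCLUSIONS["certutil"]))
    print("surviving with scoped filter:  ", surviving())
    print("surviving with loose filter:   ", surviving(powershell_pred=powershell_loose))
```

Two things the run makes visible: with the loose reading, the SYSTEM-owned svchost.exe event disappears and nothing at all survives the filter set, while the scoped reading lets it through; and the certutil exclusion, because it matches on process.name alone before the "-addstore" check, hides every certutil invocation rather than only certificate installs. Checking exclusion sets against a small corpus of known-good and known-interesting events like this, before deploying them, is the cheapest way to catch both kinds of over-suppression.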