The hypothesis is that this detection identifies potential CORESHELL/SOURFACE implant activity by APT28. Note that the YARA rule below matches on file content (a PE file containing a specific code byte pattern), not on process creation or network telemetry; the suspicious process and C2 communication patterns associated with the implant are what an analyst correlates once a file hit is in hand. SOC teams should proactively hunt for this behavior in Azure Sentinel (for example by ingesting the hits from endpoint YARA scans) to identify and mitigate the intrusion before it escalates to data exfiltration or broader system compromise.
YARA Rule
rule IMPLANT_2_v10 {
    meta:
        description = "CORESHELL/SOURFACE Implant by APT28"
        author = "US CERT"
        reference = "https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE"
        date = "2017-02-10"
        // score is a custom meta key (not YARA syntax) used by scanners that rank hits
        score = 85
    strings:
        // Code pattern: ?? is a one-byte wildcard, 4? a nibble wildcard,
        // [n] and [n-m] are jumps of n or n..m arbitrary bytes
        $STR1 = { 83 ?? 06 [7-17] fa [0-10] 45 [2-4] 48 [2-4] e8 [2] FF FF [6-8]
                  48 8d [3] 48 89 [3] 45 [2] 4? [1-2] 01 }
    condition:
        // Only PE files (uint16 at offset 0 is "MZ"), and every string must hit
        (uint16(0) == 0x5A4D) and all of them
}
This YARA rule can be deployed in the following contexts:
This rule contains a single string pattern ($STR1) in its detection logic: a hex byte sequence with one-byte wildcards (??), a nibble wildcard (4?) and variable-length jumps ([n-m]), gated by the condition that the file starts with the MZ magic (uint16(0) == 0x5A4D), so it only ever fires on PE files. The exclusions below are written against process-creation fields (process.name, process.command_line, user_account); because the rule fires on file content, apply them to the process that wrote or loaded the matched file when enriching the alert, not as a filter on the rule itself.
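The following is an added worked example, not part of the US-CERT rule or of this page: a small translator from YARA hex-string syntax into a Python bytes regex, plus the MZ-magic gate from the rule's condition, so that the wildcards and jumps in $STR1 can be inspected and exercised offline. It mirrors yara's semantics only for the token kinds $STR1 uses; the sample buffer is constructed filler around the rule's fixed bytes, not implant code, and production scanning should use yara or yara-python itself.

```python
"""Added example (not from the page): translate a YARA hex string such as
$STR1 into a regex over bytes and reproduce the rule's MZ gate."""
import re
import struct

# $STR1 exactly as it appears in IMPLANT_2_v10
STR1 = ("83 ?? 06 [7-17] fa [0-10] 45 [2-4] 48 [2-4] e8 [2] FF FF [6-8] "
        "48 8d [3] 48 89 [3] 45 [2] 4? [1-2] 01")

MZ_MAGIC = 0x5A4D  # uint16(0) == 0x5A4D in the rule's condition ("MZ", little-endian)


def hex_string_to_regex(pattern: str) -> bytes:
    """Translate a YARA hex string into a regex over bytes.

    Supported tokens (the ones $STR1 uses): 'ab' literal byte, '??' any byte,
    'a?' / '?b' nibble wildcard, '[n]' exactly n arbitrary bytes, '[n-m]'
    between n and m arbitrary bytes. Compile the result with re.DOTALL so '.'
    also matches 0x0a.
    """
    parts = []
    for tok in pattern.split():
        jump = re.fullmatch(r"\[(\d+)(?:-(\d+))?\]", tok)
        if jump:
            lo = int(jump.group(1))
            hi = int(jump.group(2)) if jump.group(2) is not None else lo
            parts.append(b".{%d,%d}?" % (lo, hi))
        elif tok == "??":
            parts.append(b".")
        elif len(tok) == 2 and "?" in tok:
            # nibble wildcard: character class of the 16 bytes sharing the fixed nibble
            fixed = [int(tok.replace("?", f"{n:x}"), 16) for n in range(16)]
            parts.append(b"[" + b"".join(b"\\x%02x" % c for c in fixed) + b"]")
        elif len(tok) == 2:
            parts.append(b"\\x%02x" % int(tok, 16))
        else:
            raise ValueError(f"unsupported hex-string token {tok!r}")
    return b"".join(parts)


def hex_string_matches(pattern: str, data: bytes) -> bool:
    """True if the YARA hex string occurs anywhere in data."""
    return re.search(hex_string_to_regex(pattern), data, re.DOTALL) is not None


def matches_implant_2_v10(data: bytes) -> bool:
    """Reproduce the rule condition: (uint16(0) == 0x5A4D) and all of them."""
    if len(data) < 2 or struct.unpack_from("<H", data, 0)[0] != MZ_MAGIC:
        return False  # the PE gate fails before any string is searched
    return hex_string_matches(STR1, data)


def build_sample(mz: bool = True) -> bytes:
    """CONSTRUCTED buffer that satisfies every token of $STR1 using the
    shortest allowed jumps. It is filler around the rule's fixed bytes, not
    implant code, and exists only to exercise the matcher."""
    body = (
        b"\x83\x00\x06" + b"\x90" * 7 + b"\xfa"                # 83 ?? 06 [7-17] fa [0-10]
        + b"\x45\x00\x00" + b"\x48\x00\x00"                    # 45 [2-4] 48 [2-4]
        + b"\xe8\x00\x00" + b"\xff\xff" + b"\x00" * 6         # e8 [2] FF FF [6-8]
        + b"\x48\x8d\x00\x00\x00" + b"\x48\x89\x00\x00\x00"   # 48 8d [3] 48 89 [3]
        + b"\x45\x00\x00" + b"\x4c\x00" + b"\x01"              # 45 [2] 4? [1-2] 01
    )
    header = b"MZ" if mz else b"\x7fE"  # PE magic vs. a non-PE magic
    return header + b"\x00" * 62 + body


if __name__ == "__main__":
    print("PE with pattern:", matches_implant_2_v10(build_sample(True)))
    print("non-PE with pattern:", matches_implant_2_v10(build_sample(False)))
```

The non-PE sample contains the full byte pattern yet does not match, which is the point of the `uint16(0)` gate: it keeps the (comparatively expensive, wildcard-heavy) string search from running over every file on disk and avoids hits in memory dumps or raw data that happen to contain the same opcode sequence.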
Scenario: Legitimate scheduled job using PowerShell for system maintenance
Description: A scheduled task runs a PowerShell script to perform routine system maintenance, such as log cleanup or service restarts.
Filter/Exclusion: process.name != "powershell.exe" OR (process.command_line NOT LIKE '*Cleanup*' AND process.command_line NOT LIKE '*Restart-Service*')
Scenario: Admin using CoreShell for legitimate remote management
Description: A system administrator uses an internally approved remote-management tool whose image is named coreshell.exe to manage multiple endpoints in the enterprise. Note that CORESHELL is the name of the APT28 implant family, not of a legitimate product; a matching process name does not clear a file that hit the rule's byte pattern, so this exclusion should be tied to the known-good hash or signer of that tool.
Filter/Exclusion: process.name != "coreshell.exe" OR user_account != "admin_account" OR process.command_line NOT LIKE '*remote management*'
Scenario: User running a legitimate tool with similar command-line arguments
Description: A user runs a legitimate tool (e.g., a vendor binary that happens to be named sourface.exe) with command-line arguments that resemble those of the malicious implant. As with CORESHELL, SOURFACE is an implant family name rather than a product, so verify the binary's hash or signature before excluding it.
Filter/Exclusion: process.name != "sourface.exe" OR (process.command_line NOT LIKE '*--config*' AND process.command_line NOT LIKE '*--inject*')
Scenario: Automated patching tool using CoreShell for deployment
Description: An automated patching tool uses CoreShell to deploy updates across the network, which is a common practice in enterprise environments.
Filter/Exclusion: process.name != "coreshell.exe" OR (process.command_line NOT LIKE '*patch deploy*' AND process.command_line NOT LIKE '*update deploy*')
Scenario: Internal tool using a similar protocol for inter-system communication
Description: An internal tool (e.g., one named sourface.exe) is used for communication between systems, and its network behavior resembles that of the malicious implant.
Filter/Exclusion: process.name != "sourface.exe" OR process.command_line NOT LIKE '*internal
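The following is an added example, not code from the page: it applies the four complete exclusion scenarios above to constructed process-creation events with the precedence made explicit. Every filter has the shape `process.name != X OR [user_account != U OR] (cmd NOT LIKE A AND cmd NOT LIKE B)`, so an event is dropped exactly when the name is X (and the user is U) and the command line contains A or B. Because both the image name and the command line are attacker-controlled, the example additionally requires the image hash to be on an allowlist before any exclusion applies; the field names, the case-insensitive reading of LIKE, the hashes and the events are all assumptions made for the illustration.

```python
"""Added example (not from the page): evaluate the page's false-positive
exclusions over constructed process events, gated by an image-hash allowlist."""
from dataclasses import dataclass
from typing import Optional, Tuple, Iterable, List
import hashlib


@dataclass(frozen=True)
class ProcessEvent:
    name: str            # process.name (assumed field)
    command_line: str    # process.command_line (assumed field)
    user: str = ""       # user_account (assumed field)
    sha256: str = ""     # image hash, assumed available from the EDR/Sysmon event


@dataclass(frozen=True)
class Exclusion:
    process_name: str
    substrings: Tuple[str, ...]   # NOT LIKE '*A*' AND NOT LIKE '*B*': drop if any is present
    user: Optional[str] = None    # user_account != U: only that user is dropped


# Transcribed from the four complete scenarios on this page
EXCLUSIONS = (
    Exclusion("powershell.exe", ("Cleanup", "Restart-Service")),
    Exclusion("coreshell.exe", ("remote management",), user="admin_account"),
    Exclusion("sourface.exe", ("--config", "--inject")),
    Exclusion("coreshell.exe", ("patch deploy", "update deploy")),
)


def excluded_by(ev: ProcessEvent, ex: Exclusion) -> bool:
    """Negation of the page's filter: True when the filter would drop the event."""
    if ev.name.lower() != ex.process_name.lower():
        return False                       # process.name != X keeps the event
    if ex.user is not None and ev.user != ex.user:
        return False                       # user_account != U keeps the event
    cmd = ev.command_line.lower()          # LIKE assumed case-insensitive
    return any(s.lower() in cmd for s in ex.substrings)


def triage(events: Iterable[ProcessEvent],
           exclusions: Tuple[Exclusion, ...] = EXCLUSIONS,
           trusted_sha256: frozenset = frozenset()) -> List[ProcessEvent]:
    """Return the events that still alert. An exclusion only suppresses an
    event whose image hash is on the allowlist, so a renamed binary with a
    look-alike command line does not get a free pass."""
    alerts = []
    for ev in events:
        matches_exclusion = any(excluded_by(ev, ex) for ex in exclusions)
        if matches_exclusion and ev.sha256 in trusted_sha256:
            continue
        alerts.append(ev)
    return alerts


def _fake_hash(label: str) -> str:
    """CONSTRUCTED hash stand-in; not the hash of any real binary."""
    return hashlib.sha256(f"constructed:{label}".encode()).hexdigest()


TRUSTED = frozenset({_fake_hash("powershell.exe"), _fake_hash("approved-remote-tool")})

# CONSTRUCTED events: one legitimate hit per exclusion, one spoofed, one unrelated
SAMPLE_EVENTS = [
    ProcessEvent("powershell.exe", r"powershell.exe -File C:\scripts\Cleanup.ps1",
                 user="svc_maint", sha256=_fake_hash("powershell.exe")),
    ProcessEvent("coreshell.exe", "coreshell.exe --remote management --host srv1",
                 user="admin_account", sha256=_fake_hash("approved-remote-tool")),
    ProcessEvent("coreshell.exe", "coreshell.exe --remote management --host srv1",
                 user="admin_account", sha256=_fake_hash("unknown-dropper")),
    ProcessEvent("powershell.exe", "powershell.exe -enc SQBFAFgA",
                 user="svc_maint", sha256=_fake_hash("powershell.exe")),
]


def triage_sample() -> List[ProcessEvent]:
    return triage(SAMPLE_EVENTS, trusted_sha256=TRUSTED)


if __name__ == "__main__":
    for ev in triage_sample():
        print("ALERT", ev.name, ev.user, ev.command_line)
```

The third event is the one the page's filters alone would silently drop: same name, same user and same command-line keywords as the approved tool, but a different binary. Keying the exclusion on the hash (or, in production, the Authenticode signer) is what keeps a renamed implant from inheriting the admin tool's allowlist entry.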