The hypothesis is that the detection identifies potential APT28 activity involving the CORESHELL/SOURFACE implant, which is a sophisticated tool used for long-term persistence and command and control. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and mitigate advanced persistent threats before they cause significant damage.
YARA Rule
rule IMPLANT_2_v12 {
    meta:
        description = "CORESHELL/SOURFACE Implant by APT28"
        author = "US CERT"
        reference = "https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE"
        date = "2017-02-10"
        score = 85
    strings:
        $STR1 = {48 83 [2] 48 89 [3] c7 44 [6] 4c 8d 05 [3] 00 BA 01 00 00 00
                 33 C9 ff 15 [2] 00 00 ff 15 [2] 00 00 3D B7 00 00 00 75 ?? 48 8D 15
                 ?? 00 00 00 48 8B CC E8}
    condition:
        (uint16(0) == 0x5A4D) and all of them
}
This YARA rule can be deployed in the following contexts:
This rule contains one string pattern ($STR1, a hex string with fixed bytes, ?? wildcards and [n] jumps) in its detection logic, applied only to files that start with the MZ header.
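As an added illustration (not part of the rule or of US-CERT's material), the following Python translates $STR1's YARA hex syntax (fixed bytes, ?? wildcards, [n] and [n-m] jumps) into a bytes regex and re-implements the rule's condition, so the effect of the jumps and of the uint16(0) == 0x5A4D check can be verified offline without yara-python. The byte buffers it tests are constructed from the pattern itself; they are not implant samples.

```python
import re

# $STR1 copied from the IMPLANT_2_v12 rule above; whitespace is insignificant.
STR1 = """48 83 [2] 48 89 [3] c7 44 [6] 4c 8d 05 [3] 00 BA 01 00 00 00
33 C9 ff 15 [2] 00 00 ff 15 [2] 00 00 3D B7 00 00 00 75 ?? 48 8D 15
?? 00 00 00 48 8B CC E8"""

# One token: a jump "[n]" / "[n-m]", a wildcard byte "??", or a fixed byte.
_TOKEN = re.compile(r"\[(\d+)(?:-(\d+))?\]|\?\?|[0-9A-Fa-f]{2}")


def hex_string_to_regex(hex_string: str) -> re.Pattern:
    """Translate a YARA hex string into an equivalent compiled bytes regex."""
    if _TOKEN.sub("", hex_string).strip():
        raise ValueError("unsupported token in hex string")
    parts = []
    for m in _TOKEN.finditer(hex_string):
        tok, lo, hi = m.group(0), m.group(1), m.group(2)
        if lo is not None:            # jump: exactly n, or n..m, arbitrary bytes
            parts.append(f".{{{lo}}}" if hi is None else f".{{{lo},{hi}}}")
        elif tok == "??":             # any single byte
            parts.append(".")
        else:                         # fixed byte value
            parts.append(f"\\x{tok}")
    return re.compile("".join(parts).encode("ascii"), re.DOTALL)


STR1_RE = hex_string_to_regex(STR1)


def matches_implant_2_v12(data: bytes) -> bool:
    """The rule's condition: uint16(0) == 0x5A4D (little-endian "MZ") and $STR1 present."""
    is_mz = len(data) >= 2 and int.from_bytes(data[:2], "little") == 0x5A4D
    return is_mz and STR1_RE.search(data) is not None


def instantiate(hex_string: str, filler: int = 0x11) -> bytes:
    """Build one byte sequence the hex string matches, filling each jump (at its
    minimum length) and each wildcard with `filler`. Test input only, not implant bytes."""
    out = bytearray()
    for m in _TOKEN.finditer(hex_string):
        tok, lo = m.group(0), m.group(1)
        if lo is not None:
            out += bytes([filler]) * int(lo)
        else:
            out.append(filler if tok == "??" else int(tok, 16))
    return bytes(out)


# Constructed samples: fake MZ header plus padding around the synthesized pattern;
# the same bytes without the MZ header; and one fixed byte changed (B7 -> B8).
SAMPLE_HIT = b"MZ" + b"\x00" * 62 + instantiate(STR1) + b"\x00" * 16
SAMPLE_NO_MZ = b"ZM" + SAMPLE_HIT[2:]
SAMPLE_NEAR_MISS = SAMPLE_HIT.replace(b"\x3d\xb7\x00\x00\x00\x75", b"\x3d\xb8\x00\x00\x00\x75")
```

Only SAMPLE_HIT satisfies the rule: the header check rejects SAMPLE_NO_MZ even though the pattern is present, and a single changed fixed byte defeats the rigid, fixed-length jumps in SAMPLE_NEAR_MISS.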
Scenario: A system administrator is using PowerShell to perform routine system diagnostics and runs a script that inadvertently matches the detection logic due to similar string patterns.
Filter/Exclusion: Exclude processes initiated by the Administrators group or those containing the string System.Diagnostics.
Scenario: A Task Scheduler job executes a legitimate maintenance script that includes base64-encoded data, which resembles the implant's payload.
Filter/Exclusion: Exclude tasks created through Task Scheduler or those with the "Run whether user is logged on or not" option set.
Scenario: A security tool like Microsoft Defender ATP performs a memory dump analysis and generates a false positive due to the presence of known APT28-related strings in its own memory artifacts.
Filter/Exclusion: Exclude processes related to Microsoft Defender ATP or those running under the Windows Defender service.
Scenario: An IT admin uses PowerShell to deploy a legitimate software update that includes a base64-encoded payload for configuration purposes, which matches the detection logic.
Filter/Exclusion: Exclude processes initiated by PowerShell with the Update or Deployment keyword in the command line.
Scenario: A legitimate Windows Task Scheduler job runs a script that uses Cobalt Strike-like command and control (C2) techniques for internal communication, triggering the rule.
Filter/Exclusion: Exclude tasks that use known C2 domains or IPs from the enterprise’s internal network or whitelisted external domains.