The hypothesis is that the detection identifies potential APT28 activity involving the CORESHELL/SOURFACE implant, which is a known tool used for long-term persistence and command and control. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and mitigate advanced persistent threats before they cause significant damage.
YARA Rule
rule IMPLANT_2_v13 {
meta:
description = "CORESHELL/SOURFACE Implant by APT28"
author = "US CERT"
reference = "https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE"
date = "2017-02-10"
score = 85
strings:
$STR1 = { 83 ?? 06 [7-17] fa [0-10] 45 [2-4] 48 [2-4] e8 [2] FF FF
[6-8] 48 8d [3] 48 89 [3] 45 [2] 4? [1-2] 01}
condition:
(uint16(0) == 0x5A4D) and all of them
}This YARA rule can be deployed in the following contexts:
This rule contains 1 string patterns in its detection logic.
Scenario: Legitimate scheduled job running PowerShell scripts for system maintenance
Filter/Exclusion: ProcessName != "powershell.exe" OR CommandLine NOT LIKE '%-Command%'
Scenario: Admin using PowerShell to configure Windows Update settings
Filter/Exclusion: ProcessName != "powershell.exe" OR CommandLine NOT LIKE '%Set-WindowsUpdate'
Scenario: Security tool (e.g., CrowdStrike or Microsoft Defender) performing a scan or update
Filter/Exclusion: ProcessName != "msdefender.exe" OR ProcessName != "CrowdStrike.exe"
Scenario: IT staff using PowerShell to deploy software via Group Policy or SCCM
Filter/Exclusion: CommandLine NOT LIKE '%sccm%' AND CommandLine NOT LIKE '%gpupdate%'
Scenario: System using PowerShell for log analysis or monitoring (e.g., using Get-EventLog)
Filter/Exclusion: CommandLine NOT LIKE '%Get-EventLog%' AND CommandLine NOT LIKE '%Get-Event'