The hypothesis is that this detection identifies potential APT28 activity involving the CORESHELL/SOURFACE implant, a known tool used for long-term persistence and command and control. SOC teams should proactively hunt for this behaviour in Azure Sentinel so that advanced persistent threats are identified and mitigated before they cause significant damage.
YARA Rule
rule IMPLANT_2_v14 {
    meta:
        description = "CORESHELL/SOURFACE Implant by APT28"
        author = "US CERT"
        reference = "https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE"
        date = "2017-02-10"
        score = 85
    strings:
        $STR1 = { 8B ?? 44 89 44 24 60 41 F7 E0 8B F2 B8 AB AA AA AA C1 EE 02 89
                  74 24 58 44 8B ?? 41 F7 ?? 8B CA BA 03 00 00 00 C1 E9 02 89 0C 24 8D
                  04 49 03 C0 44 2B ?? 44 89 ?? 24 04 3B F1 0F 83 ?? 01 00 00 8D 1C 76
                  4C 89 6C 24 }
        $STR2 = { C5 41 F7 E0 ?? ?? ?? ?? ?? ?? 8D 0C 52 03 C9 2B C1 8B C8 ?? 8D
                  04 ?? 46 0F B6 0C ?? 40 02 C7 41 8D 48 FF 44 32 C8 B8 AB AA AA AA F7
                  E1 C1 EA 02 8D 04 52 03 C0 2B C8 B8 AB AA AA AA 46 22 0C ?? 41 8D 48
                  FE F7 E1 C1 EA 02 8D 04 52 03 C0 2B C8 8B C1 }
        $STR3 = { 41 F7 E0 C1 EA 02 41 8B C0 8D 0C 52 03 C9 2B C1 8B C8 42 8D 04
                  1B 46 0F B6 0C ?? 40 02 C6 41 8D 48 FF 44 32 C8 B8 AB AA AA AA F7 E1
                  C1 EA 02 8D 04 52 03 C0 2B C8 B8 AB AA AA AA }
        $STR4 = { 46 22 0C ?? 41 8D 48 FE F7 E1 C1 EA 02 8D 04 52 8B 54 24 58 03
                  C0 2B C8 8B C1 0F B6 4F FF 42 0F B6 04 ?? 41 0F AF CB C1 }
    condition:
        (uint16(0) == 0x5A4D) and any of them
}
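As an added example, not part of the original rule or of US-CERT's analysis, the Python below shows how the rule's condition is evaluated on a buffer: each `??` in a hex string becomes a single-byte wildcard and the `uint16(0) == 0x5A4D` gate restricts matches to data that begins with an MZ header. It uses the rule's $STR4 verbatim; the sample buffer and the helper names are constructed assumptions.

```python
import re

# $STR4 copied verbatim from the rule above (YARA hex string with '??' wildcards).
STR4 = """46 22 0C ?? 41 8D 48 FE F7 E1 C1 EA 02 8D 04 52 8B 54 24 58 03
C0 2B C8 8B C1 0F B6 4F FF 42 0F B6 04 ?? 41 0F AF CB C1"""


def hex_string_to_regex(hex_str: str) -> re.Pattern:
    """Translate a YARA hex string (fixed bytes plus '??' wildcards) into a bytes regex."""
    parts = []
    for tok in hex_str.split():
        if tok == "??":
            parts.append(b".")  # any single byte, like YARA's '??'
        elif re.fullmatch(r"[0-9A-Fa-f]{2}", tok):
            parts.append(re.escape(bytes([int(tok, 16)])))
        else:
            raise ValueError(f"unsupported hex-string token {tok!r}")
    # DOTALL so '.' also matches 0x0A, which is just another byte here.
    return re.compile(b"".join(parts), re.DOTALL)


def matches_rule(data: bytes, patterns) -> bool:
    """Mirror the rule's condition: (uint16(0) == 0x5A4D) and any of them."""
    if len(data) < 2 or int.from_bytes(data[:2], "little") != 0x5A4D:
        return False  # not an MZ header: strings are never even consulted
    return any(p.search(data) for p in patterns)


def make_sample(mz: bool, fill: int = 0x00) -> bytes:
    """Constructed buffer: optional 'MZ' header, padding, then bytes satisfying $STR4.

    'fill' is the value placed at each '??' position, to show the wildcard accepts any byte.
    """
    body = bytes(fill if t == "??" else int(t, 16) for t in STR4.split())
    header = b"MZ" if mz else b"XX"
    return header + b"\x90" * 30 + body + b"\xcc" * 8


if __name__ == "__main__":
    pats = [hex_string_to_regex(STR4)]
    print("MZ + $STR4        ->", matches_rule(make_sample(True), pats))
    print("no MZ + $STR4     ->", matches_rule(make_sample(False), pats))
    print("MZ + $STR4 (0xFF) ->", matches_rule(make_sample(True, 0xFF), pats))
```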
This rule contains 4 string patterns in its detection logic.
This YARA rule can be deployed in the following contexts; each scenario is paired with a filter/exclusion to reduce false positives:
Scenario: Legitimate scheduled job running PowerShell scripts for system maintenance
Filter/Exclusion: process.name != "powershell.exe" OR process.args NOT LIKE '%-Command%'
Scenario: Admin using PowerShell to configure Windows Update settings
Filter/Exclusion: process.name != "powershell.exe" OR process.args NOT LIKE '%Set-WindowsUpdate%'
Scenario: IT team deploying a legitimate PowerShell-based configuration management tool (e.g., Desired State Configuration)
Filter/Exclusion: process.name != "powershell.exe" OR process.args NOT LIKE '%Start-DSCConfiguration%'
Scenario: User running a legitimate script from a shared network drive for backup purposes
Filter/Exclusion: process.name != "powershell.exe" OR process.args NOT LIKE '%.\backup_script.ps1%'
Scenario: System running a legitimate PowerShell module for monitoring system performance
Filter/Exclusion: process.name != "powershell.exe" OR process.args NOT LIKE '%Import-Module PerformanceMonitor%'