The hypothesis is that the detection identifies potential APT28 activity involving the CORESHELL/SOURFACE implant, which is used for long-term persistence and command and control. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and mitigate advanced persistent threats before they cause significant damage.
YARA Rule
rule IMPLANT_2_v15 {
meta:
description = "CORESHELL/SOURFACE Implant by APT28"
author = "US CERT"
reference = "https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE"
date = "2017-02-10"
score = 85
strings:
$XOR_LOOP1 = { 32 1C 02 33 D2 8B C7 89 5D E4 BB 06 00 00 00 F7 F3 }
$XOR_LOOP2 = { 32 1C 02 8B C1 33 D2 B9 06 00 00 00 F7 F1 }
$XOR_LOOP3 = { 02 C3 30 06 8B 5D F0 8D 41 FE 83 F8 06 }
condition:
(uint16(0) == 0x5A4D or uint16(0) == 0xCFD0 or uint16(0) == 0xC3D4 or
uint32(0) == 0x46445025 or uint32(1) == 0x6674725C) and all of them
}This YARA rule can be deployed in the following contexts:
This rule contains 3 string patterns in its detection logic.
Scenario: Legitimate scheduled job running PowerShell scripts for system maintenance
Filter/Exclusion: process.name != "powershell.exe" OR process.args NOT LIKE '%-Command%'
Scenario: Admin using PowerShell to configure system settings via Group Policy
Filter/Exclusion: process.name != "powershell.exe" OR process.args NOT LIKE '%-File%'
Scenario: Use of PowerShell for legitimate remote management tasks (e.g., using Invoke-Command)
Filter/Exclusion: process.name != "powershell.exe" OR process.args NOT LIKE '%-ComputerName%'
Scenario: Execution of a legitimate script for patch management or software deployment
Filter/Exclusion: process.name != "powershell.exe" OR process.args NOT LIKE '%-Script%'
Scenario: Use of PowerShell for log analysis or monitoring by the security team
Filter/Exclusion: process.name != "powershell.exe" OR process.args NOT LIKE '%-InputFile%'