The hypothesis is that this detection identifies potential APT28 activity involving the CORESHELL/SOURFACE implant, a known tool used for long-term persistence and command and control. The rule matches byte sequences in file or memory contents, so it runs in an endpoint or sample scanner rather than as a SIEM query; SOC teams should forward its hits to Azure Sentinel and hunt on them there, so that an advanced persistent threat is detected and contained before it causes significant damage.
YARA Rule
rule IMPLANT_2_v17 {
meta:
description = "CORESHELL/SOURFACE Implant by APT28"
author = "US CERT"
reference = "https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE"
date = "2017-02-10"
score = 85
strings:
$STR1 = { 24108b44241c894424148b4424246836 }
$STR2 = { 518d4ddc516a018bd08b4de4e8360400 }
$STR3 = { e48178061591df75740433f6eb1a8b48 }
$STR4 = { 33d2f775f88b45d402d903c641321c3a }
$STR5 = { 006a0056ffd083f8ff74646a008d45f8 }
condition:
(uint16(0) == 0x5A4D) and 2 of them
}
The rule contains five 16-byte hex patterns, each a fragment of the implant's x86 code, and fires on a file that begins with the MZ header (uint16(0) reads the first two bytes little-endian, so "MZ" is 0x5A4D) and contains at least two of the five patterns. Because YARA evaluates file and memory contents, the rule is deployed in endpoint file and memory scanners and in retrospective scans of collected samples; the resulting matches, not the rule itself, are what reach Azure Sentinel. Since only two of five patterns are required, a hit warrants pulling the file and checking which strings matched before escalating.
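The following is an added example, not code from US-CERT or the original page: a reference evaluation of the IMPLANT_2_v17 condition (MZ header plus at least two of the five patterns) over constructed byte buffers, with an optional cross-check through yara-python when that module is installed. The sample buffers are built inline and are not valid PE files or real implant code.

```python
"""Reference check of the IMPLANT_2_v17 condition on constructed buffers.
Added example; assumes nothing beyond the Python standard library, and uses
yara-python only if it happens to be importable."""

# The five hex patterns from the rule, 16 bytes each.
RULE_STRINGS = {
    "$STR1": "24108b44241c894424148b4424246836",
    "$STR2": "518d4ddc516a018bd08b4de4e8360400",
    "$STR3": "e48178061591df75740433f6eb1a8b48",
    "$STR4": "33d2f775f88b45d402d903c641321c3a",
    "$STR5": "006a0056ffd083f8ff74646a008d45f8",
}

# Same rule, as source text, for the optional yara-python cross-check.
RULE_SOURCE = """
rule IMPLANT_2_v17 {
    strings:
        $STR1 = { 24108b44241c894424148b4424246836 }
        $STR2 = { 518d4ddc516a018bd08b4de4e8360400 }
        $STR3 = { e48178061591df75740433f6eb1a8b48 }
        $STR4 = { 33d2f775f88b45d402d903c641321c3a }
        $STR5 = { 006a0056ffd083f8ff74646a008d45f8 }
    condition:
        (uint16(0) == 0x5A4D) and 2 of them
}
"""


def evaluate(buf):
    """Mirror the rule condition: uint16(0) == 0x5A4D (little-endian 'MZ')
    and at least two of the five byte patterns present anywhere in buf."""
    has_mz = len(buf) >= 2 and int.from_bytes(buf[:2], "little") == 0x5A4D
    matched = [name for name, h in RULE_STRINGS.items() if bytes.fromhex(h) in buf]
    return {"mz": has_mz, "matched": matched, "hit": has_mz and len(matched) >= 2}


def build_sample(with_mz, names):
    """Constructed test buffer: optional MZ header, filler, then the chosen
    patterns separated by filler. Not a valid PE and not real implant code."""
    head = b"MZ" + b"\x90" * 62 if with_mz else b"\x00" * 64
    body = b"".join(b"\xcc" * 16 + bytes.fromhex(RULE_STRINGS[n]) for n in names)
    return head + body + b"\xcc" * 16


SAMPLE_HIT = build_sample(True, ["$STR1", "$STR3"])      # MZ + two patterns: match
SAMPLE_ONE = build_sample(True, ["$STR5"])               # MZ + one pattern: no match
SAMPLE_NO_MZ = build_sample(False, ["$STR2", "$STR4"])   # two patterns, no MZ: no match


def yara_crosscheck(buf):
    """Run the same rule through yara-python when available; None if absent."""
    try:
        import yara
    except ImportError:
        return None
    rules = yara.compile(source=RULE_SOURCE)
    return bool(rules.match(data=buf))


if __name__ == "__main__":
    for label, buf in [("hit", SAMPLE_HIT), ("one-pattern", SAMPLE_ONE), ("no-mz", SAMPLE_NO_MZ)]:
        r = evaluate(buf)
        print(f"{label:12s} mz={r['mz']} matched={r['matched']} hit={r['hit']} "
              f"yara={yara_crosscheck(buf)}")
```

The one-pattern and no-MZ buffers are the two ways a partial overlap fails the condition; when triaging a real hit, the `matched` list is the first thing to record, since a two-of-five match on a large binary is weaker evidence than four or five.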
The scenarios below describe benign scheduled or administrative script activity that may coincide with a scan hit. Their exclusions are written against process-creation telemetry (parent process and command line), so they apply only where the YARA alert is correlated with a process event; they cannot suppress the file-content match itself.
Scenario: Scheduled system maintenance using PowerShell to clean temporary files.
Filter/Exclusion: process.parent_process_name != "schtasks.exe" or process.command_line not like "*Cleanup-SystemTempFiles*"
Scenario: Legitimate Windows Update installation triggering script execution.
Filter/Exclusion: process.parent_process_name != "wuauclt.exe" or process.command_line not like "*WindowsUpdate*"
Scenario: Microsoft System Center Configuration Manager (SCCM) running a compliance check that executes scripts.
Filter/Exclusion: process.parent_process_name != "ccmexec.exe" or process.command_line not like "*SCCM*"
Scenario: Windows Task Scheduler running a legitimate system diagnostic tool like DISM or SFC /scannow.
Filter/Exclusion: process.parent_process_name != "schtasks.exe" or (process.command_line not like "*DISM*" and process.command_line not like "*SFC*")
Scenario: Administrative PowerShell remoting used to manage remote servers, which may trigger script execution.
Filter/Exclusion: process.parent_process_name != "powershell.exe" or process.command_line not like "*Invoke-Command*"
Each filter keeps an event unless both halves of the exclusion hold, so the negated clauses are joined with or, and the DISM/SFC case needs two separate not like clauses (a bare "*SFC*" operand is not a predicate). Two of the parent-process assumptions should be checked before use: tasks started by the Task Scheduler service run under the svchost.exe instance hosting the Schedule service, not under schtasks.exe, which only registers tasks; and the remote end of a PowerShell remoting session runs inside wsmprovhost.exe rather than as a child of powershell.exe. Finally, any exclusion keyed on a command-line substring is satisfied by an attacker who includes that substring, so treat these filters as noise reduction, not as a trust boundary.
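As an added example (not from the original page), the scenario exclusions above applied as a keep-filter over constructed process-creation events. The `like "*X*"` operator is treated as a case-insensitive substring test, which is an assumption about the query language; the event records are constructed, and the last one shows how a command-line substring exclusion can be satisfied by an attacker.

```python
"""Keep-filter for the scenario exclusions, run over constructed events.
Added example; the substring semantics of 'like' are an assumption."""

# (parent_process_name, command-line markers): suppress an event only when the
# parent matches AND the command line contains ANY of the markers. This is the
# De Morgan form of 'parent != X or (cmd not like A and cmd not like B)'.
EXCLUSIONS = [
    ("schtasks.exe", ["Cleanup-SystemTempFiles"]),
    ("wuauclt.exe", ["WindowsUpdate"]),
    ("ccmexec.exe", ["SCCM"]),
    ("schtasks.exe", ["DISM", "SFC"]),
    ("powershell.exe", ["Invoke-Command"]),
]


def is_excluded(event, exclusions=EXCLUSIONS):
    """True when some exclusion's parent matches and a marker is present."""
    parent = event.get("parent_process_name", "").lower()
    cmd = event.get("command_line", "").lower()
    for exc_parent, markers in exclusions:
        if parent == exc_parent.lower() and any(m.lower() in cmd for m in markers):
            return True
    return False


def keep(events, exclusions=EXCLUSIONS):
    """Events that survive the filter, i.e. those worth correlating with a hit."""
    return [e for e in events if not is_excluded(e, exclusions)]


# Constructed process-creation events (not real telemetry).
EVENTS = [
    {"id": 1, "parent_process_name": "schtasks.exe",
     "command_line": "powershell.exe -File C:\\Maint\\Cleanup-SystemTempFiles.ps1"},
    {"id": 2, "parent_process_name": "schtasks.exe",
     "command_line": "dism.exe /online /cleanup-image /restorehealth"},
    {"id": 3, "parent_process_name": "schtasks.exe",
     "command_line": "powershell.exe -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA"},
    {"id": 4, "parent_process_name": "explorer.exe",
     "command_line": "powershell.exe Invoke-Command -ComputerName srv1 -FilePath audit.ps1"},
    # Attacker-controlled command line that carries the exclusion marker in a
    # comment: the substring exclusion suppresses it even though it is hostile.
    {"id": 5, "parent_process_name": "schtasks.exe",
     "command_line": "powershell.exe -w hidden -enc SQBFAFgA # Cleanup-SystemTempFiles"},
]


def kept_ids(events=EVENTS):
    return [e["id"] for e in keep(events)]


if __name__ == "__main__":
    for e in EVENTS:
        print(e["id"], "excluded" if is_excluded(e) else "kept", e["command_line"])
```

Event 3 survives because its command line carries none of the markers, and event 4 survives because the parent is not powershell.exe; event 5 is suppressed only because the attacker chose to include the marker, which is the weakness the caveat above refers to.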