The hypothesis is that this detection rule identifies potential APT28 activity involving the CORESHELL/SOURFACE implant, malware used for long-term persistence and command and control. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and mitigate advanced persistent threats before they cause significant damage.
YARA Rule
rule IMPLANT_2_v2 {
    meta:
        description = "CORESHELL/SOURFACE Implant by APT28"
        author = "US CERT"
        reference = "https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE"
        date = "2017-02-10"
        score = 85
    strings:
        $STR1 = { 83 ?? 06 [7-17] fa [0-10] 45 [2-4] 48 [2-4] e8 [2] FF FF [6-8]
                  48 8d [3] 48 89 [3] 45 [2] 4? [1-2] 01 }
    condition:
        (uint16(0) == 0x5A4D) and all of them
}
This YARA rule can be deployed in the following contexts:
This rule contains 1 string pattern ($STR1) in its detection logic.
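To make the rule's logic concrete, here is an added Python example (not part of the page and not US-CERT's code) that translates $STR1 into an equivalent byte regex and applies the rule's condition: the buffer must start with the MZ magic (uint16(0) == 0x5A4D) and every string must be present. The translator only covers the hex-string constructs this rule uses (literal bytes, ?? and nibble wildcards, [n] and [n-m] jumps); the SAMPLE_HIT buffer is constructed to satisfy the pattern and is not a real sample, and the function names are this example's own. In production the rule would be run by YARA itself or the yara-python binding; this code exists to show what the wildcards and jumps actually accept and why the MZ check stops the rule from firing on arbitrary data.

```python
import re
import struct

# $STR1 of the IMPLANT_2_v2 rule, copied verbatim from the rule above.
STR1 = """83 ?? 06 [7-17] fa [0-10] 45 [2-4] 48 [2-4] e8 [2] FF FF [6-8]
48 8d [3] 48 89 [3] 45 [2] 4? [1-2] 01"""

_JUMP = re.compile(r"^\[(\d+)(?:-(\d+))?\]$")


def hex_pattern_to_regex(pattern: str) -> bytes:
    """Translate a YARA hex-string body into an equivalent bytes regex.

    Covers literal bytes, full-byte wildcards (??), nibble wildcards (4?, ?4)
    and jumps ([n], [n-m]), which is everything $STR1 needs. Other YARA
    hex-string features (alternatives, unbounded jumps) are not handled.
    """
    parts = []
    for tok in pattern.replace("{", " ").replace("}", " ").split():
        jump = _JUMP.match(tok)
        if jump:
            lo = int(jump.group(1))
            hi = int(jump.group(2)) if jump.group(2) else lo
            parts.append(b".{%d,%d}" % (lo, hi))          # [n-m] -> any n..m bytes
        elif len(tok) == 2:
            hi_nib, lo_nib = tok
            if tok == "??":
                parts.append(b".")                        # any single byte
            elif lo_nib == "?":                           # e.g. 4? -> 0x40..0x4f
                base = int(hi_nib, 16) << 4
                parts.append(b"[\\x%02x-\\x%02x]" % (base, base | 0x0F))
            elif hi_nib == "?":                           # e.g. ?4 -> 0x04, 0x14, ..., 0xf4
                low = int(lo_nib, 16)
                alts = b"|".join(b"\\x%02x" % ((h << 4) | low) for h in range(16))
                parts.append(b"(?:" + alts + b")")
            else:
                parts.append(b"\\x%02x" % int(tok, 16))   # literal byte
        else:
            raise ValueError(f"unsupported hex-string token: {tok!r}")
    return b"".join(parts)


# DOTALL so '.' matches every byte value, including 0x0a, as YARA wildcards do.
STR1_RE = re.compile(hex_pattern_to_regex(STR1), re.DOTALL)


def str1_offset(data: bytes):
    """Offset of the first $STR1 hit in data, or None if the string is absent."""
    m = STR1_RE.search(data)
    return m.start() if m else None


def scan(data: bytes) -> bool:
    """Mirror of the rule's condition: (uint16(0) == 0x5A4D) and all of them."""
    if len(data) < 2 or struct.unpack_from("<H", data, 0)[0] != 0x5A4D:
        return False                  # not an MZ/PE image: the rule cannot fire
    return str1_offset(data) is not None


# Constructed test buffer (not a real sample): an MZ header, 62 bytes of stub,
# then bytes laid out to satisfy every element of $STR1 with short jumps.
SAMPLE_HIT = (
    b"MZ" + b"\x90" * 62
    + b"\x83\xc4\x06" + b"\x00" * 7
    + b"\xfa" + b"\x00" * 3
    + b"\x45" + b"\x00" * 2
    + b"\x48" + b"\x00" * 2
    + b"\xe8" + b"\x00" * 2 + b"\xff\xff" + b"\x00" * 6
    + b"\x48\x8d" + b"\x00" * 3
    + b"\x48\x89" + b"\x00" * 3
    + b"\x45" + b"\x00" * 2
    + b"\x4c" + b"\x00" + b"\x01"
)

if __name__ == "__main__":
    print("constructed PE-like buffer :", scan(SAMPLE_HIT), "at offset", str1_offset(SAMPLE_HIT))
    print("same bytes, MZ header cut  :", scan(SAMPLE_HIT[2:]))
    print("MZ header, no implant bytes:", scan(b"MZ" + b"\x00" * 256))
```

Running the script shows the three outcomes a hunter cares about: the constructed buffer fires at offset 64, the same bytes without the MZ magic do not fire even though $STR1 is present, and an MZ file without the byte sequence does not fire. The wide jumps ([7-17], [0-10]) are what let the rule survive small compiler and padding differences between builds, which is also why the MZ condition matters: without it, the loose pattern would be far more likely to hit unrelated data.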
Scenario: Scheduled System Maintenance Task
    Description: A legitimate scheduled task runs a script that uses coreshell or sourface as part of a maintenance routine (e.g., log rotation, backup, or system cleanup).
    Filter/Exclusion: Check for task scheduler or schtasks.exe in the process tree, or filter by CommandLine containing known maintenance scripts.

Scenario: Admin Performing CoreShell Configuration
    Description: An administrator is configuring or troubleshooting the CoreShell service, which may involve executing commands that match the detection logic.
    Filter/Exclusion: Filter by the User field to include only known admin accounts, or check for coreshell in the CommandLine with known configuration flags.

Scenario: Automated Patching Tool Using CoreShell
    Description: A third-party patching tool (e.g., Microsoft Update, SCCM, or Ansible) uses CoreShell as part of its deployment process.
    Filter/Exclusion: Filter by ProcessName to exclude known patching tools, or check for CommandLine containing patching-related arguments.

Scenario: Legitimate Software Installation via CoreShell
    Description: A legitimate software package (e.g., a custom enterprise application) uses CoreShell for installation or deployment, triggering the detection logic.
    Filter/Exclusion: Check for CommandLine containing known installation paths or package names, or filter by User to match authorized deployment accounts.

Scenario: CoreShell Used for Internal Monitoring Tool
    Description: An internal monitoring or logging tool (e.g., a custom SIEM integration) uses CoreShell to collect or process data.
    Filter/Exclusion: Filter by ProcessName to exclude known monitoring tools, or check for CommandLine containing keywords like monitor, log, or collect.