The hypothesis is that this detection rule identifies files carrying the CORESHELL/SOURFACE implant, which APT28 uses for long-term persistence and command and control, by matching three short x86 code sequences inside PE executables (files that begin with the MZ header). SOC teams should run the rule proactively against endpoints, file shares, mail attachments and sandbox output and forward the matches to Azure Sentinel as hunting signals; YARA itself runs where the files are (an EDR or scanning agent, a gateway, a triage pipeline), not inside Sentinel, so a match should be treated as a high-confidence indicator that warrants immediate investigation of the host.
YARA Rule
rule IMPLANT_2_v3 {
    meta:
        description = "CORESHELL/SOURFACE Implant by APT28"
        author = "US CERT"
        reference = "https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE"
        date = "2017-02-10"
        score = 85
    strings:
        $STR1 = {C1 EB 07 8D ?? 01 32 1C ?? 33 D2 }
        $STR2 = {2B ?? 83 ?? 06 0F 83 ?? 00 00 00 EB 02 33 }
        $STR3 = {89 ?? ?? 89 ?? ?? 89 55 ?? 89 45 ?? 3B ?? 0F 83 ?? 00 00 00 8D ?? ?? 8D ?? ?? FE }
    condition:
        (uint16(0) == 0x5A4D) and any of them
}
This YARA rule can be deployed wherever YARA is evaluated: endpoint or EDR file scans, mail and web gateways, sandbox and forensic triage pipelines, and retrohunts over sample repositories, with the results forwarded to Azure Sentinel.
The rule contains three hex string patterns ($STR1 to $STR3) in its detection logic. Each ?? is a single-byte wildcard, so the patterns tolerate differing register or displacement encodings of the same instructions. The condition fires on any file whose first two bytes are "MZ" (uint16(0) reads them little-endian as 0x5A4D) and which contains at least one of the three sequences anywhere in the file (any of them). Note that the rule looks only at file content: filenames, parent processes and command lines play no part in whether it matches.
Because the rule matches file bytes, legitimate-activity exclusions belong on file identity (hash, path, or Authenticode signer), not on the process that created or launched the file. The scenarios below are read with that in mind.
Scenario: A system administrator is using PowerShell to run a scheduled job that deploys a legitimate configuration update using PowerShell scripts.
Filter/Exclusion: No exclusion is needed. A .ps1 file does not start with an MZ header, so this rule cannot fire on it. Do not exclude processes started by the Task Scheduler or PowerShell.exe (for example by matching schtasks or Invoke-Command in the command line): that would also hide a real implant dropped by those same tools.
Scenario: A security team member is performing a penetration test using Metasploit to simulate a CORESHELL/SOURFACE implant for red team training.
Filter/Exclusion: Do not exclude msfconsole, msfvenom, or command lines containing msf or exploit. A generic Metasploit payload is unlikely to contain the three opcode sequences; if the red team deliberately embeds the real implant code, record the SHA-256 of the exercise samples in an allow-list for the engagement window and keep alerting on everything else.
Scenario: A Windows Update or Microsoft Endpoint Manager (MEM) task is deploying a patch that includes a file with a name similar to a malicious payload.
Filter/Exclusion: Filename similarity does not trigger this rule. If a patch file does match, verify its Authenticode signature; Microsoft-signed binaries can be excluded by signer, while an unsigned match delivered through the update channel should be treated as a probable true positive. Excluding wuauserv, schtasks, or the Intune management service by process name is not a substitute for that check.
Scenario: A backup job is running using Veeam or Acronis, and the backup process temporarily creates files with names resembling malicious implants.
Filter/Exclusion: Exclude by path (the Veeam Backup & Replication or Acronis working directories) or avoid scanning temporary files while they are being written. Do not exclude veeam.exe or Acronis.exe by process name: a backup legitimately copies files from every host, so a match inside a backup repository is often a real copy of the implant from an infected machine and is exactly what the hunt is looking for.
Scenario: An IT support technician is using PsExec to remotely execute a script to troubleshoot a system, and the script has a filename similar to a known malicious payload.
Filter/Exclusion: Exclude processes launched via PsExec (psexec.exe) or with a command line containing psexec or `
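The following is an added example and not part of the US-CERT material or the rule author's code: a small Python re-implementation of the rule's matching logic, so the effect of the ?? wildcards and the MZ check can be inspected without yara-python, followed by a triage step that applies the exclusion approach argued for in the scenarios above (allow-list by file hash, never by process). The sample buffers are constructed here and are not real malware; the triage policy, function names and the chosen wildcard fill bytes are assumptions for illustration.

```python
import hashlib
import re
import struct

# The three hex strings from rule IMPLANT_2_v3, copied from the rule text above.
PATTERNS = {
    "$STR1": "C1 EB 07 8D ?? 01 32 1C ?? 33 D2",
    "$STR2": "2B ?? 83 ?? 06 0F 83 ?? 00 00 00 EB 02 33",
    "$STR3": "89 ?? ?? 89 ?? ?? 89 55 ?? 89 45 ?? 3B ?? 0F 83 ?? 00 00 00 8D ?? ?? 8D ?? ?? FE",
}


def hex_pattern_to_regex(pattern: str) -> re.Pattern:
    """Translate a YARA hex string of fixed bytes and ?? wildcards into a bytes regex.

    Only the subset this rule uses is handled (no nibble wildcards, jumps or
    alternatives); anything else raises so a typo cannot silently weaken the match.
    """
    parts = []
    for tok in pattern.split():
        if tok == "??":
            parts.append(b".")                               # any single byte
        elif re.fullmatch(r"[0-9A-Fa-f]{2}", tok):
            parts.append(b"\\x" + tok.lower().encode())      # literal byte, e.g. \xc1
        else:
            raise ValueError(f"unsupported hex token {tok!r}")
    # DOTALL so '.' also matches 0x0A; without it a ?? wildcard would reject a newline byte.
    return re.compile(b"".join(parts), re.DOTALL)


COMPILED = {name: hex_pattern_to_regex(p) for name, p in PATTERNS.items()}


def scan(data: bytes) -> dict:
    """Evaluate the rule condition: (uint16(0) == 0x5A4D) and any of them."""
    # YARA's uint16(0) is little-endian: the bytes 'M','Z' (0x4D 0x5A) read as 0x5A4D.
    is_mz = len(data) >= 2 and struct.unpack_from("<H", data, 0)[0] == 0x5A4D
    hits = {}
    for name, rx in COMPILED.items():
        m = rx.search(data)
        if m:
            hits[name] = m.start()                           # offset of the first occurrence
    return {"match": is_mz and bool(hits), "is_mz": is_mz, "hits": hits}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def triage(data: bytes, allowlist: set) -> str:
    """Hypothetical triage policy (not part of the original rule).

    Exclusions for a content rule are keyed on file identity (SHA-256 of the bytes),
    not on which process wrote or launched the file.
    """
    result = scan(data)
    if not result["match"]:
        return "clean"
    if sha256_hex(data) in allowlist:
        return "allowlisted"   # e.g. a red-team exercise sample registered for the engagement
    return "alert"


# Constructed sample inputs (not real samples): an MZ header, padding, and the bytes
# that $STR1 describes with its two ?? wildcards filled in as 0x45 and 0x02.
STR1_INSTANCE = bytes.fromhex("C1EB078D4501321C0233D2")
SAMPLE_HIT = b"MZ" + b"\x00" * 62 + STR1_INSTANCE + b"\x00" * 16
SAMPLE_NO_MZ = b"\x00\x00" + SAMPLE_HIT[2:]      # same code bytes but not a PE: must not fire
SAMPLE_CLEAN = b"MZ" + bytes(range(256))         # PE header, none of the three sequences

if __name__ == "__main__":
    for label, blob in [("hit", SAMPLE_HIT), ("no_mz", SAMPLE_NO_MZ), ("clean", SAMPLE_CLEAN)]:
        print(label, scan(blob), triage(blob, set()))
    print("allowlisted:", triage(SAMPLE_HIT, {sha256_hex(SAMPLE_HIT)}))
```

In production use the real engine rather than this reimplementation, for example yara -r IMPLANT_2_v3.yar /path/to/scan, and ship the matching file's hash, path and signer alongside the rule name so the allow-list decision can be made centrally. The SAMPLE_NO_MZ case is worth keeping in any regression set for the rule: it is how you confirm the MZ check actually gates the string matches.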