CORESHELL/SOURFACE Implant by APT28

Hunt Hypothesis

The hypothesis is that the detection identifies potential APT28 activity involving the CORESHELL/SOURFACE implant, which is a sophisticated tool used for long-term persistence and command and control. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and mitigate advanced persistent threats before they cause significant damage.

YARA Rule

rule IMPLANT_2_v4 {
   meta:
      description = "CORESHELL/SOURFACE Implant by APT28"
      author = "US CERT"
      reference = "https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE"
      date = "2017-02-10"
      score = 85
   strings:
      $STR1 = {55 8b ec 6a fe 68 [4] 68 [4] 64 A1 00 00 00 00 50 83 EC 0C 53
         56 57 A1 [4] 31 45 F8 33 C5 50 8D 45 F0 64 A3 00 00 00 00 [8-14] 68
         [4] 6a 01 [1-2] FF 15 [4] FF 15 [4] 3D B7 00 00 00 75 27}
   condition:
      (uint16(0) == 0x5A4D) and all of them
}

Deployment Notes

This YARA rule can be deployed in the following contexts:

• Microsoft Defender for Endpoint — Custom indicators / advanced hunting
• Email Gateway — Attachment scanning
• File Share Monitoring — Periodic scanning of shared drives
• YARA CLI — Manual threat hunting on endpoints

This rule contains 1 string patterns in its detection logic.

References

• https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE
• Source Rule

False Positive Guidance

• Scenario: Legitimate scheduled job running PowerShell scripts for system maintenance
  Filter/Exclusion: ProcessName == "schtasks.exe" || ProcessImage contains "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

• Scenario: Admin using PowerShell to configure network settings via Group Policy
  Filter/Exclusion: ProcessImage contains "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" && CommandLine contains "Set-NetFirewallRule"

• Scenario: System update or patching process using PowerShell for deployment
  Filter/Exclusion: ProcessImage contains "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" && CommandLine contains "Start-Process" || CommandLine contains "Invoke-Command"

• Scenario: IT team using PowerShell to automate user account creation or management
  Filter/Exclusion: ProcessImage contains "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" && CommandLine contains "New-LocalUser" || CommandLine contains "Add-LocalGroupMember"

• Scenario: Security tool or SIEM integration using PowerShell for log collection or monitoring
  Filter/Exclusion: ProcessImage contains "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" && CommandLine contains "Get-EventLog" || CommandLine contains "Get-WinEvent"