The hypothesis is that the detection identifies potential APT28 activity involving the CORESHELL/SOURFACE implant, which is used for long-term persistence and command and control. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and mitigate advanced persistent threats before they cause significant damage.
YARA Rule
rule IMPLANT_2_v5 {
    meta:
        description = "CORESHELL/SOURFACE Implant by APT28"
        author = "US CERT"
        reference = "https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE"
        date = "2017-02-10"
        score = 85
    strings:
        $STR1 = {48 83 [2] 48 89 [3] c7 44 [6] 4c 8d 05 [3] 00 BA 01 00 00 00 33 C9 ff 15 [2] 00 00 ff 15 [2] 00 00 3D B7 00 00 00 75 ?? 48 8D 15 ?? 00 00 00 48 8B CC E8}
    condition:
        (uint16(0) == 0x5A4D) and all of them
}
This YARA rule can be deployed in the following contexts:
This rule contains one string pattern ($STR1) in its detection logic; the condition additionally requires the file to start with an MZ header (uint16(0) == 0x5A4D).
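As an added example (not part of the US-CERT rule or of this page), the Python below mirrors the rule's logic so the hex pattern's fixed-length jumps (`[n]`) and byte wildcards (`??`) can be exercised offline: `hex_string_to_regex`, `implant_2_v5_matches` and `build_sample` are names chosen here, and the test buffer is constructed for the demonstration, not a real binary.

```python
import re

# $STR1 copied verbatim from the IMPLANT_2_v5 rule above (on one line).
STR1 = ("48 83 [2] 48 89 [3] c7 44 [6] 4c 8d 05 [3] 00 BA 01 00 00 00 33 "
        "C9 ff 15 [2] 00 00 ff 15 [2] 00 00 3D B7 00 00 00 75 ?? 48 8D 15 ?? 00 "
        "00 00 48 8B CC E8")


def hex_string_to_regex(pattern: str) -> re.Pattern:
    """Translate a YARA hex string into a bytes regex.

    Handles the subset used by $STR1 (fixed bytes, '??' wildcards, '[n]'
    jumps) plus ranged '[n-m]' jumps; nibble wildcards such as '4?' are
    deliberately not supported here.
    """
    parts = []
    for tok in pattern.split():
        if tok == "??":
            parts.append(b".")                      # any single byte
        elif tok.startswith("["):
            lo, _, hi = tok.strip("[]").partition("-")
            hi = hi or lo                           # '[2]' means exactly 2 bytes
            parts.append(b".{%d,%d}" % (int(lo), int(hi)))
        else:
            parts.append(re.escape(bytes.fromhex(tok)))
    return re.compile(b"".join(parts), re.DOTALL)


def implant_2_v5_matches(data: bytes) -> bool:
    """Mirror of the rule condition: little-endian uint16 at offset 0 equals
    0x5A4D ('MZ') and every string is present in the data."""
    if len(data) < 2 or int.from_bytes(data[:2], "little") != 0x5A4D:
        return False
    return hex_string_to_regex(STR1).search(data) is not None


def build_sample(mz_header: bool = True) -> bytes:
    """Constructed buffer (hypothetical, not a real file): filler bytes plus a
    byte sequence that satisfies $STR1, with arbitrary filler in the jump and
    wildcard positions. Flip mz_header to show the header check rejecting it."""
    body = bytes.fromhex(
        "4883" + "aaaa" + "4889" + "bbbbbb" + "c744" + "cc" * 6 + "4c8d05"
        + "dddddd" + "00" + "ba01000000" + "33c9ff15" + "eeee" + "0000ff15"
        + "ffff" + "0000" + "3db7000000" + "75" + "11" + "488d15" + "22"
        + "000000" + "488bcce8")
    header = b"MZ" if mz_header else b"ZM"
    return header + b"\x00" * 62 + body + b"\x00" * 16
```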
Scenario: Legitimate scheduled job running PowerShell scripts for system maintenance
Filter/Exclusion: process.name != "powershell.exe" OR process.parent.name != "schtasks.exe"
Scenario: Admin using PowerShell to configure system settings via Group Policy
Filter/Exclusion: process.name != "powershell.exe" OR process.parent.name != "gpedit.msc"
Scenario: Security team running a PowerShell script to audit user activity
Filter/Exclusion: process.name != "powershell.exe" OR (process.parent.name != "powershell.exe" AND process.command_line contains "audit")
Scenario: Use of PowerShell for software deployment via SCCM (System Center Configuration Manager)
Filter/Exclusion: process.name != "powershell.exe" OR process.parent.name != "ccmexec.exe"
Scenario: Running a legitimate PowerShell module for system monitoring
Filter/Exclusion: process.name != "powershell.exe" OR (process.command_line contains "Import-Module" AND process.command_line contains "SystemMonitor")