The hypothesis is that the detection identifies potential APT28 activity involving the CORESHELL/SOURFACE implant, which is a known tool used for long-term persistence and command and control. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and mitigate advanced persistent threats before they cause significant damage.
YARA Rule
rule IMPLANT_2_v6 {
    meta:
        description = "CORESHELL/SOURFACE Implant by APT28"
        author = "US CERT"
        reference = "https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE"
        date = "2017-02-10"
        score = 85
    strings:
        $STR1 = { e8 [2] ff ff 8b [0-6] 00 04 00 00 7F ?? [1-2] 00 02 00 00 7F
                  ?? [1-2] 00 01 00 00 7F ?? [1-2] 80 00 00 00 7F ?? 83 ?? 40 7F }
    condition:
        (uint16(0) == 0x5A4D) and all of them
}
This YARA rule can be deployed in the following contexts:
This rule contains one string pattern ($STR1) in its detection logic; the condition additionally requires the file to start with the MZ (0x5A4D) DOS header, so only PE executables are considered.
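To make the rule's logic concrete for analysts who do not have a YARA engine at hand, the following Python script is an added example (not part of the original page or of the US-CERT rule set). It translates the $STR1 hex string (with its ?? byte wildcards and [n]/[n-m] jumps) into a bytes regex, applies the same uint16(0) == 0x5A4D header check, and runs both against constructed sample buffers. The sample bytes are made up to exercise the pattern and are not taken from any real implant; the function names are this example's own.

```python
import re
import struct

# $STR1 exactly as written in rule IMPLANT_2_v6 above.
STR1_HEX = (
    "e8 [2] ff ff 8b [0-6] 00 04 00 00 7F ?? [1-2] 00 02 00 00 7F "
    "?? [1-2] 00 01 00 00 7F ?? [1-2] 80 00 00 00 7F ?? 83 ?? 40 7F"
)


def yara_hex_to_regex(hex_string: str) -> re.Pattern:
    """Translate a YARA hex string into a compiled bytes regex.

    Supported tokens: literal bytes, '??' (any one byte), '[n]' (exactly n
    bytes) and '[n-m]' (between n and m bytes). Nibble wildcards such as
    '8?' are not used by this rule and are deliberately not handled.
    """
    parts = []
    for tok in hex_string.split():
        if tok == "??":
            parts.append(rb".")
        elif tok.startswith("[") and tok.endswith("]"):
            span = tok[1:-1]
            if "-" in span:
                lo, hi = span.split("-")
                parts.append(rb".{%d,%d}" % (int(lo), int(hi)))
            else:
                parts.append(rb".{%d}" % int(span))
        else:
            parts.append(re.escape(bytes.fromhex(tok)))
    # DOTALL so '.' also matches 0x0a, which is just another byte here.
    return re.compile(b"".join(parts), re.DOTALL)


STR1 = yara_hex_to_regex(STR1_HEX)


def has_mz_header(data: bytes) -> bool:
    """Equivalent of the rule's 'uint16(0) == 0x5A4D' (little-endian 'MZ')."""
    return len(data) >= 2 and struct.unpack_from("<H", data, 0)[0] == 0x5A4D


def matches_implant_2_v6(data: bytes) -> bool:
    """Mirror the rule condition: MZ header AND all strings present."""
    return has_mz_header(data) and STR1.search(data) is not None


# Constructed sample: a byte sequence laid out to satisfy $STR1. Each
# wildcard and jump is filled with arbitrary values (e.g. 0x8b for the
# [1-2] jumps, 0x45 0xfc for the [0-6] jump after the 8b opcode).
SAMPLE_PATTERN = bytes.fromhex(
    "e8 10 20 ff ff"            # e8 [2] ff ff
    "8b 45 fc"                  # 8b [0-6]
    "00 04 00 00 7f 0e"         # 00 04 00 00 7F ??
    "8b"                        # [1-2]
    "00 02 00 00 7f 08"         # 00 02 00 00 7F ??
    "8b"                        # [1-2]
    "00 01 00 00 7f 02"         # 00 01 00 00 7F ??
    "8b"                        # [1-2]
    "80 00 00 00 7f 1c"         # 80 00 00 00 7F ??
    "83 f8 40 7f"               # 83 ?? 40 7F
)

# Constructed buffers: a fake PE-like file that should hit, the same body
# without the MZ header (should not hit), and a PE-like file with benign
# filler (should not hit).
SAMPLE_HIT = b"MZ" + b"\x90" * 62 + SAMPLE_PATTERN + b"\x00" * 32
SAMPLE_NO_MZ = b"\x00" * 64 + SAMPLE_PATTERN
SAMPLE_CLEAN = b"MZ" + b"\x90" * 62 + bytes(range(256))


def scan_file(path: str) -> bool:
    """Convenience wrapper for running the check against a file on disk."""
    with open(path, "rb") as fh:
        return matches_implant_2_v6(fh.read())


if __name__ == "__main__":
    for name, buf in [("hit", SAMPLE_HIT), ("no_mz", SAMPLE_NO_MZ), ("clean", SAMPLE_CLEAN)]:
        print(f"{name}: {matches_implant_2_v6(buf)}")
```

The translation keeps the rule's semantics for the token types it uses; note that the MZ check alone is what keeps the hex pattern from firing on arbitrary non-PE data such as memory dumps or archives, which is worth remembering when tuning the false-positive scenarios listed below.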
Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task runs a script that mimics the behavior of the CORESHELL/SOURFACE implant, such as downloading files or executing commands.
Filter/Exclusion: Exclude processes initiated by schtasks.exe or tasks with a known name (e.g., SystemMaintenanceTask).
Scenario: Admin Performing Remote PowerShell Script Execution
Description: An administrator uses PowerShell to remotely execute scripts for system configuration, which may trigger the detection due to similar command patterns.
Filter/Exclusion: Exclude processes originating from powershell.exe with a known admin script name (e.g., Configure-System.ps1) or with the -Command parameter.
Scenario: Software Update or Patch Deployment
Description: A legitimate software update process downloads and executes a script or binary that resembles the implant’s behavior.
Filter/Exclusion: Exclude processes initiated by a known update tool (e.g., Microsoft Update, WSUS, or PatchManager.exe) or with a known update file name.
Scenario: Database Backup Job Execution
Description: A scheduled database backup job uses a script or tool that performs file operations similar to the implant, such as copying or extracting files.
Filter/Exclusion: Exclude processes initiated by a known backup tool (e.g., SQLBackupTool.exe, Veeam.exe) or with a known backup job name.
Scenario: User-Initiated File Extraction for Documentation Purposes
Description: A user extracts files from a compressed archive (e.g., .zip, .tar.gz) for documentation or analysis, which may trigger the rule due to file extraction behavior.
Filter/Exclusion: Exclude processes initiated by a known archiving tool (e.g., 7-Zip.exe, `WinRAR