Hypothesis: this detection identifies potential APT28 activity involving the CORESHELL/SOURFACE implant, a sophisticated tool used for long-term persistence and command and control. SOC teams should proactively hunt for this behaviour in Azure Sentinel so that advanced persistent threats are detected and mitigated before they cause significant damage.
YARA Rule
rule IMPLANT_2_v8 {
    meta:
        description = "CORESHELL/SOURFACE Implant by APT28"
        author = "US CERT"
        reference = "https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE"
        date = "2017-02-10"
        score = 85
    strings:
        // Wildcard-masked code byte sequences from the implant; ?? matches any single byte
        $STR1 = { 8B ?? 44 89 44 24 60 41 F7 E0 8B F2 B8 AB AA AA AA C1 EE 02 89
                  74 24 58 44 8B ?? 41 F7 ?? 8B CA BA 03 00 00 00 C1 E9 02 89 0C 24 8D
                  04 49 03 C0 44 2B ?? 44 89 ?? 24 04 3B F1 0F 83 ?? 01 00 00 8D 1C 76
                  4C 89 6C 24 }
        $STR2 = { C5 41 F7 E0 ?? ?? ?? ?? ?? ?? 8D 0C 52 03 C9 2B C1 8B C8 ?? 8D
                  04 ?? 46 0F B6 0C ?? 40 02 C7 41 8D 48 FF 44 32 C8 B8 AB AA AA AA F7
                  E1 C1 EA 02 8D 04 52 03 C0 2B C8 B8 AB AA AA AA 46 22 0C ?? 41 8D 48
                  FE F7 E1 C1 EA 02 8D 04 52 03 C0 2B C8 8B C1 }
        $STR3 = { 41 F7 E0 C1 EA 02 41 8B C0 8D 0C 52 03 C9 2B C1 8B C8 42 8D 04
                  1B 46 0F B6 0C ?? 40 02 C6 41 8D 48 FF 44 32 C8 B8 AB AA AA AA F7 E1
                  C1 EA 02 8D 04 52 03 C0 2B C8 B8 AB AA AA AA }
        $STR4 = { 46 22 0C ?? 41 8D 48 FE F7 E1 C1 EA 02 8D 04 52 8B 54 24 58 03
                  C0 2B C8 8B C1 0F B6 4F FF 42 0F B6 04 ?? 41 0F AF CB C1 }
    condition:
        // uint16(0) == 0x5A4D requires the "MZ" header, i.e. a PE file, before any string counts
        (uint16(0) == 0x5A4D) and any of them
}
The rule's detection logic consists of four wildcard-masked hex string patterns ($STR1 to $STR4), any one of which is sufficient for a match, gated by the check that the scanned file starts with an MZ (PE) header.
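To show how the rule's condition is evaluated, the following added example (not part of the original page or the US-CERT release) translates the four hex strings above into byte regexes, applies the uint16(0) == 0x5A4D gate, and scans two constructed buffers; the sample buffers and the 0x7F wildcard filler are assumptions made for the demonstration, not real implant data.

```python
import re
import struct

# Hex patterns copied from the IMPLANT_2_v8 rule above; "??" is a single-byte wildcard.
HEX_STRINGS = {
    "$STR1": "8B ?? 44 89 44 24 60 41 F7 E0 8B F2 B8 AB AA AA AA C1 EE 02 89 74 24 58 44 8B ?? "
             "41 F7 ?? 8B CA BA 03 00 00 00 C1 E9 02 89 0C 24 8D 04 49 03 C0 44 2B ?? 44 89 ?? "
             "24 04 3B F1 0F 83 ?? 01 00 00 8D 1C 76 4C 89 6C 24",
    "$STR2": "C5 41 F7 E0 ?? ?? ?? ?? ?? ?? 8D 0C 52 03 C9 2B C1 8B C8 ?? 8D 04 ?? 46 0F B6 0C ?? "
             "40 02 C7 41 8D 48 FF 44 32 C8 B8 AB AA AA AA F7 E1 C1 EA 02 8D 04 52 03 C0 2B C8 "
             "B8 AB AA AA AA 46 22 0C ?? 41 8D 48 FE F7 E1 C1 EA 02 8D 04 52 03 C0 2B C8 8B C1",
    "$STR3": "41 F7 E0 C1 EA 02 41 8B C0 8D 0C 52 03 C9 2B C1 8B C8 42 8D 04 1B 46 0F B6 0C ?? "
             "40 02 C6 41 8D 48 FF 44 32 C8 B8 AB AA AA AA F7 E1 C1 EA 02 8D 04 52 03 C0 2B C8 "
             "B8 AB AA AA AA",
    "$STR4": "46 22 0C ?? 41 8D 48 FE F7 E1 C1 EA 02 8D 04 52 8B 54 24 58 03 C0 2B C8 8B C1 "
             "0F B6 4F FF 42 0F B6 04 ?? 41 0F AF CB C1",
}

def hex_string_to_regex(pattern):
    """Translate a YARA hex string into a compiled bytes regex ("??" becomes any one byte)."""
    parts = [b"." if tok == "??" else re.escape(bytes.fromhex(tok)) for tok in pattern.split()]
    return re.compile(b"".join(parts), re.DOTALL)

COMPILED = {name: hex_string_to_regex(p) for name, p in HEX_STRINGS.items()}

def scan(data):
    """Mirror the rule condition: uint16(0) == 0x5A4D ("MZ") and any of the patterns.
    Returns the names of the strings that matched, or [] when the rule would not fire."""
    if len(data) < 2 or struct.unpack_from("<H", data, 0)[0] != 0x5A4D:
        return []  # not a PE/MZ file: the rule cannot fire whatever the body contains
    return [name for name, rx in COMPILED.items() if rx.search(data)]

def fill_wildcards(pattern, filler=0x90):
    """Constructed-test helper: materialise a pattern with every ?? replaced by `filler`."""
    return bytes(filler if tok == "??" else int(tok, 16) for tok in pattern.split())

# Constructed sample buffers (not real malware, an assumption for the demo): an MZ header,
# padding, then bytes that satisfy $STR4; the second buffer is the same body without "MZ".
SAMPLE_PE = b"MZ" + b"\x00" * 62 + b"A" * 100 + fill_wildcards(HEX_STRINGS["$STR4"], 0x7F) + b"\x00" * 16
SAMPLE_NOT_PE = SAMPLE_PE[2:]

if __name__ == "__main__":
    print("PE sample    ->", scan(SAMPLE_PE))      # ['$STR4']
    print("no-MZ sample ->", scan(SAMPLE_NOT_PE))  # []
```

The second buffer still contains the $STR4 bytes, so its empty result shows the MZ gate doing its job; on a real host the same logic is what a YARA scan of PE files on disk or in memory applies.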
Possible false positives and suggested exclusions:

Scenario: A system administrator is performing a scheduled backup using Veeam Backup & Replication and the backup process triggers a network connection to a known APT28 C2 server.
Filter/Exclusion: Exclude connections initiated by Veeam Backup & Replication or processes whose executable path contains "veeam".

Scenario: A security team member is using Microsoft Sysinternals Procmon to monitor system activity, which results in a file creation event that matches the implant signature.
Filter/Exclusion: Exclude events where the process name is procmon.exe or the user is a member of the Security or Administrators group.

Scenario: A legitimate Windows Task Scheduler job is configured to run a script that uses PowerShell to interact with a remote server for log collection, which resembles the behaviour of the implant.
Filter/Exclusion: Exclude events where the process is initiated by Task Scheduler and the command line includes powershell.exe with arguments related to log collection or monitoring.

Scenario: A developer is using Visual Studio to debug a remote application, which results in a network connection to a server that is falsely identified as a C2 server.
Filter/Exclusion: Exclude connections initiated by devenv.exe or processes running under the Visual Studio development environment.

Scenario: A system update or patching tool such as Microsoft Update or WSUS is deploying a patch that requires communication with Microsoft servers, which is mistakenly flagged as a C2 connection.
Filter/Exclusion: Exclude connections to update.microsoft.com or the WSUS server and processes associated with the Windows Update or WSUS client.