The X-Agent/CHOPSTICK Implant by APT28 is a high-impact adversary behavior used for long-term persistence and command and control, indicating potential compromise of critical systems. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and mitigate advanced persistent threats before significant data exfiltration or system disruption occurs.
YARA Rule
rule IMPLANT_3_v2 {
    meta:
        description = "X-Agent/CHOPSTICK Implant by APT28"
        author = "US CERT"
        reference = "https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE"
        date = "2017-02-10"
        score = 85
    strings:
        $base_key_moved = { C7 45 ?? 3B C6 73 0F C7 45 ?? 8B 07 85 C0 C7 45 ?? 74 02 FF D0 C7 45 ?? 83 C7 04 3B C7 45 ?? FE 72 F1 5F C7 45 ?? 5E C3 8B FF C7 45 ?? 56 B8 D8 78 C7 45 ?? 75 07 50 E8 C7 45 ?? B1 D1 FF FF C7 45 ?? 59 5D C3 8B C7 45 ?? FF 55 8B EC C7 45 ?? 83 EC 10 A1 66 C7 45 ?? 33 35 }
        $base_key_b_array = { 3B C6 73 0F 8B 07 85 C0 74 02 FF D0 83 C7 04 3B FE 72 F1 5F 5E C3 8B FF 56 B8 D8 78 75 07 50 E8 B1 D1 FF FF 59 5D C3 8B FF 55 8B EC 83 EC 10 A1 33 35 }
    condition:
        (uint16(0) == 0x5A4D or uint16(0) == 0xCFD0 or uint16(0) == 0xC3D4 or
         uint32(0) == 0x46445025 or uint32(1) == 0x6674725C) and any of them
}
This YARA rule can be deployed in the following contexts:
This rule contains 2 string patterns in its detection logic.
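As an added example (not part of the US-CERT rule or of this page), the Python below reimplements the rule's condition without yara-python so the two halves can be seen separately: the little-endian header gate (MZ, OLE2, pcap, PDF, RTF) and the two hex strings with `??` single-byte wildcards. The `render` helper and every sample buffer it builds are constructed here for illustration only.

```python
import re
import struct

# Hex strings copied from the page's IMPLANT_3_v2 rule (line wraps joined).
BASE_KEY_B_ARRAY = (
    "3B C6 73 0F 8B 07 85 C0 74 02 FF D0 83 C7 04 3B FE 72 F1 5F 5E C3 8B FF "
    "56 B8 D8 78 75 07 50 E8 B1 D1 FF FF 59 5D C3 8B FF 55 8B EC 83 EC 10 A1 33 35"
)
BASE_KEY_MOVED = (
    "C7 45 ?? 3B C6 73 0F C7 45 ?? 8B 07 85 C0 C7 45 ?? 74 02 FF D0 C7 45 ?? "
    "83 C7 04 3B C7 45 ?? FE 72 F1 5F C7 45 ?? 5E C3 8B FF C7 45 ?? 56 B8 D8 78 "
    "C7 45 ?? 75 07 50 E8 C7 45 ?? B1 D1 FF FF C7 45 ?? 59 5D C3 8B C7 45 ?? "
    "FF 55 8B EC C7 45 ?? 83 EC 10 A1 66 C7 45 ?? 33 35"
)

def hex_pattern_to_regex(hex_string):
    """Translate a YARA hex string ('??' = any one byte) into a bytes regex."""
    parts = [b"." if tok == "??" else re.escape(bytes([int(tok, 16)]))
             for tok in hex_string.split()]
    return re.compile(b"".join(parts), re.DOTALL)

def render(hex_string, fill=0x00):
    """Constructed sample bytes from a pattern, with every '??' set to `fill`."""
    return bytes(fill if tok == "??" else int(tok, 16) for tok in hex_string.split())

def header_matches(data):
    """The rule's file-type gate; YARA's uint16()/uint32() read little-endian."""
    if len(data) < 5:
        return False
    u16_0 = struct.unpack_from("<H", data, 0)[0]
    u32_0 = struct.unpack_from("<I", data, 0)[0]
    u32_1 = struct.unpack_from("<I", data, 1)[0]
    return (u16_0 in (0x5A4D, 0xCFD0, 0xC3D4)   # "MZ", OLE2 D0 CF, pcap D4 C3
            or u32_0 == 0x46445025               # "%PDF"
            or u32_1 == 0x6674725C)              # "\rtf" following the "{"

PATTERNS = {
    "$base_key_moved": hex_pattern_to_regex(BASE_KEY_MOVED),
    "$base_key_b_array": hex_pattern_to_regex(BASE_KEY_B_ARRAY),
}

def scan(data):
    """Names of strings that hit, or [] when the header gate rejects the file."""
    if not header_matches(data):
        return []
    return [name for name, rx in PATTERNS.items() if rx.search(data)]

def rule_fires(data):
    """'any of them': the rule matches when the gate passes and any string hits."""
    return bool(scan(data))
```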
Scenario: Scheduled System Maintenance Task
Description: A legitimate system maintenance task using schtasks.exe to run a script that mimics the behavior of the X-Agent/CHOPSTICK implant.
Filter/Exclusion: Exclude processes initiated by schtasks.exe with a known legitimate command line or scheduled job name (e.g., schtasks /run /tn "SystemMaintenance").
Scenario: PowerShell Script for Log Collection
Description: An enterprise PowerShell script used for log collection or monitoring that uses Invoke-Command or Invoke-WebRequest in a manner similar to the implant’s C2 communication.
Filter/Exclusion: Exclude processes where the script path contains known log collection tools (e.g., C:\Windows\System32\logcollect.ps1) or where the command line includes -OutputPath or -LogPath.
Scenario: Admin Task for Software Deployment
Description: A legitimate admin task using msiexec.exe or setup.exe to deploy software that includes a payload mimicking the X-Agent/CHOPSTICK implant.
Filter/Exclusion: Exclude processes where the executable is signed by a known enterprise vendor (e.g., Microsoft, VMware) or where the command line includes a known deployment package (e.g., msiexec /i "software.msi").
Scenario: Network Monitoring Tool Traffic
Description: A network monitoring tool like Wireshark or Microsoft Network Monitor (NMM) is capturing traffic that resembles C2 communication from the X-Agent/CHOPSTICK implant.
Filter/Exclusion: Exclude processes where the executable is Wireshark.exe, NMM.exe, or tcpdump.exe, and filter traffic based on known monitoring tool ports (e.g., 12345, 8