This rule detects a specific compiled code sequence from the Sednit / EVILTOSS implant attributed to APT28, as published by US-CERT in its GRIZZLY STEPPE analysis. A match on a host indicates that the implant binary, or a document, capture or dump carrying it, is present, and therefore likely adversary activity in the network. SOC teams can use the rule to hunt proactively across file shares, mail attachments, endpoint artefacts and malware repositories, and should treat any hit as a high-priority incident rather than a tuning problem.
YARA Rule
rule IMPLANT_6_v5 {
meta:
description = "Sednit / EVILTOSS Implant by APT28"
author = "US CERT"
reference = "https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE"
date = "2017-02-10"
score = 85
strings:
$STR1 = { 83 EC 18 8B 4C 24 24 B8 AB AA AA AA F7 E1 8B 44 24 20 53 55 8B
EA 8D 14 08 B8 AB AA AA AA 89 54 24 1C F7 E2 56 8B F2 C1 ED 02 8B DD
57 8B 7C 24 38 89 6C 24 1C C1 EE 02 3B DE 89 5C 24 18 89 74 24 20 0F
83 CF 00 00 00 8D 14 5B 8D 44 12 FE 89 44 24 10 3B DD 0F 85 CF 00 00
00 8B C1 33 D2 B9 06 00 00 00 F7 F1 8B CA 83 F9 06 89 4C 24 38 0F 83
86 00 00 00 8A C3 B2 06 F6 EA 8B 54 24 10 88 44 24 30 8B 44 24 2C 8D
71 02 03 D0 89 54 24 14 8B 54 24 10 33 C0 8A 44 37 FE 03 D6 8B D8 8D
46 FF 0F AF DA 33 D2 BD 06 00 00 00 F7 F5 C1 EB 07 8A 04 3A 33 D2 32
D8 8D 46 01 F7 F5 8A 44 24 30 02 C1 8A 0C 3A 33 D2 32 C8 8B C6 F7 F5
8A 04 3A 22 C8 8B 44 24 14 02 D9 8A 0C 30 32 CB 88 0C 30 8B 4C 24 38
41 46 83 FE 08 89 4C 24 38 72 A1 8B 5C 24 18 8B 6C 24 1C 8B 74 24 20
8B 4C 24 10 43 83 C1 06 3B DE 89 4C 24 10 8B 4C 24 34 89 5C 24 18 0F
82 3C FF FF FF 3B DD 75 1A 8B C1 33 D2 B9 06 00 00 00 F7 F1 8B CA EB
0D 33 C9 89 4C 24 38 E9 40 FF FF FF 33 C9 8B 44 24 24 33 D2 BE 06 00
00 00 89 4C 24 38 F7 F6 3B CA 89 54 24 24 0F 83 95 00 00 00 8A C3 B2
06 F6 EA 8D 1C 5B 88 44 24 30 8B 44 24 2C 8D 71 02 D1 E3 89 5C 24 34
8D 54 03 FE 89 54 24 14 EB 04 8B 5C 24 34 33 C0 BD 06 00 00 00 8A 44
3E FE 8B D0 8D 44 1E FE 0F AF D0 C1 EA 07 89 54 24 2C 8D 46 FF 33 D2
BB 06 00 00 00 F7 F3 8B 5C 24 2C 8A 04 3A 33 D2 32 D8 8D 46 01 F7 F5
8A 44 24 30 02 C1 8A 0C 3A 33 D2 32 C8 8B C6 F7 F5 8A 04 3A 22 C8 8B
44 24 14 02 D9 8A 0C 06 32 CB 88 0C 06 8B 4C 24 38 8B 44 24 24 41 46
3B C8 89 4C 24 38 72 8F 5F 5E 5D 5B 83 C4 18 C2 10 00 }
condition:
(uint16(0) == 0x5A4D or uint16(0) == 0xCFD0 or uint16(0) == 0xC3D4 or
uint32(0) == 0x46445025 or uint32(1) == 0x6674725C) and all of them
}
Deployment notes

The rule has a single string, $STR1: roughly 500 contiguous bytes of 32-bit x86 code with no wildcards or jumps. The sequence is one complete function (it begins with sub esp, 0x18 and push ebx/ebp/esi/edi, and ends with the matching pops, add esp, 0x18 and ret 0x10). A match therefore requires that exact compiled sequence to be present in the scanned data, which keeps false positives very low but also means a recompiled or differently optimised build of the implant will not match.

The condition gates on file type using YARA's little-endian integer reads: uint16(0) == 0x5A4D is the "MZ" PE header; 0xCFD0 is the D0 CF prefix of the OLE2 compound-document magic (binary Office formats); 0xC3D4 is the D4 C3 prefix of the pcap magic; uint32(0) == 0x46445025 is "%PDF"; and uint32(1) == 0x6674725C is "\rtf" at offset 1, i.e. the "{\rtf" signature. The rule thus matches the implant itself, documents that embed it, and packet captures that carry it, but not a raw dump of the code without one of those headers. Scan files and collected artefacts with yara or yara-python; the process-based exclusions that follow are not applicable to a content-matching rule.
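To make the gating behaviour concrete, the following script re-implements the rule's condition in plain Python and runs it over a handful of constructed samples: a PE, a pcap and an RTF that carry the code sequence (all match), a raw blob of the sequence with no recognised header (no match), a clean PE, and a PE with only part of the sequence. This is an added example and not code from US-CERT or the original page; the sample buffers are constructed here, and in production the rule is compiled and run with yara or yara-python, not with this script.

```python
"""Plain-Python re-implementation of IMPLANT_6_v5's condition (added example).

Assumptions: the hex string is copied verbatim from the rule on the page, the
sample buffers below are constructed for illustration, and YARA's uintN(offset)
functions read little-endian integers (which they do).
"""
import re
import struct

# $STR1 from the rule, unchanged.  No wildcards (??) or jumps ([n-m]) occur.
RULE_HEX = """
83 EC 18 8B 4C 24 24 B8 AB AA AA AA F7 E1 8B 44 24 20 53 55 8B
EA 8D 14 08 B8 AB AA AA AA 89 54 24 1C F7 E2 56 8B F2 C1 ED 02 8B DD
57 8B 7C 24 38 89 6C 24 1C C1 EE 02 3B DE 89 5C 24 18 89 74 24 20 0F
83 CF 00 00 00 8D 14 5B 8D 44 12 FE 89 44 24 10 3B DD 0F 85 CF 00 00
00 8B C1 33 D2 B9 06 00 00 00 F7 F1 8B CA 83 F9 06 89 4C 24 38 0F 83
86 00 00 00 8A C3 B2 06 F6 EA 8B 54 24 10 88 44 24 30 8B 44 24 2C 8D
71 02 03 D0 89 54 24 14 8B 54 24 10 33 C0 8A 44 37 FE 03 D6 8B D8 8D
46 FF 0F AF DA 33 D2 BD 06 00 00 00 F7 F5 C1 EB 07 8A 04 3A 33 D2 32
D8 8D 46 01 F7 F5 8A 44 24 30 02 C1 8A 0C 3A 33 D2 32 C8 8B C6 F7 F5
8A 04 3A 22 C8 8B 44 24 14 02 D9 8A 0C 30 32 CB 88 0C 30 8B 4C 24 38
41 46 83 FE 08 89 4C 24 38 72 A1 8B 5C 24 18 8B 6C 24 1C 8B 74 24 20
8B 4C 24 10 43 83 C1 06 3B DE 89 4C 24 10 8B 4C 24 34 89 5C 24 18 0F
82 3C FF FF FF 3B DD 75 1A 8B C1 33 D2 B9 06 00 00 00 F7 F1 8B CA EB
0D 33 C9 89 4C 24 38 E9 40 FF FF FF 33 C9 8B 44 24 24 33 D2 BE 06 00
00 00 89 4C 24 38 F7 F6 3B CA 89 54 24 24 0F 83 95 00 00 00 8A C3 B2
06 F6 EA 8D 1C 5B 88 44 24 30 8B 44 24 2C 8D 71 02 D1 E3 89 5C 24 34
8D 54 03 FE 89 54 24 14 EB 04 8B 5C 24 34 33 C0 BD 06 00 00 00 8A 44
3E FE 8B D0 8D 44 1E FE 0F AF D0 C1 EA 07 89 54 24 2C 8D 46 FF 33 D2
BB 06 00 00 00 F7 F3 8B 5C 24 2C 8A 04 3A 33 D2 32 D8 8D 46 01 F7 F5
8A 44 24 30 02 C1 8A 0C 3A 33 D2 32 C8 8B C6 F7 F5 8A 04 3A 22 C8 8B
44 24 14 02 D9 8A 0C 06 32 CB 88 0C 06 8B 4C 24 38 8B 44 24 24 41 46
3B C8 89 4C 24 38 72 8F 5F 5E 5D 5B 83 C4 18 C2 10 00
"""


def parse_hex_string(text: str) -> bytes:
    """Convert a plain YARA hex string body into bytes.

    Only literal byte tokens are supported; wildcards and jumps would need a
    regex-style matcher instead of a plain substring search.
    """
    tokens = text.split()
    if any(not re.fullmatch(r"[0-9A-Fa-f]{2}", t) for t in tokens):
        raise ValueError("only plain hex bytes are supported (no ?? or [n-m])")
    return bytes(int(t, 16) for t in tokens)


STR1 = parse_hex_string(RULE_HEX)


def header_matches(data: bytes) -> bool:
    """The rule's file-type gate.  uint16/uint32 are little-endian reads,
    so 0xCFD0 means on-disk bytes D0 CF and 0xC3D4 means D4 C3."""
    def u16(off):
        return struct.unpack_from("<H", data, off)[0] if len(data) >= off + 2 else None

    def u32(off):
        return struct.unpack_from("<I", data, off)[0] if len(data) >= off + 4 else None

    return (u16(0) in (0x5A4D, 0xCFD0, 0xC3D4)   # MZ, OLE2 (D0 CF), pcap (D4 C3)
            or u32(0) == 0x46445025             # "%PDF"
            or u32(1) == 0x6674725C)            # "\rtf" at offset 1, i.e. "{\rtf"


def rule_matches(data: bytes) -> bool:
    """Equivalent of the rule's condition: header gate AND all of the strings."""
    return header_matches(data) and STR1 in data


def build_samples() -> dict:
    """Constructed test buffers (not real files): carriers with and without $STR1."""
    pad = b"\x00" * 64
    return {
        "pe_with_implant_code": b"MZ" + pad + STR1 + pad,
        "pcap_carrying_implant": b"\xd4\xc3\xb2\xa1" + pad + STR1,
        "rtf_carrying_implant": b"{\\rtf1" + pad + STR1,
        "raw_shellcode_blob": STR1,                       # no recognised header
        "clean_pe": b"MZ" + pad + b"schtasks.exe /create" + pad,
        "partial_pattern_pe": b"MZ" + pad + STR1[:200] + pad,
    }


def scan_samples() -> dict:
    """Run the rule over every constructed sample; True means IMPLANT_6_v5 fires."""
    return {name: rule_matches(blob) for name, blob in build_samples().items()}


if __name__ == "__main__":
    for name, hit in scan_samples().items():
        print(f"{name:24s} {'MATCH' if hit else 'no match'}")
```

The raw blob and the partial pattern show the two ways a genuine sample can be missed: code carved out of memory without a file header, and a build in which even one byte of the function differs. Both are reasons to pair this rule with looser, behaviour-based detections rather than to relax it.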
Scenario: Scheduled System Maintenance Task
Description: A scheduled task created with schtasks.exe runs a cleanup or configuration script. The rule matches file content, not process activity, so schtasks.exe, its command line (/create, /delete) and the scripts it launches do not match unless a file actually contains the implant code sequence.
Filter/Exclusion: None by ProcessName or User. If a file launched by a scheduled task matches, triage the file itself (hash, signer, path, first-seen time) rather than excluding the task.
Scenario: Microsoft Update Deployment
Description: wusa.exe, dism.exe and the update packages they apply are Microsoft-signed and are not expected to contain $STR1; the rule is not triggered by execution behaviour or by command-line switches.
Filter/Exclusion: None. A match inside an update package or in either binary should be treated as a true positive (tampered or replaced file) until the file's Authenticode signature has been verified.
Scenario: Admin PowerShell Script Execution
Description: An administrator runs powershell.exe -NonInteractive -NoProfile with a script that configures settings or manages services. Script text cannot contain the compiled sequence; only a file the script writes out (for example a decoded binary) could.
Filter/Exclusion: None by command-line switch or script path. Scan any files dropped by the script; if one matches, the script is delivering the implant.
Scenario: Antivirus Quarantine Process
Description: A quarantine store (for example from an AVG or McAfee scan) may hold a copy of the implant that the product already contained. A hit there confirms an earlier infection rather than being a false positive; many products encode quarantined files, so they will often not match at all.
Filter/Exclusion: Exclude quarantine directories from scheduled scans only if they generate duplicate alerts for an incident already under investigation, and keep the hit as evidence.
Scenario: Log Collection and Analysis Tool
Description: A log collection tool (e.g. logparser.exe, splunkforwarder.exe) reads system logs. The rule does not match on file access, and text logs cannot contain the compiled sequence; a forwarder that ships binary artefacts such as memory dumps or captured files could carry it, in which case the match points at the source host, not the forwarder.
Filter/Exclusion: