The hypothesis is that the detection rule identifies potential KORPLUG Backdoor activity linked to the recent “greedy wonk” operation by matching Windows Security process-creation events (event ID 4688) against known IOC file paths. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect early-stage compromise and mitigate the impact of advanced persistent threats.
YARA Rule
rule Korplug
{
    meta:
        maltype = "Korplug Backdoor"
        author = "https://github.com/reed1713"
        reference = "http://www.symantec.com/connect/blogs/new-sample-backdoorkorplug-signed-stolen-certificate"
        description = "IOC looks for events associated with the KORPLUG Backdoor linked to the recent operation greedy wonk activity."
    strings:
        $type = "Microsoft-Windows-Security-Auditing"
        $eventid = "4688"
        $data = "ProgramData\\RasTls\\RasTls.exe"
        $type1 = "Microsoft-Windows-Security-Auditing"
        $eventid1 = "4688"
        $data1 = "ProgramData\\RasTls\\rundll32.exe"
        $type2 = "Microsoft-Windows-Security-Auditing"
        $eventid2 = "4688"
        $data2 = "ProgramData\\RasTls\\svchost.exe"
    condition:
        all of them
}
This YARA rule can be deployed in the following contexts:
This rule contains 9 string patterns in its detection logic.
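To show how the rule's logic behaves when applied to exported event-log text, here is an added Python example (not part of the original page or the rule author's repository) that replays the same indicator set over a few constructed 4688 records. Because the rule's condition is `all of them`, every string, and therefore all three RasTls image paths, must appear in the single scanned file before YARA fires; the example also reports which indicators matched individually, which is what a per-event hunt query would surface. The flattened `key=value` export format is an assumption; real EVTX or CSV exports differ.

```python
import re
from typing import Dict, List

# Same indicator set as the YARA rule: Security-Auditing event 4688 whose new
# process image lives under ProgramData\RasTls\ with one of three file names.
PROVIDER = "Microsoft-Windows-Security-Auditing"
EVENT_ID = "4688"
RASTLS_IMAGES = (
    r"ProgramData\RasTls\RasTls.exe",
    r"ProgramData\RasTls\rundll32.exe",
    r"ProgramData\RasTls\svchost.exe",
)

# Constructed sample records (assumption: flattened key=value export, one event per line).
SAMPLE_LOG = """\
Provider=Microsoft-Windows-Security-Auditing EventID=4688 NewProcessName=C:\\ProgramData\\RasTls\\RasTls.exe SubjectUserName=alice
Provider=Microsoft-Windows-Security-Auditing EventID=4688 NewProcessName=C:\\Windows\\System32\\svchost.exe SubjectUserName=SYSTEM
Provider=Microsoft-Windows-Security-Auditing EventID=4688 NewProcessName=C:\\ProgramData\\RasTls\\rundll32.exe SubjectUserName=alice
Provider=Microsoft-Windows-Security-Auditing EventID=4689 NewProcessName=C:\\ProgramData\\RasTls\\svchost.exe SubjectUserName=alice
"""

def parse_record(line: str) -> Dict[str, str]:
    """Split one flattened event line into its key/value fields."""
    return dict(re.findall(r"(\w+)=(\S+)", line))

def matching_images(log_text: str) -> List[str]:
    """Return the RasTls indicators seen in 4688 Security-Auditing events, without duplicates."""
    seen: List[str] = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        # Only process-creation events from the Security-Auditing provider count.
        if rec.get("Provider") != PROVIDER or rec.get("EventID") != EVENT_ID:
            continue
        image = rec.get("NewProcessName", "")
        for indicator in RASTLS_IMAGES:
            # Case-sensitive substring test, exactly as a YARA text string without 'nocase'.
            if indicator in image and indicator not in seen:
                seen.append(indicator)
    return seen

def yara_rule_fires(log_text: str) -> bool:
    """Equivalent of the rule's 'all of them': every indicator must be present in the scanned text."""
    return len(matching_images(log_text)) == len(RASTLS_IMAGES)

if __name__ == "__main__":
    print("indicators seen:", matching_images(SAMPLE_LOG))
    print("YARA 'all of them' would fire:", yara_rule_fires(SAMPLE_LOG))
```

On the sample above only two of the three images appear in 4688 events (the svchost.exe record is a 4689 process-exit event), so the YARA condition would not fire even though two indicators are present; a hunt query should alert on any single hit rather than wait for all three.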
Scenario: Legitimate scheduled system maintenance task
Description: A scheduled task using schtasks.exe is configured to run a routine system cleanup or patching process.
Filter/Exclusion: Exclude events where the command line includes schtasks.exe and the task name contains “SystemMaintenance” or “Patch”.
Scenario: Admin using PowerShell remoting for remote management
Description: An administrator is using powershell.exe with the -Command parameter to run remote management scripts across the network.
Filter/Exclusion: Exclude events where the process is initiated by a user with elevated privileges (e.g., NT AUTHORITY\SYSTEM) and the command includes Invoke-Command or Enter-PSSession.
Scenario: Legitimate software update deployment
Description: A deployment tool like Chocolatey or WSUS is used to push updates to endpoints, which may include PowerShell scripts or executable files.
Filter/Exclusion: Exclude events where the process is initiated by a known deployment tool (e.g., choco.exe, wsusutil.exe) and the file path is within a trusted update directory.
Scenario: User running a legitimate security tool
Description: A user is running a security tool like Malwarebytes or Bitdefender which may trigger file access or process creation events.
Filter/Exclusion: Exclude events where the process name matches the security tool’s executable (e.g., mbam.exe, bdagent.exe) and the user is a non-administrator.
Scenario: Database backup job execution
Description: A SQL Server backup job is executed using sqlcmd.exe or sqlbackup.exe, which may generate process creation or file access events.
Filter/Exclusion: Exclude events where the process is initiated by a