The hypothesis is that the YARA rule below identifies Korplug/PlugX FAST variant samples by their file content rather than by runtime behaviour: the rundll32.exe command line that invokes a DLL's ShadowPlay export, the NVIDIA-lookalike file names nvdisps.dll and nvdisps_user.dat, and the \winhlp32.exe path. The rule inspects bytes on disk or in memory; it does not observe process execution or network traffic. SOC teams should proactively hunt for files carrying these artifacts on endpoints and file shares and forward the matches to Azure Sentinel (now Microsoft Sentinel), so that early-stage compromise is identified and contained before it escalates to persistence or data exfiltration.
YARA Rule
rule Korplug_FAST {
    meta:
        description = "Rule to detect Korplug/PlugX FAST variant"
        author = "Florian Roth"
        date = "2015-08-20"
        hash = "c437465db42268332543fbf6fd6a560ca010f19e0fd56562fb83fb704824b371"
    strings:
        $x1 = "%s\\rundll32.exe \"%s\", ShadowPlay" fullword ascii
        $a1 = "ShadowPlay" fullword ascii
        $s1 = "%s\\rundll32.exe \"%s\"," fullword ascii
        $s2 = "nvdisps.dll" fullword ascii
        $s3 = "%snvdisps.dll" fullword ascii
        $s4 = "\\winhlp32.exe" fullword ascii
        $s5 = "nvdisps_user.dat" fullword ascii
        $s6 = "%snvdisps_user.dat" fullword ascii
    condition:
        uint16(0) == 0x5a4d and filesize < 500KB and
        (
            $x1 or
            ($a1 and 1 of ($s*)) or
            4 of ($s*)
        )
}
This YARA rule can be deployed in the following contexts:
This rule contains 8 string patterns in its detection logic: one high-confidence loader command line ($x1), the ShadowPlay export name ($a1) and six supporting file-name and path fragments ($s1 to $s6). The condition first requires an MZ header (uint16(0) == 0x5a4d, i.e. "MZ" read little-endian) and a file size under 500 KB, then accepts the command line alone, the export name together with at least one supporting string, or any four supporting strings. All strings are declared fullword, so a match inside a longer alphanumeric token (for example "ShadowPlayer") does not count.
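To make the condition concrete, here is an added example (not part of the original page or of the rule author's tooling) that re-implements the Korplug_FAST condition in plain Python, including the MZ check, the 500 KB limit and YARA's fullword semantics, and runs it over a handful of constructed byte buffers. The buffers are synthetic stand-ins for files, not real samples; in production you would run the rule itself through yara-python or the yara CLI, and this evaluator exists only to show which combinations of strings do and do not fire.

```python
import re

# The eight strings of the Korplug_FAST rule, as raw bytes. YARA's "\\" and
# "\"" escapes are already resolved here, so these are the bytes on disk.
RULE_STRINGS = {
    "x1": b'%s\\rundll32.exe "%s", ShadowPlay',
    "a1": b"ShadowPlay",
    "s1": b'%s\\rundll32.exe "%s",',
    "s2": b"nvdisps.dll",
    "s3": b"%snvdisps.dll",
    "s4": b"\\winhlp32.exe",
    "s5": b"nvdisps_user.dat",
    "s6": b"%snvdisps_user.dat",
}

MAX_SIZE = 500 * 1024  # YARA "500KB" is 500 * 1024 bytes


def fullword_present(needle: bytes, haystack: bytes) -> bool:
    """YARA 'fullword ascii': the match may not be bordered by [A-Za-z0-9]."""
    pattern = rb"(?<![A-Za-z0-9])" + re.escape(needle) + rb"(?![A-Za-z0-9])"
    return re.search(pattern, haystack) is not None


def korplug_fast_matches(data: bytes) -> bool:
    """Evaluate the rule's condition over one buffer, mirroring the YARA logic."""
    # uint16(0) == 0x5a4d: little-endian read of the bytes "MZ" at offset 0
    if len(data) < 2 or data[:2] != b"MZ":
        return False
    if len(data) >= MAX_SIZE:  # filesize < 500KB
        return False
    hit = {name: fullword_present(s, data) for name, s in RULE_STRINGS.items()}
    s_hits = sum(1 for name, found in hit.items() if name.startswith("s") and found)
    return hit["x1"] or (hit["a1"] and s_hits >= 1) or s_hits >= 4


# Constructed test buffers: a 64-byte DOS-header stub followed by NUL-separated
# strings. These are not real PlugX samples, only inputs for the evaluator.
HEADER = b"MZ" + b"\x00" * 62
SAMPLES = {
    # $x1 alone is sufficient.
    "loader_cmdline": HEADER + b'%s\\rundll32.exe "%s", ShadowPlay\x00',
    # A benign binary that merely names the NVIDIA feature: $a1 with no $s*.
    "shadowplay_only": HEADER + b"ShadowPlay\x00",
    # $a1 plus one supporting string is enough.
    "shadowplay_plus_dll": HEADER + b"ShadowPlay\x00nvdisps.dll\x00",
    # Four supporting strings with neither $x1 nor $a1.
    "four_of_s": HEADER + b'%s\\rundll32.exe "%s",\x00nvdisps.dll\x00'
                          b"\\winhlp32.exe\x00nvdisps_user.dat\x00",
    # Only three supporting strings: below the "4 of ($s*)" threshold.
    "three_of_s": HEADER + b'%s\\rundll32.exe "%s",\x00nvdisps.dll\x00'
                           b"\\winhlp32.exe\x00",
    # "ShadowPlayer" is followed by an alphanumeric, so fullword $a1 fails.
    "fullword_miss": HEADER + b"ShadowPlayer\x00nvdisps.dll\x00",
    # All strings present but no MZ header (a ZIP-like magic instead).
    "not_pe": b"PK\x03\x04" + b"".join(s + b"\x00" for s in RULE_STRINGS.values()),
    # Oversized buffer: the strings are there but filesize < 500KB fails.
    "oversized": HEADER + b"\x00" * 600_000 + b'%s\\rundll32.exe "%s", ShadowPlay\x00',
}


def scan_samples() -> dict:
    """Run the evaluator over every constructed buffer; name -> matched."""
    return {name: korplug_fast_matches(data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, matched in scan_samples().items():
        print(f"{name:22s} {'MATCH' if matched else 'no match'}")
```

The shadowplay_only and fullword_miss cases are the ones to keep in mind when triaging: a file that only contains the word ShadowPlay, or contains it as part of a longer identifier, does not satisfy the condition, which is why a genuine NVIDIA component would need to carry one of the nvdisps/winhlp32 strings as well before it could produce a hit.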
A file-content rule such as the one above fires only on a PE image under 500 KB that contains the listed strings; it does not see process names, scheduled tasks or network connections. None of the scenarios below can therefore trigger the rule on their own. They describe legitimate activity that a hunt will surface once YARA hits are joined with process and network telemetry in the SIEM, and the filters below apply to that correlation step, not to the YARA match itself. Because the rule's strings mimic NVIDIA naming (nvdisps.dll, the ShadowPlay export), the most likely benign source of a partial match is a genuine NVIDIA component; even then the condition needs the rundll32 command line, or the export name plus one file-name string, or four file-name strings, so a binary that merely mentions ShadowPlay does not match.
Scenario: Scheduled System Backup Using Veeam Backup & Replication
Description: A Veeam backup job copies large numbers of executables and generates heavy scheduled network traffic, so it can appear next to genuine hits in a hunt that pairs YARA matches with network telemetry.
Filter/Exclusion: Exclude traffic originating from the Veeam backup server IP, or filter on the process.name field matching veeam.exe or VeeamBackup.exe. A YARA match on a file inside a backup set is still a real match and should be triaged.
Scenario: Windows Task Scheduler Running Maintenance Script
Description: A scheduled task (created with schtasks.exe) that runs PowerShell or a batch script may spawn rundll32.exe or generate network activity resembling the loader invocation captured in $x1; the script itself does not match the rule unless it carries those strings.
Filter/Exclusion: Filter by process.name matching powershell.exe or cmd.exe and check for known legitimate scripts or paths (e.g., C:\Windows\System32\).
Scenario: Remote Desktop Services (RDP) Session Activity
Description: Normal RDP traffic and session management produce connection patterns that a network-based hunt may flag; they do not produce a file match.
Filter/Exclusion: Exclude connections where the source IP is a known internal RDP client, or filter by process.name matching mstsc.exe or rdpclip.exe.
Scenario: Software Update Deployment via Microsoft Endpoint Configuration Manager (MECM)
Description: MECM patch deployment stages many new binaries on endpoints and generates periodic outbound traffic that can resemble C2 beaconing in a network hunt.
Filter/Exclusion: Filter by process.name matching ccmexec.exe or mpcmdrun.exe and check for known MECM update schedules or paths.
Scenario: Database Replication or Synchronization via SQL Server Agent Job
Description: A SQL Server Agent job performing replication or synchronization generates recurring outbound traffic that a network hunt may flag as C2-like.
Filter/Exclusion: Exclude traffic from SQL Server services (`sqlservr