The Mirage APT detection rule identifies potential adversary behavior involving obfuscated payloads and lateral movement within a network, which may indicate a sophisticated, stealthy attack. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and mitigate early-stage APT activity that may evade traditional detection methods.
YARA Rule
rule Mirage_APT
{
    meta:
        Author = "Silas Cutler"
        Date = "yyyy/mm/dd"
        Description = "Malware related to APT campaign"
        Reference = "Useful link"
    strings:
        // Family-specific plaintext markers (YARA plain strings are case-sensitive ASCII by default)
        $a1 = "welcome to the desert of the real"
        $a2 = "Mirage"
        // HTTP header fragment
        $b = "Encoding: gzip"
        // Request URI path ending in a ?hl=en query string
        $c = /\/[A-Za-z]*\?hl=en/
    condition:
        // At least one family/header marker, and the URI pattern must always be present
        (($a1 or $a2) or $b) and $c
}
This rule contains 4 string patterns in its detection logic.
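To make the condition concrete before tuning exclusions, the following added example (not part of the original rule or page) re-implements the four string checks and the condition in plain Python and runs them over constructed buffers. It shows that $c is mandatory, that a product name containing "Mirage" alone does not fire, and that the plain strings are case-sensitive.

```python
import re

# Plain-text strings from the Mirage_APT rule (YARA plain strings are
# case-sensitive ASCII matches unless modified with "nocase"/"wide").
A1 = b"welcome to the desert of the real"
A2 = b"Mirage"
B = b"Encoding: gzip"
# The rule's regex /\/[A-Za-z]*\?hl=en/ as a bytes pattern.
C = re.compile(rb"/[A-Za-z]*\?hl=en")


def mirage_strings(data: bytes) -> dict:
    """Return which of the rule's string identifiers are present in data."""
    return {
        "$a1": A1 in data,
        "$a2": A2 in data,
        "$b": B in data,
        "$c": C.search(data) is not None,
    }


def mirage_match(data: bytes) -> bool:
    """Evaluate the rule condition: (($a1 or $a2) or $b) and $c."""
    s = mirage_strings(data)
    return (s["$a1"] or s["$a2"] or s["$b"]) and s["$c"]


# Constructed sample buffers (not real samples) that exercise the condition.
SAMPLES = {
    # Header fragment plus ?hl=en URI: both sides of the condition hold.
    "beacon_like": b"GET /search?hl=en HTTP/1.1\r\nAccept-Encoding: gzip\r\n\r\n",
    # Product name only: $a2 hits but $c is absent, so the rule must not fire.
    "name_only": b"MirageBackupAgent v2.1 - nightly job complete",
    # Lower-case header: plain strings are case-sensitive, so $b does not hit.
    "lowercase": b"GET /q?hl=en HTTP/1.1\r\naccept-encoding: gzip\r\n",
    # URI pattern alone does not satisfy the left-hand side of the condition.
    "uri_only": b"https://example.invalid/translate?hl=en",
}

if __name__ == "__main__":
    for name, buf in SAMPLES.items():
        print(f"{name:12s} match={mirage_match(buf)} {mirage_strings(buf)}")
```

The same evaluator can be pointed at files or memory dumps pulled during triage to see which identifier drove a hit before writing a process-name exclusion.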
Scenario: Scheduled System Backup Using Veeam Backup & Replication
Description: A legitimate backup process using Veeam may trigger the Mirage APT YARA rule due to similar file patterns or strings.
Filter/Exclusion: Check for process.name containing “Veeam” or “backup” and filter out processes related to backup jobs.

Scenario: Windows Update or Patching via Windows Server Update Services (WSUS)
Description: WSUS may execute scripts or use tools that match the Mirage APT rule due to similar command-line arguments or file names.
Filter/Exclusion: Filter processes where process.name is “wuauclt.exe” or “wsus” and check for process.parent.name being “svchost.exe” or “services.exe”.

Scenario: Admin Task Using PowerShell for Log Management with LogParser
Description: A system administrator may use LogParser (from the Windows Server SDK) to process logs, which could match the Mirage APT rule.
Filter/Exclusion: Filter for process.name containing “LogParser” and check for process.parent.name being “cmd.exe” or “powershell.exe” with known admin tasks.

Scenario: Database Maintenance Job Using SQL Server Agent
Description: SQL Server Agent jobs may execute scripts or use tools that resemble malicious activity, triggering the Mirage APT rule.
Filter/Exclusion: Filter for process.name containing “sqlservr.exe” or “sqlagent.exe” and check for process.parent.name being “sqlservr.exe” or “services.exe”.

Scenario: File Integrity Monitoring Tool Using Tripwire
Description: Tripwire may generate files or use command-line tools that match the Mirage APT rule due to similar string patterns.
Filter/Exclusion: Filter