The hypothesis is that this detection identifies a malicious Word document used by the Poseidon Group to deliver payloads, leveraging document-based attack vectors common to advanced persistent threats. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage compromises by sophisticated adversaries such as the Poseidon Group.
YARA Rule
rule PoseidonGroup_MalDoc_1
{
    meta:
        description = "Detects Poseidon Group - Malicious Word Document"
        author = "Florian Roth"
        reference = "https://securelist.com/blog/research/73673/poseidon-group-a-targeted-attack-boutique-specializing-in-global-cyber-espionage/"
        date = "2016-02-09"
        score = 80
        hash = "0983526d7f0640e5765ded6be6c9e64869172a02c20023f8a006396ff358999b"
    strings:
        $s1 = "c:\\cmd32dll.exe" fullword ascii
    condition:
        uint16(0) == 0xcfd0 and filesize < 500KB and all of them
}
This YARA rule can be deployed in the following contexts:
This rule contains 1 string pattern in its detection logic.
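To make the three clauses of the rule concrete, the following added example (not part of the original page or of the rule author's tooling) re-implements them in plain Python so the logic can be stepped through without a YARA install: the little-endian uint16(0) check for the OLE2 compound-file magic, the 500KB size bound, and the fullword semantics of $s1. The sample byte strings are constructed here for illustration; they are not real documents.

```python
import re
import struct

# Mirrors the condition of PoseidonGroup_MalDoc_1; added example, not the rule author's code.
MAX_SIZE = 500 * 1024            # YARA's "500KB" means 500 * 1024 bytes
OLE_MAGIC_LE = 0xCFD0            # uint16(0) is read little-endian, so bytes D0 CF at offset 0
INDICATOR = b"c:\\cmd32dll.exe"  # $s1, plain ascii, fullword

# YARA 'fullword': the match may not be bordered by alphanumeric characters on either side.
_FULLWORD = re.compile(rb"(?<![A-Za-z0-9])" + re.escape(INDICATOR) + rb"(?![A-Za-z0-9])")


def is_ole_compound_file(data: bytes) -> bool:
    """uint16(0) == 0xcfd0: the legacy OLE2 container used by binary .doc files."""
    if len(data) < 2:
        return False
    return struct.unpack_from("<H", data, 0)[0] == OLE_MAGIC_LE


def has_fullword_indicator(data: bytes) -> bool:
    """$s1 with the fullword modifier."""
    return _FULLWORD.search(data) is not None


def matches_rule(data: bytes) -> bool:
    """Full condition: magic AND size bound AND all strings (here only $s1)."""
    return is_ole_compound_file(data) and len(data) < MAX_SIZE and has_fullword_indicator(data)


def explain(data: bytes) -> dict:
    """Per-clause breakdown, handy when triaging why a file did or did not fire."""
    return {
        "ole_magic": is_ole_compound_file(data),
        "size_ok": len(data) < MAX_SIZE,
        "indicator": has_fullword_indicator(data),
    }


# Constructed samples (not real malware): an OLE2 header signature followed by filler bytes.
OLE_HEADER = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24

# Indicator bordered by NUL bytes: all three clauses hold.
SAMPLE_HIT = OLE_HEADER + b"\x00" * 512 + INDICATOR + b"\x00" * 64
# Indicator glued inside a longer alphanumeric run: fullword rejects it.
SAMPLE_PARTIAL = OLE_HEADER + b"abc" + INDICATOR + b"xyz"
# OOXML (.docx) begins with a ZIP signature, so the uint16(0) clause fails even with $s1 present.
SAMPLE_DOCX = b"PK\x03\x04" + b"\x00" * 64 + INDICATOR
# Right magic and string, but the file is over the size bound.
SAMPLE_LARGE = OLE_HEADER + INDICATOR + b"\x00" * MAX_SIZE

if __name__ == "__main__":
    for name, blob in [("hit", SAMPLE_HIT), ("partial", SAMPLE_PARTIAL),
                       ("docx", SAMPLE_DOCX), ("large", SAMPLE_LARGE)]:
        print(f"{name:8s} match={matches_rule(blob)} {explain(blob)}")
```

The per-clause `explain` output is the useful part in practice: a benign OLE file that carries the string but exceeds 500KB, or a modern .docx that is a ZIP rather than an OLE2 container, both fail for different reasons, and knowing which clause failed tells an analyst whether the rule or the sample is the odd one out.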
Scenario: Legitimate Word Document Generation via Microsoft Word
Description: A user creates a standard Word document using Microsoft Word for internal reporting or documentation.
Filter/Exclusion: process.name != "WINWORD.EXE" and process.name != "MSWORD.EXE"
Scenario: Scheduled Backup Job Using PowerShell to Generate Word Documents
Description: A scheduled task runs a PowerShell script that generates Word documents as part of an automated backup or reporting process.
Filter/Exclusion: process.name != "POWERSHELL.EXE" or process.parent.name != "SCHTASKS.EXE"
Scenario: System Administration Task Using Word to Generate Reports
Description: An admin uses Word to create system status reports or configuration documentation.
Filter/Exclusion: process.name != "WINWORD.EXE" or user.name != "admin_account"
Scenario: Malware Analysis Lab Testing with Known Malicious Documents
Description: Security researchers are testing a known malicious Word document in a sandboxed environment.
Filter/Exclusion: process.parent.name != "VMware.exe" and process.parent.name != "VirtualBox.exe"
Scenario: Automated Email Generation Using Word Templates
Description: A script or application uses Word templates to generate and send out automated emails (e.g., for customer support or notifications).
Filter/Exclusion: process.name != "WINWORD.EXE" or process.parent.name != "Outlook.exe"
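The exclusion expressions above are easy to get subtly wrong: two inequalities on the same field joined with `or` are always true, so such a filter excludes nothing, whereas inequalities on two different fields joined with `or` correctly drop only the combination (not(A and B) is not A or not B). The following added example, not part of the original page, applies both shapes to a handful of constructed process events (hypothetical field values, modelled on the process.name / process.parent.name / user.name fields used above) so the difference is visible in the surviving event count.

```python
# Added example: evaluating tuning exclusions against constructed process events.
# Field names follow the page's scenarios; the event values are made up for illustration.
EVENTS = [
    {"process.name": "WINWORD.EXE",    "process.parent.name": "explorer.exe", "user.name": "jdoe"},
    {"process.name": "MSWORD.EXE",     "process.parent.name": "explorer.exe", "user.name": "jdoe"},
    {"process.name": "POWERSHELL.EXE", "process.parent.name": "SCHTASKS.EXE", "user.name": "svc_backup"},
    {"process.name": "POWERSHELL.EXE", "process.parent.name": "explorer.exe", "user.name": "jdoe"},
    {"process.name": "WINWORD.EXE",    "process.parent.name": "Outlook.exe",  "user.name": "jdoe"},
]


def keep_same_field_or(ev: dict) -> bool:
    """Same field, two inequalities, 'or': a tautology. Nothing is ever excluded."""
    return ev["process.name"] != "WINWORD.EXE" or ev["process.name"] != "MSWORD.EXE"


def keep_same_field_and(ev: dict) -> bool:
    """Same field, two inequalities, 'and': excludes every Word process, as intended."""
    return ev["process.name"] != "WINWORD.EXE" and ev["process.name"] != "MSWORD.EXE"


def keep_not_scheduled_powershell(ev: dict) -> bool:
    """Different fields joined with 'or': excludes only the (child, parent) pair."""
    return ev["process.name"] != "POWERSHELL.EXE" or ev["process.parent.name"] != "SCHTASKS.EXE"


def keep_not_outlook_word(ev: dict) -> bool:
    """Different fields joined with 'or': excludes only Word spawned by Outlook."""
    return ev["process.name"] != "WINWORD.EXE" or ev["process.parent.name"] != "Outlook.exe"


def apply_filter(events: list, keep) -> list:
    """Return the events that survive an exclusion filter."""
    return [e for e in events if keep(e)]


def excluded_by(events: list, keep) -> list:
    """Return the events an exclusion filter drops; an empty list means the filter is inert."""
    return [e for e in events if not keep(e)]


if __name__ == "__main__":
    for name, pred in [("same-field or", keep_same_field_or),
                       ("same-field and", keep_same_field_and),
                       ("not scheduled powershell", keep_not_scheduled_powershell),
                       ("not outlook->word", keep_not_outlook_word)]:
        print(f"{name:26s} kept={len(apply_filter(EVENTS, pred))} dropped={len(excluded_by(EVENTS, pred))}")
```

Checking `excluded_by` against a sample of known-benign events is a cheap regression test for a tuning change: an exclusion that drops zero events is either unnecessary or, as in the same-field `or` case, logically inert.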