The hypothesis is that the detected Remote Access Tool is associated with the APT Terracotta group and may indicate initial compromise or command and control activity. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential APT activity early and prevent further lateral movement or data exfiltration.
YARA Rule
rule RemoteExec_Tool
{
    meta:
        description = "Remote Access Tool used in APT Terracotta"
        author = "Florian Roth"
        reference = "https://blogs.rsa.com/terracotta-vpn-enabler-of-advanced-threat-anonymity/"
        date = "2015-08-04"
        hash = "a550131e106ff3c703666f15d55d9bc8c816d1cb9ac1b73c2e29f8aa01e53b78"
    strings:
        $s0 = "cmd.exe /q /c \"%s\"" fullword ascii
        $s1 = "\\\\.\\pipe\\%s%s%d" fullword ascii
        $s2 = "This is a service executable! Couldn't start directly." fullword ascii
        $s3 = "\\\\.\\pipe\\TermHlp_communicaton" fullword ascii
        $s4 = "TermHlp_stdout" fullword ascii
        $s5 = "TermHlp_stdin" fullword ascii
    condition:
        uint16(0) == 0x5a4d and filesize < 75KB and 4 of ($s*)
}
This YARA rule can be deployed in the following contexts:
This rule contains 6 string patterns ($s0 through $s5) in its detection logic; at least 4 of them must match, and the file must also start with the MZ header (uint16(0) == 0x5a4d) and be smaller than 75KB.
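To show exactly what the condition above evaluates, here is an added pure-Python re-implementation of the rule's logic (this is example code written for this page, not Florian Roth's rule or any YARA library code). It assumes yara-python is not installed and therefore reproduces the three checks by hand: the little-endian MZ header test, the 75KB size limit (YARA's KB is 1024 bytes), and the "4 of ($s*)" count with YARA's fullword semantics, where a string counts only if no alphanumeric byte sits directly before or after it. The test buffers at the bottom are constructed for the walkthrough and are not real samples.

```python
import re

# Literal byte patterns from the RemoteExec_Tool rule, with YARA's backslash
# escaping resolved to the bytes that appear in a matching file.
RULE_STRINGS = {
    "$s0": b'cmd.exe /q /c "%s"',
    "$s1": b"\\\\.\\pipe\\%s%s%d",
    "$s2": b"This is a service executable! Couldn't start directly.",
    "$s3": b"\\\\.\\pipe\\TermHlp_communicaton",  # spelling exactly as in the rule
    "$s4": b"TermHlp_stdout",
    "$s5": b"TermHlp_stdin",
}
MAX_FILESIZE = 75 * 1024   # YARA's "75KB" means 75 * 1024 bytes
REQUIRED_HITS = 4          # "4 of ($s*)"
ALNUM = re.compile(rb"[A-Za-z0-9]")


def fullword_match(data: bytes, needle: bytes) -> bool:
    """True if needle occurs in data with no alphanumeric byte on either side
    (YARA's 'fullword' modifier). Buffer edges count as word boundaries."""
    for m in re.finditer(re.escape(needle), data):
        before = data[m.start() - 1:m.start()] if m.start() > 0 else b""
        after = data[m.end():m.end() + 1]
        if not ALNUM.match(before) and not ALNUM.match(after):
            return True
    return False


def matched_strings(data: bytes) -> list:
    """Names of the rule strings that match, in rule order."""
    return [name for name, needle in RULE_STRINGS.items() if fullword_match(data, needle)]


def rule_matches(data: bytes) -> bool:
    """Evaluate: uint16(0) == 0x5a4d and filesize < 75KB and 4 of ($s*)."""
    if data[:2] != b"MZ":            # 0x5a4d read little-endian is the bytes 'M','Z'
        return False
    if len(data) >= MAX_FILESIZE:    # filesize < 75KB
        return False
    return len(matched_strings(data)) >= REQUIRED_HITS


def build_sample(strings, pe_header=True, pad_to=0) -> bytes:
    """Constructed test buffer: a fake 64-byte DOS header (or a script shebang)
    followed by NUL-separated strings. This is not a real executable."""
    head = (b"MZ" + b"\x00" * 62) if pe_header else b"#!/bin/sh\n"
    body = head + b"\x00".join(strings) + b"\x00"
    return body.ljust(pad_to, b"\x00")


# Constructed inputs for the walkthrough (none of these are real samples).
ALL_STRINGS = list(RULE_STRINGS.values())
CONSTRUCTED_HIT = build_sample(ALL_STRINGS)                       # all checks pass
CONSTRUCTED_FEW_STRINGS = build_sample([RULE_STRINGS["$s4"], RULE_STRINGS["$s5"]])  # only 2 of 6
CONSTRUCTED_NOT_PE = build_sample(ALL_STRINGS, pe_header=False)   # strings present, no MZ header
CONSTRUCTED_TOO_LARGE = build_sample(ALL_STRINGS, pad_to=80 * 1024)  # over the 75KB limit
# Strings glued to alphanumerics fail 'fullword', so these never count.
CONSTRUCTED_EMBEDDED = b"MZ" + b"\x00" * 62 + b"xTermHlp_stdoutx xTermHlp_stdinx\x00"

if __name__ == "__main__":
    for label, buf in [("hit", CONSTRUCTED_HIT), ("few strings", CONSTRUCTED_FEW_STRINGS),
                       ("not PE", CONSTRUCTED_NOT_PE), ("too large", CONSTRUCTED_TOO_LARGE),
                       ("embedded", CONSTRUCTED_EMBEDDED)]:
        print(f"{label:12s} match={rule_matches(buf)!s:5s} strings={matched_strings(buf)}")
```

The "not PE" and "too large" cases are the ones worth remembering when tuning: a memory dump or a dropper that embeds the tool as a resource can contain every string and still not fire this rule, because the header and size constraints are evaluated against the scanned object, not the embedded payload.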
Scenario: Legitimate Remote Execution via PowerShell for System Maintenance
Description: An admin uses PowerShell to execute remote commands for system patching or configuration updates.
Filter/Exclusion: Check for ProcessName = "powershell.exe" and CommandLine containing known admin scripts or Invoke-Command with valid domain credentials.

Scenario: Scheduled Job Execution via PsExec for Patch Deployment
Description: A scheduled job uses PsExec to run maintenance tasks across multiple servers in the environment.
Filter/Exclusion: Filter by ProcessName = "psexec.exe" and check for CommandLine containing valid domain credentials and known patching scripts.

Scenario: Remote Desktop Protocol (RDP) Session with Admin Credentials
Description: An admin connects to a server via RDP using their domain credentials for troubleshooting.
Filter/Exclusion: Monitor for ProcessName = "mstsc.exe" and check for CommandLine containing valid domain credentials and known admin IP ranges.

Scenario: Remote Code Execution via SSH for DevOps Pipeline Tasks
Description: A DevOps engineer uses SSH to execute scripts on a remote server as part of a CI/CD pipeline.
Filter/Exclusion: Filter by ProcessName = "ssh.exe" and check for CommandLine containing known CI/CD tool names (e.g., Jenkins, GitLab) and valid SSH keys.

Scenario: Remote Monitoring Tool (e.g., Nagios) Checking System Health
Description: A monitoring tool like Nagios checks system health and executes remote commands to gather metrics.
Filter/Exclusion: Filter by ProcessName = "nagios.exe" or ProcessName = "check_nrpe.exe" and ensure the command is part of a known monitoring script set.
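The five exclusions above are easier to reason about once they are written as one triage function, so here is an added Python example that encodes them over constructed process events (example code written for this page; it is not Sentinel's or any vendor's logic). Every allowlist in it is an assumption: the corporate domain name, the admin IP range, and the script and tool names are placeholders for the organisation's own inventories. "Valid domain credentials" is modelled as the initiating account belonging to the corporate domain, the RDP "known admin IP range" is checked against the session's source address, and the SSH "valid SSH keys" check is left out because key validity cannot be judged from a command line. Anything not matched by an exclusion is returned for analyst review.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# All allowlists below are assumptions for this example; a real deployment
# sources them from the organisation's own CMDB, script repository and IPAM.
CORPORATE_DOMAIN = "CORP"
ADMIN_IP_RANGES = [ip_network("10.10.50.0/24")]
KNOWN_ADMIN_SCRIPTS = {"Patch-Servers.ps1", "Set-BaselineConfig.ps1"}
KNOWN_PATCH_SCRIPTS = {"deploy_patches.cmd"}
KNOWN_CI_TOOLS = {"jenkins", "gitlab"}
KNOWN_MONITORING_CHECKS = {"check_disk", "check_load", "check_procs"}


@dataclass
class ProcessEvent:
    """Minimal shape of a process-creation record as a hunt query would return it."""
    process_name: str
    command_line: str
    account_domain: str      # domain of the initiating account
    remote_ip: str = ""      # source address of the session, if the log has it


def _in_admin_range(ip: str) -> bool:
    if not ip:
        return False
    addr = ip_address(ip)
    return any(addr in net for net in ADMIN_IP_RANGES)


def exclusion_reason(ev: ProcessEvent) -> Optional[str]:
    """Return the benign scenario an event matches, or None if it needs triage."""
    name = ev.process_name.lower()
    cmd = ev.command_line
    domain_ok = ev.account_domain.upper() == CORPORATE_DOMAIN   # assumed credential check

    if name == "powershell.exe" and domain_ok and (
        "Invoke-Command" in cmd or any(s in cmd for s in KNOWN_ADMIN_SCRIPTS)
    ):
        return "admin PowerShell remoting"
    if name == "psexec.exe" and domain_ok and any(s in cmd for s in KNOWN_PATCH_SCRIPTS):
        return "scheduled PsExec patch deployment"
    if name == "mstsc.exe" and domain_ok and _in_admin_range(ev.remote_ip):
        return "admin RDP session"
    if name == "ssh.exe" and any(t in cmd.lower() for t in KNOWN_CI_TOOLS):
        return "CI/CD pipeline SSH task"
    if name in ("nagios.exe", "check_nrpe.exe") and any(c in cmd for c in KNOWN_MONITORING_CHECKS):
        return "monitoring health check"
    return None


def triage(events: List[ProcessEvent]) -> List[ProcessEvent]:
    """Events left after all known-benign scenarios are removed."""
    return [ev for ev in events if exclusion_reason(ev) is None]


# Constructed sample events (not from any real environment).
CONSTRUCTED_EVENTS = [
    ProcessEvent("powershell.exe", "powershell.exe -File C:\\Admin\\Patch-Servers.ps1", "CORP"),
    ProcessEvent("psexec.exe", "psexec.exe \\\\srv01 -s cmd /c deploy_patches.cmd", "CORP"),
    ProcessEvent("mstsc.exe", "mstsc.exe /v:srv02", "CORP", remote_ip="10.10.50.17"),
    ProcessEvent("mstsc.exe", "mstsc.exe /v:srv02", "CORP", remote_ip="203.0.113.9"),  # outside admin range
    ProcessEvent("ssh.exe", "ssh.exe deploy@build01 ./jenkins/run_stage.sh", "CORP"),
    ProcessEvent("check_nrpe.exe", "check_nrpe.exe -H srv03 -c check_disk", "CORP"),
    ProcessEvent("cmd.exe", 'cmd.exe /q /c "whoami"', "CORP"),            # same shape as the rule's $s0
    ProcessEvent("powershell.exe", "powershell.exe -File C:\\Admin\\Patch-Servers.ps1", "WORKGROUP"),
]

if __name__ == "__main__":
    for ev in CONSTRUCTED_EVENTS:
        print(f"{ev.process_name:16s} -> {exclusion_reason(ev) or 'TRIAGE'}")
```

Note that the last event is the important one: the same admin script launched under a non-domain account is not excluded, because the exclusions are conjunctions of process, command line and account context rather than a process-name allowlist on its own.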