The hypothesis is that the detection of ELF obfuscation in a file indicates the presence of the Sindoor dropper, a known tool associated with APT 36, which is used to deliver malicious payloads. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential APT 36 intrusions early in the attack lifecycle.
YARA Rule
rule SUSP_LNX_Sindoor_ELF_Obfuscation_Aug25 {
   meta:
      description = "Detects ELF obfuscation technique used by Sindoor dropper related to APT 36"
      author = "Pezier Pierre-Henri"
      date = "2025-08-29"
      score = 70
      reference = "Internal Research"
      hash = "6879a2b730e391964afe4dbbc29667844ba0c29239be5503b7c86e59e7052443"
      id = "97802224-0d8b-5691-a6f1-f031626cda53"
   strings:
      $s1 = "UPX!"
   condition:
      filesize < 10MB
      and uint16(0) == 0
      and uint16(4) > 0
      and $s1 in (0xc0..0x100)
}
This YARA rule can be deployed in the following contexts:
This rule contains one string pattern ($s1) in its detection logic; the remaining conditions are header checks: the first two bytes of the file (where the ELF magic 0x7f 'E' normally sits) are zero, the bytes at offset 4 are still populated, and the UPX marker appears between offsets 0xc0 and 0x100.
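The following Python script is an added example, not part of the original page or the rule author's tooling: it re-implements the rule's condition block so the logic can be checked against a file during triage without a YARA engine, and applies the path-based exclusion from the security-tool scenario below. The sample byte strings and the exclusion prefixes are constructed for illustration.

```python
import struct

MAX_SIZE = 10 * 1024 * 1024               # filesize < 10MB (YARA MB = 2^20)
MARKER = b"UPX!"                          # $s1
MARKER_OFFSETS = range(0xC0, 0x100 + 1)   # $s1 in (0xc0..0x100) is inclusive
# Assumed exclusion list taken from the scenarios on this page; tune per environment.
EXCLUDED_PREFIXES = ("/opt/ossec/", "/usr/share/elk/")


def u16(data: bytes, offset: int) -> int:
    """Little-endian unsigned 16-bit read, matching YARA's uint16()."""
    return struct.unpack_from("<H", data, offset)[0]


def matches_sindoor_rule(data: bytes) -> bool:
    """Re-implements the rule's condition block on an in-memory file image."""
    if len(data) >= MAX_SIZE or len(data) < 6:
        return False
    if u16(data, 0) != 0:          # ELF magic (0x7f 'E') has been zeroed out
        return False
    if u16(data, 4) == 0:          # EI_CLASS / EI_DATA bytes are still populated
        return False
    # The UPX marker survives the header tampering inside a fixed window.
    return any(data.startswith(MARKER, off) for off in MARKER_OFFSETS)


def is_excluded_path(path: str) -> bool:
    """Scenario-based exclusion: binaries under known security-tool directories."""
    return path.startswith(EXCLUDED_PREFIXES)


def scan_file(path: str) -> bool:
    """True when the file on disk matches the rule and is not path-excluded."""
    if is_excluded_path(path):
        return False
    with open(path, "rb") as fh:
        return matches_sindoor_rule(fh.read(MAX_SIZE))


def build_sample(marker_offset=None, size=0x200) -> bytes:
    """Constructed input: magic zeroed, EI_CLASS=2 and EI_DATA=1 left intact,
    optionally with 'UPX!' written at marker_offset."""
    buf = bytearray(size)
    buf[4], buf[5] = 2, 1
    if marker_offset is not None:
        buf[marker_offset:marker_offset + 4] = MARKER
    return bytes(buf)


# Constructed: an intact ELF header with a UPX marker, which the rule must not flag.
INTACT_ELF = b"\x7fELF\x02\x01\x01" + bytes(0xC9) + MARKER + bytes(0x100)

if __name__ == "__main__":
    print(matches_sindoor_rule(build_sample(0xD0)))    # True
    print(matches_sindoor_rule(INTACT_ELF))            # False
```

Note that an ordinary UPX-packed ELF with its magic intact does not match: the rule keys on the zeroed header, not on UPX packing itself.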
Scenario: Legitimate ELF file obfuscation for code signing or packaging
Description: A developer uses a tool like elf2bin or strip to obfuscate an ELF binary as part of a packaging or signing process.
Filter/Exclusion: Check for known development tools in the process command line or file metadata (e.g., file command output indicating it’s a valid executable). Exclude files with known signing tools or build directories.
Scenario: Scheduled system maintenance job using obfuscated scripts
Description: A system administrator runs a scheduled job using a tool like cron or systemd that executes an obfuscated ELF binary for routine maintenance (e.g., log rotation, disk cleanup).
Filter/Exclusion: Filter by process owner (e.g., root or sysadmin), check for presence of cron or systemd in the parent process, and exclude paths commonly used for scheduled tasks (e.g., /etc/cron.d/, /var/spool/cron/).
Scenario: Security tool or SIEM agent using obfuscated binaries
Description: A security tool like OSSEC or ELK Stack uses an obfuscated ELF binary for internal processing or data collection.
Filter/Exclusion: Exclude binaries located in known security tool directories (e.g., /opt/ossec/, /usr/share/elk/) and check for known tool signatures or version strings.
Scenario: Admin task involving binary manipulation using objdump or readelf
Description: An admin uses objdump or readelf to analyze or modify an ELF binary for debugging or compatibility purposes.
Filter/Exclusion: Filter by command line arguments (e.g., presence of --help, --info, or --output),