Threat Group 3390 APT actors may use hardcoded credentials, C2 domains, and malicious strings to establish persistence and exfiltrate data. Proactively hunting for these indicators in Azure Sentinel helps SOC teams identify and mitigate advanced persistent threats before they cause significant damage.
YARA Rule
rule ThreatGroup3390_Strings
{
    meta:
        description = "Threat Group 3390 APT - Strings"
        author = "Florian Roth"
        reference = "http://snip.ly/giNB"
        date = "2015-08-06"
        score = 60
    strings:
        $s1 = "\"cmd\" /c cd /d \"c:\\Windows\\Temp\\\"©" ascii
        $s2 = "svchost.exe a -k -r -s -m5 -v1024000 -padmin-windows2014"
        $s3 = "ren *.rar *.zip" fullword ascii
        $s4 = "c:\\temp\\ipcan.exe" fullword ascii
        $s5 = "<%eval(Request.Item(\"admin-na-google123!@#" ascii
    condition:
        1 of them and filesize < 30KB
}
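To make the condition concrete, here is an added Python emulation of how this rule's logic evaluates against a buffer. It is example code written for this page, not YARA itself and not the rule author's code: it resolves the five string literals to the bytes they match, applies the `fullword` modifier where the rule does (no alphanumeric byte on either side of the hit), and combines "1 of them" with `filesize < 30KB` (YARA's KB is 1024 bytes). The `$s1` literal reproduces the trailing character exactly as printed above. The sample buffers are constructed for the demonstration.

```python
from dataclasses import dataclass
from typing import Dict, List

KB = 1024  # YARA's KB suffix means 1024 bytes


@dataclass(frozen=True)
class Pattern:
    name: str
    value: bytes
    fullword: bool = False  # YARA 'fullword': no alphanumeric byte before or after the hit


# The rule's strings with YARA escapes resolved to the bytes they match.
# $s1 is reproduced with the trailing character exactly as shown on the page.
RULE_STRINGS = (
    Pattern("$s1", '"cmd" /c cd /d "c:\\Windows\\Temp\\"©'.encode("utf-8")),
    Pattern("$s2", b"svchost.exe a -k -r -s -m5 -v1024000 -padmin-windows2014"),
    Pattern("$s3", b"ren *.rar *.zip", fullword=True),
    Pattern("$s4", b"c:\\temp\\ipcan.exe", fullword=True),
    Pattern("$s5", b'<%eval(Request.Item("admin-na-google123!@#'),
)


def find_string(data: bytes, pat: Pattern) -> bool:
    """True if pat occurs in data, honouring the fullword modifier like YARA does."""
    start = 0
    while True:
        idx = data.find(pat.value, start)
        if idx < 0:
            return False
        if not pat.fullword:
            return True
        end = idx + len(pat.value)
        # bytes.isalnum() is ASCII-only, which matches YARA's fullword definition.
        before_ok = idx == 0 or not data[idx - 1:idx].isalnum()
        after_ok = end == len(data) or not data[end:end + 1].isalnum()
        if before_ok and after_ok:
            return True
        start = idx + 1  # keep scanning: a later occurrence may be word-delimited


def evaluate_rule(data: bytes) -> Dict[str, object]:
    """Emulate: condition: 1 of them and filesize < 30KB."""
    matched: List[str] = [p.name for p in RULE_STRINGS if find_string(data, p)]
    filesize_ok = len(data) < 30 * KB
    return {
        "matched": matched,
        "filesize_ok": filesize_ok,
        "match": bool(matched) and filesize_ok,
    }


# Constructed sample buffers (not real samples).
SMALL_HIT = b"@echo off\r\nren *.rar *.zip\r\n"          # $s3 as a whole word, tiny file
NOT_FULLWORD = b"xren *.rar *.zipx"                       # $s3 glued to letters: fullword fails
WEBSHELL_LIKE = b'<%eval(Request.Item("admin-na-google123!@#"))%>'  # $s5, no fullword needed
LARGE_HIT = SMALL_HIT + b"\x00" * (30 * KB)               # string present but file too big

if __name__ == "__main__":
    for label, buf in [("small", SMALL_HIT), ("not_fullword", NOT_FULLWORD),
                       ("webshell", WEBSHELL_LIKE), ("large", LARGE_HIT)]:
        print(label, evaluate_rule(buf))
```

The `LARGE_HIT` case is the one analysts most often trip over: the string is present, so the emulation reports `$s3` in `matched`, but the 30KB ceiling makes the overall rule evaluate false. That is also why the rule's `filesize` bound is worth keeping in mind when triaging a sample that "should have matched".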
This rule contains 5 string patterns in its detection logic. The scenarios below describe contexts in which a match may be benign and how to filter or exclude it.
Scenario: Legitimate scheduled job using hardcoded credentials
Description: A scheduled job (e.g., sqljob.exe) runs under a service account with hardcoded credentials for database access.
Filter/Exclusion: Check for process.parent_process_name containing "SQL Server Agent" or "SQLJob" and exclude processes with process.name matching sqljob.exe and process.parent_process_name matching "sqlagent.exe".
Scenario: Admin task using C2 domain for internal tooling
Description: An admin uses a domain (e.g., internal-c2.example.com) for internal command and control of a legitimate tool like PsExec or PowerShell for remote management.
Filter/Exclusion: Exclude domains that match internal C2 infrastructure (e.g., internal-c2.example.com) and filter by process.name containing "PowerShell" or "PsExec".
Scenario: Malicious string in legitimate script for log analysis
Description: A script used for log analysis (e.g., logparser.exe) contains a string matching a known malicious pattern, such as cmd.exe /c.
Filter/Exclusion: Exclude processes with process.name matching logparser.exe or eventvwr.exe and filter by process.parent_process_name containing "Task Scheduler" or "Windows Event Log".
Scenario: Endpoint scanning tool using known malicious strings
Description: An endpoint security tool (e.g., CrowdStrike FSD) includes a known malicious string in its scan logic for signature matching.
Filter/Exclusion: Exclude processes with process.name matching "CrowdStrike" or "FSD" and filter by process.parent_process_name containing "Windows Defender" or "Endpoint Protection".
Scenario: Email gateway using malicious strings for phishing detection
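The exclusions in the scenarios above share one shape: a YARA hit is suppressed only when several enrichment fields agree (the process name and its parent, or a domain and a process name). As an added example that is not part of the page, the following Python encodes the four completed scenarios as exclusion rules and runs them over constructed alert records. The field names process.name and process.parent_process_name come from the page; the domain field, the exclusion names and all sample alert values are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# An alert is a flat dict of field name -> value: the YARA hit enriched
# with process telemetry. Field names follow the scenarios on the page;
# "domain" is an assumed enrichment field for the C2-domain scenario.
Alert = Dict[str, str]
Predicate = Callable[[str], bool]


def equals(*values: str) -> Predicate:
    """Case-insensitive exact match against any of the given values."""
    wanted = {v.lower() for v in values}
    return lambda actual: actual.lower() in wanted


def contains(*needles: str) -> Predicate:
    """Case-insensitive substring match against any of the given needles."""
    lowered = [n.lower() for n in needles]
    return lambda actual: any(n in actual.lower() for n in lowered)


@dataclass(frozen=True)
class Exclusion:
    name: str
    checks: Dict[str, Predicate]  # every field predicate must hold for the exclusion to apply

    def applies(self, alert: Alert) -> bool:
        return all(pred(alert.get(field_name, "")) for field_name, pred in self.checks.items())


# One exclusion per completed scenario. Names are assumptions for the example.
EXCLUSIONS = (
    Exclusion("sql-agent-job", {
        "process.name": equals("sqljob.exe"),
        "process.parent_process_name": equals("sqlagent.exe"),
    }),
    Exclusion("internal-remote-admin", {
        "domain": equals("internal-c2.example.com"),
        "process.name": contains("powershell", "psexec"),
    }),
    Exclusion("log-analysis-script", {
        "process.name": equals("logparser.exe", "eventvwr.exe"),
        "process.parent_process_name": contains("task scheduler", "windows event log"),
    }),
    Exclusion("endpoint-scanner", {
        "process.name": contains("crowdstrike", "fsd"),
        "process.parent_process_name": contains("windows defender", "endpoint protection"),
    }),
)


def classify(alert: Alert) -> Optional[str]:
    """Return the name of the first exclusion that explains the alert, else None."""
    for exclusion in EXCLUSIONS:
        if exclusion.applies(alert):
            return exclusion.name
    return None


def triage(alerts: List[Alert]) -> List[Alert]:
    """Keep only the alerts that no exclusion explains, i.e. the ones to investigate."""
    return [a for a in alerts if classify(a) is None]


# Constructed sample alerts (not real telemetry).
SAMPLE_ALERTS: List[Alert] = [
    {"process.name": "sqljob.exe", "process.parent_process_name": "sqlagent.exe", "domain": ""},
    {"process.name": "sqljob.exe", "process.parent_process_name": "cmd.exe", "domain": ""},
    {"process.name": "logparser.exe", "process.parent_process_name": "Task Scheduler", "domain": ""},
    {"process.name": "powershell.exe", "process.parent_process_name": "explorer.exe",
     "domain": "internal-c2.example.com"},
    {"process.name": "powershell.exe", "process.parent_process_name": "winword.exe",
     "domain": "unknown.example"},
]

if __name__ == "__main__":
    for alert in SAMPLE_ALERTS:
        print(classify(alert) or "INVESTIGATE", alert)
```

Requiring every field in an exclusion to agree is what keeps the tuning safe: the second sample alert carries the excluded binary name sqljob.exe but was launched from cmd.exe rather than the SQL Server Agent, so it stays in the triage queue instead of being silenced by a name match alone.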