Zc tool v2

Hunt Hypothesis

The Zc tool v2 detection rule identifies potential adversary use of a custom tool for lateral movement or data exfiltration, which may indicate advanced persistent threat activity. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and mitigate early-stage compromise efforts that may evade traditional detection methods.

YARA Rule

rule Trojan_Win32_Plakpeer
{

    meta:
        author = "Microsoft"
        description = "Zc tool v2"
        original_sample_sha1 = "2155c20483528377b5e3fde004bb604198463d29"
        unpacked_sample_sha1 = "dc991ef598825daabd9e70bac92c79154363bab2"
        activity_group = "Platinum"
        version = "1.0"
        last_modified = "2016-04-12"

    strings:
        $str1 = "@@E0020(%d)" wide
        $str2 = /exit.{0,3}@exit.{0,3}new.{0,3}query.{0,3}rcz.{0,3}scz/ wide
        $str3 = "---###---" wide
        $str4 = "---@@@---" wide

    condition:
        $str1 and $str2 and $str3 and $str4
}

Deployment Notes

This YARA rule can be deployed in the following contexts:

• Microsoft Defender for Endpoint — Custom indicators / advanced hunting
• Email Gateway — Attachment scanning
• File Share Monitoring — Periodic scanning of shared drives
• YARA CLI — Manual threat hunting on endpoints

This rule contains 4 string patterns in its detection logic.

• Source Rule

False Positive Guidance

• Scenario: Scheduled system maintenance using task scheduler or cron jobs that invoke legitimate system tools like diskpart or format
  Filter/Exclusion: Check for command_line containing task scheduler or cron and exclude known maintenance scripts or jobs.

• Scenario: Admin performing disk cleanup using cleanmgr.exe or diskcleanup.exe
  Filter/Exclusion: Filter out processes with cleanmgr.exe or diskcleanup.exe in the process_name field.

• Scenario: Automated backup tool like Veeam Backup & Replication or Commvault performing routine backups
  Filter/Exclusion: Exclude processes associated with known backup tools by checking the process_name or command_line for specific tool names.

• Scenario: User running a legitimate disk defragmentation tool like defrag.exe or Optimize-Volume PowerShell cmdlet
  Filter/Exclusion: Filter out processes with defrag.exe or Optimize-Volume in the command_line or process_name.

• Scenario: System update or patching using Windows Update or WSUS that triggers disk operations
  Filter/Exclusion: Exclude processes related to Windows Update by checking the process_name or command_line for wuauclt.exe or wusa.exe.