The hypothesis is that an adversary is using a Turla dropper to establish persistence by writing an executable (rsys.exe) into the user's AppData\Local\Temp directory and registering an auto-start user-mode service named "RPC Endpoint Locator". A SOC team should proactively hunt for this behavior in Azure Sentinel (now Microsoft Sentinel) to identify potential Turla campaign activity and remove the persistence before the implant is used for follow-on activity such as lateral movement.
YARA Rule
rule turla_dropper
{
    meta:
        maltype = "turla dropper"
        ref = "https://github.com/reed1713"
        reference = "http://info.baesystemsdetica.com/rs/baesystems/images/snake_whitepaper.pdf"
        date = "3/13/2014"
        description = "This sample was pulled from the BAE Systems Snake campaign report. The Turla dropper creates a file in the temp dir and registers an auto-start service called \"RPC Endpoint Locator\"."
    strings:
        // Branch 1: Security log process creation (4688) of the dropped binary
        $type = "Microsoft-Windows-Security-Auditing"
        $eventid = "4688"
        $data = "AppData\\Local\\Temp\\rsys.exe"
        // Branch 2: System log service state change (7036) ...
        $type1 = "Service Control Manager"
        $eventid1 = "7036"
        $data1 = "RPC Endpoint Locator"
        $data2 = "running"
        // ... plus service installation (7045) of an auto-start user-mode service
        $type2 = "Service Control Manager"
        $eventid2 = "7045"
        $data3 = "RPC Endpoint Locator"
        $data4 = "user mode service"
        $data5 = "auto start"
    condition:
        ($type and $eventid and $data) or
        ($type1 and $eventid1 and $data1 and $data2 and $type2 and $eventid2 and $data3 and $data4 and $data5)
}
This rule contains 12 string patterns in its detection logic, split across two branches of the condition: a process-creation branch (a 4688 event whose new process path ends in AppData\Local\Temp\rsys.exe) and a service branch (a 7045 installation of an auto-start user-mode service named "RPC Endpoint Locator" together with a 7036 event reporting that service entering the running state). Either branch alone is enough for a match. Two of the strings ($type2 and $data3) duplicate $type1 and $data1, so they add nothing to the second branch; the rule still works, but the branch effectively requires seven distinct substrings, not nine.
Note that the patterns are event-log text (provider names, event IDs and message fragments), not file contents, so the rule is meant to run with the yara tool over exported Windows event log text, not over the dropper binary. The strings are plain ASCII; to scan raw EVTX files or other UTF-16LE exports directly, each string needs the "ascii wide" modifier, otherwise nothing will match. Sentinel does not run YARA rules itself; the equivalent hunt there is a query over the ingested Windows Security and System event logs using the same event IDs and strings.
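As an added example (not code from the original page or from the rule's author), the following Python re-implements the rule's two-branch condition over constructed event-log text and shows which branch fires on which events. The sample messages are constructed to resemble exported Windows event text and are not real telemetry. It goes one step beyond the rule by also encoding the same export as UTF-16LE, which is how EVTX stores strings, to show that the rule's ASCII patterns miss it unless they are treated as `wide`.

```python
# Added example: plain-Python evaluation of the turla_dropper rule's condition
# over constructed log text. Not the page's or the rule author's code.

# The rule's strings, grouped by the two branches of its condition.
# Duplicates ($type2, $data3) are kept so the branch mirrors the rule exactly.
BRANCH_PROCESS = [
    "Microsoft-Windows-Security-Auditing",
    "4688",
    "AppData\\Local\\Temp\\rsys.exe",
]
BRANCH_SERVICE = [
    "Service Control Manager", "7036", "RPC Endpoint Locator", "running",
    "Service Control Manager", "7045", "RPC Endpoint Locator",
    "user mode service", "auto start",
]


def encode_strings(strings, wide):
    """Byte patterns as YARA would search for them: ASCII by default,
    UTF-16LE when the string carries the `wide` modifier."""
    return [s.encode("utf-16-le") if wide else s.encode("ascii") for s in strings]


def rule_matches(data: bytes, wide: bool = False) -> dict:
    """Evaluate the condition the way YARA does: each $string is true if its
    bytes occur anywhere in the buffer; the rule is (branch1) or (branch2)."""
    proc = all(p in data for p in encode_strings(BRANCH_PROCESS, wide))
    svc = all(p in data for p in encode_strings(BRANCH_SERVICE, wide))
    return {"process_branch": proc, "service_branch": svc, "match": proc or svc}


# Constructed sample messages (not real telemetry), shaped like exported
# Security and System event log text.
LOG_4688 = (
    "Provider: Microsoft-Windows-Security-Auditing EventID: 4688 "
    "A new process has been created. New Process Name: "
    "C:\\Users\\alice\\AppData\\Local\\Temp\\rsys.exe\n"
)
LOG_7045 = (
    "Provider: Service Control Manager EventID: 7045 "
    "A service was installed in the system. Service Name: RPC Endpoint Locator "
    "Service Type: user mode service Service Start Type: auto start\n"
)
LOG_7036 = (
    "Provider: Service Control Manager EventID: 7036 "
    "The RPC Endpoint Locator service entered the running state.\n"
)
# A benign auto-start service install that shares everything but the name.
LOG_BENIGN_7045 = (
    "Provider: Service Control Manager EventID: 7045 "
    "A service was installed in the system. Service Name: Contoso Updater "
    "Service Type: user mode service Service Start Type: auto start\n"
)


def scan_text_export(text: str, wide: bool = False) -> dict:
    """Scan a plain-text (UTF-8/ASCII) log export."""
    return rule_matches(text.encode("utf-8"), wide)


def scan_utf16_export(text: str, wide: bool = False) -> dict:
    """Scan the same text stored as UTF-16LE, as EVTX does internally."""
    return rule_matches(text.encode("utf-16-le"), wide)


if __name__ == "__main__":
    print(scan_text_export(LOG_4688))                         # process branch hit
    print(scan_text_export(LOG_7045 + LOG_7036))              # service branch hit
    print(scan_text_export(LOG_7045))                         # install without 7036: no hit
    print(scan_text_export(LOG_BENIGN_7045))                  # other service name: no hit
    print(scan_utf16_export(LOG_7045 + LOG_7036))             # ASCII strings miss UTF-16
    print(scan_utf16_export(LOG_7045 + LOG_7036, wide=True))  # wide strings hit
```

The third call is the point to notice when tuning: a 7045 install of the service with no 7036 "running" event in the same export does not satisfy the service branch, so a dropper that installs the service but is killed before it starts is only caught by the 4688 branch. The last two calls show the encoding caveat; in the real rule the fix is `$type1 = "Service Control Manager" ascii wide` and likewise for the other strings.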
Every branch of the condition requires either the literal path AppData\Local\Temp\rsys.exe in a 4688 event or a service literally named "RPC Endpoint Locator" in paired 7045 and 7036 events, so generic temp-file writes or service installations do not fire the rule on their own. The scenarios below are false positives only when those exact strings collide; the exclusions should be at least as specific as the rule's strings, and never broader.
Scenario: A legitimate system update or patching tool (e.g., Microsoft Update, Windows Server Update Services) stages an installer under AppData\Local\Temp during installation. The process branch fires only if that staged executable is named rsys.exe.
Filter/Exclusion: If an rsys.exe is seen, check the file's hash and Authenticode signature against the update tool's known-good files rather than excluding the Temp path as a whole.
Scenario: A scheduled task (e.g., Task Scheduler) runs a legitimate maintenance script that creates temporary files and installs an auto-start user-mode service (7045) that then starts (7036). This matches the service branch only if the service is named "RPC Endpoint Locator".
Filter/Exclusion: Exclude by the exact service name and image path of the legitimate task's service. Do not exclude on "Service Control Manager", "user mode service" or "auto start", as those fragments occur in every service installation.
Scenario: An administrator manually creates a temporary file (e.g., using mktemp or tempfile in a script) and registers a service for testing or debugging purposes.
Filter/Exclusion: Exclude files created by known administrative tools or scripts by hash or signer. Do not filter on user context such as SYSTEM or an administrator account: installing a service requires those privileges, so the dropper's own 7045 event would be suppressed by that filter.
Scenario: A legitimate third-party application (e.g., Adobe Acrobat, Microsoft Office) generates temporary files in the system temp directory and registers a service for background processing.
Filter/Exclusion: Use the application's own file name patterns and service names, or check the file's hash against known legitimate application artifacts.
Scenario: A system cleanup tool (e.g., CCleaner, Windows Disk Cleanup) creates temporary files during its operation and may register a service for scheduled cleanup tasks.
Filter/Exclusion: Filter based on the tool's process name or signed image path, or check the file's creation time and context against known cleanup operations.
When triaging a hit, note that Windows ships two legitimate services with similar display names, "RPC Endpoint Mapper" (RpcEptMapper) and "Remote Procedure Call (RPC) Locator" (RpcLocator). Neither contains the substring "RPC Endpoint Locator", so neither triggers the rule, but the Turla name is chosen to blend in with them and should not be dismissed as one of them on a quick read.