The hypothesis is that the detection of a signing certificate associated with the Winnti APT group indicates potential adversarial code signing activity aimed at evading detection and establishing persistence. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate advanced persistent threats leveraging compromised code signing infrastructure.
YARA Rule
rule Winnti_signing_cert
{
    meta:
        description = "Detects a signing certificate used by the Winnti APT group"
        author = "Florian Roth"
        reference = "https://securelist.com/analysis/publications/72275/i-am-hdroot-part-1/"
        date = "2015-10-10"
        score = 75
        hash1 = "a9a8dc4ae77b1282f0c8bdebd2643458fc1ceb3145db4e30120dd81676ff9b61"
        hash2 = "9001572983d5b1f99787291edaadbb65eb2701722f52470e89db2c59def24672"
    strings:
        $s1 = "Guangzhou YuanLuo Technology Co." ascii
        $s2 = "Guangzhou YuanLuo Technology Co.,Ltd" ascii
        $s3 = "$Asahi Kasei Microdevices Corporation0" fullword ascii
    condition:
        uint16(0) == 0x5a4d and filesize < 700KB and 1 of them
}
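To make the three clauses of the condition concrete, the following is an added example (not part of the original page and not tooling from the rule's author) that emulates the rule's logic in plain Python, so each clause, including the `fullword` modifier on `$s3`, can be exercised without a YARA engine installed. Every byte string it scans is constructed test data, not a real Winnti sample.

```python
"""
Added example, not part of the original page or of the rule author's
tooling: a plain-Python emulation of the Winnti_signing_cert condition,
so each clause can be exercised on constructed inputs without a YARA
engine. The byte strings built below are synthetic test data, not real
Winnti samples.
"""
import re
import struct
from typing import Dict, List, Tuple

# The rule's three strings. The second element marks the 'fullword'
# modifier, which only $s3 carries.
STRINGS: Dict[str, Tuple[bytes, bool]] = {
    "$s1": (b"Guangzhou YuanLuo Technology Co.", False),
    "$s2": (b"Guangzhou YuanLuo Technology Co.,Ltd", False),
    "$s3": (b"$Asahi Kasei Microdevices Corporation0", True),
}
MAX_FILESIZE = 700 * 1024  # YARA's 'filesize < 700KB' (KB = 1024 bytes)


def string_matches(data: bytes, pattern: bytes, fullword: bool) -> bool:
    """Plain 'ascii' substring match; with fullword, the occurrence must not
    be bordered by an alphanumeric byte on either side (YARA's definition)."""
    if not fullword:
        return pattern in data
    for m in re.finditer(re.escape(pattern), data):
        before = data[m.start() - 1:m.start()] if m.start() > 0 else b""
        after = data[m.end():m.end() + 1]
        if not before.isalnum() and not after.isalnum():
            return True
    return False


def matched_strings(data: bytes) -> List[str]:
    """Names of the rule's strings found in data, in declaration order."""
    return [name for name, (pat, fw) in STRINGS.items()
            if string_matches(data, pat, fw)]


def rule_matches(data: bytes) -> bool:
    """uint16(0) == 0x5a4d and filesize < 700KB and 1 of them"""
    if len(data) < 2:
        return False  # uint16(0) is undefined on a file shorter than 2 bytes
    magic = struct.unpack_from("<H", data, 0)[0]  # YARA's uint16 is little-endian
    if magic != 0x5A4D:  # the bytes "MZ"
        return False
    if len(data) >= MAX_FILESIZE:
        return False
    return len(matched_strings(data)) >= 1


def make_sample(body: bytes, mz: bool = True, pad_to: int = 0) -> bytes:
    """Build a constructed test blob: a magic prefix, 62 bytes of padding
    standing in for the rest of a DOS header, then the body."""
    data = (b"MZ" if mz else b"\x7fELF") + b"\x00" * 62 + body
    if pad_to > len(data):
        data += b"\x00" * (pad_to - len(data))
    return data


# Constructed inputs, one per clause of the condition.
SAMPLES: Dict[str, bytes] = {
    "pe_with_subject": make_sample(b"\x00Guangzhou YuanLuo Technology Co.,Ltd\x00"),
    "pe_fullword_ok": make_sample(b"\x00$Asahi Kasei Microdevices Corporation0\x00"),
    "pe_fullword_broken": make_sample(b"xx$Asahi Kasei Microdevices Corporation0x"),
    "not_pe_with_subject": make_sample(b"Guangzhou YuanLuo Technology Co.", mz=False),
    "pe_over_700kb": make_sample(b"Guangzhou YuanLuo Technology Co.", pad_to=800 * 1024),
    "pe_clean": make_sample(b"Contoso Example Corp (constructed)"),
}


def scan_samples() -> Dict[str, bool]:
    """Run the emulated rule over every constructed sample."""
    return {name: rule_matches(data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in scan_samples().items():
        found = matched_strings(SAMPLES[name])
        print(f"{name:22s} {'MATCH' if hit else 'no match':9s} {found}")
```

Two details worth noting from the run: `$s2` is a superset of `$s1`, so a file carrying the full "Co.,Ltd" subject satisfies both strings at once, and `pe_fullword_broken` shows why `$s3` is declared `fullword`: the same bytes embedded inside a longer alphanumeric run do not count. The size and MZ checks mean the rule is only meant for on-disk PE files; a certificate subject seen in a log line or a non-PE container will not trigger it.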
This YARA rule can be deployed in the following contexts:
This rule contains 3 string patterns in its detection logic.
Scenario: A system administrator uses a certificate signed by the Winnti APT group for internal tooling (e.g., a custom PowerShell script signing certificate).
    Filter/Exclusion: Exclude certificates used by internal tools or signed by an internal CA, e.g., cert.subject contains "Internal CA" or cert.issuer contains "Internal CA"

Scenario: A scheduled job runs a legitimate third-party tool (e.g., Microsoft Endpoint Configuration Manager) that uses a certificate associated with the Winnti APT group.
    Filter/Exclusion: Exclude known legitimate tools, e.g., process.name contains "ConfigMgr" or process.name contains "Microsoft Endpoint"

Scenario: An admin task involves importing a certificate from a trusted source (e.g., certutil -addstore -user TrustedPublisher "cert.cer") that happens to match a Winnti certificate.
    Filter/Exclusion: Exclude certificate import activities by admin users, e.g., user.account contains "admin" or user.account contains "domainadmin"

Scenario: A legitimate software update process (e.g., Windows Update) uses a certificate that is falsely identified as being associated with the Winnti APT group.
    Filter/Exclusion: Exclude certificate usage during software updates, e.g., process.name contains "wuauclt" or process.name contains "Windows Update"

Scenario: A developer signs a build artifact (e.g., a .msi file) using a certificate that is mistakenly flagged as being linked to the Winnti APT group.
    Filter/Exclusion: Exclude certificate usage during build processes, e.g., process.name contains "msbuild" or process.name contains "dotnet"
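To see how the five exclusions above behave once applied, the following is an added example (not part of the original page) that encodes each Filter/Exclusion as a predicate and runs them over a handful of constructed hunting hits. The field names used as dictionary keys are the dotted names from the list above (cert.subject, cert.issuer, process.name, user.account); the hit records, host names and accounts are all constructed for illustration and do not correspond to any real environment.

```python
"""
Added example, not part of the original page: the Filter/Exclusion
entries from the false-positive list encoded as predicates and applied
to constructed hunting hits. Keys mirror the dotted field names used on
the page; every record below is synthetic.
"""
from typing import Callable, Dict, List

Hit = Dict[str, str]


def contains_any(field: str, *needles: str) -> Callable[[Hit], bool]:
    """Case-insensitive 'field contains any of needles', mirroring the
    'contains' operator used in the exclusion list."""
    def pred(hit: Hit) -> bool:
        value = hit.get(field, "").lower()
        return any(n.lower() in value for n in needles)
    return pred


def internal_ca(hit: Hit) -> bool:
    return (contains_any("cert.subject", "Internal CA")(hit)
            or contains_any("cert.issuer", "Internal CA")(hit))


# One predicate per scenario, in the order the page lists them.
# A hit is suppressed by the first predicate that returns True.
EXCLUSIONS: Dict[str, Callable[[Hit], bool]] = {
    "internal_ca": internal_ca,
    "known_tools": contains_any("process.name", "ConfigMgr", "Microsoft Endpoint"),
    "admin_import": contains_any("user.account", "admin", "domainadmin"),
    "windows_update": contains_any("process.name", "wuauclt", "Windows Update"),
    "build_process": contains_any("process.name", "msbuild", "dotnet"),
}

# Constructed hits; every one carries the Winnti cert subject so that all
# of them would have fired the YARA rule before tuning.
WINNTI_SUBJECT = "Guangzhou YuanLuo Technology Co.,Ltd"
SAMPLE_HITS: List[Hit] = [
    {"host": "ws-0417", "cert.subject": WINNTI_SUBJECT, "cert.issuer": "Example Public CA",
     "process.name": "updater.exe", "user.account": "CORP\\jdoe"},
    {"host": "srv-sccm-01", "cert.subject": WINNTI_SUBJECT, "cert.issuer": "Example Public CA",
     "process.name": "ConfigMgr.exe", "user.account": "CORP\\svc_sccm"},
    {"host": "ws-0099", "cert.subject": WINNTI_SUBJECT, "cert.issuer": "Example Public CA",
     "process.name": "certutil.exe", "user.account": "CORP\\administrator"},
    {"host": "build-03", "cert.subject": WINNTI_SUBJECT, "cert.issuer": "Example Public CA",
     "process.name": "msbuild.exe", "user.account": "CORP\\ci_runner"},
    {"host": "ws-0201", "cert.subject": WINNTI_SUBJECT, "cert.issuer": "Contoso Internal CA",
     "process.name": "signtool.exe", "user.account": "CORP\\asmith"},
    {"host": "ws-0150", "cert.subject": WINNTI_SUBJECT, "cert.issuer": "Example Public CA",
     "process.name": "wuauclt.exe", "user.account": "NT AUTHORITY\\SYSTEM"},
]


def triage(hits: List[Hit]) -> Dict[str, List[Hit]]:
    """Split hits into those left for an analyst and those an exclusion
    suppressed, recording which exclusion fired on each suppressed hit."""
    kept: List[Hit] = []
    suppressed: List[Hit] = []
    for hit in hits:
        reason = next((name for name, pred in EXCLUSIONS.items() if pred(hit)), None)
        if reason is None:
            kept.append(hit)
        else:
            suppressed.append({**hit, "excluded_by": reason})
    return {"kept": kept, "suppressed": suppressed}


if __name__ == "__main__":
    result = triage(SAMPLE_HITS)
    for h in result["kept"]:
        print(f"KEEP      {h['host']:12s} {h['process.name']:14s} {h['user.account']}")
    for h in result["suppressed"]:
        print(f"SUPPRESS  {h['host']:12s} {h['process.name']:14s} by {h['excluded_by']}")
```

The run leaves only the ws-0417 hit for an analyst. The ws-0099 record is the one to look at twice: it is a `certutil.exe` execution under `CORP\administrator`, and the "admin" substring exclusion suppresses it even though the signer is the Winnti subject the rule exists to find. When these exclusions are turned into a Sentinel query, matching named service or admin accounts exactly, rather than any account containing "admin", keeps the exclusion from also covering the accounts an intruder is most likely to hold.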