This rule flags an encoded copy of the pcclient backdoor lying on disk. The file is not a plaintext executable (its first bytes are not an MZ header), so signature and PE-aware scanners that key on the normal executable format will not recognise it; its presence most likely means a payload has been staged for later decoding and execution, or that the encoding was chosen to slip past file-based detection. Matches from the endpoint or file scanners that run this rule can be forwarded to Azure Sentinel (now Microsoft Sentinel) so that SOC teams can hunt for staged copies and act before the payload is decoded and run.
YARA Rule
rule apt_c16_win_disk_pcclient
{
    meta:
        author = "@dragonthreatlab"
        md5 = "55f84d88d84c221437cd23cdbc541d2e"
        description = "Encoded version of pcclient found on disk"
        date = "2015/01/11"
        reference = "http://blog.dragonthreatlabs.com/2015/01/dtl-12012015-01-hong-kong-swc-attack.html"
    strings:
        // First bytes of the encoded sample as found on disk; not a plaintext MZ/PE header.
        $header = {51 5C 96 06 03 06 06 06 0A 06 06 06 FF FF 06 06 BE 06 06 06 06 06 06 06 46 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 EE 06 06 06 10 1F BC 10 06 BA 0D D1 25 BE 05 52 D1 25 5A 6E 6D 73 26 76 74 6F 67 74 65 71 26 63 65 70 70 6F 7A 26 64 69 26 74 79 70 26 6D 70 26 4A 4F 53 26 71 6F 6A 69 30 11 11 0C 2A 06 06 06 06 06 06 06 73 43 96 1B 37 24 00 4E 37 24 00 4E 37 24 00 4E BA 40 F6 4E 39 24 00 4E 5E 41 FA 4E 33 24 00 4E 5E 41 FC 4E 39 24 00 4E 37 24 FF 4E 0D 24 00 4E FA 31 A3 4E 40 24 00 4E DF 41 F9 4E 36 24 00 4E F6 2A FE 4E 38 24 00 4E DF 41 FC 4E 38 24 00 4E 54 6D 63 6E 37 24 00 4E 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 56 49 06 06 52 05 09 06 5D 87 8C 5A 06 06 06 06 06 06 06 06 E6 06 10 25 0B 05 08 06 06 1C 06 06 06 1A 06 06 06 06 06 06 E5 27 06 06 06 16 06 06 06 36 06 06 06 06 06 16 06 16 06 06 06 04 06 06 0A 06 06 06 06 06 06 06 0A 06 06 06 06 06 06 06 06 76 06 06 06 0A 06 06 06 06 06 06 04 06 06 06 06 06 16 06 06 16 06 06}
    condition:
        // Prefix match: the sequence must sit at file offset 0, not merely appear somewhere in the file.
        $header at 0
}
The rule has a single string, $header, a fixed hex byte sequence, and its condition requires that sequence at offset 0. It therefore matches only files that begin with exactly those bytes: a whole-file prefix check rather than a substring search, which keeps false positives low but also means any change to the sample's first few hundred bytes (a different encoding key, a re-linked binary) will defeat it. It is a file-content rule and runs wherever YARA is pointed at files: endpoint agents, mail and file gateways, or scans of forensic images.
Tuning notes. Two points apply to every scenario below. First, pcclient is a backdoor, not an endpoint protection agent or a vendor tool; there is no legitimate build of it to deploy, so the tool that copied a matching file does not explain the match away. Second, a YARA file rule sees file content only: it cannot exclude on a parent process (psexec.exe, powershell.exe, procmon.exe) or on a command line. Filters of that kind belong in the scanning pipeline or in the Sentinel analytics rule that consumes the match, and the safer form of allow-listing is by file hash rather than by path or process name.
Scenario: An administrator uses PsExec to push binaries to many endpoints.
Filter/Exclusion: Do not exclude PsExec-launched activity. An encoded payload staged over PsExec is the lateral-movement case this rule exists for; correlate the match with the PsExec session and verify what was copied and by whom.
Scenario: A scheduled job writes a base64-encoded copy of a binary to a temporary path such as C:\Windows\Temp\deploy_temp.exe.
Filter/Exclusion: Base64 text does not begin with these bytes, so it cannot trigger this rule; a match on such a file means the content is the raw encoded sample, not base64. If a known-good artifact must be excluded, allow-list its hash; excluding a whole temp directory hides one of the most common drop locations.
Scenario: Sysinternals Process Explorer or Process Monitor is used to inspect or dump process memory, and the dump may contain encoded binaries.
Filter/Exclusion: A process dump carries its own file header at offset 0, so this rule does not match dump files and no exclusion for procmon.exe, procexp.exe or handle.exe is needed. If the encoded blob turns up inside a dump, that is a finding, not noise.
Scenario: A Windows Update or Microsoft Endpoint Manager (MEM) deployment cache under C:\Windows\Temp\WindowsUpdate or C:\Windows\System32\wsus\ holds encoded or compressed payloads.
Filter/Exclusion: None of these channels distributes pcclient. Do not exclude those paths; treat a match there as a finding and check the file's hash against the distribution manifest.
Scenario: A developer, red team or malware analyst encodes the sample with a custom script or PowerShell job under a path such as C:\Dev\pcclient_encoded.exe.
Filter/Exclusion: Confine the exclusion to the named analysis hosts and to the hash of the specific file. Do not exclude powershell.exe or a command-line pattern: the rule cannot see either, and an intruder can reproduce both.
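The script below is an added example, not part of the original rule or of the DTL report. It takes the $header bytes from the rule above and applies a per-byte decoding that was inferred here from the pattern itself (plaintext = (encoded - 3) XOR 3; the rule states no such thing, so treat it as an assumption), then checks that the result is a well-formed DOS/PE header. It also replays the rule's condition ($header at 0) against three constructed buffers to show which of the tuning scenarios above can trigger it: the encoded file does, while the decoded plaintext PE and a base64 rendering of the same bytes do not. The decoding rule, the parse helper and the sample buffers are the assumptions; the bytes are the page's own.

```python
import base64
import struct

# $header from apt_c16_win_disk_pcclient, copied from the rule and laid out
# 16 bytes per row so that file offsets can be read off the row index.
HEADER_HEX = """
51 5C 96 06 03 06 06 06 0A 06 06 06 FF FF 06 06
BE 06 06 06 06 06 06 06 46 06 06 06 06 06 06 06
06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06
06 06 06 06 06 06 06 06 06 06 06 06 EE 06 06 06
10 1F BC 10 06 BA 0D D1 25 BE 05 52 D1 25 5A 6E
6D 73 26 76 74 6F 67 74 65 71 26 63 65 70 70 6F
7A 26 64 69 26 74 79 70 26 6D 70 26 4A 4F 53 26
71 6F 6A 69 30 11 11 0C 2A 06 06 06 06 06 06 06
73 43 96 1B 37 24 00 4E 37 24 00 4E 37 24 00 4E
BA 40 F6 4E 39 24 00 4E 5E 41 FA 4E 33 24 00 4E
5E 41 FC 4E 39 24 00 4E 37 24 FF 4E 0D 24 00 4E
FA 31 A3 4E 40 24 00 4E DF 41 F9 4E 36 24 00 4E
F6 2A FE 4E 38 24 00 4E DF 41 FC 4E 38 24 00 4E
54 6D 63 6E 37 24 00 4E 06 06 06 06 06 06 06 06
06 06 06 06 06 06 06 06 56 49 06 06 52 05 09 06
5D 87 8C 5A 06 06 06 06 06 06 06 06 E6 06 10 25
0B 05 08 06 06 1C 06 06 06 1A 06 06 06 06 06 06
E5 27 06 06 06 16 06 06 06 36 06 06 06 06 06 16
06 16 06 06 06 04 06 06 0A 06 06 06 06 06 06 06
0A 06 06 06 06 06 06 06 06 76 06 06 06 0A 06 06
06 06 06 06 04 06 06 06 06 06 16 06 06 16 06 06
"""
ENCODED_HEADER = bytes.fromhex(HEADER_HEX)


def decode_byte(e: int) -> int:
    # Assumption (inferred from the pattern, not stated by the rule): each
    # plaintext byte b was transformed as encoded = (b ^ 3) + 3 mod 256.
    return ((e - 3) & 0xFF) ^ 0x03


def encode_byte(b: int) -> int:
    # Forward direction of the same inferred transform, kept for round-trip checks.
    return ((b ^ 0x03) + 3) & 0xFF


def decode(blob: bytes) -> bytes:
    return bytes(decode_byte(e) for e in blob)


def header_matches(data: bytes) -> bool:
    # Equivalent of the rule's condition `$header at 0`: the exact bytes must
    # sit at file offset 0. A prefix match, not a substring search.
    return data.startswith(ENCODED_HEADER)


def parse_decoded_pe(data: bytes) -> dict:
    # Read the DOS header, the PE signature and the COFF fields an analyst
    # checks first when triaging a recovered executable.
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    machine, nsections, timestamp = struct.unpack_from("<HHI", data, e_lfanew + 4)
    characteristics = struct.unpack_from("<H", data, e_lfanew + 22)[0]
    return {
        "mz": data[:2],
        "e_lfanew": e_lfanew,
        "pe_sig": data[e_lfanew:e_lfanew + 4],
        "machine": machine,                        # 0x14C = IMAGE_FILE_MACHINE_I386
        "sections": nsections,
        "timestamp": timestamp,                    # link time, seconds since the Unix epoch
        "is_dll": bool(characteristics & 0x2000),  # IMAGE_FILE_DLL
        "dos_stub": b"This program cannot be run in DOS mode" in data,
    }


def triage_samples() -> dict:
    # Constructed inputs, not real files: the encoded sample padded out, the
    # same header decoded back to a plain PE, and a base64 rendering of it.
    samples = {
        "encoded_on_disk": ENCODED_HEADER + b"\x06" * 64,
        "decoded_plain_pe": decode(ENCODED_HEADER),
        "base64_text": base64.b64encode(ENCODED_HEADER),
    }
    return {name: header_matches(blob) for name, blob in samples.items()}


if __name__ == "__main__":
    for name, hit in triage_samples().items():
        print(f"{name:18s} match={hit}")
    info = parse_decoded_pe(decode(ENCODED_HEADER))
    print({k: (v.hex() if isinstance(v, bytes) else v) for k, v in info.items()})
```

Under the inferred transform the pattern decodes to a consistent 32-bit PE with the MZ signature, e_lfanew pointing at a PE\0\0 signature at 0xE8, the usual DOS stub message, an i386 machine type, five sections, the DLL characteristic set and a link timestamp in December 2014, a month before the rule's date; that internal consistency is the evidence for the transform. The triage helper also makes the tuning point concrete: only the raw encoded file begins with these bytes, so neither a decoded copy nor a base64 text file can match the rule.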