The detection identifies potential adversary activity in which APT malware drops the PcClient RAT, indicating a possible compromise and a persistence mechanism. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage APT campaigns before they escalate.
YARA Rule
```yara
rule apt_c16_win32_dropper
{
    meta:
        author = "@dragonthreatlab"
        md5 = "ad17eff26994df824be36db246c8fb6a"
        description = "APT malware used to drop PcClient RAT"
        date = "2015/01/11"
        reference = "http://blog.dragonthreatlabs.com/2015/01/dtl-12012015-01-hong-kong-swc-attack.html"
    strings:
        $mz = {4D 5A}
        $str1 = "clbcaiq.dll" ascii
        $str2 = "profapi_104" ascii
        $str3 = "/ShowWU" ascii
        $str4 = "Software\\Microsoft\\Windows\\CurrentVersion\\" ascii
        $str5 = {8A 08 2A CA 32 CA 88 08 40 4E 75 F4 5E}
    condition:
        $mz at 0 and all of ($str*)
}
```
This YARA rule can be deployed in the following contexts:
The rule's detection logic contains six string patterns: the MZ header check ($mz, which must sit at file offset 0) and five strings ($str1 through $str5), all of which must be present for the rule to fire.
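The condition `$mz at 0 and all of ($str*)` is easy to misread as "any of these strings", so the following added example (not code from the page or from dragonthreatlab) re-implements the rule's matching logic in plain Python and runs it over constructed byte buffers. It reproduces the rule's patterns verbatim; the `build_sample` helper and its buffers are constructed test data, and the x86 decoding of `$str5` in the comment is this example's own annotation. For production scanning use the real YARA engine rather than this re-implementation.

```python
"""Re-implementation of the apt_c16_win32_dropper condition in plain Python.

Added illustration, not the page's or dragonthreatlab's code. It mirrors the
rule's strings and the condition `$mz at 0 and all of ($str*)` so the
matching behaviour can be observed on constructed byte buffers.
"""

# Patterns copied from the rule on the page.
MZ = b"MZ"  # $mz = {4D 5A}
PATTERNS = {
    "$str1": b"clbcaiq.dll",
    "$str2": b"profapi_104",
    "$str3": b"/ShowWU",
    "$str4": b"Software\\Microsoft\\Windows\\CurrentVersion\\",
    # $str5 decodes to an x86 byte-decoding loop:
    #   mov cl,[eax]; sub cl,dl; xor cl,dl; mov [eax],cl;
    #   inc eax; dec esi; jnz loop; pop esi
    "$str5": bytes.fromhex("8A 08 2A CA 32 CA 88 08 40 4E 75 F4 5E"),
}


def evaluate_rule(data: bytes) -> dict:
    """Return per-string hits plus the overall verdict for one buffer.

    Mirrors `$mz at 0 and all of ($str*)`: the MZ header must be at
    offset 0 (not merely somewhere in the file), and every $str pattern
    must occur somewhere in the buffer.
    """
    hits = {"$mz": data.startswith(MZ)}
    for name, pattern in PATTERNS.items():
        hits[name] = pattern in data
    hits["match"] = hits["$mz"] and all(hits[n] for n in PATTERNS)
    return hits


def missing_strings(data: bytes) -> list:
    """Names of rule strings absent from the buffer, useful when triaging
    near-misses or tuning the rule."""
    hits = evaluate_rule(data)
    return [n for n in ("$mz", *PATTERNS) if not hits[n]]


def build_sample(omit=(), mz_at_zero=True) -> bytes:
    """Constructed test buffer (hypothetical, not a real sample): a blob
    carrying the rule's strings, optionally leaving some out or pushing
    the MZ signature off offset 0 to show the `at 0` requirement."""
    body = bytearray(b"\x00" * 64)
    body += b"".join(p + b"\x00" for n, p in PATTERNS.items() if n not in omit)
    body += b"\x00" * 32
    head = MZ if mz_at_zero else b"\x00\x00"
    return head + bytes(body)


if __name__ == "__main__":
    cases = {
        "all strings, MZ at 0": build_sample(),
        "missing $str3": build_sample(omit=("$str3",)),
        "strings present, no MZ at 0": build_sample(mz_at_zero=False),
    }
    for label, buf in cases.items():
        verdict = evaluate_rule(buf)["match"]
        print(f"{label:32s} match={verdict} missing={missing_strings(buf)}")
```

Because every `$str` pattern is required, a buffer that carries four of the five strings does not match; `missing_strings` tells you which one is absent, which is the first thing to check when a suspected dropper variant slips past the rule. The `at 0` clause is why a text or log file that merely mentions these strings (or contains `MZ` somewhere inside) will not fire.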
Scenario: Scheduled System Maintenance Task
Description: A legitimate system maintenance task, such as schtasks.exe running a script to clean temporary files or update system settings, may trigger the rule if the script name or content resembles the RAT’s behavior.
Filter/Exclusion: Check for ProcessName = "schtasks.exe" and CommandLine containing known maintenance commands (e.g., cleanmgr, diskcleanup, wuauclt).
Scenario: Admin User Running PowerShell Script for Patch Management
Description: An admin user may execute a PowerShell script to apply patches or configure system settings, which could be flagged if the script name or content matches the RAT’s signature.
Filter/Exclusion: Filter by User = "Administrator" and CommandLine containing patch management keywords (e.g., Update, Patch, WindowsUpdate).
Scenario: Legitimate Use of PsExec for Remote Administration
Description: IT administrators may use PsExec to remotely execute commands on managed systems, which could be mistaken for a malicious drop.
Filter/Exclusion: Filter by ProcessName = "PsExec.exe" and check for CommandLine containing valid administrative commands (e.g., cmd.exe, regedit, taskkill).
Scenario: Deployment of a Legitimate Endpoint Protection Tool
Description: A security tool like Microsoft Defender or Bitdefender may be deployed via a script or scheduled job, which could trigger the rule if the tool’s installation process is misclassified.
Filter/Exclusion: Filter by ProcessName containing known endpoint protection tool names (e.g., MsMpEng.exe, bdagent.exe) or check for CommandLine containing installation keywords (e.g., install, setup, configure).