The hypothesis is that the detection rule identifies potential command and control activity associated with the APT DeputyDog group, leveraging the Fexel technique to exfiltrate data or establish persistence. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify early-stage adversarial activity and prevent further compromise of the network.
YARA Rule
rule APT_DeputyDog_Fexel
{
meta:
author = "ThreatConnect Intelligence Research Team"
strings:
$180 = "180.150.228.102" wide ascii
$0808cmd = {25 30 38 78 30 38 78 00 5C 00 63 00 6D 00 64 00 2E 00 65 00 78 00 65 [2-6] 43 00 61 00 6E 00 27 00 74 00 20 00 6F 00 70 00 65 00 6E 00 20 00 73 00 68 00 65 00 6C 00 6C 00 21}
$cUp = "Upload failed! [Remote error code:" nocase wide ascii
$DGGYDSYRL = {00 44 47 47 59 44 53 59 52 4C 00}
$GDGSYDLYR = "GDGSYDLYR_%" wide ascii
condition:
any of them
}This YARA rule can be deployed in the following contexts:
This rule contains 5 string patterns in its detection logic.
Scenario: Scheduled system backup using Veeam Backup & Replication
Filter/Exclusion: process.name != "vbmbackup.exe" or check for process.parent.name == "vbmbackup.exe"
Scenario: Admin performing a Windows Update via Group Policy or WSUS
Filter/Exclusion: process.name != "wuauclt.exe" or check for process.parent.name == "services.exe"
Scenario: Legitimate PowerShell script execution for system maintenance (e.g., log cleanup)
Filter/Exclusion: process.name != "powershell.exe" or check for process.parent.name == "taskeng.exe" and script.file.name != "maintenance.ps1"
Scenario: SQL Server Agent Job running a scheduled query or maintenance task
Filter/Exclusion: process.name != "sqlservr.exe" or check for process.parent.name == "sqlagent.exe" and process.command_line contains "sqlagent"
Scenario: Docker container running a legitimate application with a suspicious file name
Filter/Exclusion: process.name != "docker.exe" or check for process.parent.name == "docker.exe" and process.command_line contains "run --name"