This rule detects Duqu 2.0 driver files on disk. Duqu 2.0 is an advanced persistent threat toolkit, and the driver is its kernel-mode component, so a hit indicates a sophisticated intrusion rather than commodity malware. YARA matches file content, not log events: run the rule through an endpoint or EDR file scanner, a sandbox or a file-analysis pipeline, and forward the hits to Azure Sentinel (or whichever SIEM is in use) so SOC teams can hunt on them and correlate with process-creation and driver-load telemetry before the adversary moves further into the environment.
YARA Rule
rule apt_duqu2_drivers
{
    meta:
        copyright = "Kaspersky Lab"
        description = "Rule to detect Duqu 2.0 drivers"
        last_modified = "2015-06-09"
        version = "1.0"
    strings:
        $a1 = "\\DosDevices\\port_optimizer" wide nocase
        $a2 = "romanian.antihacker"
        $a3 = "PortOptimizerTermSrv" wide
        $a4 = "ugly.gorilla1"
        $b1 = "NdisIMCopySendCompletePerPacketInfo"
        $b2 = "NdisReEnumerateProtocolBindings"
        $b3 = "NdisOpenProtocolConfiguration"
    condition:
        uint16(0) == 0x5A4D and (any of ($a*) ) and (2 of ($b*)) and filesize < 100000
}
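To make the condition concrete, the following is an added example (not Kaspersky's code and not part of the original page) that re-implements the rule's string modifiers and condition in pure Python and evaluates them against constructed buffers. It assumes nothing beyond the standard library; the sample buffers are synthetic, built inline, and are not real Duqu 2.0 files. It shows that a `wide` string is only found in its UTF-16LE form, that `nocase` folds case, that the `filesize < 100000` bound is strict, and that the NDIS import names (`$b*`) alone never fire without one of the Duqu-specific `$a*` artifacts.

```python
"""Pure-Python walk-through of the apt_duqu2_drivers condition.

Added example, not part of the original Kaspersky rule or of this page.
It re-implements the rule's string modifiers and condition so a reader can
trace why a buffer does or does not match without a yara binary. All sample
buffers are constructed here and are NOT real Duqu 2.0 files.
"""
import struct

MAX_FILESIZE = 100000        # condition: filesize < 100000 (strict)
MZ_MAGIC = 0x5A4D            # uint16(0) little-endian == b"MZ"

# (name, literal, wide, nocase) mirrors the rule's strings section exactly.
STRINGS = [
    ("$a1", "\\DosDevices\\port_optimizer", True, True),
    ("$a2", "romanian.antihacker", False, False),
    ("$a3", "PortOptimizerTermSrv", True, False),
    ("$a4", "ugly.gorilla1", False, False),
    ("$b1", "NdisIMCopySendCompletePerPacketInfo", False, False),
    ("$b2", "NdisReEnumerateProtocolBindings", False, False),
    ("$b3", "NdisOpenProtocolConfiguration", False, False),
]


def string_matches(data: bytes, literal: str, wide: bool, nocase: bool) -> bool:
    """Search for one YARA text string with its modifiers applied.

    'wide' searches only the UTF-16LE form (an ASCII copy of the same text does
    not count; that would need 'ascii wide'). 'nocase' compares case-insensitively.
    """
    needle = literal.encode("utf-16-le" if wide else "ascii")
    if nocase:
        # bytes.lower() only folds ASCII letters, which is all these patterns use.
        return needle.lower() in data.lower()
    return needle in data


def evaluate(data: bytes) -> dict:
    """Evaluate the full rule condition and return a breakdown for triage."""
    hits = {name: string_matches(data, lit, wide, nocase)
            for name, lit, wide, nocase in STRINGS}
    is_mz = len(data) >= 2 and struct.unpack_from("<H", data, 0)[0] == MZ_MAGIC
    a_hits = sum(1 for n, v in hits.items() if n.startswith("$a") and v)
    b_hits = sum(1 for n, v in hits.items() if n.startswith("$b") and v)
    matched = is_mz and a_hits >= 1 and b_hits >= 2 and len(data) < MAX_FILESIZE
    return {"matched": matched, "is_mz": is_mz, "a_hits": a_hits,
            "b_hits": b_hits, "filesize": len(data), "hits": hits}


def build_sample(mz: bool, fragments: list, pad_to: int = 4096) -> bytes:
    """Construct a synthetic buffer: 2-byte magic, filler, embedded fragments."""
    blob = bytearray(b"MZ" if mz else b"XX")
    blob += b"\x00" * 0x3E
    for frag in fragments:
        blob += frag + b"\x00"
    blob += b"\x90" * max(0, pad_to - len(blob))
    return bytes(blob)


# NDIS API names alone are normal in legitimate intermediate drivers ...
NDIS_TWO = [b"NdisReEnumerateProtocolBindings", b"NdisOpenProtocolConfiguration"]
# ... while the device name is Duqu-specific. Upper-case to exercise 'nocase'.
DEVNAME_WIDE = "\\DosDevices\\PORT_OPTIMIZER".encode("utf-16-le")

SAMPLES = {
    # MZ header + one $a (wide, odd case) + two $b, small: the only true match.
    "duqu_like": build_sample(True, [DEVNAME_WIDE] + NDIS_TWO),
    # Same device name but ASCII-encoded: '$a1 ... wide' does not see it.
    "ascii_devname": build_sample(True, [b"\\DosDevices\\port_optimizer"] + NDIS_TWO),
    # Strings present but no MZ header (e.g. a text dump or memory fragment).
    "no_mz_header": build_sample(False, [DEVNAME_WIDE] + NDIS_TWO),
    # Only one NDIS import: '2 of ($b*)' is not satisfied.
    "one_ndis_import": build_sample(True, [DEVNAME_WIDE, NDIS_TWO[0]]),
    # Everything present but padded to exactly 100000 bytes: 'filesize < 100000' fails.
    "oversized": build_sample(True, [DEVNAME_WIDE] + NDIS_TWO, pad_to=MAX_FILESIZE),
}


def run() -> dict:
    """Return {sample name: matched} for every constructed buffer."""
    return {name: evaluate(buf)["matched"] for name, buf in SAMPLES.items()}


if __name__ == "__main__":
    for name, buf in SAMPLES.items():
        r = evaluate(buf)
        print(f"{name:16} matched={r['matched']!s:5} mz={r['is_mz']!s:5} "
              f"a={r['a_hits']} b={r['b_hits']} size={r['filesize']}")
```

Only `duqu_like` matches. The `oversized` case is worth noting when tuning: a packed or padded variant of the driver larger than the bound would be missed by this rule, so the size cap is a false-positive control, not a security guarantee, and a memory-resident copy (`no_mz_header`) needs a process-memory scan rather than a file scan.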
This rule contains 7 string patterns: four $a strings that are artifacts specific to the Duqu 2.0 driver (a device name, a service-like name and two plaintext strings embedded in the binary) and three $b strings that are NDIS API names used by intermediate network drivers. It fires only when the file starts with an MZ header (uint16(0) == 0x5A4D), contains at least one $a string and at least two $b strings, and is smaller than 100,000 bytes. The $b names also occur in legitimate NDIS drivers, which is why at least one $a string is required; the $a strings are what make a hit significant. Because YARA matches file bytes, none of the process-based filters below change whether the rule matches: they describe the process context in which a hit may surface and should be used to attribute and prioritise the alert, not to suppress it. A genuine match in a file delivered by Windows Update, a driver vendor or a security product is itself a serious finding and must be verified (file hash, Authenticode signature, origin) rather than excluded. The following scenarios describe benign activity that can coincide with a hit:
Scenario: System Update or Patch Deployment
Description: A legitimate update or patch deployment (wusa.exe, dism.exe) writes and loads new drivers, so a file scan that runs during that window reports hits in the same time frame as patching activity. Microsoft-shipped drivers do not contain the $a strings, so a hit here most likely means the scan picked up a file that the update did not ship.
Filter/Exclusion: Use process.name in ("wusa.exe", "dism.exe") with process.parent.name in ("svchost.exe", "taskeng.exe") to tag the hit as occurring during patching; do not suppress on process name alone. Confirm that the matching file's hash and Authenticode signature belong to the update package before closing the alert.
Scenario: Scheduled Job for Driver Installation
Description: An enterprise may install or update drivers on a schedule with pnputil.exe or devcon.exe. Vendor driver packages staged this way are signed and are not expected to contain the $a strings, but the scan will coincide with new .sys files appearing in the driver store.
Filter/Exclusion: Use process.name in ("pnputil.exe", "devcon.exe") with process.parent.name "svchost.exe" (the host of the Task Scheduler service; taskeng.exe on Windows 7 / Server 2008 R2). Note that schtasks.exe only creates or modifies tasks and is not the parent of the task's process, so matching on it as a parent will miss real scheduled jobs. Verify the matched file's signature and that it came from the vendor package rather than a hand-placed driver before considering any exclusion.
Scenario: Antivirus or Endpoint Protection Scan
Description: Endpoint protection products (Kaspersky, Bitdefender, Malwarebytes) read, unpack and quarantine files during a scan. The realistic false positive here is not the scanner process itself but its quarantine or sample store: a quarantined Duqu 2.0 driver, or a vendor's own test sample, is still a file containing the $a and $b strings and will match if the YARA scan covers that path. Products that encrypt or encode quarantined files will not match; plain copies will.
Filter/Exclusion: Filter by process.name in ("kavsvc.exe", "bdagent.exe", "mbam.exe") to attribute the activity to the scanner. Its service process normally has services.exe as its parent; a scan launched through Task Scheduler shows svchost.exe (taskeng.exe on older Windows). Exclude the product's quarantine directory from the YARA scan scope rather than suppressing the alert, and record any quarantine hit, since it confirms the sample was present on the host.
Scenario: Admin Task for Driver Signing or Verification
Description: An administrator may use signtool.exe or certutil.exe to sign or verify drivers. These tools do not themselves contain the rule's strings; the rule can only fire on the driver file being handled, typically in a build or staging directory that holds an unsigned internal driver.
Filter/Exclusion: Use process.name in ("signtool.exe", "certutil.exe") with process.parent.name "explorer.exe" or "cmd.exe" and a user.name that belongs to a known administrative group to attribute the action; then inspect the file that matched. An internal driver that carries the $a strings (the port_optimizer device name, romanian.antihacker, ugly.gorilla1) is not a plausible false positive and should be escalated.
Scenario: Virtualization or Hyper-V Management
Description: