The hypothesis is that the detection of a malicious MSI file associated with the Duqu2 APT could indicate an adversary attempting to establish a foothold in the network through covert payload delivery. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential long-term persistence and data exfiltration activities.
YARA Rule
rule APT_Kaspersky_Duqu2_procexp
{
    meta:
        description = "Kaspersky APT Report - Duqu2 Sample - Malicious MSI"
        author = "Florian Roth"
        reference = "https://goo.gl/7yKyOj"
        date = "2015-06-10"
        hash1 = "2422835716066b6bcecb045ddd4f1fbc9486667a"
        hash2 = "b120620b5d82b05fee2c2153ceaf305807fa9f79"
        hash3 = "288ebfe21a71f83b5575dfcc92242579fb13910d"
    strings:
        $x1 = "svcmsi_32.dll" fullword wide
        $x2 = "msi3_32.dll" fullword wide
        $x3 = "msi4_32.dll" fullword wide
        $x4 = "MSI.dll" fullword ascii
        $s1 = "SELECT `Data` FROM `Binary` WHERE `Name`='%s%i'" fullword wide
        $s2 = "Sysinternals installer" fullword wide /* PEStudio Blacklist: strings */
        $s3 = "Process Explorer" fullword wide /* PEStudio Blacklist: strings */ /* Goodware String - occurred 5 times */
    condition:
        uint16(0) == 0x5a4d and filesize < 100KB and ( 1 of ($x*) ) and ( all of ($s*) )
}
This YARA rule can be deployed in the following contexts:
This rule contains 7 string patterns in its detection logic: four $x strings (DLL names dropped by the malicious MSI), of which at least one must match, and three $s strings (the installer's own resource strings), all of which must match. The file must also start with an MZ header and be smaller than 100KB.
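As an added illustration that is not part of the original rule or this page, the Python below re-implements the rule's condition over byte buffers so the wide, fullword and filesize constraints can be exercised without yara-python. The sample buffers are constructed for the example and are not Duqu2 data.

```python
import re

# String definitions copied from the rule: (identifier, text, modifier).
# "wide" means UTF-16LE, as YARA encodes it; "ascii" is a plain byte string.
X_STRINGS = [("$x1", "svcmsi_32.dll", "wide"), ("$x2", "msi3_32.dll", "wide"),
             ("$x3", "msi4_32.dll", "wide"), ("$x4", "MSI.dll", "ascii")]
S_STRINGS = [("$s1", "SELECT `Data` FROM `Binary` WHERE `Name`='%s%i'", "wide"),
             ("$s2", "Sysinternals installer", "wide"),
             ("$s3", "Process Explorer", "wide")]
ALNUM = rb"[A-Za-z0-9]"

def encode(text, modifier):
    return text.encode("utf-16-le") if modifier == "wide" else text.encode("ascii")

def fullword_pattern(text, modifier):
    """YARA 'fullword': no alphanumeric character directly before or after the
    match. For wide strings the neighbouring character is a two-byte unit."""
    needle = re.escape(encode(text, modifier))
    edge = ALNUM + rb"\x00" if modifier == "wide" else ALNUM
    return re.compile(rb"(?<!" + edge + rb")" + needle + rb"(?!" + edge + rb")")

def evaluate(data):
    """Apply the rule condition to a byte buffer; return hits and the verdict."""
    hits = sorted(n for n, t, m in X_STRINGS + S_STRINGS
                  if fullword_pattern(t, m).search(data))
    is_pe = data[:2] == b"MZ"                        # uint16(0) == 0x5a4d (LE)
    small = len(data) < 100 * 1024                   # filesize < 100KB
    one_x = any(n in hits for n, _, _ in X_STRINGS)  # 1 of ($x*)
    all_s = all(n in hits for n, _, _ in S_STRINGS)  # all of ($s*)
    return {"hits": hits, "match": is_pe and small and one_x and all_s}

def build_sample(strings, header=b"MZ", pad=b"\x00" * 16):
    """Constructed stand-in for a file: header, then each (text, modifier)
    separated by NUL padding. Not real Duqu2 data."""
    return header + b"".join(pad + encode(t, m) for t, m in strings) + pad

S_ONLY = [(t, m) for _, t, m in S_STRINGS]
# Constructed buffers covering the rule's main branches.
SAMPLES = {
    # one $x string plus all $s strings: the rule fires
    "suspect": build_sample([("svcmsi_32.dll", "wide")] + S_ONLY),
    # a Sysinternals installer carrying only the $s strings: no $x, no match
    "benign_procexp": build_sample(S_ONLY),
    # "MSI.dll" glued to a letter: present as a substring, but not fullword
    "fullword_miss": build_sample([("xMSI.dll", "ascii")] + S_ONLY),
    # same content as "suspect" padded past 100KB: the size guard rejects it
    "too_large": build_sample([("svcmsi_32.dll", "wide")] + S_ONLY) + b"\x00" * (100 * 1024),
}

if __name__ == "__main__":
    for name, buf in SAMPLES.items():
        print(name, evaluate(buf))
```

The benign_procexp case shows why the $x strings carry the discrimination: a legitimate Process Explorer installer contains all three $s strings, and only the dropped DLL names separate the Duqu2 MSI from it.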
Scenario: A system administrator installs a legitimate MSI package using Group Policy or a deployment tool like Microsoft Endpoint Configuration Manager (MECM).
Filter/Exclusion: Check the File field for known enterprise MSI packages (e.g., MicrosoftOffice2016.msi) or use a filter like process.parent_process_name == "msiexec.exe" with a known trusted parent process.
Scenario: A scheduled job runs a legitimate update or patching task using Windows Update or WSUS, which may trigger the rule due to MSI file execution.
Filter/Exclusion: Use a filter like process.name == "wuauserv.exe" or process.name == "svchost.exe" with a known service name, or exclude processes associated with Windows Update.
Scenario: A developer or DevOps engineer uses PowerShell or Chef to deploy a custom MSI package as part of an automation pipeline.
Filter/Exclusion: Include a filter like process.name == "powershell.exe" with a known script path or use a process.parent_process_name filter to identify trusted automation tools.
Scenario: A user downloads and installs a legitimate software update from a trusted source, such as Adobe Acrobat or Java Runtime Environment, which is packaged as an MSI.
Filter/Exclusion: Use a filter like file.name == "AdobeAcrobatReaderDC.msi" or file.name == "jre-8u301.msi" to exclude known legitimate MSI files.
Scenario: A system is running a Windows Task Scheduler job that executes an MSI file as part of a routine maintenance task, such as log cleanup or configuration reset.
Filter/Exclusion: Filter by process.name == "schtasks.exe" or use a process.parent_process_name filter to identify known