The APT OLE JSRat rule detects the presence of a JavaScript-based remote access trojan embedded within Office documents, which could indicate adversary persistence and lateral movement. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential long-term compromise and mitigate advanced persistent threat (APT) activities.
YARA Rule
rule APT_OLE_JSRat : maldoc APT
{
    meta:
        author = "Rahul Mohandas"
        Date = "2015-06-16"
        Description = "Targeted attack using Excel/word documents"
    strings:
        // OLE2 Compound File Binary magic, required at offset 0
        $header = {D0 CF 11 E0 A1 B1 1A E1}
        $key1 = "AAAAAAAAAA"
        $key2 = "Base64Str" nocase
        $key3 = "DeleteFile" nocase
        $key4 = "Scripting.FileSystemObject" nocase
    condition:
        $header at 0 and (all of ($key*))
}
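As an added example (not part of the original rule or its author's tooling), the condition above reimplemented in plain Python so an analyst can see, string by string, which part of the rule fires on a sample while tuning exclusions; the sample bytes are constructed inline and the function names are my own. Because $header is the OLE2 Compound File magic, ZIP-based .docx/.xlsx files cannot match at offset 0.

```python
"""Plain-Python reimplementation of the APT_OLE_JSRat condition (added example;
use yara-python and the rule itself in production)."""
from typing import Dict

# $header: OLE2 Compound File Binary magic, must sit at offset 0.
OLE_HEADER = bytes.fromhex("D0CF11E0A1B11AE1")
# $key1 is case-sensitive; $key2..$key4 carry the nocase modifier.
KEY1 = b"AAAAAAAAAA"
NOCASE_KEYS = {
    "$key2": b"Base64Str",
    "$key3": b"DeleteFile",
    "$key4": b"Scripting.FileSystemObject",
}


def string_hits(data: bytes) -> Dict[str, bool]:
    """Per-string result for each of the rule's five patterns."""
    hits = {"$header": data.startswith(OLE_HEADER), "$key1": KEY1 in data}
    lowered = data.lower()  # bytes.lower() folds ASCII only, like YARA nocase
    for name, needle in NOCASE_KEYS.items():
        hits[name] = needle.lower() in lowered
    return hits


def matches_apt_ole_jsrat(data: bytes) -> bool:
    """Condition: $header at 0 and (all of ($key*))."""
    return all(string_hits(data).values())


def constructed_sample(header: bytes = OLE_HEADER, key1: bytes = KEY1) -> bytes:
    """Constructed test input, not a real document: magic, filler, then the
    key strings in mixed case as an embedded script body might carry them."""
    body = (
        b"\x00" * 64 + key1 + b"\x00" * 16
        + b'Set fso = CreateObject("scripting.filesystemobject")\r\n'
        + b"fso.DELETEFILE tmp\r\n"
        + b"decoded = base64str(blob)\r\n"
    )
    return header + body


if __name__ == "__main__":
    print(string_hits(constructed_sample()))
    print(matches_apt_ole_jsrat(constructed_sample()))
    # A ZIP-based .docx/.xlsx starts with "PK", so $header fails at offset 0.
    print(matches_apt_ole_jsrat(constructed_sample(header=b"PK\x03\x04")))
```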
The rule uses 5 string patterns in its detection logic: the OLE2 Compound File header at offset 0 and four key strings ($key1 to $key4), all of which must be present. This YARA rule can be deployed in the following contexts, each with a suggested filter/exclusion:
Scenario: Scheduled system maintenance using PowerShell scripts that generate OLE objects.
Filter/Exclusion: process.name != "powershell.exe" or process.parent.name != "task scheduler"
Scenario: Microsoft Excel macro-enabled files used for data automation by the finance team.
Filter/Exclusion: file.name contains "finance" or file.name contains "xlsx"
Scenario: Windows Task Scheduler job that runs a legitimate VBScript to automate report generation.
Filter/Exclusion: process.parent.name contains "task scheduler" or process.name contains "cscript.exe"
Scenario: Microsoft Word document with embedded OLE objects used for document formatting by the marketing team.
Filter/Exclusion: file.name contains "marketing" or file.name contains "docx"
Scenario: System Center Configuration Manager (SCCM) deployment that includes OLE objects for custom reporting.
Filter/Exclusion: process.name contains "ccmexec.exe" or process.parent.name contains "sccm"