The hypothesis is that the detection rule identifies potential Sofacy APT activity through suspicious file execution or persistence behaviors commonly associated with this adversary. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and mitigate early-stage Sofacy attacks before they escalate.
KQL Query
```kusto
DeviceProcessEvents
| where Timestamp > ago(7d)
| where ProcessCommandLine matches regex @'rundll32\.exe %APPDATA%.*\.dat",'
    or ProcessCommandLine matches regex @'rundll32\.exe %APPDATA%.*\.dll",#1'
| top 100 by Timestamp desc
```
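To see what the two `matches regex` clauses actually catch before running the hunt at scale, here is an added Python re-implementation of the query's filter and `top 100 by Timestamp desc` step, run over constructed sample rows. It is example code written for this page, not part of the Sentinel rule or the original Sigma rule; the `ProcessEvent` class, the `hunt` function and the sample command lines are assumptions. The last two rows illustrate the regexes' narrowness for tuning purposes: a named export instead of ordinal `#1`, or a quoted full path to rundll32.exe, falls outside both patterns, so a team that wants broader coverage needs to widen the rule rather than rely on it as written.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List

# Python copies of the two `matches regex` patterns in the KQL query above.
# KQL's regex engine is RE2; nothing in these patterns is RE2-specific, so
# Python's re module evaluates them identically (both are case-sensitive).
SOFACY_PATTERNS = [
    re.compile(r'rundll32\.exe %APPDATA%.*\.dat",'),
    re.compile(r'rundll32\.exe %APPDATA%.*\.dll",#1'),
]


@dataclass
class ProcessEvent:
    """Subset of DeviceProcessEvents columns the query touches (hypothetical shape)."""
    timestamp: str            # ISO 8601, so string ordering equals chronological ordering
    device_name: str
    process_command_line: str


def matches_sofacy_rule(command_line: str) -> bool:
    """Equivalent of the `where` clause: true if either regex finds a match."""
    return any(p.search(command_line) for p in SOFACY_PATTERNS)


def hunt(events: Iterable[ProcessEvent], limit: int = 100) -> List[ProcessEvent]:
    """Equivalent of the `where` filter followed by `top <limit> by Timestamp desc`."""
    hits = [e for e in events if matches_sofacy_rule(e.process_command_line)]
    hits.sort(key=lambda e: e.timestamp, reverse=True)
    return hits[:limit]


# Constructed sample rows; device names, timestamps and paths are invented for the example.
SAMPLE_EVENTS = [
    # Benign: Control Panel applet launched from System32 via rundll32.
    ProcessEvent("2024-05-01T08:00:00Z", "ws-01",
                 r'rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL'),
    # Matches pattern 1: .dat file under %APPDATA% followed by the literal '",'.
    ProcessEvent("2024-05-01T09:15:00Z", "ws-02",
                 r'rundll32.exe %APPDATA%\example\payload.dat",#1'),
    # Matches pattern 2: .dll under %APPDATA% invoked by ordinal #1.
    ProcessEvent("2024-05-01T09:40:00Z", "ws-03",
                 r'rundll32.exe %APPDATA%\example\loader.dll",#1'),
    # Not matched: same .dll path but a named export instead of ordinal #1.
    ProcessEvent("2024-05-01T10:05:00Z", "ws-03",
                 r'rundll32.exe %APPDATA%\example\loader.dll",Start'),
    # Not matched: the quoted full path puts a '"' between rundll32.exe and %APPDATA%.
    ProcessEvent("2024-05-01T10:30:00Z", "ws-04",
                 r'"C:\Windows\System32\rundll32.exe" %APPDATA%\example\payload.dat",'),
]


if __name__ == "__main__":
    # Prints the two matching rows, newest first, mirroring the query's output order.
    for hit in hunt(SAMPLE_EVENTS):
        print(hit.timestamp, hit.device_name, hit.process_command_line)
```

Running the script prints only the ws-03 and ws-02 rows, in that order. Note that KQL's `matches regex` is case-sensitive, as is Python's `re.compile` without `re.IGNORECASE`, so an upper-case `RUNDLL32.EXE` would also be outside the rule as written.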
```yaml
id: 36a6028d-f977-455f-be11-669e993a25d6
name: apt sofacy
description: |
  Original Sigma Rule: https://github.com/Neo23x0/sigma/blob/master/rules/apt/apt_sofacy.yml.
  Questions via Twitter: @janvonkirchheim.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceProcessEvents
query: |
  DeviceProcessEvents
  | where Timestamp > ago(7d)
  | where ProcessCommandLine matches regex @'rundll32\.exe %APPDATA%.*\.dat",'
      or ProcessCommandLine matches regex @'rundll32\.exe %APPDATA%.*\.dll",#1'
  | top 100 by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| DeviceProcessEvents | Ensure this data connector is enabled |
Scenario: Scheduled System Backup Using Veeam Backup & Replication
Description: A legitimate scheduled backup job using Veeam Backup & Replication may trigger the rule due to file system activity resembling data exfiltration.
Filter/Exclusion: process.name != "VeeamBackup.exe" or check for process.parent.name == "VeeamBackup.exe" and process.name == "vssadmin.exe".
Scenario: Windows Update or Patching via Windows Server Update Services (WSUS)
Description: WSUS may execute scripts or tools that resemble malicious activity during patch deployment, such as using PsExec or WMIC for remote execution.
Filter/Exclusion: process.name != "wuauserv.exe" or process.parent.name == "svchost.exe" and process.name == "wuauserv.exe".
Scenario: Admin Task Using PowerShell for System Monitoring
Description: An admin may use PowerShell scripts (e.g., Get-EventLog, Get-Service) to monitor system health, which could match the rule’s logic for unusual process execution.
Filter/Exclusion: process.name != "powershell.exe" or process.parent.name == "explorer.exe" and process.name == "powershell.exe" with a known admin script path.
Scenario: Log Collection Using Splunk Forwarder
Description: The Splunk Universal Forwarder may execute scripts or use tools like logrotate or rsync to collect logs, which could be flagged by the rule.
Filter/Exclusion: process.name != "splunkforwarder" or process.parent.name == "splunkforwarder" and (process.name == "logrotate" or process.name == "rsync").
Scenario: Database Maintenance Using SQL Server Agent Jobs