The hypothesis is that the detection rule surfaces potential Sofacy/Zebrocy APT activity by matching the host-profiling command line `cmd.exe /c SYSTEMINFO & TASKLIST` that this adversary's loaders run on a newly compromised machine; the rule keys on that process command line, not on file writes or persistence artifacts. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect early-stage compromise and limit the impact of a sophisticated threat actor reusing known TTPs.
KQL Query

```kql
DeviceProcessEvents
| where Timestamp > ago(7d)
| where ProcessCommandLine endswith "cmd.exe /c SYSTEMINFO & TASKLIST"
| top 100 by Timestamp desc
```

Two properties of this query matter when triaging results. KQL `endswith` is case-insensitive (use `endswith_cs` for a case-sensitive match), so `cmd.exe /c systeminfo & tasklist` is also a hit. It is also a strict suffix match: any variation in spacing, a trailing argument, or a quoted `cmd.exe` path (`"C:\Windows\System32\cmd.exe" /c ...`, where the closing quote sits between `cmd.exe` and `/c`) will not match, so the rule trades recall for a very low false-positive rate.
Sentinel Hunting Query (YAML)

```yaml
id: 92f02b0b-cd8e-4d49-957c-5ad0ee86da65
name: apt sofacy zebrocy
description: |
  Original Sigma Rule: https://github.com/Neo23x0/sigma/blob/master/rules/apt/apt_sofacy_zebrocy.yml.
  Questions via Twitter: @janvonkirchheim.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceProcessEvents
query: |
  DeviceProcessEvents
  | where Timestamp > ago(7d)
  | where ProcessCommandLine endswith "cmd.exe /c SYSTEMINFO & TASKLIST"
  | top 100 by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| DeviceProcessEvents | Ensure the MicrosoftThreatProtection (Microsoft 365 Defender) data connector is enabled and streaming this table |
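The query's two `where` clauses and the `top` clause, replayed in Python over constructed DeviceProcessEvents-style rows, as an added example (editor-written illustration code, not the rule's or Sentinel's own): it shows that KQL `endswith` ignores case, that extra whitespace or a quoted `cmd.exe` path defeats the suffix match, and how an `InitiatingProcessFileName` allow-list of the kind the false-positive scenarios below describe narrows the result set. The host names, parent process names, timestamps and the `maint-agent.exe` exclusion are all assumptions made up for the example.

```python
"""Added example (not part of the original page): replays the hunting
query's match logic over constructed DeviceProcessEvents-style rows so the
behaviour of KQL `endswith` can be checked offline before the rule is run
in Sentinel.  Sample rows, host names and the exclusion list are made up."""
from datetime import datetime, timedelta, timezone

# Suffix from the query.  KQL `endswith` is case-insensitive (the
# case-sensitive form is `endswith_cs`), so both sides are casefolded below.
PATTERN = "cmd.exe /c SYSTEMINFO & TASKLIST"
LOOKBACK = timedelta(days=7)  # `where Timestamp > ago(7d)`

# Fixed "now" so the example is repeatable.
NOW = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)


def _row(age, device, parent, cmdline):
    """Build one constructed DeviceProcessEvents-style row (assumed data)."""
    return {"Timestamp": NOW - age, "DeviceName": device,
            "InitiatingProcessFileName": parent, "ProcessCommandLine": cmdline}


# Constructed sample telemetry (not real data).
SAMPLE_EVENTS = [
    # exact suffix, spawned by an unknown loader: a hit
    _row(timedelta(hours=2), "ws01", "loader.exe",
         "cmd.exe /c SYSTEMINFO & TASKLIST"),
    # unrelated tasklist usage: no hit
    _row(timedelta(hours=1), "ws05", "explorer.exe", "cmd.exe /c tasklist /v"),
    # extra spaces around "&": the suffix no longer matches (caveat)
    _row(timedelta(hours=5), "ws04", "loader.exe",
         "cmd.exe /c SYSTEMINFO  &  TASKLIST"),
    # same command in lower case: still a hit because endswith ignores case
    _row(timedelta(days=1), "ws02", "wscript.exe",
         "cmd.exe /c systeminfo & tasklist"),
    # unquoted full path before cmd.exe: still ends with the suffix, so a
    # hit; the parent is a hypothetical maintenance agent used below to show
    # an exclusion of the kind the false-positive scenarios describe
    _row(timedelta(days=3), "ws03", "maint-agent.exe",
         "C:\\Windows\\System32\\cmd.exe /c SYSTEMINFO & TASKLIST"),
    # quoted image path: the closing quote sits between cmd.exe and /c, so
    # the suffix does not match (caveat)
    _row(timedelta(days=4), "ws07", "loader.exe",
         '"C:\\Windows\\System32\\cmd.exe" /c SYSTEMINFO & TASKLIST'),
    # matching command but outside the 7-day lookback: no hit
    _row(timedelta(days=9), "ws06", "loader.exe",
         "cmd.exe /c SYSTEMINFO & TASKLIST"),
]


def matches_rule(event, now=NOW):
    """Mirror the query's two `where` clauses for a single row."""
    in_window = event["Timestamp"] > now - LOOKBACK
    suffix_hit = event["ProcessCommandLine"].casefold().endswith(PATTERN.casefold())
    return in_window and suffix_hit


def hunt(events, now=NOW, limit=100):
    """Mirror the full query: filter, then `top 100 by Timestamp desc`."""
    hits = [e for e in events if matches_rule(e, now)]
    hits.sort(key=lambda e: e["Timestamp"], reverse=True)
    return hits[:limit]


def hunt_excluding_parents(events, benign_parents, now=NOW, limit=100):
    """Same query with an allow-list on InitiatingProcessFileName, the
    DeviceProcessEvents column that names the parent process.  The allow-list
    is an assumption here; in practice it must come from your own baseline."""
    allowed = {p.casefold() for p in benign_parents}
    return [e for e in hunt(events, now, limit)
            if e["InitiatingProcessFileName"].casefold() not in allowed]


def device_names(hits):
    """Convenience view of a result set, newest first."""
    return [e["DeviceName"] for e in hits]


if __name__ == "__main__":
    for e in hunt(SAMPLE_EVENTS):
        print(e["Timestamp"].isoformat(), e["DeviceName"],
              e["InitiatingProcessFileName"], e["ProcessCommandLine"])
```

Running the script lists ws01, ws02 and ws03, newest first; ws04 and ws07 are the recall gaps (spacing and a quoted path), ws06 falls outside the lookback, and passing `{"maint-agent.exe"}` to `hunt_excluding_parents` drops ws03. Whatever you put in such an allow-list should be a parent you have confirmed runs that exact command on a schedule, since Zebrocy's loader is itself a plain executable parent.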
False-positive scenarios. The query matches only a command line that ends with the exact suffix `cmd.exe /c SYSTEMINFO & TASKLIST`, so the benign activities below fire only when they shell out to that same systeminfo/tasklist pair; the columns named in each exclusion are the DeviceProcessEvents columns to filter on (FileName, InitiatingProcessFileName, AccountName, ProcessCommandLine).

Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task (e.g., Task Scheduler) runs a script that uses curl or wget to download a file from an internal repository.
Filter/Exclusion: Check the source URL against internal IP ranges or internal domain names. Exclude tasks with known internal URLs, or filter on InitiatingProcessFileName to identify system maintenance tasks.
Scenario: Software Update via Chocolatey
Description: A system administrator uses Chocolatey to install or update software, which may involve downloading files from a public or internal repository.
Filter/Exclusion: Use FileName to exclude choco.exe, or filter on InitiatingProcessFileName to identify administrative tasks. Also check ProcessCommandLine for `choco install` commands.
Scenario: Admin User Performing Remote Debugging
Description: An admin user uses ssh or rdp to remotely debug an application, which may involve executing commands that resemble malicious behavior.
Filter/Exclusion: Filter on AccountName to exclude known admin users, and use InitiatingProcessFileName to identify remote session tools such as ssh.exe or mstsc.exe. Treat account-based exclusions with care, since an admin account is exactly what an intruder running this reconnaissance would prefer to hold.
Scenario: Legitimate File Transfer via PowerShell
Description: A PowerShell script is used to transfer files between servers using Invoke-WebRequest or Invoke-RestMethod, which may trigger the rule if the script ends with the same command pattern.
Filter/Exclusion: Check FileName for powershell.exe and filter on ProcessCommandLine to identify legitimate file transfer scripts. Use an InitiatingProcessFileName filter to identify known administrative scripts.
Scenario: Internal Reconnaissance Tool Usage
Description: A security team member uses a tool like PowerSploit or PoshC2 for