CommentCrew-threat-apt1 is the info tag AlienVault Labs put on its rule set for APT1 (also tracked as Comment Crew). The rule below, APT1_aspnetreport, matches a file or a process memory region that contains the C2 URL path aspnet_client/report.asp, the beacon parameter format string name=%s&Gender=%c&Random=%04d&SessionKey=%s, and at least one of 34 file names used by APT1 payloads. It does not search for the word "CommentCrew", nor for HTML comments or obfuscated scripts; the group's name refers to its habit of hiding C2 commands in HTML comments, which is not what this signature looks at. SOC teams should run the rule against collected executables, memory dumps and sandbox samples, and forward hits to the SIEM (for example Microsoft Sentinel, formerly Azure Sentinel) to catch early-stage compromise that hash-based AV may miss.
YARA Rule
rule APT1_aspnetreport
{
    meta:
        author = "AlienVault Labs"
        info = "CommentCrew-threat-apt1"

    strings:
        $url = "aspnet_client/report.asp" wide ascii
        $param = "name=%s&Gender=%c&Random=%04d&SessionKey=%s" wide ascii
        $pay1 = "rusinfo.exe" wide ascii
        $pay2 = "cmd.exe" wide ascii
        $pay3 = "AdobeUpdater.exe" wide ascii
        $pay4 = "buildout.exe" wide ascii
        $pay5 = "DefWatch.exe" wide ascii
        $pay6 = "d.exe" wide ascii
        $pay7 = "em.exe" wide ascii
        $pay8 = "IMSCMig.exe" wide ascii
        $pay9 = "localfile.exe" wide ascii
        $pay10 = "md.exe" wide ascii
        $pay11 = "mdm.exe" wide ascii
        $pay12 = "mimikatz.exe" wide ascii
        $pay13 = "msdev.exe" wide ascii
        $pay14 = "ntoskrnl.exe" wide ascii
        $pay15 = "p.exe" wide ascii
        $pay16 = "otepad.exe" wide ascii
        $pay17 = "reg.exe" wide ascii
        $pay18 = "regsvr.exe" wide ascii
        $pay19 = "runinfo.exe" wide ascii
        $pay20 = "AdobeUpdate.exe" wide ascii
        $pay21 = "inetinfo.exe" wide ascii
        $pay22 = "svehost.exe" wide ascii
        $pay23 = "update.exe" wide ascii
        $pay24 = "NTLMHash.exe" wide ascii
        $pay25 = "wpnpinst.exe" wide ascii
        $pay26 = "WSDbg.exe" wide ascii
        $pay27 = "xcmd.exe" wide ascii
        $pay28 = "adobeup.exe" wide ascii
        $pay29 = "0830.bin" wide ascii
        $pay30 = "1001.bin" wide ascii
        $pay31 = "a.bin" wide ascii
        $pay32 = "ISUN32.EXE" wide ascii
        $pay33 = "AcroRD32.EXE" wide ascii
        $pay34 = "INETINFO.EXE" wide ascii

    condition:
        $url and $param and 1 of ($pay*)
}
This YARA rule can be deployed in the following contexts: on-demand file and directory scans with the yara command-line tool, process memory scans (yara accepts a PID as its target), and any sandbox, mail-gateway or EDR pipeline that loads YARA rule sets.
This rule contains 36 string patterns in its detection logic: the C2 URL path, the beacon parameter format string, and 34 payload file names. Every string carries the wide ascii modifier, so each is matched both as plain ASCII and as UTF-16LE, the encoding Windows binaries commonly use for embedded strings. A match requires the URL and the parameter string together with at least one payload name; the payload names alone (several are generic, such as cmd.exe, reg.exe and ntoskrnl.exe) never fire the rule on their own, and a few short names (d.exe, md.exe, p.exe, em.exe) will also match as substrings of longer hits.
Scenario: Threat-intelligence reports and IOC lists
Description: Intel documents about APT1 (PDF, HTML, CSV exports) routinely reproduce the C2 path aspnet_client/report.asp, the beacon format string and the payload file names verbatim. Scanning an analyst's downloads folder or a CTI share matches the rule with no malware present.
Filter/Exclusion: Exclude known intel directories by path and confirm the hit is a document rather than a PE: run yara with -s to print the matched strings and offsets, and treat a hit in a text or PDF body with no MZ header as documentation, not a payload.
Scenario: Detection content on disk
Description: The rule file itself contains every string it searches for, so any host that stores the rule set (a detection-engineering repository, an EDR agent's content cache, a SIEM content pack) self-matches.
Filter/Exclusion: Exclude the rule repository and agent content directories by path, and verify that the matched file actually contains YARA syntax (rule, strings:, condition:) before excluding it. Never exclude by file name alone; an attacker can drop a binary into an excluded directory.
Scenario: Security-tool process memory
Description: Memory scans of AV, EDR, sandbox and SIEM forwarder processes that have loaded the signature set match the rule because the strings are present in the scanner's own address space.
Filter/Exclusion: When scanning processes, skip the scanner's own PID and the PIDs of signed security products, and verify by image path and code signature rather than by process name, which is trivially spoofable.
Scenario: Backup and archive copies
Description: Backups, mail archives and forensic images that contain any of the above (an intel PDF, the rule set, or a quarantined APT1 sample) re-trigger the rule when the backup store is scanned.
Filter/Exclusion: Scan backup stores as a separate job and tag each hit with the original path. A hit on a quarantined sample or an acquired image is expected; deduplicate it against the earlier case instead of excluding it.
Scenario: IDS/NSM alert records and packet captures
Description: An IDS alert or a pcap that recorded a beacon to aspnet_client/report.asp carries the URL and the POST body in the alert or capture file, so scanning the alert store matches the rule.
Filter/Exclusion: Do not exclude these. A hit on an alert record or capture is evidence of the traffic it logged: route it to the existing incident and scan the source host's disk and memory for the payload names listed in the rule.
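The rule's matching logic, as an added example that is not part of the AlienVault rule set or of this page: the condition $url and $param and 1 of ($pay*) and the wide ascii modifier re-implemented in plain Python so the behaviour can be checked offline without yara installed (production scanning should use yara or yara-python). Every sample buffer is constructed here; the host name c2.example.invalid and the Temp path are placeholders. It shows an ASCII hit, a UTF-16LE (wide) hit in which the short names d.exe and md.exe also fire as substrings of cmd.exe, an admin script that merely mentions "CommentCrew" and cmd.exe (no match, since the rule never searches for the group name), and an excerpt of the rule text itself, which self-matches and is what the detection-content exclusion above has to recognise.

```python
"""Re-implementation of the APT1_aspnetreport condition for offline checks.

Added example: not AlienVault's code and not a substitute for yara. It
mirrors the rule's three string groups and its condition so an analyst can
see exactly which bytes trigger it. All inputs below are constructed.
"""

URL = b"aspnet_client/report.asp"
PARAM = b"name=%s&Gender=%c&Random=%04d&SessionKey=%s"
# The 34 $pay* strings in rule order; case-sensitive, as YARA is by default.
PAYLOADS = [
    b"rusinfo.exe", b"cmd.exe", b"AdobeUpdater.exe", b"buildout.exe",
    b"DefWatch.exe", b"d.exe", b"em.exe", b"IMSCMig.exe", b"localfile.exe",
    b"md.exe", b"mdm.exe", b"mimikatz.exe", b"msdev.exe", b"ntoskrnl.exe",
    b"p.exe", b"otepad.exe", b"reg.exe", b"regsvr.exe", b"runinfo.exe",
    b"AdobeUpdate.exe", b"inetinfo.exe", b"svehost.exe", b"update.exe",
    b"NTLMHash.exe", b"wpnpinst.exe", b"WSDbg.exe", b"xcmd.exe",
    b"adobeup.exe", b"0830.bin", b"1001.bin", b"a.bin", b"ISUN32.EXE",
    b"AcroRD32.EXE", b"INETINFO.EXE",
]


def wide(s: bytes) -> bytes:
    """The byte form YARA's 'wide' modifier matches: UTF-16LE."""
    return s.decode("ascii").encode("utf-16-le")


def has_string(data: bytes, s: bytes) -> bool:
    """'wide ascii' means either encoding, anywhere in the buffer."""
    return s in data or wide(s) in data


def matched_payloads(data: bytes) -> list:
    """Every $pay* string present. Short names also fire when they are
    substrings of a longer hit: cmd.exe pulls in md.exe and d.exe."""
    return [p.decode("ascii") for p in PAYLOADS if has_string(data, p)]


def apt1_aspnetreport(data: bytes) -> bool:
    """Condition from the rule: $url and $param and 1 of ($pay*)."""
    return (has_string(data, URL)
            and has_string(data, PARAM)
            and len(matched_payloads(data)) > 0)


def explain(data: bytes) -> dict:
    """Triage view: which of the three groups hit, plus a flag for the most
    common benign source, a file that is itself detection content."""
    return {
        "url": has_string(data, URL),
        "param": has_string(data, PARAM),
        "payloads": matched_payloads(data),
        "match": apt1_aspnetreport(data),
        # Heuristic only: YARA syntax in the scanned bytes suggests a rule
        # file or signature bundle. Verify by path and file type before
        # excluding; never exclude on this flag alone.
        "looks_like_rule_text": b"condition:" in data and b"strings:" in data,
    }


# --- constructed samples (not real malware, not real telemetry) ----------

# 1. Beacon config as it might sit in a dropper's data section (ASCII).
#    example.invalid is a reserved name; the path is a placeholder.
SAMPLE_ASCII = b"\x00".join([
    b"http://c2.example.invalid/" + URL,
    PARAM,
    b"C:\\Windows\\Temp\\AdobeUpdater.exe",
])

# 2. The same indicators stored as UTF-16LE, as Windows binaries often do.
SAMPLE_WIDE = wide(URL) + wide(PARAM) + wide(b"cmd.exe")

# 3. Admin script naming the group and cmd.exe: no URL and no parameter
#    string, so the rule stays silent whatever the comment says.
SAMPLE_COMMENT = (b"REM CommentCrew hunting notes, run nightly\r\n"
                  b"cmd.exe /c robocopy D:\\data E:\\backup /MIR\r\n")

# 4. Excerpt of the rule itself: all three groups are present, so a rule
#    repository or an agent's signature cache self-matches.
SAMPLE_RULE_TEXT = (
    b"rule APT1_aspnetreport {\n  strings:\n"
    + b'    $url = "' + URL + b'" wide ascii\n'
    + b'    $param = "' + PARAM + b'" wide ascii\n'
    + b'    $pay12 = "mimikatz.exe" wide ascii\n'
    + b"  condition:\n    $url and $param and 1 of ($pay*)\n}\n"
)

if __name__ == "__main__":
    for name, buf in [("ascii", SAMPLE_ASCII), ("wide", SAMPLE_WIDE),
                      ("comment-only", SAMPLE_COMMENT),
                      ("rule-text", SAMPLE_RULE_TEXT)]:
        print(name, explain(buf))
```

Running the script prints the triage dictionary for each sample; the comment-only buffer reports the three payload names it contains but match False, and the rule excerpt reports match True with looks_like_rule_text True, which is the case the detection-content exclusion has to handle by path verification rather than by suppressing the rule.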