CommentCrew-threat-apt1 detects potential adversary behavior involving the use of comment-based PowerShell scripts to execute malicious commands, which may indicate a low-severity but persistent threat actor leveraging obfuscation techniques. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage compromise attempts that may evade traditional detection methods.
YARA Rule
rule APT1_Revird_svc
{
    meta:
        author = "AlienVault Labs"
        info = "CommentCrew-threat-apt1"
    strings:
        $dll1 = "nwwwks.dll" wide ascii
        $dll2 = "rdisk.dll" wide ascii
        $dll3 = "skeys.dll" wide ascii
        $dll4 = "SvcHost.DLL.log" wide ascii
        $svc1 = "InstallService" wide ascii
        $svc2 = "RundllInstallA" wide ascii
        $svc3 = "RundllUninstallA" wide ascii
        $svc4 = "ServiceMain" wide ascii
        $svc5 = "UninstallService" wide ascii
    condition:
        1 of ($dll*) and 2 of ($svc*)
}
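To make the condition concrete, the following is an added example (it is not part of the original page and not AlienVault Labs' code): a small Python re-implementation of the rule's matching logic. It shows what "wide ascii" means (each string is searched both as ASCII and as UTF-16LE) and why the condition demands a DLL name plus at least two of the service export names: ServiceMain alone appears in practically every legitimate service DLL. The sample buffers are constructed for the example and are not real malware; for real scanning use the yara tool or yara-python rather than this matcher.

```python
from __future__ import annotations

# Added example, not the page's or AlienVault Labs' own code: a minimal
# re-implementation of the APT1_Revird_svc condition for learning purposes.
# String sets copied from the rule above.
DLL_STRINGS = ["nwwwks.dll", "rdisk.dll", "skeys.dll", "SvcHost.DLL.log"]
SVC_STRINGS = ["InstallService", "RundllInstallA", "RundllUninstallA",
               "ServiceMain", "UninstallService"]


def encodings(s: str) -> list[bytes]:
    """YARA 'wide ascii': match the plain ASCII bytes and the UTF-16LE ('wide')
    bytes of the same string."""
    return [s.encode("ascii"), s.encode("utf-16-le")]


def matched(data: bytes, patterns: list[str]) -> set[str]:
    """Return the subset of patterns found in data in either encoding.
    YARA strings are case-sensitive unless 'nocase' is given, so this is too."""
    return {p for p in patterns if any(enc in data for enc in encodings(p))}


def apt1_revird_svc(data: bytes) -> bool:
    """condition: 1 of ($dll*) and 2 of ($svc*)"""
    dll_hits = matched(data, DLL_STRINGS)
    svc_hits = matched(data, SVC_STRINGS)
    return len(dll_hits) >= 1 and len(svc_hits) >= 2


# Constructed sample buffers (hypothetical, not real samples).
# Hit: one DLL name (ASCII) plus two export names, one of them stored wide.
SAMPLE_HIT = (b"\x00" * 16 + b"rdisk.dll" + b"\x00" * 8
              + "ServiceMain".encode("utf-16-le") + b"\x00\x00"
              + b"InstallService\x00")
# Near miss: a DLL name but only ServiceMain, which any service DLL exports.
SAMPLE_NEAR_MISS = b"skeys.dll\x00ServiceMain\x00"
# Benign-looking: two export names but none of the DLL names.
SAMPLE_BENIGN = b"MZ\x90\x00ServiceMain\x00InstallService\x00"

if __name__ == "__main__":
    for name, buf in [("hit", SAMPLE_HIT), ("near-miss", SAMPLE_NEAR_MISS),
                      ("benign", SAMPLE_BENIGN)]:
        print(f"{name:9s} dll={sorted(matched(buf, DLL_STRINGS))} "
              f"svc={sorted(matched(buf, SVC_STRINGS))} "
              f"-> {apt1_revird_svc(buf)}")
```

Running the block prints the per-sample string hits and the final verdict; only the first buffer satisfies both halves of the condition. The near-miss case is the one to keep in mind when tuning: loosening the condition to "1 of ($svc*)" would fire on ordinary Windows service DLLs.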
This rule contains 9 string patterns in its detection logic (4 $dll* names and 5 $svc* export names). This YARA rule can be deployed in the following contexts. The scenario/exclusion pairs below are written against process telemetry fields (process.name, process.parent.name); they belong to a SIEM or EDR rule layered on top of a YARA hit, since the YARA condition itself inspects only file or memory content and has no process fields to filter on.

Scenario: Scheduled system maintenance using task scheduler to run diskdefrag.exe
Filter/Exclusion: process.name != "diskdefrag.exe" or process.parent.name == "task scheduler"

Scenario: Admin performing a database backup using sqlcmd with a scheduled job
Filter/Exclusion: process.name != "sqlcmd" or process.parent.name == "sqlagent"

Scenario: IT staff using PowerShell to automate user account creation via New-ADUser
Filter/Exclusion: process.name != "powershell.exe" or process.parent.name == "mmc.exe"

Scenario: Regular log file rotation using logrotate on Linux systems
Filter/Exclusion: process.name != "logrotate" or process.parent.name == "cron"

Scenario: Security team running a network scan using nmap as part of a compliance check
Filter/Exclusion: process.name != "nmap" or process.parent.name == "task scheduler"