APT1_WEBC2_RAVE, part of the CommentCrew-threat-apt1 rule set from AlienVault Labs, is a YARA rule for the WEBC2-RAVE backdoor used by APT1, the group also known as Comment Crew. It does not inspect PowerShell or script comments: it matches a file or memory region that contains at least three of four fixed strings tied to the backdoor, namely the executable name iniet.exe, cmd.exe, the DEVFS service registry key and the "Device File System" name that goes with it. SOC teams can scan endpoints with the rule and forward hits to Azure Sentinel to hunt for early-stage activity associated with this threat group.
YARA Rule
rule APT1_WEBC2_RAVE
{
    meta:
        author = "AlienVault Labs"
        info = "CommentCrew-threat-apt1"

    strings:
        // Executable name associated with the backdoor
        $1 = "iniet.exe" wide ascii
        // Command interpreter the backdoor invokes; also present in many clean binaries
        $2 = "cmd.exe" wide ascii
        // Registry key of the service the backdoor installs
        $3 = "SYSTEM\\CurrentControlSet\\Services\\DEVFS" wide ascii
        // Descriptive name paired with the DEVFS service
        $4 = "Device File System" wide ascii

    condition:
        // Any three of the four; "wide ascii" matches both UTF-16LE and plain ASCII forms
        3 of them
}
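To show how the rule's "wide ascii" modifiers and "3 of them" condition behave, here is an added Python example that is not part of the original page or of the AlienVault rule set. It reimplements only the plain-string semantics this rule uses (no regex, no nocase) rather than calling YARA, and runs over two constructed inputs: a benign batch script that contains two of the strings, and a fabricated binary blob that stores the service strings as UTF-16LE the way a Windows binary would. The sample names and contents are invented for the demonstration.

```python
from typing import Dict, Iterator, List, Tuple

# The four string patterns exactly as written in APT1_WEBC2_RAVE; keys mirror YARA's $1..$4.
RAVE_STRINGS: Dict[str, bytes] = {
    "$1": b"iniet.exe",
    "$2": b"cmd.exe",
    "$3": b"SYSTEM\\CurrentControlSet\\Services\\DEVFS",
    "$4": b"Device File System",
}
THRESHOLD = 3  # the rule's "3 of them"


def encodings(pattern: bytes) -> Iterator[Tuple[str, bytes]]:
    """Yield the byte forms YARA searches for a string declared `wide ascii`.

    `ascii` is the raw bytes; `wide` is UTF-16LE, i.e. each character followed by 0x00.
    """
    yield "ascii", pattern
    yield "wide", pattern.decode("ascii").encode("utf-16-le")


def evaluate(data: bytes) -> dict:
    """Report which rule strings occur in `data` (and in which form) and whether
    the `3 of them` condition is met. Matching is case-sensitive, as in YARA."""
    hits: Dict[str, List[str]] = {}
    for name, pattern in RAVE_STRINGS.items():
        forms = [enc for enc, needle in encodings(pattern) if needle in data]
        if forms:
            hits[name] = forms
    return {"strings": hits, "matched": len(hits) >= THRESHOLD}


# Constructed samples (not real malware): a harmless admin script and a fake dropped binary.
SAMPLES: Dict[str, bytes] = {
    # Mentions cmd.exe and the phrase "Device File System" in a comment: only $2 and $4,
    # so the rule stays quiet even though two strings are present.
    "admin_script.bat": (
        b"@echo off\r\nREM Device File System maintenance\r\n"
        b"cmd.exe /c dir C:\\ > report.txt\r\n"
    ),
    # Fake PE-like blob holding the service key and name as UTF-16LE plus ASCII cmd.exe:
    # $3 and $4 match only in their wide form, $2 in ASCII, and the threshold is reached.
    "dropped_binary.bin": (
        b"MZ\x90\x00" + b"\x00" * 16
        + "SYSTEM\\CurrentControlSet\\Services\\DEVFS".encode("utf-16-le")
        + b"\x00\x00"
        + "Device File System".encode("utf-16-le")
        + b"\x00\x00cmd.exe\x00"
    ),
}


def scan_samples() -> Dict[str, dict]:
    """Evaluate every constructed sample and return the per-sample results."""
    return {name: evaluate(blob) for name, blob in SAMPLES.items()}


if __name__ == "__main__":
    for name, result in scan_samples().items():
        verdict = "MATCH" if result["matched"] else "no match"
        print(f"{name}: {verdict} {result['strings']}")
```

The point of the second sample is that a byte-level grep for the ASCII strings would miss the service key and name entirely; the `wide` modifier is what lets the rule fire on strings a Windows binary stores as UTF-16LE. The first sample shows why the threshold matters: cmd.exe plus one descriptive phrase is not enough on its own.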
Deployment and tuning notes: the rule has four string patterns, each matched in ASCII and in UTF-16LE (wide) form, and fires when any three of them occur in a scanned file or memory region. Because cmd.exe and generic service-related strings also appear in legitimate software, review hits together with process and parent-process telemetry before escalating. The scenarios below describe benign activity that can produce hits and the process-context filters to apply. The process.* fields are EDR/SIEM fields (for example in Azure Sentinel), not YARA fields, so these exclusions belong in the alerting or hunting layer, not in the rule itself.
Scenario: Scheduled system backup using Veeam Backup & Replication
Filter/Exclusion: process.name != "VeeamBackup.exe", or suppress when process.parent.name == "VeeamBackup.exe"
Scenario: Administrator running a Windows Task Scheduler job that generates system reports
Filter/Exclusion: process.name != "schtasks.exe", or suppress when process.parent.name == "explorer.exe"
Scenario: Database administrator using SQL Server Management Studio (SSMS) to run maintenance scripts
Filter/Exclusion: process.name != "ssms.exe", or suppress when process.parent.name == "sqlservr.exe"
Scenario: IT staff using PowerShell to automate user account creation or password resets
Filter/Exclusion: process.name != "powershell.exe", or suppress when process.parent.name == "explorer.exe" and the logged script block content matches a reviewed administrative script
Scenario: System update via Windows Update or Group Policy deployment
Filter/Exclusion: process.name != "wuauclt.exe", or suppress when process.parent.name == "svchost.exe" and process.command_line contains "updatenow"
Caveat: process names and parents are attacker-controllable (a binary can be renamed, and explorer.exe is the parent of anything launched from the desktop), so pair each exclusion with a code-signing or file-hash check and never suppress a hit on process.name alone.