CommentCrew-threat-apt1 is the AlienVault Labs YARA rule APT1_WEBC2_TABLE, written for malware attributed to APT1, also known as Comment Crew (the nickname comes from the group's WEBC2 backdoors, which pulled their commands from HTML comments embedded in attacker-controlled web pages). The rule matches two command-status strings and a GIF89 header as they appear in WEBC2-TABLE samples; it is a file and memory signature, not a detection of PowerShell script behaviour. SOC teams can treat a hit from an endpoint or file scan as an early-stage compromise indicator and pivot on the host and hash in Azure Sentinel to identify and contain the intrusion before the actor moves laterally.
YARA Rule
rule APT1_WEBC2_TABLE
{
meta:
author = "AlienVault Labs"
info = "CommentCrew-threat-apt1"
strings:
$msg1 = "Fail To Execute The Command" wide ascii
$msg2 = "Execute The Command Successfully" wide ascii
/*
$gif1 = /\w+\.gif/
*/
$gif2 = "GIF89" wide ascii
condition:
3 of them
}
The rule declares four string identifiers, but $gif1 (a regex for a word followed by .gif) sits inside a /* ... */ block comment and is not compiled, so only $msg1, $msg2 and $gif2 are active and the condition "3 of them" requires all three to be present. Each string carries the "wide ascii" modifiers, so both the plain ASCII and the UTF-16LE encoding are searched for. $gif2 alone matches any GIF89 image; the two status messages are what carry the signal. The false-positive scenarios below are process-centric filters, and a YARA file match has no process context of its own; apply them only where the scan result is correlated with process telemetry, for example the process that wrote or loaded the scanned file.
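To make the string modifiers and the counting condition concrete, here is an added example (not code from AlienVault Labs or from the original page): a small plain-Python re-implementation of the APT1_WEBC2_TABLE match logic that runs without yara-python. It encodes each string in ASCII and UTF-16LE as the "wide ascii" modifiers require, leaves the commented-out $gif1 out of the count, and scans three constructed byte blobs (not real malware) to show a full ASCII match, a full wide match, and a GIF-plus-one-message partial that correctly does not fire.

```python
# Added example, not part of the original rule or page: minimal re-implementation of the
# APT1_WEBC2_TABLE matching logic so "wide ascii" and "3 of them" can be checked offline.
from dataclasses import dataclass


@dataclass(frozen=True)
class TextString:
    name: str
    text: str
    is_ascii: bool = True   # YARA "ascii" modifier
    is_wide: bool = True    # YARA "wide" modifier: UTF-16LE form of the text

    def encodings(self) -> list[bytes]:
        """Byte patterns YARA searches for under the given modifiers."""
        forms = []
        if self.is_ascii:
            forms.append(self.text.encode("ascii"))
        if self.is_wide:
            forms.append(self.text.encode("utf-16-le"))
        return forms


# Only the three uncommented strings of the rule. $gif1 (/\w+\.gif/) is inside a
# /* ... */ block comment in the rule body and is not part of its compiled logic.
APT1_WEBC2_TABLE_STRINGS = [
    TextString("$msg1", "Fail To Execute The Command"),
    TextString("$msg2", "Execute The Command Successfully"),
    TextString("$gif2", "GIF89"),
]
REQUIRED_MATCHES = 3  # condition: 3 of them


def matched_strings(data: bytes, strings=APT1_WEBC2_TABLE_STRINGS) -> list[str]:
    """Names of the rule strings found in data, in rule order (any encoding counts)."""
    return [s.name for s in strings if any(form in data for form in s.encodings())]


def apt1_webc2_table(data: bytes) -> bool:
    """True when at least REQUIRED_MATCHES distinct strings are present."""
    return len(matched_strings(data)) >= REQUIRED_MATCHES


# Constructed samples (synthetic filler bytes, not real WEBC2 binaries).
SAMPLE_ASCII = (
    b"\x00" * 16 + b"GIF89a" + b"\x00" * 8
    + b"Fail To Execute The Command\x00"
    + b"Execute The Command Successfully\x00"
)
SAMPLE_WIDE = (
    b"MZ" + b"\x00" * 8
    + "GIF89a".encode("utf-16-le")
    + "Fail To Execute The Command".encode("utf-16-le")
    + "Execute The Command Successfully".encode("utf-16-le")
)
# A GIF header plus only one of the status messages: two strings, so no match.
SAMPLE_PARTIAL = b"GIF89a" + b"\x00" * 32 + b"Execute The Command Successfully"

if __name__ == "__main__":
    for label, blob in [("ascii", SAMPLE_ASCII), ("wide", SAMPLE_WIDE), ("partial", SAMPLE_PARTIAL)]:
        print(f"{label:8} matched={matched_strings(blob)} fires={apt1_webc2_table(blob)}")
```

The partial sample is the case worth keeping in mind when tuning: an ordinary GIF file that happens to contain one of the messages in nearby memory will not fire, because the condition demands all three active strings. If $gif1 were ever uncommented, "3 of them" would become 3 of 4 and a plain GIF carrying a ".gif" filename string plus one message would be enough, so that comment is doing real work.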
Scenario: Scheduled system maintenance or backup job using task scheduler
Filter/Exclusion: process.parent_process_name:"Task Scheduler" or process.name:"schtasks.exe"
Scenario: Admin performing a log cleanup or audit using logparser
Filter/Exclusion: process.name:"logparser.exe" or process.parent_process_name:"Windows Explorer"
Scenario: Database administrator running a routine query using sqlcmd
Filter/Exclusion: process.name:"sqlcmd.exe" or process.parent_process_name:"SQL Server Management Studio"
Scenario: IT staff deploying a software update via Group Policy
Filter/Exclusion: process.parent_process_name:"services.exe" or process.name:"gupdate.exe"
Scenario: User running a legitimate script for system monitoring using PowerShell
Filter/Exclusion: process.name:"powershell.exe" and process.command_line:"-Command", restricted to an allowlist of known benign script paths or hashes rather than excluding all PowerShell activity