CommentCrew-threat-apt1 detects potential adversary behavior involving suspicious comment-based PowerShell scripts that may be used for initial access or command and control. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage compromise attempts by threat actors leveraging script-based persistence.
YARA Rule
rule AURIGA_APT1
{
    meta:
        author = "AlienVault Labs"
        info = "CommentCrew-threat-apt1"
    strings:
        $s1 = "superhard corp." wide ascii
        $s2 = "microsoft corp." wide ascii
        $s3 = "[Insert]" wide ascii
        $s4 = "[Delete]" wide ascii
        $s5 = "[End]" wide ascii
        $s6 = "!(*@)(!@KEY" wide ascii
        $s7 = "!(*@)(!@SID=" wide ascii
    condition:
        all of them
}
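As an added illustration (not part of the AlienVault rule or this page), the following Python re-implements the string semantics of AURIGA_APT1: the `wide ascii` modifiers make YARA look for both the raw ASCII bytes and the UTF-16LE encoding of each string, and `all of them` requires every one of the seven strings to be present. The sample buffers are constructed; for real scanning use yara-python rather than this emulation.

```python
# Added example: emulates how YARA evaluates AURIGA_APT1's strings and
# condition. Illustration only; real scans should use yara-python.

# The seven strings exactly as declared in the rule (case-sensitive,
# since the rule does not use the "nocase" modifier).
RULE_STRINGS = {
    "$s1": b"superhard corp.",
    "$s2": b"microsoft corp.",
    "$s3": b"[Insert]",
    "$s4": b"[Delete]",
    "$s5": b"[End]",
    "$s6": b"!(*@)(!@KEY",
    "$s7": b"!(*@)(!@SID=",
}


def variants(s: bytes) -> tuple[bytes, bytes]:
    """'wide ascii': YARA searches for the ASCII bytes and the UTF-16LE form."""
    return s, s.decode("ascii").encode("utf-16-le")


def match_strings(data: bytes) -> dict[str, bool]:
    """Per-string result: True if either encoding occurs anywhere in data."""
    return {name: any(v in data for v in variants(s))
            for name, s in RULE_STRINGS.items()}


def auriga_apt1(data: bytes) -> bool:
    """Condition 'all of them': every declared string must match at least once."""
    return all(match_strings(data).values())


def _wide(text: str) -> bytes:
    return text.encode("utf-16-le")


# Constructed sample: all seven markers, mixing ASCII and UTF-16LE forms
# the way a PE's strings and resources might carry them.
SAMPLE_HIT = (
    b"MZ\x90\x00" + b"\x00" * 12
    + b"superhard corp." + b"\x00"
    + _wide("microsoft corp.") + b"\x00\x00"
    + b"[Insert]" + b"[Delete]" + b"[End]"
    + _wide("!(*@)(!@KEY") + b"!(*@)(!@SID="
)

# Constructed sample missing $s7: six of seven hits is not enough.
SAMPLE_PARTIAL = SAMPLE_HIT.replace(b"!(*@)(!@SID=", b"")

if __name__ == "__main__":
    print("full sample:", auriga_apt1(SAMPLE_HIT))        # True
    print("partial sample:", auriga_apt1(SAMPLE_PARTIAL))  # False
```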
This rule contains 7 string patterns in its detection logic.
This YARA rule can be deployed in the following contexts:
Scenario: Scheduled system backup using Veeam Backup & Replication
Filter/Exclusion: process.name != "vbm" AND process.name != "vbackup"
Scenario: Admin performing a Windows Update via Group Policy
Filter/Exclusion: process.name != "wusa.exe" AND process.name != "gpupdate.exe"
Scenario: Database maintenance task using SQL Server Agent Job
Filter/Exclusion: process.name != "sqlservr.exe" AND process.name != "sqlagent.exe"
Scenario: User running a PowerShell script for log rotation or file cleanup
Filter/Exclusion: process.name != "powershell.exe" OR (process.args NOT LIKE "*logrotate*" AND process.args NOT LIKE "*cleanup*")
Scenario: IT staff using Ansible to deploy configuration changes
Filter/Exclusion: process.name != "ansible" AND process.name != "ansible-playbook"