Adversaries may use Azure Blob Storage to exfiltrate data by leveraging comment metadata in blob objects, which can be used to covertly transmit stolen information. SOC teams should proactively hunt for this behavior to detect potential data exfiltration attempts that evade traditional detection methods.
YARA Rule
rule BANGAT_APT1
{
    meta:
        author = "AlienVault Labs"
        info = "CommentCrew-threat-apt1"
    strings:
        $s1 = "superhard corp." wide ascii
        $s2 = "microsoft corp." wide ascii
        $s3 = "[Insert]" wide ascii
        $s4 = "[Delete]" wide ascii
        $s5 = "[End]" wide ascii
        $s6 = "!(*@)(!@KEY" wide ascii
        $s7 = "!(*@)(!@SID=" wide ascii
        $s8 = "end binary output" wide ascii
        $s9 = "XriteProcessMemory" wide ascii
        $s10 = "IE:Password-Protected sites" wide ascii
        $s11 = "pstorec.dll" wide ascii
    condition:
        all of them
}
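To make the rule's semantics concrete, here is an added Python example (not part of the original page or of AlienVault's rule) that reproduces the two things a reader most often gets wrong about it: the `wide ascii` modifier means each string is searched both as plain ASCII and as UTF-16LE, and `all of them` means every one of the 11 strings must be present, case-sensitively, in at least one of those forms. The sample buffers are constructed here for illustration and do not represent any real BANGAT sample.

```python
# Reference check for the BANGAT_APT1 rule above (added example, not the
# original rule or an official YARA implementation). The strings are the
# page's own; the sample buffers are constructed for demonstration only.

# The $s1..$s11 values from the rule, in order.
BANGAT_STRINGS = [
    "superhard corp.",
    "microsoft corp.",
    "[Insert]",
    "[Delete]",
    "[End]",
    "!(*@)(!@KEY",
    "!(*@)(!@SID=",
    "end binary output",
    "XriteProcessMemory",
    "IE:Password-Protected sites",
    "pstorec.dll",
]


def matched_strings(data: bytes, strings=BANGAT_STRINGS) -> dict:
    """Return {string: [forms]} for every rule string found in `data`.

    'ascii' means the raw single-byte encoding matched; 'wide' means the
    UTF-16LE encoding matched (what YARA's `wide` modifier searches for).
    YARA strings are case-sensitive unless `nocase` is given, so no folding
    is done here either.
    """
    hits = {}
    for s in strings:
        forms = []
        if s.encode("ascii") in data:
            forms.append("ascii")
        if s.encode("utf-16-le") in data:
            forms.append("wide")
        if forms:
            hits[s] = forms
    return hits


def rule_matches(data: bytes, strings=BANGAT_STRINGS) -> bool:
    """`condition: all of them` -- every string must match in some form."""
    return len(matched_strings(data, strings)) == len(strings)


def build_sample(strings, drop=None) -> bytes:
    """Constructed buffer: even-indexed strings as ASCII, odd-indexed as
    UTF-16LE, separated by NUL padding. `drop` omits one string so the
    'all of them' condition fails."""
    parts = [b"MZ\x90\x00" + b"\x00" * 16]  # constructed filler header
    for i, s in enumerate(strings):
        if s == drop:
            continue
        parts.append(s.encode("utf-16-le") if i % 2 else s.encode("ascii"))
        parts.append(b"\x00" * 4)
    return b"".join(parts)


SAMPLE_FULL = build_sample(BANGAT_STRINGS)
SAMPLE_PARTIAL = build_sample(BANGAT_STRINGS, drop="pstorec.dll")

if __name__ == "__main__":
    for name, buf in (("full", SAMPLE_FULL), ("partial", SAMPLE_PARTIAL)):
        hits = matched_strings(buf)
        print(f"{name}: {len(hits)}/{len(BANGAT_STRINGS)} strings, "
              f"rule fires = {rule_matches(buf)}")
```

The partial buffer matches 10 of 11 strings and still does not fire, which is the point of `all of them`: a single missing artifact (here `pstorec.dll`, dropped from the sample) suppresses the alert, so a variant that renames one string evades this rule entirely. That trade-off (low false positives, brittle against modification) is worth keeping in mind when deciding how much weight to give a hit from it.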
This rule contains 11 string patterns in its detection logic.

This YARA rule can be deployed in the following contexts, each paired with a filter/exclusion for tuning:

Scenario: Scheduled system maintenance job using task scheduler
Filter/Exclusion: process.parent_process_name:"Task Scheduler" or process.name:"schtasks.exe"

Scenario: Admin performing a database backup using SQL Server Agent Job
Filter/Exclusion: process.parent_process_name:"sqlservr.exe" or process.name:"sqlagent.exe"

Scenario: IT staff using PowerShell to automate user account creation
Filter/Exclusion: process.name:"powershell.exe" and process.parent_process_name:"cmd.exe" or process.command_line:"New-LocalUser"

Scenario: Regular log file rotation using logrotate on Linux systems
Filter/Exclusion: process.name:"logrotate" or process.parent_process_name:"systemd"

Scenario: System update via Windows Update or WSUS
Filter/Exclusion: process.name:"wuauclt.exe" or process.parent_process_name:"svchost.exe"