BISCUIT_GREENCAT_APT1 is a YARA rule from the AlienVault Labs rule set tagged CommentCrew-threat-apt1 (Comment Crew is the intrusion group Mandiant designated APT1). It targets samples of the BISCUIT and GREENCAT backdoors described in the APT1 report by matching six hard-coded strings found in those binaries: two error messages ("get user name error!", "get computer name error!"), two status strings ("----client system info----", "cmd success!") and the short tokens "zxdosml" and "stfile". Because the condition is all of them, every one of the six strings must be present in the scanned file or memory region; this keeps false positives low, but a build in which any one string has been removed or altered will not fire. The rule is content-based: run it with the yara scanner over files, mail attachments, sandbox drops or process memory, not as a process-event query in a SIEM.
YARA Rule
rule BISCUIT_GREENCAT_APT1
{
    meta:
        author = "AlienVault Labs"
        info = "CommentCrew-threat-apt1"

    strings:
        $s1 = "zxdosml" wide ascii
        $s2 = "get user name error!" wide ascii
        $s3 = "get computer name error!" wide ascii
        $s4 = "----client system info----" wide ascii
        $s5 = "stfile" wide ascii
        $s6 = "cmd success!" wide ascii

    condition:
        all of them
}
This YARA rule can be deployed in the following contexts: scheduled or on-access endpoint file scans, mail and web gateway attachment scanning, sandbox post-processing of dropped files, and process-memory scans (yara's process-scanning mode, or an EDR that runs YARA against memory).
This rule contains 6 string patterns in its detection logic. Each carries the wide ascii modifiers, so both the plain ASCII bytes and the UTF-16LE form of the string are searched; none carries nocase, so matching is byte-exact and case-sensitive. The condition all of them requires every pattern to hit at least once.
Tuning: a YARA hit is a property of the bytes scanned, not of the process that wrote or loaded them, so parent-process and command-line exclusions (Task Scheduler, SQL Server Agent, LogParser, PowerShell report scripts, Windows Update) do not apply to this rule and should not be layered on top of it. The exclusions that do make sense are path- and content-based:
Scenario: Scanning a directory that holds the rule set itself, or incident reports and threat-intelligence notes that quote these strings
Filter/Exclusion: exclude the rule repository and report archives by path, or allowlist those specific files by hash; the rule's own source contains all six ASCII strings and will match itself.
Scenario: Memory-scan hit in a process that was started by a legitimate scheduler or service
Filter/Exclusion: none by process name; investigate the process regardless of its parent, since none of these strings is produced by normal task-scheduler, SQL Agent, LogParser or Windows Update activity.
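The following is an added example, not part of the original page and not code from AlienVault Labs or the YARA project: a pure-Python model of what BISCUIT_GREENCAT_APT1 evaluates, so the effect of the wide ascii modifiers, the absence of nocase, the all of them condition and the self-match caveat can be checked without a yara install. The sample blobs (SAMPLE_ASCII, SAMPLE_WIDE, SAMPLE_PARTIAL, SAMPLE_UPPER) are constructed byte strings, not real malware, and the scan/rule_matches functions are a model of the rule's semantics, not the YARA engine; production scanning uses the yara CLI or yara-python.

```python
# Added example: a model of how BISCUIT_GREENCAT_APT1 evaluates. Not the
# YARA engine and not AlienVault Labs code; sample blobs below are constructed.

RULE_NAME = "BISCUIT_GREENCAT_APT1"

# The six strings exactly as declared in the rule. There is no `nocase`
# modifier, so matching is byte-exact and case-sensitive.
RULE_STRINGS = {
    "$s1": "zxdosml",
    "$s2": "get user name error!",
    "$s3": "get computer name error!",
    "$s4": "----client system info----",
    "$s5": "stfile",
    "$s6": "cmd success!",
}


def encodings(text):
    """Byte forms the `wide ascii` modifiers make YARA look for:
    the raw ASCII bytes and the UTF-16LE ("wide") form."""
    return {"ascii": text.encode("ascii"), "wide": text.encode("utf-16-le")}


def scan(data):
    """Return {identifier: [(offset, form), ...]} for every declared string
    found anywhere in `data`, in either encoding (what `yara -s` would list)."""
    hits = {}
    for ident, text in RULE_STRINGS.items():
        for form, needle in encodings(text).items():
            start = 0
            while (idx := data.find(needle, start)) >= 0:
                hits.setdefault(ident, []).append((idx, form))
                start = idx + 1
    return hits


def rule_matches(data):
    """The rule's condition is `all of them`: fire only when every one of
    the six identifiers has at least one hit, in any encoding."""
    return set(scan(data)) == set(RULE_STRINGS)


# ---- constructed samples: plain byte blobs standing in for scanned files ----

def build_sample(strings, wide=False):
    """Fake 'binary': an MZ marker, then each string followed by NUL padding."""
    filler = b"\x00" * 32
    enc = (lambda s: s.encode("utf-16-le")) if wide else (lambda s: s.encode("ascii"))
    return b"MZ" + filler + b"".join(enc(s) + filler for s in strings)


ALL_SIX = list(RULE_STRINGS.values())

SAMPLE_ASCII = build_sample(ALL_SIX)                       # all six, ASCII   -> match
SAMPLE_WIDE = build_sample(ALL_SIX, wide=True)             # all six, UTF-16  -> match
SAMPLE_PARTIAL = build_sample(ALL_SIX[1:])                 # "zxdosml" absent -> no match
SAMPLE_UPPER = build_sample([s.upper() for s in ALL_SIX])  # case differs     -> no match

# The rule's own source contains all six ASCII strings, so a sweep of the
# directory holding the .yar file reports a hit on the rule file itself.
RULE_TEXT = b"""rule BISCUIT_GREENCAT_APT1
{
    strings:
        $s1 = "zxdosml" wide ascii
        $s2 = "get user name error!" wide ascii
        $s3 = "get computer name error!" wide ascii
        $s4 = "----client system info----" wide ascii
        $s5 = "stfile" wide ascii
        $s6 = "cmd success!" wide ascii
    condition:
        all of them
}
"""


if __name__ == "__main__":
    for label, blob in [("ascii", SAMPLE_ASCII), ("wide", SAMPLE_WIDE),
                        ("partial", SAMPLE_PARTIAL), ("upper", SAMPLE_UPPER),
                        ("rule file", RULE_TEXT)]:
        print(f"{label:9s} {RULE_NAME} match={rule_matches(blob)} "
              f"matched={sorted(scan(blob))}")
```

Running the block prints one line per sample: the ASCII and UTF-16LE blobs and the rule text match, the blob missing "zxdosml" reports five of six identifiers and no match, and the upper-cased blob reports nothing, which is the behaviour to expect from the real rule given its modifiers and condition.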