TheMask/Careto SGH component signature detects potential adversary activity associated with the Careto malware family, which may indicate the presence of a sophisticated, long-term persistent threat. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate advanced threats that may have evaded traditional detection methods.
YARA Rule
rule Careto_SGH
{
    meta:
        author = "AlienVault (Alberto Ortega)"
        description = "TheMask / Careto SGH component signature"
        reference = "www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf"
        date = "2014/02/11"
    strings:
        $m1 = "PGPsdkDriver" ascii wide fullword
        $m2 = "jpeg1x32" ascii wide fullword
        $m3 = "SkypeIE6Plugin" ascii wide fullword
        $m4 = "CDllUninstall" ascii wide fullword
    condition:
        2 of them
}
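To make the rule's modifiers concrete, the following added Python example (not part of the original rule or AlienVault's code) approximates how YARA evaluates the four "ascii wide fullword" strings and the "2 of them" condition over constructed byte buffers; the helper names and sample buffers are assumptions, not real Careto samples.

```python
import re

# Strings and condition transcribed from the Careto_SGH rule above.
RULE_STRINGS = {
    "$m1": b"PGPsdkDriver",
    "$m2": b"jpeg1x32",
    "$m3": b"SkypeIE6Plugin",
    "$m4": b"CDllUninstall",
}
REQUIRED_MATCHES = 2  # condition: "2 of them"

ALNUM = rb"[A-Za-z0-9]"


def _compile(literal: bytes) -> list:
    """Build regexes approximating YARA's 'ascii wide fullword' modifiers.
    fullword: the match must not be adjacent to an alphanumeric character;
    for the wide (UTF-16LE) form the neighbour is checked as a wide char."""
    ascii_pat = rb"(?<!" + ALNUM + rb")" + re.escape(literal) + rb"(?!" + ALNUM + rb")"
    wide_literal = literal.decode("ascii").encode("utf-16-le")
    wide_pat = rb"(?<!" + ALNUM + rb"\x00)" + re.escape(wide_literal) + rb"(?!" + ALNUM + rb"\x00)"
    return [re.compile(ascii_pat), re.compile(wide_pat)]


PATTERNS = {name: _compile(lit) for name, lit in RULE_STRINGS.items()}


def matching_strings(data: bytes) -> list:
    """Return the identifiers ($m1..$m4) whose ascii or wide form occurs in data."""
    return [name for name, pats in PATTERNS.items() if any(p.search(data) for p in pats)]


def rule_matches(data: bytes) -> bool:
    """Evaluate the rule condition '2 of them'."""
    return len(matching_strings(data)) >= REQUIRED_MATCHES


# Constructed sample buffers (hypothetical, not real Careto binaries).
SAMPLE_HIT = (b"\\Drivers\\PGPsdkDriver.sys\x00"            # $m1 as ascii, fullword ok
              + b"\x00\x00" + "jpeg1x32".encode("utf-16-le") + b"\x00\x00")  # $m2 as wide
SAMPLE_ONE = b"padding\x00CDllUninstall\x00padding"          # only $m4: below threshold
SAMPLE_PARTIAL = b"SkypeIE6Plugin\x00 jpeg1x32abc"           # $m2 fails fullword ('a' follows)

if __name__ == "__main__":
    for label, buf in (("hit", SAMPLE_HIT), ("one", SAMPLE_ONE), ("partial", SAMPLE_PARTIAL)):
        print(label, matching_strings(buf), rule_matches(buf))
```

The wide form is what the rule sees inside Unicode Windows binaries; the partial sample shows why fullword keeps a substring such as jpeg1x32abc from counting toward the threshold.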
This YARA rule can be deployed in the following contexts:
This rule contains 4 string patterns in its detection logic.
Scenario: Legitimate system update or patch deployment using Microsoft System Center Configuration Manager (SCCM)
Filter/Exclusion: Check for ProcessName containing msiexec.exe or setup.exe associated with known SCCM update packages.
Scenario: Scheduled backup job using Veeam Backup & Replication
Filter/Exclusion: Filter by ProcessName containing veeam.exe and check for CommandLine containing backup or schedule.
Scenario: Administrative task involving Microsoft Defender ATP signature updates
Filter/Exclusion: Look for ProcessName containing MsDefenderATP.exe or MpCmdRun.exe with command line arguments related to signature updates.
Scenario: Legitimate use of the Windows Task Scheduler to run maintenance scripts
Filter/Exclusion: Filter by ProcessName containing schtasks.exe and check for CommandLine containing run or execute with known internal script paths.
Scenario: Use of the Windows Event Log viewer (eventvwr.exe) for log analysis
Filter/Exclusion: Filter by ProcessName containing eventvwr.exe and exclude processes launched from the Event Viewer GUI or known log analysis tools.