This detection identifies a patched copy of cmd.exe used by RoyalCli, a backdoor attributed to APT15 in the NCC Group analysis referenced below. A stock cmd.exe carries the policy value name DisableCMD (the value it checks under Software\Policies\Microsoft\Windows\System); the patched copy carries eisableCMD, a one-byte change, alongside three strings common to every cmd.exe build, so a file matching all four is a modified binary rather than a Windows-supplied one. SOC teams should proactively hunt for this in Azure Sentinel (now Microsoft Sentinel) to identify adversary activity that relies on custom or patched command-line tools for execution or persistence.
YARA Rule
rule clean_apt15_patchedcmd
{
    meta:
        author = "Ahmed Zaki"
        description = "This is a patched CMD. This is the CMD that RoyalCli uses."
        reference = "https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2018/march/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/"
        sha256 = "90d1f65cfa51da07e040e066d4409dc8a48c1ab451542c894a623bc75c14bf8f"
    strings:
        // A stock cmd.exe contains "DisableCMD" (the policy value it checks);
        // the patched copy contains this one-byte variant instead.
        $ = "eisableCMD" wide
        // Strings present in any cmd.exe build; they anchor the match to a
        // command processor rather than to an arbitrary file with the first string.
        $ = "%WINDOWS_COPYRIGHT%" wide
        $ = "Cmd.Exe" wide
        $ = "Windows Command Processor" wide
    condition:
        all of them
}
Note that the rule matches file content, not process behaviour: a stock cmd.exe contains the string DisableCMD, so a binary carrying eisableCMD together with the other three strings is a patched copy however it was launched. Parent-process and command-line filters therefore do not reduce matches of the rule itself; they belong in the hunt query that joins a file match to process telemetry, where they help separate routine cmd.exe activity from execution of the patched binary. With that in mind, the rule can be deployed in the following contexts:
Scenario: An administrator keeps a renamed or relocated copy of cmd.exe for routine maintenance tasks, such as updating system configurations or managing services.
Filter/Exclusion: Compare the file's hash with that of %SystemRoot%\System32\cmd.exe from the same Windows build. An unmodified copy does not contain eisableCMD, so a match on such a copy still means the binary was patched and must not be excluded on the strength of who runs it.
Scenario: A scheduled job runs a PowerShell script that uses cmd.exe to execute a batch file that is part of a standard system update or patching process.
Filter/Exclusion: Exclude processes whose parent is the Task Scheduler service host (svchost.exe hosting the Schedule service; schtasks.exe only creates and modifies tasks and is not the parent of a running task) and whose command line references the expected update scripts or paths, provided the cmd.exe image is the one under %SystemRoot%\System32 or %SystemRoot%\SysWOW64.
Scenario: A Windows Update task is executed via Task Scheduler and triggers a cmd.exe process to run a script or executable as part of the update process.
Filter/Exclusion: Apply the same Task Scheduler parent check as above and confirm that the command-line arguments or paths are Windows Update related; verify the image path of the cmd.exe that actually ran.
Scenario: A third-party deployment tool (e.g., Microsoft Endpoint Manager (MEM) or Intune) uses cmd.exe to deploy configuration profiles or scripts to endpoints.
Filter/Exclusion: Exclude processes whose parent is a known deployment agent (e.g., msiexec.exe for MSI installs, or the Intune Management Extension agent for Intune-delivered scripts) and whose command line carries deployment-related parameters.
Scenario: A system diagnostic tool (e.g., Windows Performance Analyzer (WPA) or Process Monitor) launches cmd.exe to run scripts for log collection or analysis.
Filter/Exclusion: Exclude processes whose parent is a known diagnostic tool and whose command line contains the expected collection or analysis commands.
In every case the exclusion applies to the process telemetry, not to the file match: check the path and hash of the cmd.exe image that executed against the Windows-supplied binary, and treat a file that matches the rule as malicious whatever its parent process.
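To make the rule's logic concrete, the following is an added example written for this page (it is not NCC Group's code and not part of the original rule). It re-implements the four `wide` string checks and the `all of them` condition in pure Python so they can be exercised without `yara` installed, and it shows why a stock cmd.exe does not match: the constructed stand-in buffers below carry the policy value name DisableCMD, and a single-byte patch of that name to eisableCMD is what turns a non-match into a match. The sample buffers are constructed for the demonstration and are not real cmd.exe bytes.

```python
"""Added example: pure-Python equivalent of the clean_apt15_patchedcmd checks.
Not the original rule's code; the byte buffers below are constructed for the
demo and are not taken from a real cmd.exe."""
from pathlib import Path

# The four literals from the rule. YARA's `wide` modifier matches the UTF-16LE
# encoding of the literal, so a plain ASCII occurrence does not count.
RULE_STRINGS = (
    "eisableCMD",
    "%WINDOWS_COPYRIGHT%",
    "Cmd.Exe",
    "Windows Command Processor",
)


def wide(s: str) -> bytes:
    """Encode a literal the way YARA's `wide` modifier expects it."""
    return s.encode("utf-16-le")


def matches_patched_cmd(data: bytes) -> bool:
    """Equivalent of `condition: all of them` over the rule's wide strings."""
    return all(wide(s) in data for s in RULE_STRINGS)


def missing_strings(data: bytes) -> list[str]:
    """Which rule strings are absent; useful when triaging a near-miss."""
    return [s for s in RULE_STRINGS if wide(s) not in data]


def scan_file(path: str) -> bool:
    """Apply the check to a file on disk (e.g. a collected cmd.exe sample)."""
    return matches_patched_cmd(Path(path).read_bytes())


# Constructed stand-in for a stock cmd.exe: it carries the policy value name
# DisableCMD (the value cmd.exe checks under Software\Policies) plus the three
# common strings. The padding bytes stand in for surrounding PE content.
STOCK_CMD = (
    b"\x00" * 16
    + wide("DisableCMD")
    + b"\x90" * 8
    + wide("%WINDOWS_COPYRIGHT%")
    + wide("Cmd.Exe")
    + b"\x00\x00"
    + wide("Windows Command Processor")
    + b"\x00" * 16
)

# A one-byte patch turns the stock buffer into what the rule hunts for: the
# first UTF-16LE code unit of "DisableCMD" ('D', 0x44) becomes 'e' (0x65).
PATCHED_CMD = STOCK_CMD.replace(wide("DisableCMD"), wide("eisableCMD"), 1)

# The same text ASCII-encoded: the rule would NOT fire on this, because every
# string is declared `wide` only.
ASCII_ONLY = b"".join(s.encode("ascii") for s in RULE_STRINGS)


def byte_diff_count(a: bytes, b: bytes) -> int:
    """Number of differing byte positions between two equal-length buffers."""
    return sum(x != y for x, y in zip(a, b))


if __name__ == "__main__":
    for name, buf in (("stock", STOCK_CMD), ("patched", PATCHED_CMD), ("ascii", ASCII_ONLY)):
        print(f"{name:8s} match={matches_patched_cmd(buf)} missing={missing_strings(buf)}")
    print("bytes changed by the patch:", byte_diff_count(STOCK_CMD, PATCHED_CMD))
```

`missing_strings` is the triage aid: a buffer that lacks only eisableCMD is an ordinary command processor, while one that lacks only the cmd.exe identification strings is some other file that happens to contain the patched value name. Point `scan_file` at a collected binary to run the same check on disk.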