The hypothesis is that this detection identifies potential PlugX malware activity associated with the Codoso APT, which may indicate an initial compromise or command-and-control communication. SOC teams should proactively hunt for this behavior in Azure Sentinel so that early-stage APT activity is identified and mitigated before it leads to data exfiltration or lateral movement.
YARA Rule

rule Codoso_PlugX_2
{
    meta:
        description = "Detects Codoso APT PlugX Malware"
        author = "Florian Roth"
        reference = "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks"
        date = "2016-01-30"
        hash = "b9510e4484fa7e3034228337768176fce822162ad819539c6ca3631deac043eb"
    strings:
        $s1 = "%TEMP%\\HID" fullword wide
        $s2 = "%s\\hid.dll" fullword wide
        $s3 = "%s\\SOUNDMAN.exe" fullword wide
        $s4 = "\"%s\\SOUNDMAN.exe\" %d %d" fullword wide
        $s5 = "%s\\HID.dllx" fullword wide
    condition:
        ( uint16(0) == 0x5a4d and filesize < 400KB and 3 of them ) or all of them
}
This YARA rule can be deployed in the following contexts:
This rule contains 5 string patterns in its detection logic, all UTF-16LE ("wide") and whole-word ("fullword") matches. A file matches when it starts with an MZ header, is smaller than 400 KB and contains at least three of the five strings, or when it contains all five regardless of header and size.
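To make the condition above concrete, the following is an added example (not part of the original page and not tooling from the rule's author) that re-implements the rule's matching semantics in plain Python: the MZ check via `uint16(0)`, the size bound, the UTF-16LE encoding implied by `wide`, an approximation of YARA's `fullword` boundary test, and the "3 of them" / "all of them" quantifiers. The `build_sample` helper and every byte buffer it produces are constructed test data, not real PlugX samples, so the logic can be exercised offline without yara-python.

```python
"""Plain-Python emulation of the Codoso_PlugX_2 YARA condition.

Added example, not part of the original page or of the rule author's tooling.
The fullword handling is an approximation of YARA's: a match must not be
bordered by an alphanumeric UTF-16LE code unit on either side.
"""
import re

# YARA's "400KB" multiplies by 1024
MAX_SIZE = 400 * 1024

# The five $s strings from the rule, as Python text (same escapes as YARA)
WIDE_STRINGS = {
    "s1": "%TEMP%\\HID",
    "s2": "%s\\hid.dll",
    "s3": "%s\\SOUNDMAN.exe",
    "s4": '"%s\\SOUNDMAN.exe" %d %d',
    "s5": "%s\\HID.dllx",
}


def wide_fullword_pattern(text: str) -> re.Pattern:
    """Build a bytes regex for a YARA 'wide fullword' string.

    'wide' encodes each character as UTF-16LE (char byte, 0x00).
    'fullword' rejects matches bordered by an alphanumeric character; for
    wide strings that neighbour is itself a 2-byte code unit.
    """
    encoded = re.escape(text.encode("utf-16-le"))
    return re.compile(rb"(?<![0-9A-Za-z]\x00)" + encoded + rb"(?![0-9A-Za-z]\x00)")


PATTERNS = {name: wide_fullword_pattern(s) for name, s in WIDE_STRINGS.items()}


def matched_strings(data: bytes) -> set:
    """Return the names of the rule's strings that occur in data."""
    return {name for name, pat in PATTERNS.items() if pat.search(data)}


def codoso_plugx_2(data: bytes) -> bool:
    """Evaluate the rule condition:
    ( uint16(0) == 0x5a4d and filesize < 400KB and 3 of them ) or all of them
    """
    hits = matched_strings(data)
    # uint16(0) reads the first two bytes little-endian; 0x5a4d is b"MZ"
    is_mz = len(data) >= 2 and int.from_bytes(data[:2], "little") == 0x5A4D
    return (is_mz and len(data) < MAX_SIZE and len(hits) >= 3) or len(hits) == len(PATTERNS)


def build_sample(strings, pe_header=True, pad_to=0) -> bytes:
    """Construct a test buffer (constructed data, not a real sample).

    Optional 'MZ' header, then each string as UTF-16LE surrounded by NUL
    padding, then zero-fill up to pad_to bytes to exercise the size bound.
    """
    body = b"MZ" if pe_header else b"\x00\x00"
    for s in strings:
        body += b"\x00\x00" + s.encode("utf-16-le") + b"\x00\x00"
    return body.ljust(pad_to, b"\x00")


if __name__ == "__main__":
    # Constructed MZ buffer carrying three of the five strings: should match
    sample = build_sample(["%TEMP%\\HID", "%s\\hid.dll", "%s\\SOUNDMAN.exe"])
    print(sorted(matched_strings(sample)), codoso_plugx_2(sample))
    # Same strings but no MZ header: only 3 of 5, so the rule does not fire
    print(codoso_plugx_2(build_sample(["%TEMP%\\HID", "%s\\hid.dll", "%s\\SOUNDMAN.exe"], pe_header=False)))
```

The two branches of the condition behave differently in practice: the first branch only fires on small PE files, so a dropper that pads its payload past 400 KB escapes it, while the `all of them` branch has no header or size restriction and therefore also catches memory dumps and non-PE containers that carry the full string set.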
The following false-positive scenarios and exclusions apply to the process-telemetry hunt in Sentinel rather than to the file-based YARA match itself; keep each exclusion as narrow as the legitimate activity allows.

Scenario: Legitimate scheduled job using PowerShell for system maintenance
Description: A scheduled task runs a PowerShell script to clean temporary files or update system settings.
Filter/Exclusion: Exclude processes initiated by schtasks.exe, or whose CommandLine contains powershell.exe -Command together with a known benign script.

Scenario: Admin using Cobalt Strike for a red team exercise
Description: A security team member is using Cobalt Strike to simulate an attack and test defenses.
Filter/Exclusion: Exclude processes whose ProcessName contains cobaltstrike.exe, or whose ParentProcessName matches a known red team tool.

Scenario: System update via Windows Update or Microsoft Endpoint Manager
Description: A Windows Update or Microsoft Endpoint Manager (MEM) task is deploying patches or updates.
Filter/Exclusion: Exclude processes whose ProcessName contains wuauclt.exe, msiexec.exe, or setup.exe and that are associated with known update mechanisms.

Scenario: Legitimate use of PsExec for remote administration
Description: An administrator uses PsExec to run commands on remote systems for troubleshooting or configuration.
Filter/Exclusion: Exclude processes whose ProcessName contains psexec.exe and whose ParentProcessName is a known administrative tool (e.g., taskmgr.exe, mmc.exe).

Scenario: Large uploads to a legitimate cloud sync tool (e.g., OneDrive, Dropbox) that resemble data exfiltration
Description: A user is syncing large files to a cloud storage service as part of a legitimate data transfer process.
Filter/Exclusion: Exclude processes whose ProcessName contains OneDrive.exe, Dropbox.exe, or sync.exe and whose file size or transfer pattern matches known cloud sync behavior.