CommentCrew-threat-apt1 detects potential adversary behavior involving suspicious comment-based PowerShell scripts that may be used for initial access or command and control. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage threat activity from unknown or low-severity adversaries. The rule fires only when all five of its string patterns are present in the scanned object.
YARA Rule

```yara
rule DAIRY_APT1
{
    meta:
        author = "AlienVault Labs"
        info = "CommentCrew-threat-apt1"
    strings:
        $s1 = "Mozilla/4.0 (compatible; MSIE 7.0;)" wide ascii
        $s2 = "KilFail" wide ascii
        $s3 = "KilSucc" wide ascii
        $s4 = "pkkill" wide ascii
        $s5 = "pklist" wide ascii
    condition:
        all of them
}
```
This rule contains 5 string patterns in its detection logic; each is declared `wide ascii`, so both the plain ASCII form and the UTF-16LE ("wide") form of the string are matched, and the `all of them` condition requires every one of the five to be present. The YARA rule can be deployed in the contexts listed below, with the suggested filters and exclusions to reduce false positives.
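As an added illustration (not part of the original rule or AlienVault's code), the following Python reimplements the rule's matching logic so the `wide ascii` modifiers and the `all of them` condition can be exercised against constructed sample buffers; it shows that a script which merely carries a comment mentioning "Crew" never satisfies the condition, because none of the five strings are present.

```python
# Stand-alone re-implementation of the DAIRY_APT1 matching logic (illustrative, not YARA itself).
# The five strings are copied from the rule above; the sample buffers below are constructed.

RULE_STRINGS = {
    "$s1": "Mozilla/4.0 (compatible; MSIE 7.0;)",
    "$s2": "KilFail",
    "$s3": "KilSucc",
    "$s4": "pkkill",
    "$s5": "pklist",
}


def encodings(text: str) -> dict:
    """YARA 'wide ascii' matches the plain ASCII bytes and the UTF-16LE ('wide') bytes."""
    return {"ascii": text.encode("ascii"), "wide": text.encode("utf-16-le")}


def scan(data: bytes) -> dict:
    """Map each rule identifier to a list of (offset, form) hits found in data."""
    hits = {}
    for ident, text in RULE_STRINGS.items():
        found = []
        for form, needle in encodings(text).items():
            start = 0
            while (idx := data.find(needle, start)) != -1:
                found.append((idx, form))
                start = idx + 1  # keep scanning for further occurrences
        hits[ident] = found
    return hits


def matches_dairy_apt1(data: bytes) -> bool:
    """The rule's condition is 'all of them': every string must hit at least once."""
    return all(scan(data).values())


# Constructed sample: an HTTP request carrying the User-Agent plus the tool strings,
# two in ASCII and two in UTF-16LE, to exercise both forms of the 'wide ascii' modifier.
SAMPLE_MATCHING = (
    b"GET / HTTP/1.1\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0;)\r\n"
    + b"KilFail\x00KilSucc\x00"
    + "pkkill pklist".encode("utf-16-le")
)

# Constructed benign sample: a maintenance script whose comment mentions "Crew".
SAMPLE_BENIGN = b"# Maintenance script owned by the Crew team\nGet-Process | Out-File audit.log\n"

if __name__ == "__main__":
    print("matching sample:", matches_dairy_apt1(SAMPLE_MATCHING))  # True
    print("benign sample:  ", matches_dairy_apt1(SAMPLE_BENIGN))    # False
```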
- Scenario: Scheduled system maintenance job using Task Scheduler to run a legitimate script that includes a comment with "Crew" in the script header.
  Filter/Exclusion: Exclude events where the source is Task Scheduler and the script path contains known maintenance scripts (e.g., C:\Windows\System32\schedtasks\*).
- Scenario: Admin performing a system audit using PowerShell with a script that includes a comment referencing "Crew" as part of a log message or comment.
  Filter/Exclusion: Exclude events where the process name is powershell.exe and the command line includes known audit scripts (e.g., C:\Windows\System32\WindowsPowerShell\v1.0\*audit*).
- Scenario: Database backup job using SQL Server Agent that includes a comment in the backup script mentioning "Crew" as part of a version control tag.
  Filter/Exclusion: Exclude events where the process is sqlagent.exe and the job name contains "backup" or "db_backup".
- Scenario: IT staff using Windows Event Viewer to generate a report that includes a comment with "Crew" in the report header.
  Filter/Exclusion: Exclude events where the source is Event Viewer and the event ID corresponds to report generation tasks (e.g., Event ID 6008, 6006, or custom report IDs).
- Scenario: System update deployment using Group Policy Management Console (GPMC) that includes a comment in the policy script referencing "Crew" as part of a version note.
  Filter/Exclusion: Exclude events where the process is gpmc.exe and the policy path includes known update deployment scripts (e.g., C:\Windows\System32\GroupPolicy\*).