The hypothesis is that this detection rule identifies potential adversary activity tied to a specific adversary group's tradecraft, using the indicators linked to FE_APT_9002; a match may indicate early-stage reconnaissance or initial compromise. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage threats before they escalate into more severe breaches.
YARA Rule
rule FE_APT_9002
{
    meta:
        Author = "FireEye Labs"
        Date = "2013/11/10"
        Description = "Strings inside"
        Reference = "Useful link"
    strings:
        $mz = { 4d 5a }
        $a = "rat_UnInstall" wide ascii
    condition:
        ($mz at 0) and $a
}
This YARA rule can be deployed in the following contexts:
This rule contains two string patterns in its detection logic: $mz (the MZ header, required at offset 0) and $a (the string "rat_UnInstall", matched in both ASCII and wide form).
Scenario: Scheduled System Maintenance Task
Description: A legitimate system maintenance task, such as a Windows Task Scheduler job, is executing a script that matches the YARA rule due to similar file naming or content.
Filter/Exclusion: Check for task scheduler or schtasks.exe in the process tree, and exclude files with C:\Windows\Tasks\ or C:\Windows\System32\task\sched\ in the file path.
Scenario: Admin Performing Disk Cleanup or File Archiving
Description: An administrator is running a script or tool like DelFix or CCleaner to clean up temporary files or archive old data, which may trigger the rule due to file patterns.
Filter/Exclusion: Filter by process names like DelFix.exe, CCleaner.exe, or check for User-Agent strings associated with legitimate cleanup tools.
Scenario: Legitimate Log File Rotation
Description: A log rotation tool like logrotate (Linux) or Windows Event Log Management is generating or rotating log files that match the YARA signature.
Filter/Exclusion: Check for file paths like /var/log/, /var/log/rotate/, or C:\Windows\System32\LogFiles\ and exclude files with .log, .gz, or .rotate extensions.
Scenario: Software Update or Patch Deployment
Description: A patching tool like Microsoft Update, WSUS, or Ansible is deploying updates that include files matching the YARA rule due to shared code or structure.
Filter/Exclusion: Filter by process names like wusa.exe, wsusutil.exe, or ansible.exe, and exclude files in directories like C:\Windows\SoftwareDistribution\ or /var/lib/update-manager/.
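As an added example (not code from the page or from FireEye), the following Python re-implements the rule's condition and then applies the path and process exclusions listed in the scenarios above to a set of constructed file events, so the two parts can be tested together before the hunt is wired into Sentinel. The sample paths, process names and file bytes are constructed for illustration.

```python
# Added example, not from the page or FireEye: the FE_APT_9002 condition in
# Python plus the page's path/process exclusions applied to constructed events.
MZ = b"MZ"                                        # $mz = { 4d 5a }
ASCII_MARK = b"rat_UnInstall"                     # $a, ascii form
WIDE_MARK = "rat_UnInstall".encode("utf-16-le")   # $a, wide (UTF-16LE) form

# Exclusions taken from the scenarios above; case-insensitive prefix match.
EXCLUDED_PATH_PREFIXES = (
    "c:\\windows\\tasks\\", "c:\\windows\\system32\\task\\sched\\",
    "/var/log/", "c:\\windows\\system32\\logfiles\\",
    "c:\\windows\\softwaredistribution\\", "/var/lib/update-manager/",
)
EXCLUDED_PROCESSES = {"schtasks.exe", "delfix.exe", "ccleaner.exe",
                      "wusa.exe", "wsusutil.exe", "ansible.exe"}

def matches_fe_apt_9002(data: bytes) -> bool:
    """Rule condition: ($mz at 0) and $a, where $a may be ascii or wide."""
    return data.startswith(MZ) and (ASCII_MARK in data or WIDE_MARK in data)

def is_excluded(path: str, process: str) -> bool:
    """True when the page's false-positive filters say to drop the hit."""
    p = path.lower()
    return (process.lower() in EXCLUDED_PROCESSES
            or any(p.startswith(pre) for pre in EXCLUDED_PATH_PREFIXES))

def triage(events):
    """events: (path, process, file_bytes). Returns paths worth an analyst's time."""
    return [path for path, proc, data in events
            if matches_fe_apt_9002(data) and not is_excluded(path, proc)]

# Constructed sample observations (not real telemetry).
SAMPLE_EVENTS = [
    ("C:\\Users\\bob\\AppData\\Local\\Temp\\svc.exe", "explorer.exe",
     b"MZ\x90\x00" + b"\x00" * 8 + ASCII_MARK),          # hit, ascii string
    ("C:\\Users\\bob\\Downloads\\update.exe", "explorer.exe",
     b"MZ" + WIDE_MARK),                                 # hit, wide string
    ("C:\\Windows\\Tasks\\cleanup.exe", "schtasks.exe",
     b"MZ" + ASCII_MARK),                                # dropped by scenario 1
    ("/var/log/syslog.1.gz", "logrotate",
     b"\x1f\x8b" + ASCII_MARK),                          # no MZ at 0: no match
]

if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))   # the two user-profile paths
```

Because the rule requires the MZ header at offset 0, only PE files can match, so the log-file exclusions (.log, .gz, .rotate) rarely change the outcome; the process and directory exclusions are the ones that actually affect the hit count.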