LIGHTDART_APT1 is a YARA rule from AlienVault Labs for LIGHTDART, a malware family attributed to APT1 (also known as Comment Crew). It matches five strings embedded in the malware: a log file name (ret.log), an "Internet Explorer 6.0" product string, two status messages for a URL fetch ("szURL Fail" / "szURL Successfully"), and a printf-style format string that appends a date parameter (sdate=YYYY-MM-DD) to a URL. It is a file and memory signature, not an Azure or Microsoft Sentinel analytic: run it with a YARA-capable scanner against suspicious executables, dropped files, disk images and process memory, and treat a hit as a strong indicator of this specific tool rather than of generic "comment" activity.
YARA Rule
rule LIGHTDART_APT1
{
meta:
author = "AlienVault Labs"
info = "CommentCrew-threat-apt1"
strings:
$s1 = "ret.log" wide ascii
$s2 = "Microsoft Internet Explorer 6.0" wide ascii
$s3 = "szURL Fail" wide ascii
$s4 = "szURL Successfully" wide ascii
$s5 = "%s&sdate=%04ld-%02ld-%02ld" wide ascii
condition:
all of them
}
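The following is an added example, not part of this page or of the AlienVault rule set: a small Python emulation of the rule's matching semantics, so the effect of the wide ascii modifier and of the all of them condition can be checked offline without a YARA install. The sample blobs are constructed (they are not malware), and lightdart_apt1_pe_only is a hypothetical tightened condition (an MZ-header and file-size gate) of the kind an analyst adds when tuning, not part of the published rule.

```python
import struct

# The five strings of LIGHTDART_APT1, copied from the rule above, in source order.
RULE_STRINGS = {
    "$s1": "ret.log",
    "$s2": "Microsoft Internet Explorer 6.0",
    "$s3": "szURL Fail",
    "$s4": "szURL Successfully",
    "$s5": "%s&sdate=%04ld-%02ld-%02ld",
}
ALL_STRINGS = list(RULE_STRINGS.values())


def encodings(text):
    """'wide ascii' in YARA: the plain 8-bit form plus the two-byte-per-character
    form (for ASCII text this is exactly UTF-16LE)."""
    return text.encode("ascii"), text.encode("utf-16-le")


def match_strings(data):
    """Identifiers of the rule strings that occur in data in either encoding
    (the per-string detail 'yara -s' prints for a hit)."""
    return {ident for ident, text in RULE_STRINGS.items()
            if any(enc in data for enc in encodings(text))}


def lightdart_apt1(data):
    """The rule's condition, 'all of them': every one of the five must be present."""
    return match_strings(data) == set(RULE_STRINGS)


def lightdart_apt1_pe_only(data, max_size=2 * 1024 * 1024):
    """Hypothetical tightened condition (not in the published rule):
    uint16(0) == 0x5A4D and filesize < max_size and all of them.
    The MZ gate drops hits on rule files, reports and other text that quote the strings."""
    is_pe = len(data) >= 2 and struct.unpack_from("<H", data, 0)[0] == 0x5A4D
    return is_pe and len(data) < max_size and lightdart_apt1(data)


def build_sample(strings, wide=False, mz=False):
    """Constructed test blob (not malware): an optional MZ header, filler, and the
    given strings NUL-terminated, in 8-bit or UTF-16LE form."""
    header = b"MZ" if mz else b"\x00\x00"
    body = b"".join((s.encode("utf-16-le") if wide else s.encode("ascii")) + b"\x00" * 4
                    for s in strings)
    return header + b"\x90" * 16 + body + b"\x90" * 16


if __name__ == "__main__":
    cases = {
        "all five, 8-bit, PE header": build_sample(ALL_STRINGS, mz=True),
        "all five, UTF-16LE, no PE header": build_sample(ALL_STRINGS, wide=True),
        "only $s1-$s4": build_sample(ALL_STRINGS[:4], mz=True),
    }
    for name, blob in cases.items():
        print(f"{name}: matched={sorted(match_strings(blob))} "
              f"rule={lightdart_apt1(blob)} pe_gated={lightdart_apt1_pe_only(blob)}")
```

The third case is the one that matters for tuning: four of five strings present yields no hit, so any single generic string in a legitimate file cannot fire this rule on its own. The UTF-16LE case shows why dropping the wide modifier would be a mistake for a sample built with Unicode Windows APIs.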
This rule contains 5 string patterns, each declared wide ascii (matched in both the 8-bit form and the two-byte-per-character form, which for ASCII text is UTF-16LE), and a condition of all of them, so a file or memory region must carry every one of the five to match. It can be used anywhere YARA rules are accepted: the yara command-line scanner, yara-python, and endpoint or sandbox products that load YARA signatures.
Scenario: Legitimate software carrying the Internet Explorer 6.0 product string
Description: $s2 ("Microsoft Internet Explorer 6.0") is a product name that also appears in unrelated installers, help files and documentation.
Filter/Exclusion: None needed on its own; the condition requires all five strings, so $s2 alone does not fire. When triaging, run the scanner with per-string output (yara -s) and confirm all of $s1 through $s5 landed before escalating.
Scenario: Generic log file name
Description: "ret.log" ($s1) is a plausible file name in unrelated software and in plain-text logs.
Filter/Exclusion: None needed; a text log will not also contain the szURL status strings and the sdate format string ($s3 to $s5). A report of $s1 by itself comes from a different rule or from partial-match output, not from this rule firing.
Scenario: Threat-intelligence artifacts on the scanned host
Description: A copy of this rule file, an IOC report or a sandbox report that quotes all five strings will match, because the rule does not require a PE header.
Filter/Exclusion: Exclude rule and report directories at the scanner level, or tighten the condition to uint16(0) == 0x5A4D and all of them so that only MZ-headed files match; keep the original rule for memory scans, where there is no file header.
Scenario: Memory scan of an analyst workstation
Description: A text editor, browser or SIEM agent that has this page or the rule file loaded holds all five strings in process memory.
Filter/Exclusion: Scope process-memory scans to the hosts under investigation, and treat a hit inside a known analyst tool that has the rule text loaded as expected rather than as a LIGHTDART infection.
Scenario: Unicode build of the tool
Description: The wide modifier on every string also matches the UTF-16LE form, so a sample that stores these strings through Unicode Windows APIs still matches; do not remove wide when tuning.