The hypothesis is that the detection rule identifies potential indicators of APT15 tool usage by searching for generic data patterns that may correlate with adversary activity. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify early-stage compromises and mitigate the risk of advanced persistent threats leveraging APT15 tools.
YARA Rule
rule malware_apt15_generic {
    meta:
        author = "David Cannings"
        description = "Find generic data potentially relating to APT15 tools"
        reference = "https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2018/march/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/"

    strings:
        // Appears to be from copy/paste code
        $str01 = "myWObject" fullword
        $str02 = "myRObject" fullword

        /*
            6A 02                   push    2               ; dwCreationDisposition
            6A 00                   push    0               ; lpSecurityAttributes
            6A 00                   push    0               ; dwShareMode
            68 00 00 00 C0          push    0C0000000h      ; dwDesiredAccess
            50                      push    eax             ; lpFileName
            FF 15 44 F0 00 10       call    ds:CreateFileA
        */
        // Arguments for CreateFileA
        $opcodes01 = { 6A (02|03) 6A 00 6A 00 68 00 00 00 C0 50 FF 15 }

    condition:
        2 of them
}
This YARA rule can be deployed in the following contexts:
This rule contains 3 string patterns in its detection logic.
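To show what the three patterns and the "2 of them" condition actually do, here is an added example that re-implements the rule's matching logic in plain Python. It is not NCC Group's code and not a substitute for running the rule with yara or yara-python; it approximates YARA semantics (fullword strings are delimited by non-alphanumeric bytes, the hex pattern's (02|03) alternation covers both the CREATE_ALWAYS and OPEN_EXISTING dispositions) so that the sample byte strings constructed below can be scanned offline.

```python
import re

# Hypothetical re-implementation of the rule's strings section as regexes over bytes.
# YARA's "fullword" means the string must not be bordered by alphanumeric bytes.
PATTERNS = {
    "$str01": re.compile(rb"(?<![A-Za-z0-9])myWObject(?![A-Za-z0-9])"),
    "$str02": re.compile(rb"(?<![A-Za-z0-9])myRObject(?![A-Za-z0-9])"),
    # 6A (02|03) 6A 00 6A 00 68 00 00 00 C0 50 FF 15
    # push 2/3 ; push 0 ; push 0 ; push 0C0000000h ; push eax ; call ds:[...]
    "$opcodes01": re.compile(
        rb"\x6a[\x02\x03]\x6a\x00\x6a\x00\x68\x00\x00\x00\xc0\x50\xff\x15"
    ),
}
MIN_MATCHES = 2  # the rule's condition: "2 of them"


def scan(data: bytes) -> dict:
    """Scan a byte buffer and report which patterns hit and whether the rule fires."""
    hits = {name: [m.start() for m in pat.finditer(data)] for name, pat in PATTERNS.items()}
    matched = [name for name, offsets in hits.items() if offsets]
    return {
        "matched": matched,
        "offsets": {name: hits[name] for name in matched},
        "alert": len(matched) >= MIN_MATCHES,
    }


# Constructed sample buffers (not real malware): a CreateFileA argument setup
# with dwCreationDisposition = 2 (CREATE_ALWAYS) and one with 3 (OPEN_EXISTING).
CREATEFILE_ARGS_2 = b"\x6a\x02\x6a\x00\x6a\x00\x68\x00\x00\x00\xc0\x50\xff\x15"
CREATEFILE_ARGS_3 = b"\x6a\x03\x6a\x00\x6a\x00\x68\x00\x00\x00\xc0\x50\xff\x15"

# Two of three patterns present: fullword "myWObject" plus the opcode sequence.
SAMPLE_HIT = b"\x00myWObject\x00" + CREATEFILE_ARGS_2
# Only the opcode sequence; "myWObjectX" is not a fullword match, so the rule stays quiet.
SAMPLE_PARTIAL = b"myWObjectX" + CREATEFILE_ARGS_3
SAMPLE_CLEAN = b"nothing to see here"

if __name__ == "__main__":
    for label, buf in [("hit", SAMPLE_HIT), ("partial", SAMPLE_PARTIAL), ("clean", SAMPLE_CLEAN)]:
        print(label, scan(buf))
```

The partial sample is the point worth noting for tuning: a single pattern such as the CreateFileA push sequence is common in ordinary Windows code, which is exactly why the rule requires two of the three before it fires.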
Scenario: Legitimate system backup using Veeam Backup & Replication
Filter/Exclusion: process.name != "veeambackup.exe" or check for known backup process names and exclude them.

Scenario: Scheduled job for Microsoft SQL Server Agent performing routine maintenance
Filter/Exclusion: process.name != "sqlservr.exe" or use a whitelist of known SQL Server maintenance tasks.

Scenario: Admin task using PowerShell to configure network settings or update software
Filter/Exclusion: process.name != "powershell.exe" or include a whitelist of known admin PowerShell scripts or commands.

Scenario: Regular log file rotation using Logrotate on Linux systems
Filter/Exclusion: process.name != "logrotate" or check for known logrotate command patterns and exclude them.

Scenario: Use of Ansible for configuration management and deployment
Filter/Exclusion: process.name != "ansible" or include a whitelist of known Ansible playbook names and execution contexts.