This detection identifies potential adversary use of the Royal CLI tool by matching generic strings embedded in the binary, which may indicate unauthorized or malicious command execution. SOC teams should proactively hunt for this behavior to uncover covert command-and-control activity or data exfiltration attempts that leverage the tool in their Azure Sentinel environment.
YARA Rule
rule malware_apt15_royalcli_1
{
    meta:
        description = "Generic strings found in the Royal CLI tool"
        reference = "https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2018/march/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/"
        author = "David Cannings"
        sha256 = "6df9b712ff56009810c4000a0ad47e41b7a6183b69416251e060b5c80cd05785"

    strings:
        // Format strings and file names used by the tool. 'fullword' requires a
        // non-alphanumeric byte (or the buffer edge) on both sides of the match.
        $ = "%s~clitemp%08x.tmp" fullword
        $ = "qg.tmp" fullword
        $ = "%s /c %s>%s" fullword
        $ = "hkcmd.exe" fullword
        $ = "%snewcmd.exe" fullword
        $ = "%shkcmd.exe" fullword
        $ = "%s~clitemp%08x.ini" fullword
        $ = "myRObject" fullword
        $ = "myWObject" fullword
        // Status/response line formats terminated by CRLF (\x0D\x0A).
        $ = "10 %d %x\x0D\x0A"
        $ = "4 %s %d\x0D\x0A"
        $ = "6 %s %d\x0D\x0A"
        $ = "1 %s %d\x0D\x0A"
        $ = "3 %s %d\x0D\x0A"
        $ = "5 %s %d\x0D\x0A"
        $ = "2 %s %d 0 %d\x0D\x0A"
        $ = "2 %s %d 1 %d\x0D\x0A"
        $ = "%s file not exist" fullword

    condition:
        // Any five of the eighteen strings are enough for a hit.
        5 of them
}
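The following Python is an added illustration, not part of the original page or of the NCC Group rule, that re-implements the rule's matching logic without the YARA engine so the two things a triage analyst most often has to reason about can be seen directly: what the fullword modifier accepts and rejects, and how the "5 of them" threshold is reached. It assumes YARA's documented fullword definition (a match may not be adjacent to an ASCII alphanumeric byte); the byte buffers it scans are constructed for the example and are not real samples.

```python
import string

# The eighteen strings from the YARA rule above, split by modifier. YARA's
# "\x0D\x0A" escape is CRLF, written here as b"\r\n".
FULLWORD_STRINGS = [
    b"%s~clitemp%08x.tmp",
    b"qg.tmp",
    b"%s /c %s>%s",
    b"hkcmd.exe",
    b"%snewcmd.exe",
    b"%shkcmd.exe",
    b"%s~clitemp%08x.ini",
    b"myRObject",
    b"myWObject",
    b"%s file not exist",
]
PLAIN_STRINGS = [
    b"10 %d %x\r\n",
    b"4 %s %d\r\n",
    b"6 %s %d\r\n",
    b"1 %s %d\r\n",
    b"3 %s %d\r\n",
    b"5 %s %d\r\n",
    b"2 %s %d 0 %d\r\n",
    b"2 %s %d 1 %d\r\n",
]
THRESHOLD = 5  # the rule's condition: "5 of them"

# YARA's fullword modifier (assumed semantics, per the YARA documentation):
# the match may not be preceded or followed by an alphanumeric character.
# Only ASCII letters and digits count; underscore does not.
_ALNUM = set((string.ascii_letters + string.digits).encode())


def fullword_offsets(data: bytes, needle: bytes) -> list:
    """Return every offset where needle occurs with non-alphanumeric neighbours."""
    offsets = []
    start = 0
    while True:
        i = data.find(needle, start)
        if i < 0:
            return offsets
        end = i + len(needle)
        before_ok = i == 0 or data[i - 1] not in _ALNUM
        after_ok = end == len(data) or data[end] not in _ALNUM
        if before_ok and after_ok:
            offsets.append(i)
        start = i + 1


def matched_strings(data: bytes) -> list:
    """Return the rule strings that match in data, honouring fullword."""
    hits = [s for s in FULLWORD_STRINGS if fullword_offsets(data, s)]
    hits += [s for s in PLAIN_STRINGS if s in data]
    return hits


def rule_fires(data: bytes) -> bool:
    """Evaluate the rule condition '5 of them' against a buffer."""
    return len(matched_strings(data)) >= THRESHOLD


# Constructed sample buffers (not real samples).
# Six distinct strings separated by NUL bytes: clears the threshold.
SAMPLE_SUSPECT = b"\x00".join([
    b"%s~clitemp%08x.tmp", b"myRObject", b"myWObject",
    b"hkcmd.exe", b"%s file not exist", b"4 %s %d\r\n",
])
# Near-misses: "qg.tmp" runs straight into "file", so fullword rejects it,
# and a lone "myRObject" is far below the threshold.
SAMPLE_BENIGN = b"installer wrote qg.tmpfile and myRObject"
# "hkcmd.exe" inside "%shkcmd.exe" is preceded by the alphanumeric 's',
# so only the longer string counts as a fullword match.
SAMPLE_EMBEDDED = b"\x00%shkcmd.exe\x00"

if __name__ == "__main__":
    for name, buf in [("suspect", SAMPLE_SUSPECT), ("benign", SAMPLE_BENIGN),
                      ("embedded", SAMPLE_EMBEDDED)]:
        hits = matched_strings(buf)
        print(f"{name}: {len(hits)} string(s) matched, fires={rule_fires(buf)}")
```

The embedded case is the one worth remembering when tuning: two of the rule's strings overlap ("hkcmd.exe" and "%shkcmd.exe"), and fullword means a single occurrence of the longer one contributes only one match toward the five, not two.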
This YARA rule can be deployed in the following contexts:
Scenario: Royal CLI tool used for routine system monitoring
Filter/Exclusion: Check for the presence of known Royal CLI command prefixes (e.g., royal monitor, royal status) and exclude any instances where the command is part of a legitimate monitoring script or scheduled job.
Scenario: Royal CLI tool used for automated backup tasks
Filter/Exclusion: Exclude any logs or events where the command is executed as part of a scheduled backup job (e.g., royal backup --schedule daily) and verify the presence of backup-related timestamps or job IDs.
Scenario: Royal CLI tool used for user account management
Filter/Exclusion: Filter out commands that include user account management actions (e.g., royal user add, royal user modify) and ensure they are executed by authorized administrative accounts.
Scenario: Royal CLI tool used for log aggregation and analysis
Filter/Exclusion: Exclude any instances where the command is used in a log aggregation pipeline (e.g., royal log collect --target /var/log/) and verify that the command is part of a known log processing workflow.
Scenario: Royal CLI tool used for configuration deployment
Filter/Exclusion: Filter out commands that are part of a configuration deployment process (e.g., royal config apply --env production) and check for associated deployment timestamps or CI/CD pipeline identifiers.