RoyalCli is a backdoor attributed to APT15, analysed by NCC Group in March 2018 (see the reference in the rule below). The strings the rule keys on point to a renamed copy of cmd.exe (hkcmd.exe, newcmd.exe) and a ~clitemp%08x.tmp temporary-file pattern, the on-disk traces of a backdoor that executes operator commands, and a channel like this is used to keep persistent, covert access to a network. Because YARA matches file and memory content rather than telemetry, the rule runs on endpoints and file stores (the yara CLI, EDR or antivirus engines that accept custom rules, memory scanners); SOC teams should ingest the hits into Microsoft Sentinel (formerly Azure Sentinel) and hunt around them to identify and contain a long-running compromise.
YARA Rule
rule malware_apt15_royalcli_2 {
    meta:
        author = "Nikolaos Pantazopoulos"
        description = "APT15 RoyalCli backdoor"
        reference = "https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2018/march/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/"
    strings:
        $string1 = "%shkcmd.exe" fullword
        $string2 = "myRObject" fullword
        $string3 = "%snewcmd.exe" fullword
        $string4 = "%s~clitemp%08x.tmp" fullword
        $string5 = "hkcmd.exe" fullword
        $string6 = "myWObject" fullword
    condition:
        uint16(0) == 0x5A4D and 2 of them
}
The rule can be run wherever YARA is available: against files with the yara CLI, inside EDR or antivirus engines that accept custom YARA rules, or against process memory with a memory scanner. It has six string patterns and fires only on a file that starts with the MZ header (uint16(0) == 0x5A4D, the little-endian reading of the bytes "MZ") and contains any two of them as fullword matches, that is, not bordered by alphanumeric characters. Two caveats when tuning it: $string1 and $string5 both concern the name hkcmd.exe, which is also the file name of Intel's legitimate graphics hotkey module, so a benign binary that embeds that name in both forms could satisfy the two-string threshold without any of the other artifacts; and the process-telemetry exclusions below belong to the correlation logic built around a hit, not to the rule itself, so they should narrow which process events are raised alongside a match and never suppress the content match on the file.
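To make the condition concrete, here is a pure-Python emulation of exactly the YARA features this rule uses (uint16(0), ASCII strings with the fullword modifier, "2 of them"). It is an added example, not code from the original page or from NCC Group, and every buffer it scans is constructed for the demonstration rather than taken from a real RoyalCli sample; it shows, among other things, that "hkcmd.exe" inside "%shkcmd.exe" does not count twice because fullword rejects the alphanumeric "s" before it.

```python
"""Pure-Python emulation of what malware_apt15_royalcli_2 matches.

Added example, not code from the original page or from NCC Group. It
re-implements only the YARA features the rule uses (uint16(0), ASCII
strings with the fullword modifier, '2 of them') so the behaviour can be
inspected without yara-python installed. Every buffer below is constructed
for the demonstration; none is a real RoyalCli sample.
"""
import re

# The six strings from the rule, keyed by their YARA identifiers.
ROYALCLI_STRINGS = {
    "$string1": b"%shkcmd.exe",
    "$string2": b"myRObject",
    "$string3": b"%snewcmd.exe",
    "$string4": b"%s~clitemp%08x.tmp",
    "$string5": b"hkcmd.exe",
    "$string6": b"myWObject",
}


def fullword_present(data: bytes, needle: bytes) -> bool:
    """YARA 'fullword': the string must not be bordered by alphanumerics."""
    pattern = rb"(?<![0-9A-Za-z])" + re.escape(needle) + rb"(?![0-9A-Za-z])"
    return re.search(pattern, data) is not None


def is_mz(data: bytes) -> bool:
    """uint16(0) == 0x5A4D: a little-endian 16-bit read at offset 0 equals
    the ASCII bytes 'MZ' that open a DOS/PE header."""
    return len(data) >= 2 and int.from_bytes(data[:2], "little") == 0x5A4D


def matching_strings(data: bytes) -> list:
    """Identifiers of the rule strings that occur in data as fullwords."""
    return [name for name, s in ROYALCLI_STRINGS.items() if fullword_present(data, s)]


def royalcli_rule_matches(data: bytes) -> bool:
    """The rule's condition: MZ header and at least two distinct strings."""
    return is_mz(data) and len(matching_strings(data)) >= 2


# Constructed buffers (not real malware) exercising each branch of the condition.
SAMPLE_HIT = b"MZ" + b"\x00" * 14 + b"\x00myRObject\x00%s~clitemp%08x.tmp\x00"
# Only $string1 matches here: the $string5 text "hkcmd.exe" is preceded by the
# 's' of "%s", so fullword rejects it and the count stays at one.
SAMPLE_ONE_STRING = b"MZ\x90\x00" + b"\x00%shkcmd.exe\x00"
# Two strings but a ZIP header, so uint16(0) fails.
SAMPLE_NOT_PE = b"PK\x03\x04" + b"\x00myRObject\x00myWObject\x00"
# Strings bordered by alphanumerics are not fullword matches.
SAMPLE_NOT_FULLWORD = b"MZ" + b"\x00myRObjectX myWObject2\x00"


def demo() -> dict:
    """Evaluate the rule over each constructed buffer."""
    return {
        "hit": royalcli_rule_matches(SAMPLE_HIT),
        "one_string": royalcli_rule_matches(SAMPLE_ONE_STRING),
        "not_pe": royalcli_rule_matches(SAMPLE_NOT_PE),
        "not_fullword": royalcli_rule_matches(SAMPLE_NOT_FULLWORD),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:>13}: {'MATCH' if verdict else 'no match'}")
    print("strings in SAMPLE_HIT:", matching_strings(SAMPLE_HIT))
```

The emulation is for understanding the condition, not for production scanning; run the rule itself with yara once the behaviour is clear.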
Scenario: Legitimate scheduled system maintenance using schtasks.exe
Filter/Exclusion: process.parent_process_name == "schtasks.exe" and process.command_line contains "schtasks /create"
Scenario: Admin performing remote PowerShell script execution via powershell.exe
Filter/Exclusion: process.parent_process_name == "powershell.exe" and process.command_line contains "Invoke-Command -ComputerName"
Scenario: Regular use of taskkill.exe to terminate non-malicious processes
Filter/Exclusion: process.name == "taskkill.exe" and process.command_line contains "/PID"
Scenario: System update or patching using msiexec.exe
Filter/Exclusion: process.name == "msiexec.exe" and process.command_line contains "/i"
Scenario: Database backup job using sqlcmd.exe
Filter/Exclusion: process.name == "sqlcmd.exe" and process.command_line contains "-S" and process.command_line contains "-Q"
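The exclusions above are written in a pseudo-syntax; here they are evaluated as predicates over process events so the logic can be checked. This is an added example, not part of the original page: the field names (process.name, process.parent_process_name, process.command_line) and the five scenarios come from the filter lines, the event records are constructed, and the sqlcmd case also shows why the command line must be tested for "-S" and "-Q" separately rather than as `contains "-S" and "-Q"`, where the bare literal is always true.

```python
"""Evaluate the page's exclusion filters against process events.

Added example, not part of the original page. The field names and the
five scenarios mirror the Filter/Exclusion lines above; the events are
constructed for the demonstration.
"""


def _field(event: dict, name: str) -> str:
    return event.get(name, "")


# (scenario, predicate) pairs, one per Filter/Exclusion line.
EXCLUSIONS = [
    ("scheduled maintenance via schtasks.exe",
     lambda e: _field(e, "process.parent_process_name") == "schtasks.exe"
               and "schtasks /create" in _field(e, "process.command_line")),
    ("remote PowerShell via Invoke-Command",
     lambda e: _field(e, "process.parent_process_name") == "powershell.exe"
               and "Invoke-Command -ComputerName" in _field(e, "process.command_line")),
    ("taskkill by PID",
     lambda e: _field(e, "process.name") == "taskkill.exe"
               and "/PID" in _field(e, "process.command_line")),
    ("msiexec install",
     lambda e: _field(e, "process.name") == "msiexec.exe"
               and "/i" in _field(e, "process.command_line")),
    # Both switches tested against the command line, each on its own.
    ("sqlcmd backup job",
     lambda e: _field(e, "process.name") == "sqlcmd.exe"
               and "-S" in _field(e, "process.command_line")
               and "-Q" in _field(e, "process.command_line")),
]


def sqlcmd_filter_as_written(event: dict) -> bool:
    """The sqlcmd filter read literally as `contains "-S" and "-Q"`: the
    trailing "-Q" is a non-empty literal and therefore always true, so the
    predicate never checks for -Q at all."""
    cl = _field(event, "process.command_line")
    return _field(event, "process.name") == "sqlcmd.exe" and "-S" in cl and bool("-Q")


def excluded_by(event: dict):
    """Name of the first exclusion the event satisfies, or None."""
    for scenario, pred in EXCLUSIONS:
        if pred(event):
            return scenario
    return None


# Constructed events shaped the way the page's filters expect them.
EVENTS = {
    "schtasks_child": {
        "process.name": "cmd.exe",
        "process.parent_process_name": "schtasks.exe",
        "process.command_line": "schtasks /create /tn Cleanup /tr cleanup.cmd",
    },
    "sqlcmd_backup": {
        "process.name": "sqlcmd.exe",
        "process.parent_process_name": "sqlagent.exe",
        "process.command_line": 'sqlcmd -S db01 -Q "BACKUP DATABASE app TO DISK=\'D:\\bak\\app.bak\'"',
    },
    # -S only: someone at a console, not the backup job the exclusion is for.
    "sqlcmd_interactive": {
        "process.name": "sqlcmd.exe",
        "process.parent_process_name": "cmd.exe",
        "process.command_line": "sqlcmd -S db01",
    },
    # The renamed cmd.exe the YARA rule keys on; no exclusion should cover it.
    "renamed_cmd": {
        "process.name": "hkcmd.exe",
        "process.parent_process_name": "explorer.exe",
        "process.command_line": "hkcmd.exe",
    },
}


def demo() -> dict:
    """Which exclusion, if any, each constructed event falls under."""
    return {name: excluded_by(ev) for name, ev in EVENTS.items()}


if __name__ == "__main__":
    for name, scenario in demo().items():
        print(f"{name:>18}: {scenario or 'not excluded'}")
    print("as-written sqlcmd filter on interactive session:",
          sqlcmd_filter_as_written(EVENTS["sqlcmd_interactive"]))
```

When porting these to the query language of your SIEM, translate each `contains` into a separate string test on the same field; a `contains` followed by a bare literal is accepted by several query parsers and silently widens the exclusion.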