CommentCrew-threat-apt1 detects potential adversary behavior involving suspicious comment-based PowerShell scripts that may be used for initial access or command and control. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage threat activity associated with this adversary group.
YARA Rule
rule MoonProject
{
    meta:
        author = "AlienVault Labs"
        info = "CommentCrew-threat-apt1"
    strings:
        $a = "Serverfile is smaller than Clientfile" wide ascii
        $b = "\\M tools\\" wide ascii
        $c = "MoonDLL" wide ascii
        $d = "\\M tools\\" wide ascii
    condition:
        any of them
}
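As an added example that is not part of the original page or AlienVault's rule set, the following Python approximates the rule's matching logic, so the effect of the `wide ascii` modifiers (each string is searched in plain ASCII and in UTF-16LE) and of the `any of them` condition can be checked offline on constructed sample bytes without yara-python. The sample blobs are constructed here and are not real APT1 artifacts.

```python
"""Pure-Python approximation of the MoonProject rule's string matching.
Added example; not AlienVault's code and not a substitute for YARA itself."""

# The rule's strings with YARA's backslash escaping resolved.
# $b and $d in the rule are identical, so only one copy is kept here.
MOONPROJECT_STRINGS = {
    "$a": "Serverfile is smaller than Clientfile",
    "$b": "\\M tools\\",
    "$c": "MoonDLL",
}


def encodings(s: str) -> dict:
    """Byte forms YARA searches for when a string carries `wide ascii`."""
    return {"ascii": s.encode("ascii"), "wide": s.encode("utf-16-le")}


def scan(data: bytes) -> dict:
    """Return {identifier: [(form, offset), ...]} for every string that matches."""
    hits = {}
    for ident, text in MOONPROJECT_STRINGS.items():
        for form, needle in encodings(text).items():
            offset = data.find(needle)
            while offset != -1:
                hits.setdefault(ident, []).append((form, offset))
                offset = data.find(needle, offset + 1)
    return hits


def moonproject_matches(data: bytes) -> bool:
    """Equivalent of the rule's `any of them` condition."""
    return bool(scan(data))


if __name__ == "__main__":
    # Constructed samples: the DLL name stored as UTF-16LE (as a PE resource
    # or .NET metadata would hold it), the tools path in plain ASCII, and a
    # benign buffer that should not match.
    sample_wide = b"\x00" * 16 + "MoonDLL".encode("utf-16-le") + b"\x00" * 8
    sample_ascii = b"C:\\M tools\\client.exe\x00"
    benign = b"This is a harmless file with no indicators."
    for name, blob in [("wide", sample_wide), ("ascii", sample_ascii), ("benign", benign)]:
        print(name, moonproject_matches(blob), scan(blob))
```

Because the condition is `any of them`, a single hit on the short path string `\M tools\` is enough to fire the rule, which is why the false-positive scenarios below matter when it is deployed at scale.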
This rule contains 4 string patterns in its detection logic ($b and $d are identical, so 3 distinct strings are searched).
This YARA rule can be deployed in the following contexts; each scenario describes benign activity that may resemble the detection, with a filter/exclusion to reduce false positives:
Scenario: Scheduled system maintenance using PowerShell scripts for log cleanup
Filter/Exclusion: process.parent_process != "powershell.exe" OR process.parent_process.contains("task scheduler")
Scenario: Admin performing Windows Update via Group Policy Management Console (GPMC)
Filter/Exclusion: process.name != "wusa.exe" OR process.parent_process.contains("gpmc.exe")
Scenario: Database backup job using SQL Server Agent executing T-SQL scripts
Filter/Exclusion: process.name != "sqlservr.exe" OR process.parent_process.contains("sqlagent.exe")
Scenario: IT staff using Windows Task Scheduler to run PowerShell scripts for user account management
Filter/Exclusion: process.parent_process.contains("schtasks.exe") OR process.name != "powershell.exe"
Scenario: System administrator using Sysmon (Sysinternals System Monitor) to monitor and log system events
Filter/Exclusion: process.name != "sysmon.exe" OR process.parent_process.contains("explorer.exe")