Adversaries may use obfuscated .dat files to conceal shellcode and deploy the REDLEAVES RAT, counting on the file's commonplace extension and opaque contents to pass basic inspection. The rule below matches on file content, so it runs wherever YARA can scan files (endpoint, file share, mail gateway); forwarding its hits to Azure Sentinel lets you hunt for these droppers before the RAT establishes a persistent presence.
YARA Rule
rule REDLEAVES_DroppedFile_ObfuscatedShellcodeAndRAT_handkerchief {
    meta:
        description = "Detect obfuscated .dat file containing shellcode and core REDLEAVES RAT"
        author = "USG"
        true_positive = "fb0c714cd2ebdcc6f33817abe7813c36" // handkerchief.dat
        reference = "https://www.us-cert.gov/ncas/alerts/TA17-117A"
    strings:
        $RedleavesStringObfu = {73 64 65 5e 60 74 75 74 6c 6f 60 6d 5e 6d 64 60 77 64 72 5e 65 6d 6d 6c 60 68 6f 2f 65 6d 6d} // This is 'red_autumnal_leaves_dllmain.dll' XOR'd with 0x01
    condition:
        any of them
}
The rule carries a single string pattern, the 31-byte module name red_autumnal_leaves_dllmain.dll XOR'd with 0x01. Its condition (any of them) imposes no file-size, extension or header constraint, so any file containing that byte sequence matches, whatever it is named.
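As an added example (not code from the US-CERT alert or the rule's author), the following Python reproduces the encoding the rule keys on, checks the page's hex pattern against it, scans a buffer the way the rule's condition does, and goes one step beyond the rule by recovering the module name under any single-byte XOR key. The sample buffers are constructed for the example, and the function names are this example's own.

```python
"""Reproduce and generalise the obfuscation the REDLEAVES YARA rule keys on.

Added example, not code from the US-CERT alert or the rule author. Sample
buffers are constructed; there is no real malware here.
"""
from typing import List, Optional, Tuple

# Module name given in the rule's comment, and the rule's hex pattern verbatim.
PLAINTEXT = b"red_autumnal_leaves_dllmain.dll"
RULE_PATTERN = bytes.fromhex(
    "73 64 65 5e 60 74 75 74 6c 6f 60 6d 5e 6d 64 60 77 64 72 5e 65 6d 6d 6c 60 68 6f 2f 65 6d 6d"
)


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR; applying it twice with the same key restores the input."""
    return bytes(b ^ key for b in data)


def obfuscated_marker(key: int = 0x01) -> bytes:
    """The module name as it appears in the dropped file under the given key."""
    return xor_bytes(PLAINTEXT, key)


def scan_for_rule_pattern(blob: bytes) -> List[int]:
    """Offsets of the rule's fixed pattern; this is what 'any of them' matches."""
    offsets, start = [], 0
    while (i := blob.find(RULE_PATTERN, start)) != -1:
        offsets.append(i)
        start = i + 1
    return offsets


def find_marker_any_key(blob: bytes) -> Optional[Tuple[int, int]]:
    """Try all 256 single-byte keys and return (key, offset) of the first hit.

    The rule hard-codes key 0x01; a rebuilt sample using another key slips past
    the fixed hex pattern but not this search, which costs 256 substring scans.
    """
    for key in range(256):
        i = blob.find(xor_bytes(PLAINTEXT, key))
        if i != -1:
            return key, i
    return None


# Constructed buffers: NOP-sled style filler around the encoded marker.
SAMPLE_KEY01 = b"\x90" * 64 + obfuscated_marker(0x01) + b"\x00" * 32
SAMPLE_KEY5A = b"\x90" * 16 + obfuscated_marker(0x5A) + b"\x00" * 8
BENIGN_DAT = b"LOGPARSER v1.0\x00" + bytes(range(256))

if __name__ == "__main__":
    assert obfuscated_marker(0x01) == RULE_PATTERN, "page's hex pattern is consistent"
    print("rule hits in key-0x01 sample:", scan_for_rule_pattern(SAMPLE_KEY01))
    print("rule hits in key-0x5A sample:", scan_for_rule_pattern(SAMPLE_KEY5A))
    print("any-key search, key-0x5A sample:", find_marker_any_key(SAMPLE_KEY5A))
    print("any-key search, benign .dat:", find_marker_any_key(BENIGN_DAT))
```

The key-0x5A buffer is the point of the exercise: the rule as written returns nothing for it, while the exhaustive single-byte search recovers both the key and the offset. The same search over a benign .dat returns None, because a 31-byte XOR'd module name is far too specific to occur by accident.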
The scenarios below describe benign sources of .dat files with encoded or opaque contents. The rule itself carries no process context, so each exclusion has to be applied by correlating the YARA hit with the file-creation event that records which process wrote the file. Because the pattern is a specific 31-byte XOR'd module name rather than a generic marker of obfuscation, a match inside a file written by one of these processes is still worth inspecting before the alert is suppressed.
Scenario: A system administrator uses PowerShell to generate a .dat file as part of a scheduled job for log parsing.
Filter/Exclusion: Exclude files written by powershell.exe whose parent is a known administrative tool or scheduled task.
Scenario: A Windows Update or Group Policy deployment creates a temporary .dat file containing encoded data during the update process.
Filter/Exclusion: Exclude files written by wuauclt.exe, gpupdate.exe or msiexec.exe.
Scenario: A backup tool such as Veeam or Commvault writes a .dat file during a backup operation whose archive format includes opaque data.
Filter/Exclusion: Exclude files written by the backup tool's known executables.
Scenario: A custom log parser or ETL pipeline (e.g., Splunk, ELK Stack) generates a .dat file containing encoded data as part of data ingestion.
Filter/Exclusion: Exclude files written by Splunk, Logstash or other ETL tool processes.
Scenario: A third-party application (e.g., Adobe Acrobat, Microsoft Office) writes a .dat file with opaque content during normal operation, such as temporary storage for user data.
Filter/Exclusion: Exclude files written by known applications such as AcroRd32.exe, Winword.exe or Excel.exe.
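To make the exclusions above concrete, here is an added Python example (not part of the page or of the US-CERT alert) that joins each YARA hit to the file-creation record naming the process that wrote the file and applies the scenario list's process-based exclusions. The record shapes, file paths and the ADMIN_PARENTS allowlist are constructed for the example; a Sysmon Event ID 11 record would supply the same fields under its own names.

```python
"""Join YARA hits to the writing process and apply process-based exclusions.

Added example, not code from the page or the US-CERT alert. Records, paths and
the parent allowlist are constructed for illustration.
"""
from dataclasses import dataclass

RULE = "REDLEAVES_DroppedFile_ObfuscatedShellcodeAndRAT_handkerchief"


@dataclass(frozen=True)
class FileCreate:
    """Who wrote which file (the fields a Sysmon Event ID 11 record carries)."""
    path: str
    image: str          # process that created the file
    parent_image: str   # its parent; needed for the PowerShell scenario


@dataclass(frozen=True)
class YaraHit:
    path: str
    rule: str


# Writers the scenario list treats as benign sources of .dat files.
EXCLUDED_IMAGES = {"wuauclt.exe", "gpupdate.exe", "msiexec.exe",
                   "acrord32.exe", "winword.exe", "excel.exe"}
# Hypothetical parents under which powershell.exe output is trusted (site-specific).
ADMIN_PARENTS = {r"c:\tools\logrotate\logrotate.exe",
                 r"c:\program files\adminsuite\scheduler.exe"}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path, for case-insensitive matching."""
    return path.rsplit("\\", 1)[-1].lower()


def triage(hits, creates, excluded=EXCLUDED_IMAGES, admin_parents=ADMIN_PARENTS):
    """Split hits into (kept, suppressed); each entry is (hit, reason).

    Suppressed hits are returned, not discarded, so they can still be logged:
    the rule's pattern is a specific encoded module name, not a generic sign of
    obfuscation, so a match in an installer's or Office's temp file deserves a
    look even when policy suppresses the alert.
    """
    by_path = {c.path.lower(): c for c in creates}
    kept, suppressed = [], []
    for hit in hits:
        create = by_path.get(hit.path.lower())
        if create is None:
            # No attribution possible; an exclusion keyed on the writer cannot apply.
            kept.append((hit, "no file-creation event; writer unknown"))
            continue
        exe = basename(create.image)
        if exe == "powershell.exe":
            if create.parent_image.lower() in admin_parents:
                suppressed.append((hit, f"powershell.exe under vetted parent {create.parent_image}"))
            else:
                kept.append((hit, f"powershell.exe under unvetted parent {create.parent_image}"))
        elif exe in excluded:
            suppressed.append((hit, f"written by excluded image {exe}"))
        else:
            kept.append((hit, f"written by {exe}"))
    return kept, suppressed


# Constructed telemetry: three file-creation records and four hits, one of which
# has no matching creation record.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CREATES = [
    FileCreate(r"C:\Windows\Temp\msi1a2b.dat", r"C:\Windows\System32\msiexec.exe",
               r"C:\Windows\System32\services.exe"),
    FileCreate(r"C:\Jobs\parse\out.dat", PS, r"C:\Tools\LogRotate\logrotate.exe"),
    FileCreate(r"C:\Users\jdoe\AppData\Local\Temp\update.dat", PS,
               r"C:\Windows\System32\cmd.exe"),
]
HITS = [YaraHit(c.path, RULE) for c in CREATES] + [YaraHit(r"D:\share\payload.dat", RULE)]

if __name__ == "__main__":
    kept, suppressed = triage(HITS, CREATES)
    for hit, why in kept:
        print("ALERT   ", hit.path, "-", why)
    for hit, why in suppressed:
        print("SUPPRESS", hit.path, "-", why)
```

Two design choices carry the caveat from the scenario list: a hit with no creation record is kept rather than suppressed, because there is nothing to key an exclusion on, and PowerShell output is trusted only under a vetted parent, not on the process name alone.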