The hypothesis is that the matched code belongs to an APT's watering-hole (strategic web compromise) infrastructure: JavaScript injected into compromised sites and a PowerShell stager served to visitors for later exploitation. A hit therefore points either at a page carrying the injected script or at a host where the stager has landed. SOC teams can hunt for these strings proactively, for example in proxy and web-cache content, in PowerShell script-block logs (the $str2 pattern survives in Event ID 4104 when the stager runs) and in EDR file-scan results, and track the matches in Azure Sentinel (now Microsoft Sentinel) to identify compromise vectors and disrupt the operation before it escalates.
YARA Rule
rule apt_c16_win_wateringhole
{
    meta:
        author = "@dragonthreatlab"
        description = "Detects code from APT wateringhole"
        date = "2015/01/11"
        reference = "http://blog.dragonthreatlabs.com/2015/01/dtl-12012015-01-hong-kong-swc-attack.html"
    strings:
        $str1 = "function runmumaa()"
        $str2 = "Invoke-Expression $(New-Object IO.StreamReader ($(New-Object IO.Compression.DeflateStream ($(New-Object IO.MemoryStream (,$([Convert]::FromBase64String("
        $str3 = "function MoSaklgEs7(k)"
    condition:
        any of ($str*)
}
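The following Python example is added here as an illustration and is not code from the original page or from Dragon Threat Labs. It parses the three plain-text strings out of the rule above, emulates the `any of ($str*)` condition over constructed samples (an injected page fragment, a stager built in the same deflate-plus-base64 form that $str2 matches, and a benign script), and shows how an analyst can recover the script hidden inside such a stager. The stager tail after the matched prefix and the embedded script are assumptions; the real injected code is not reproduced.

```python
import base64
import re
import zlib

# Rule text as published on the page (only the strings section is parsed).
RULE = r'''
rule apt_c16_win_wateringhole
{
    strings:
        $str1 = "function runmumaa()"
        $str2 = "Invoke-Expression $(New-Object IO.StreamReader ($(New-Object IO.Compression.DeflateStream ($(New-Object IO.MemoryStream (,$([Convert]::FromBase64String("
        $str3 = "function MoSaklgEs7(k)"
    condition:
        any of ($str*)
}
'''


def parse_strings(rule_text: str) -> dict:
    """Return {name: bytes} for each double-quoted text string in the strings section.
    Only unescaped literals without modifiers are handled, which is all this rule uses."""
    found = {}
    in_strings = False
    for line in rule_text.splitlines():
        s = line.strip()
        if s.startswith("strings:"):
            in_strings = True
            continue
        if s.startswith("condition:"):
            break
        if in_strings:
            m = re.match(r'\$(\w+)\s*=\s*"(.*)"\s*$', s)  # greedy: keep inner "(" intact
            if m:
                found["$" + m.group(1)] = m.group(2).encode("ascii")
    return found


def scan(data: bytes, patterns: dict) -> list:
    """Emulate `any of ($str*)`: return (name, offset) for every pattern present."""
    hits = []
    for name, pat in patterns.items():
        off = data.find(pat)
        if off != -1:
            hits.append((name, off))
    return hits


def build_loader(script: str) -> str:
    """Build a PowerShell stager in the form $str2 detects (assumed tail after the
    matched prefix: the usual Decompress/ReadToEnd ending). .NET DeflateStream is
    raw DEFLATE, hence wbits=-15."""
    comp = zlib.compressobj(level=9, wbits=-15)
    raw = comp.compress(script.encode("ascii")) + comp.flush()
    b64 = base64.b64encode(raw).decode("ascii")
    return (
        "Invoke-Expression $(New-Object IO.StreamReader ($(New-Object IO.Compression.DeflateStream "
        "($(New-Object IO.MemoryStream (,$([Convert]::FromBase64String(\"" + b64 + "\")))), "
        "[IO.Compression.CompressionMode]::Decompress)), [Text.Encoding]::ASCII)).ReadToEnd()"
    )


def decode_loader(line: str) -> str:
    """Triage helper: pull the base64 argument out of a $str2-style stager and inflate it."""
    m = re.search(r'FromBase64String\("([A-Za-z0-9+/=]+)"\)', line)
    if not m:
        raise ValueError("no base64 argument found")
    return zlib.decompress(base64.b64decode(m.group(1)), wbits=-15).decode("ascii")


# Constructed samples (not real captured content).
INJECTED_PAGE = b"""<script>
function runmumaa() { /* constructed stand-in for the injected script */ }
function MoSaklgEs7(k) { return k; }
</script>"""
HIDDEN_SCRIPT = "Write-Host 'constructed sample'"
LOADER_LINE = build_loader(HIDDEN_SCRIPT)
BENIGN = b"function run() {}\nInvoke-Expression (Get-Content .\\build.ps1 -Raw)\n"


def demo() -> dict:
    """Run the rule emulation over the samples; returns hit names per sample."""
    patterns = parse_strings(RULE)
    return {
        "injected_page": [n for n, _ in scan(INJECTED_PAGE, patterns)],
        "loader": [n for n, _ in scan(LOADER_LINE.encode("ascii"), patterns)],
        "benign": [n for n, _ in scan(BENIGN, patterns)],
        "recovered": decode_loader(LOADER_LINE),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, "->", v)
```

`decode_loader` is the step worth keeping in a triage kit: a $str2 hit in script-block logs tells you a stager ran, but the inflated payload is what tells you which stage came next.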
The rule contains three plain-text string patterns and fires when any one of them is present. It matches file and stream content (fetched web pages, cached scripts, PowerShell script-block logs, memory dumps), not process events, so it can be deployed anywhere a YARA engine sees that content: on-access file scanning, proxy or sandbox content inspection, or EDR custom indicators. The process-based exclusions below only apply where the scanner surfaces a hit as an event that carries process context.
Scenario: Scheduled system update via Windows Update
Filter/Exclusion: NOT (process.parent_process_name == "svchost.exe" AND process.name == "wuauclt.exe")
Scenario: Legitimate software deployment using Microsoft Endpoint Configuration Manager (MECM)
Filter/Exclusion: NOT (process.name == "setup.exe" AND process.parent_process_name == "msiexec.exe")
Scenario: Admin performing a disk cleanup or defragmentation task
Filter/Exclusion: process.name != "defrag.exe" AND process.name != "cleanmgr.exe"
Scenario: Use of a legitimate code signing tool like SignTool by developers
Filter/Exclusion: NOT (process.name == "SignTool.exe" AND process.parent_process_name == "devenv.exe")
Scenario: Automated backup job using Veeam or similar backup software
Filter/Exclusion: NOT (process.name == "VeeamBackup.exe" AND process.parent_process_name == "VeeamBackupService.exe")
Two caveats apply. The original cleanup exclusion was written as process.name != "defrag.exe" OR process.name != "cleanmgr.exe", which is true for every process and would suppress every hit; the two-process exclusions are written as the negation of the exact parent/child pair so that only that pair is dropped (the Visual Studio IDE process is devenv.exe, not VisualStudio.exe). More importantly, none of these processes has a legitimate reason to write or load content containing the injected function names or the deflate-plus-base64 stager, so a hit inside one of them is more likely a true positive than a false one; prefer keying exclusions on the signed image path rather than the bare process name, since an attacker can name a binary wuauclt.exe, and review any hit in these scenarios before relying on the exclusion.