This detection flags files that match a YARA signature for a known Duqu2 (Duqu 2.0) sample, an MSI custom-action DLL named msi3_32.dll, whose presence on a host may indicate adversary persistence or staging for data exfiltration. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify early-stage compromise and prevent lateral movement or data theft.
YARA Rule
```yara
rule APT_Kaspersky_Duqu2_msi3_32
{
    meta:
        description = "Kaspersky APT Report - Duqu2 Sample - file d8a849654ab97debaf28ae5b749c3b1ff1812ea49978713853333db48c3972c3"
        author = "Florian Roth"
        reference = "https://goo.gl/7yKyOj"
        date = "2015-06-10"
        hash = "53d9ef9e0267f10cc10f78331a9e491b3211046b"
    strings:
        $s0 = "ProcessUserAccounts" fullword ascii /* PEStudio Blacklist: strings */
        $s1 = "SELECT `UserName`, `Password`, `Attributes` FROM `CustomUserAccounts`" fullword wide /* PEStudio Blacklist: strings */
        $s2 = "SELECT `UserName` FROM `CustomUserAccounts`" fullword wide /* PEStudio Blacklist: strings */
        $s3 = "SELECT `Data` FROM `Binary` WHERE `Name`='CryptHash%i'" fullword wide
        $s4 = "msi3_32.dll" fullword wide
        $s5 = "RunDLL" fullword ascii
        $s6 = "MSI Custom Action v3" fullword wide
        $s7 = "msi3_32" fullword wide
        $s8 = "Operating System" fullword wide /* PEStudio Blacklist: strings */ /* Goodware String - occured 9203 times */
    condition:
        uint16(0) == 0x5a4d and filesize < 72KB and all of them
}
```
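To make the rule's condition concrete, the following added example (not YARA, and not the rule author's code) re-implements the matching semantics the rule relies on in plain Python: the `uint16(0) == 0x5a4d` check for the `MZ` header, the `filesize < 72KB` bound, and the difference between `fullword ascii` (raw single-byte text) and `fullword wide` (UTF-16LE, as Windows stores string tables). The fullword behaviour, where a match is rejected if the neighbouring character is alphanumeric, follows libyara's documented semantics as understood here and is an assumption of this example. The sample buffers are constructed in the code and are not real malware.

```python
"""Minimal re-implementation of the matching semantics used by the
APT_Kaspersky_Duqu2_msi3_32 rule, added as an illustration only.
Run YARA itself for real scanning; this shows what the modifiers mean."""

# The nine strings from the rule, with the encoding each is declared with.
RULE_STRINGS = [
    ("ProcessUserAccounts", "ascii"),
    ("SELECT `UserName`, `Password`, `Attributes` FROM `CustomUserAccounts`", "wide"),
    ("SELECT `UserName` FROM `CustomUserAccounts`", "wide"),
    ("SELECT `Data` FROM `Binary` WHERE `Name`='CryptHash%i'", "wide"),
    ("msi3_32.dll", "wide"),
    ("RunDLL", "ascii"),
    ("MSI Custom Action v3", "wide"),
    ("msi3_32", "wide"),
    ("Operating System", "wide"),
]
MAX_FILESIZE = 72 * 1024  # YARA's "72KB" means 72 * 1024 bytes


def encode(s: str, kind: str) -> bytes:
    # "ascii" matches raw single-byte text; "wide" matches UTF-16LE,
    # i.e. each character followed by a NUL byte.
    return s.encode("ascii") if kind == "ascii" else s.encode("utf-16-le")


def is_alnum_unit(unit: bytes, kind: str) -> bool:
    """Is the neighbouring character unit an ASCII letter or digit?
    For wide strings a character unit is two bytes: [alnum, 0x00]."""
    if kind == "ascii":
        return len(unit) == 1 and unit.isalnum()
    return len(unit) == 2 and unit[1] == 0 and unit[:1].isalnum()


def fullword_match(data: bytes, s: str, kind: str) -> bool:
    """True if s occurs in data with no alphanumeric character directly
    before or after it (the `fullword` modifier). Scans all occurrences,
    since an early non-fullword hit does not rule out a later fullword one."""
    needle = encode(s, kind)
    step = 1 if kind == "ascii" else 2
    start = 0
    while True:
        idx = data.find(needle, start)
        if idx == -1:
            return False
        before = data[idx - step:idx] if idx >= step else b""
        after = data[idx + len(needle):idx + len(needle) + step]
        if not is_alnum_unit(before, kind) and not is_alnum_unit(after, kind):
            return True
        start = idx + 1


def rule_matches(data: bytes) -> bool:
    """Evaluate: uint16(0) == 0x5a4d and filesize < 72KB and all of them."""
    # uint16(0) reads the first two bytes little-endian; 0x5a4d is "MZ".
    if len(data) < 2 or int.from_bytes(data[:2], "little") != 0x5A4D:
        return False
    if len(data) >= MAX_FILESIZE:
        return False
    return all(fullword_match(data, s, k) for s, k in RULE_STRINGS)


def build_sample(size: int = 4096) -> bytes:
    """Constructed test buffer (not a real file): an 'MZ' header, the rule's
    strings in their declared encodings separated by NULs, padded to `size`."""
    body = b"MZ" + b"\x00" * 62  # stand-in for a DOS header
    for s, k in RULE_STRINGS:
        body += encode(s, k) + b"\x00\x00"
    return body.ljust(size, b"\x00")


def demo() -> dict:
    """Show the three ways the condition can fail on otherwise similar input."""
    good = build_sample()
    no_mz = b"PE" + good[2:]                      # wrong magic bytes
    too_big = build_sample(size=MAX_FILESIZE)     # filesize not < 72KB
    glued = good.replace(b"RunDLL\x00", b"RunDLLx", 1)  # "RunDLL" no longer a whole word
    return {
        "sample": rule_matches(good),
        "no_mz_header": rule_matches(no_mz),
        "too_large": rule_matches(too_big),
        "not_fullword": rule_matches(glued),
    }


if __name__ == "__main__":
    for name, hit in demo().items():
        print(f"{name:14s} -> {'MATCH' if hit else 'no match'}")
```

The `too_large` case is worth noting when tuning: a padded or repackaged copy of the same DLL that crosses the 72KB bound will not fire, so the size clause is a performance guard, not a safety net, and hash-based detections in Sentinel should sit alongside the YARA match rather than replace it.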
This YARA rule can be deployed in the following contexts:
This rule contains 9 string patterns in its detection logic.
Scenario: A system administrator is using Kaspersky Endpoint Security to perform a scheduled malware scan, which triggers the detection of the Duqu2 sample as part of a known threat database update.
Filter/Exclusion: Exclude events where the file is part of a Kaspersky signature update or scheduled scan by checking the process name (kavscan.exe or kavsvc.exe) and the file path containing Kaspersky or signature.
Scenario: A Windows Update or Microsoft Endpoint Manager (MEM) deployment includes a file with the same hash due to a false positive in the Kaspersky database.
Filter/Exclusion: Exclude files that are part of Windows Update or MEM deployment packages by checking the file path (e.g., C:\Windows\Temp\, C:\ProgramData\Microsoft\Windows\), or using the file type (e.g., .msi, .cab).
Scenario: A system backup job (e.g., Veeam Backup & Replication or Acronis True Image) includes a file with the same hash as a known Duqu2 sample due to a hash collision or outdated signature.
Filter/Exclusion: Exclude files associated with backup processes by checking the process name (e.g., veeam.exe, acronis.exe) or the file path (e.g., C:\ProgramData\Veeam\, C:\ProgramData\Acronis\).
Scenario: A third-party security tool (e.g., Malwarebytes, Bitdefender, or Norton) is updated, and the Duqu2 sample hash is incorrectly flagged in the Kaspersky database.
Filter/Exclusion: Exclude files that are part of **third-party