The CommentCrew-threat-apt1 rule set detects potential adversary behavior involving comment-based PowerShell scripts used to execute malicious commands, which may indicate a low-severity but stealthy attack technique. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage compromise attempts by threat actors leveraging script-based persistence and command execution.
YARA Rule
rule APT1_TARSIP_MOON
{
    meta:
        author = "AlienVault Labs"
        info = "CommentCrew-threat-apt1"
    strings:
        $s1 = "\\XiaoME\\SunCloud-Code\\moon" wide ascii
        $s2 = "URL download success!" wide ascii
        $s3 = "Kugoosoft" wide ascii
        $msg1 = "Modify file failed!! So strange!" wide ascii
        $msg2 = "Create cmd process failed!" wide ascii
        $msg3 = "The command has not been implemented!" wide ascii
        $msg4 = "Runas success!" wide ascii
        $onec1 = "onec.php" wide ascii
        $onec2 = "/bin/onec" wide ascii
    condition:
        1 of ($s*) and 1 of ($msg*) and 1 of ($onec*)
}
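To make the rule's matching semantics concrete, here is an added Python example (written for this page, not part of AlienVault's rule set) that re-implements the APT1_TARSIP_MOON condition without a YARA engine: each string is tried in both byte forms that the "wide ascii" modifiers cover (plain ASCII and UTF-16LE), and the "1 of ($prefix*)" clauses are evaluated per identifier group. The sample buffers are constructed for the demonstration and are not real malware content; the function and variable names are the example's own.

```python
# Added example: stand-alone re-implementation of the APT1_TARSIP_MOON
# matching logic, to show what "wide ascii" and "1 of ($x*)" evaluate to.

# The nine patterns from the rule, keyed by the prefix their YARA
# identifiers share ($s*, $msg*, $onec*). Raw strings keep the backslashes
# that the rule writes as "\\".
PATTERNS = {
    "s": {
        "s1": r"\XiaoME\SunCloud-Code\moon",
        "s2": "URL download success!",
        "s3": "Kugoosoft",
    },
    "msg": {
        "msg1": "Modify file failed!! So strange!",
        "msg2": "Create cmd process failed!",
        "msg3": "The command has not been implemented!",
        "msg4": "Runas success!",
    },
    "onec": {
        "onec1": "onec.php",
        "onec2": "/bin/onec",
    },
}


def encoded_forms(text):
    """Byte forms a 'wide ascii' YARA string matches: the plain ASCII bytes
    and the UTF-16LE form (YARA's 'wide' is one NUL after each character)."""
    return {"ascii": text.encode("ascii"), "wide": text.encode("utf-16-le")}


def matched_strings(data):
    """Return {identifier: encoding} for every pattern found in data."""
    hits = {}
    for group in PATTERNS.values():
        for ident, text in group.items():
            for enc_name, needle in encoded_forms(text).items():
                if needle in data:
                    hits[ident] = enc_name
                    break  # one encoding is enough for this identifier
    return hits


def rule_matches(data):
    """Evaluate the condition: 1 of ($s*) and 1 of ($msg*) and 1 of ($onec*)."""
    hits = matched_strings(data)
    return all(any(ident in hits for ident in group) for group in PATTERNS.values())


# Constructed sample buffers (not real samples) exercising each outcome.
# One identifier from every group, mixing a wide hit with two ASCII hits.
SAMPLE_FULL = (
    b"MZ\x90\x00" + b"\x00" * 16
    + "Kugoosoft".encode("utf-16-le")   # $s3 in its wide form
    + b"\x00" * 8
    + b"Runas success!"                 # $msg4 as ASCII
    + b"\x00" * 8
    + b"GET /bin/onec HTTP/1.1"         # $onec2 as ASCII
)

# $s* and $msg* present, $onec* absent: the AND in the condition fails.
SAMPLE_PARTIAL = b"Kugoosoft\x00Create cmd process failed!\x00"

# Shares vocabulary with the rule but contains none of its exact strings.
SAMPLE_BENIGN = b"URL download failed" + "onec".encode("utf-16-le")

if __name__ == "__main__":
    for name, buf in [("full", SAMPLE_FULL), ("partial", SAMPLE_PARTIAL), ("benign", SAMPLE_BENIGN)]:
        print(name, rule_matches(buf), matched_strings(buf))
```

Running the block prints which identifiers fired and in which encoding for each buffer; the "partial" case is the one worth noting, since two of three groups hitting is still a miss under this condition, which is what keeps the rule specific to the TARSIP/MOON family rather than to any binary mentioning one of its strings.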
This rule contains 9 string patterns in its detection logic, grouped into three identifier families ($s*, $msg*, $onec*), and it fires only when at least one string from each family is present. The rule itself matches file or memory content; the process-level fields below apply only where the scanning platform attaches process context to the scan result.

This YARA rule can be deployed in the following contexts, with suggested filters or exclusions for known benign activity:

Scenario: Scheduled system backup using Veeam Backup & Replication
    Filter/Exclusion: process.name != "VeeamBackup.exe", or check for process.parent.name == "vmtoolsd.exe" or process.parent.name == "vmware-hostd.exe"

Scenario: Admin performing Windows Update or Group Policy deployment
    Filter/Exclusion: process.name != "wuauclt.exe" and process.name != "gupdate.exe", or check for process.parent.name == "services.exe"

Scenario: Running PowerShell scripts for routine system maintenance or configuration management
    Filter/Exclusion: process.name != "powershell.exe", or check for process.parent.name == "taskeng.exe", or use script.block to exclude known maintenance scripts

Scenario: SQL Server Agent Jobs executing maintenance tasks like index rebuilds or backups
    Filter/Exclusion: process.name != "sqlservr.exe", or check for process.parent.name == "sqlagent.exe", or use process.command_line to exclude known maintenance commands

Scenario: Ansible or Chef automation tasks running scheduled configuration updates
    Filter/Exclusion: process.name != "ansible.exe" and process.name != "chef-client.exe", or check for process.parent.name == "taskeng.exe", or use script.block to exclude known automation scripts