Hypothesis: a file that carries the string matched below is very likely one of the PGV PVID samples attributed to the Codoso APT group in the Proofpoint report referenced in the rule, and its presence on a host indicates an existing compromise rather than a mere delivery attempt. Because the indicator is an artifact embedded in the binary itself, this is a file-scanning control: run it with a YARA-capable scanner against endpoints, file shares and mail or web quarantines, then use the six reference hashes in the rule's metadata to pivot into Azure Sentinel (or any SIEM that holds file-hash telemetry) and hunt for the same samples across the estate. Finding the implant early matters because a backdoor of this kind is the foothold from which lateral movement and data exfiltration typically follow.
YARA Rule
rule Codoso_PGV_PVID_3
{
    meta:
        description = "Detects Codoso APT PGV PVID Malware"
        author = "Florian Roth"
        reference = "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks"
        date = "2016-01-30"
        super_rule = 1
        hash1 = "126fbdcfed1dfb31865d4b18db2fb963f49df838bf66922fea0c37e06666aee1"
        hash2 = "13bce64b3b5bdfd24dc6f786b5bee08082ea736be6536ef54f9c908fd1d00f75"
        hash3 = "8a56b476d792983aea0199ee3226f0d04792b70a1c1f05f399cb6e4ce8a38761"
        hash4 = "b2950f2e09f5356e985c38b284ea52175d21feee12e582d674c0da2233b1feb1"
        hash5 = "b631553421aa17171cc47248adc110ca2e79eff44b5e5b0234d69b30cab104e3"
        hash6 = "bc0b885cddf80755c67072c8b5961f7f0adcaeb67a1a5c6b3475614fd51696fe"
    strings:
        $x1 = "Copyright (C) Microsoft Corporation. All rights reserved.(C) 2012" fullword wide
    condition:
        $x1
}
Detection logic: the rule has a single string pattern, $x1, and its condition is simply that the string is present. The indicator is a Microsoft copyright notice with "(C) 2012" appended directly after "reserved." with no separator, a concatenation unlikely to appear in a genuine Microsoft version resource and shared by all six reference samples (super_rule = 1 records that the rule was generated to cover the whole sample set rather than one file). Two caveats follow from the condition as published. First, the string is declared wide only, so a sample that stores it as 8-bit ASCII will not match. Second, there is no uint16(0) == 0x5a4d header check and no filesize bound, so any file containing the UTF-16LE string, including a threat report or indicator list saved as UTF-16 text, will also fire; prefixing the condition with an MZ-header test and a size limit is a common hardening when the rule is run outside a sandbox or triage context. The false-positive scenarios below describe process-level exclusions for the surrounding hunting query; none of them affects the YARA match itself, which has no process context.
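To make the match semantics concrete, the block below is an added worked example, not code from this page, from the rule's author or from the signature-base project. It re-implements the single $x1 test in pure Python (UTF-16LE encoding for wide, two-byte look-arounds for fullword) and runs it over constructed buffers that are labelled as synthetic and are not real malware. The hardened variant that gates on an MZ header and a size bound is an assumed tightening of the rule, not the published condition, and the 600KB limit is an arbitrary choice for the demonstration.

```python
"""Pure-Python model of the Codoso_PGV_PVID_3 matching logic.

Added worked example: this is NOT code from the page above or from the
signature-base project. It re-implements the rule's single string test so the
match semantics (`wide`, `fullword`) can be exercised on constructed buffers.
The buffers in SAMPLES are synthetic and are not real malware.
"""
import re

# The only indicator the rule uses ($x1): a Microsoft copyright line with
# "(C) 2012" glued directly onto "reserved." with no separator.
X1 = "Copyright (C) Microsoft Corporation. All rights reserved.(C) 2012"

# YARA `wide` means the string is searched in its UTF-16LE form only; no `ascii`
# modifier is present, so the plain 8-bit form does not count.
X1_WIDE = X1.encode("utf-16-le")

# YARA `fullword` requires the match not to be immediately preceded or followed
# by an alphanumeric character. For a wide string the neighbours are UTF-16LE
# code units, so each look-around inspects two bytes: an ASCII letter/digit
# followed by a NUL high byte.
_ALNUM_WIDE = rb"[0-9A-Za-z]\x00"
_X1_PATTERN = re.compile(
    rb"(?<!" + _ALNUM_WIDE + rb")" + re.escape(X1_WIDE) + rb"(?!" + _ALNUM_WIDE + rb")"
)


def x1_offset(data: bytes):
    """Return the offset of the first $x1 hit, or None if the rule would not fire."""
    m = _X1_PATTERN.search(data)
    return m.start() if m else None


def rule_matches(data: bytes) -> bool:
    """Condition of the rule exactly as published: `$x1`, nothing else."""
    return x1_offset(data) is not None


def is_pe(data: bytes) -> bool:
    """The MZ header test YARA writes as `uint16(0) == 0x5a4d`."""
    return data[:2] == b"MZ"


def hardened_matches(data: bytes, max_size: int = 600 * 1024) -> bool:
    """Same string test gated on a PE header and a size bound. This is an assumed
    hardening, not the published condition: `uint16(0) == 0x5a4d and filesize < 600KB and $x1`."""
    return is_pe(data) and len(data) < max_size and rule_matches(data)


def _fake_pe(payload: bytes) -> bytes:
    """Constructed stand-in for a PE file: MZ stub, 62 bytes of padding, payload."""
    return b"MZ" + b"\x00" * 62 + payload + b"\x00\x00"


# Constructed test buffers, each exercising one facet of the match semantics.
SAMPLES = {
    # A binary carrying the indicator as a UTF-16LE resource string: should fire.
    "codoso_like": _fake_pe(X1_WIDE),
    # Genuine-looking Microsoft copyright text without the "(C) 2012" suffix: no match.
    "benign_ms_copyright": _fake_pe(
        "Copyright (C) Microsoft Corporation. All rights reserved.".encode("utf-16-le")
    ),
    # Indicator stored as 8-bit ASCII: the rule is `wide` only, so no match.
    "ascii_only": _fake_pe(X1.encode("ascii")),
    # Indicator immediately followed by a wide alphanumeric: `fullword` rejects it.
    "not_fullword": _fake_pe(X1_WIDE + "a".encode("utf-16-le")),
    # A UTF-16 text document quoting the indicator (e.g. a threat report): the
    # published condition fires, the hardened one does not.
    "utf16_text_report": ("Sample string: " + X1 + "\r\n").encode("utf-16-le"),
}


def scan_all(samples=SAMPLES) -> dict:
    """Run both conditions over every buffer; returns {name: (published, hardened)}."""
    return {name: (rule_matches(buf), hardened_matches(buf)) for name, buf in samples.items()}


if __name__ == "__main__":
    for name, (published, hardened) in scan_all().items():
        print(f"{name:22s} published={published!s:5s} hardened={hardened}")
```

Running the block shows the two rows that matter in practice: the ASCII and non-fullword buffers are missed by the published rule, which is the trade-off a wide-only fullword string makes, while the UTF-16 text report fires under the published condition and is suppressed only once the MZ gate is added.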
Scenario: Legitimate scheduled job running PowerShell scripts
Description: A scheduled task runs a PowerShell script as part of routine system maintenance or configuration management.
Filter/Exclusion: Exclude processes associated with known task schedulers (e.g., schtasks.exe, Task Scheduler), or filter by process names like powershell.exe with specific command-line arguments related to known legitimate scripts.
Scenario: Admin performing system cleanup using PowerShell
Description: An administrator uses PowerShell to clean up temporary files or logs as part of standard maintenance procedures.
Filter/Exclusion: Exclude processes initiated by admin accounts with known cleanup scripts or use a filter based on the user context (e.g., User = Administrator or User = SYSTEM).
Scenario: Deployment of legitimate software via Group Policy
Description: A Group Policy Object (GPO) is used to deploy software updates or configuration changes across the network.
Filter/Exclusion: Exclude processes initiated by gpupdate.exe or gpolusr.exe, or filter by the presence of known GPO-related command-line arguments.
Scenario: Use of PowerShell for log analysis by security tools
Description: A security information and event management (SIEM) tool or log analysis script runs PowerShell to parse and analyze system logs.
Filter/Exclusion: Exclude processes with command-line arguments containing log analysis keywords (e.g., -InputObject, -Path, or -File with log file paths).
Scenario: Use of PowerShell for system monitoring by IT operations
Description: IT operations use PowerShell scripts to monitor system performance, disk usage, or service status.
Filter/Exclusion: Exclude processes with known monitoring script paths or command-line arguments related to monitoring tools (e.g., perfmon, wmi, or Get-Counter).