Kaspersky APT Report - Duqu2 Sample - Generic Rule

Hunt Hypothesis

The hypothesis is that the detection rule identifies potential Duqu2 APT activity through suspicious file behavior indicative of malware execution. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect early-stage adversarial activity and prevent potential data exfiltration or system compromise.

YARA Rule

rule Duqu2_Generic1 
{

    meta:
		description = "Kaspersky APT Report - Duqu2 Sample - Generic Rule"
		author = "Florian Roth"
		reference = "https://goo.gl/7yKyOj"
		date = "2015-06-10"
		super_rule = 1
		hash0 = "3f9168facb13429105a749d35569d1e91465d313"
		hash1 = "0a574234615fb2382d85cd6d1a250d6c437afecc"
		hash2 = "38447ed1d5e3454fe17699f86c0039f30cc64cde"
		hash3 = "5282d073ee1b3f6ce32222ccc2f6066e2ca9c172"
		hash4 = "edfca3f0196788f7fde22bd92a8817a957c10c52"
		hash5 = "6a4ffa6ca4d6fde8a30b6c8739785f4bd2b5c415"
		hash6 = "00170bf9983e70e8dd4f7afe3a92ce1d12664467"
		hash7 = "32f8689fd18c723339414618817edec6239b18f3"
		hash8 = "f860acec9920bc009a1ad5991f3d5871c2613672"
		hash9 = "413ba509e41c526373f991d1244bc7c7637d3e13"
		hash10 = "29cd99a9b6d11a09615b3f9ef63f1f3cffe7ead8"
		hash11 = "dfe1cb775719b529138e054e7246717304db00b1"
	
    strings:
		$s0 = "Global\\{B54E3268-DE1E-4c1e-A667-2596751403AD}" fullword wide
		$s1 = "SetSecurityDescriptorSacl" fullword ascii /* PEStudio Blacklist: strings */ /* Goodware String - occured 189 times */
		$s2 = "msisvc_32@" fullword wide
		$s3 = "CompareStringA" fullword ascii /* PEStudio Blacklist: strings */ /* Goodware String - occured 1392 times */
		$s4 = "GetCommandLineW" fullword ascii /* PEStudio Blacklist: strings */ /* Goodware String - occured 1680 times */
	
    condition:
		uint16(0) == 0x5a4d and filesize < 150KB and all of them
}

Deployment Notes

This YARA rule can be deployed in the following contexts:

• Microsoft Defender for Endpoint — Custom indicators / advanced hunting
• Email Gateway — Attachment scanning
• File Share Monitoring — Periodic scanning of shared drives
• YARA CLI — Manual threat hunting on endpoints

This rule contains 5 string patterns in its detection logic.

References

• https://goo.gl/7yKyOj
• Source Rule

False Positive Guidance

• Scenario: Scheduled system backup using Veeam Backup & Replication
  Filter/Exclusion: Exclude files with file_name containing Veeam or backup in the detection logic.

• Scenario: Regular Windows Task Scheduler job running a legitimate script for log rotation
  Filter/Exclusion: Exclude processes with process_name matching schtasks.exe or logrotate.exe.

• Scenario: Kaspersky Endpoint Security performing a scheduled full system scan
  Filter/Exclusion: Exclude processes with process_name containing kav or kaspersky.

• Scenario: Microsoft System Center Configuration Manager (SCCM) deploying software updates
  Filter/Exclusion: Exclude files with file_name containing sms or update and filter by process_name like ccmexec.exe.

• Scenario: Docker container running a legitimate application with known Duqu2-like file names (e.g., duqu2.exe)
  Filter/Exclusion: Exclude files with process_name containing docker or container and check for file_path in /var/lib/docker/.