Adversaries may use a DNS backdoor to exfiltrate data and maintain persistent access; the DNS backdoor that NCC Group attributed to APT15 (the RoyalCLI/RoyalDNS analysis referenced in the rule below) is a documented example. SOC teams should proactively hunt for this behavior in Azure Sentinel so that long-term persistence and data exfiltration are identified early.
YARA Rule
import "pe"

rule malware_apt15_royaldll_2 {
    meta:
        author = "Ahmed Zaki"
        sha256 = "bc937f6e958b339f6925023bc2af375d669084e9551fd3753e501ef26e36b39d"
        description = "DNS backdoor used by APT15"
        reference = "https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2018/march/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/"
    strings:
        // Artefacts consistent with a service DLL hosted by svchost in the "netsvcs" group
        $= "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Svchost" wide ascii
        $= "netsvcs" wide ascii fullword
        $= "%SystemRoot%\\System32\\svchost.exe -k netsvcs" wide ascii fullword
        $= "SYSTEM\\CurrentControlSet\\Services\\" wide ascii
        $= "myWObject" wide ascii
    condition:
        uint16(0) == 0x5A4D and all of them      // MZ header and every string above
        and pe.exports("ServiceMain")            // service DLL entry point (needs import "pe")
        and filesize > 50KB and filesize < 600KB
}
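The following is an added example, not code from the page or from the rule's author, that emulates the rule's conditions in plain Python so the semantics of "wide ascii" (ASCII and UTF-16LE), "fullword" (no alphanumeric neighbours) and the KB size bounds can be checked against a constructed buffer. The pe.exports("ServiceMain") condition is left out on purpose, because it needs a PE export-table parser; that check is assumed to be done by YARA itself. The sample buffer is synthetic and harmless, not the referenced malware.

```python
# Rule strings transcribed from the YARA rule above: (bytes, fullword).
# Every entry carries both the "wide" and "ascii" modifiers.
RULE_STRINGS = [
    (b"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Svchost", False),
    (b"netsvcs", True),
    (b"%SystemRoot%\\System32\\svchost.exe -k netsvcs", True),
    (b"SYSTEM\\CurrentControlSet\\Services\\", False),
    (b"myWObject", False),
]


def _is_alnum_unit(unit, wide):
    """True if a 1-byte (ascii) or 2-byte (wide, UTF-16LE) unit is an ASCII letter or digit."""
    if wide:
        return len(unit) == 2 and unit[1] == 0 and bytes([unit[0]]).isalnum()
    return len(unit) == 1 and unit.isalnum()


def _fullword_ok(buf, start, end, wide):
    """YARA fullword: the match must not be bordered by alphanumeric characters."""
    step = 2 if wide else 1
    if start >= step and _is_alnum_unit(buf[start - step:start], wide):
        return False
    return not _is_alnum_unit(buf[end:end + step], wide)


def find_string(buf, pattern, fullword=False):
    """Search buf for pattern as ASCII and as UTF-16LE ("wide"), honouring fullword."""
    for wide in (False, True):
        needle = pattern.decode("ascii").encode("utf-16-le") if wide else pattern
        pos = buf.find(needle)
        while pos != -1:
            if not fullword or _fullword_ok(buf, pos, pos + len(needle), wide):
                return True
            pos = buf.find(needle, pos + 1)
    return False


def matches_royaldll_strings(buf):
    """Emulate the rule's header, string and size conditions on a byte buffer.
    pe.exports("ServiceMain") is deliberately not emulated (assumption: YARA
    itself performs that check); it needs a PE export-table parser."""
    if buf[:2] != b"MZ":                              # uint16(0) == 0x5A4D
        return False
    if not (50 * 1024 < len(buf) < 600 * 1024):       # filesize > 50KB and filesize < 600KB
        return False
    return all(find_string(buf, p, fw) for p, fw in RULE_STRINGS)


def build_sample(wide=False, size=120 * 1024, drop=None):
    """Construct a synthetic, harmless buffer (not real malware) that carries the
    rule strings NUL-separated and padded to `size`; `drop` omits one string."""
    parts = [b"MZ\x90\x00"]
    for p, _ in RULE_STRINGS:
        if p == drop:
            continue
        parts.append(p.decode("ascii").encode("utf-16-le") if wide else p)
        parts.append(b"\x00\x00")
    body = b"".join(parts)
    return body + b"\x00" * (size - len(body))


if __name__ == "__main__":
    print("ascii sample:", matches_royaldll_strings(build_sample()))
    print("wide sample: ", matches_royaldll_strings(build_sample(wide=True)))
    print("too small:   ", matches_royaldll_strings(build_sample(size=40 * 1024)))
```

Note that the standalone "netsvcs" string is satisfied by the "-k netsvcs" substring of the svchost command line too, since a space and a NUL are not alphanumeric; fullword only rejects occurrences embedded in a longer identifier.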
Note that the rule matches file content (an MZ header, all five strings, a ServiceMain export and a size between 50 KB and 600 KB), so it is applied to binaries on disk or in memory; it does not inspect DNS traffic, and any hit warrants triage. The tuning scenarios below belong to the Sentinel hunt for the backdoor's DNS behavior, where legitimate query patterns need exclusions:
Scenario: Legitimate DNS-based scheduled job
Description: An administrator schedules a recurring DNS query to check domain availability or to perform DNS-based monitoring.
Filter/Exclusion: Exclude queries issued by known administrative tools such as nslookup or dig, and scheduled tasks that resolve known benign names (e.g., nslookup.example.com). Sentinel's DnsEvents table records the client and the queried name but not the querying process, so a process-level exclusion needs endpoint telemetry such as Sysmon event ID 22.
Scenario: DNS resolution for internal service discovery
Description: Services resolve internal names (e.g., service-db.internal); the volume and shape of those queries can resemble unusual query patterns.
Filter/Exclusion: Exclude queries for internal zones (e.g., *.internal, *.local) and names belonging to known internal platforms (e.g., kubernetes.default.svc.cluster.local).
Scenario: Backup or sync tool
Description: Tools such as rsync or scp resolve the hostnames of peer sites before cross-site synchronization.
Filter/Exclusion: Exclude the backup hosts (e.g., rsync.example.com, backup-server.example.com) or queries originating from known backup processes.
Scenario: Update check for enterprise software
Description: A legitimate update process resolves its update servers to fetch update metadata or patches.
Filter/Exclusion: Exclude known update servers (e.g., update.example.com, patch.example.com) and product-specific update hosts (e.g., java.update.example.com).
Scenario: DNS-based monitoring tool (e.g., Nagios, Zabbix)
Description: A monitoring tool like Nagios or Zabbix uses DNS to check the availability of internal services.
Filter/Exclusion: Exclude DNS queries to known monitoring domains (e.g., nagios.example.com, `zabbix.example
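As an added example (not part of the page and not NCC Group's or the rule author's code), the script below applies the exclusions from the scenarios above to constructed DNS query events and then flags any client that resolves many distinct subdomains of one external parent domain, which is the typical footprint of data tunnelled out through DNS. The event shape mirrors Sentinel's DnsEvents columns (ClientIP, Name) with an added `process` field that only endpoint telemetry such as Sysmon event 22 provides; the example.com/example.net names, the process names, the two-label parent-domain heuristic and the threshold of 20 are all assumptions to be replaced with local values.

```python
from collections import defaultdict

# Exclusion lists assembled from the tuning scenarios above. The example.com /
# example.net names are placeholders (assumption), not real allow-listed hosts.
EXCLUDED_SUFFIXES = (".internal", ".local")            # internal zones, incl. *.svc.cluster.local
EXCLUDED_NAMES = {
    "nslookup.example.com",                            # scheduled administrative check
    "rsync.example.com", "backup-server.example.com",  # backup / sync peers
    "update.example.com", "patch.example.com", "java.update.example.com",
    "nagios.example.com",                              # monitoring
}
EXCLUDED_PROCESSES = {"nslookup.exe", "dig", "nagios", "rsync"}  # assumed process names


def normalize(name):
    return name.rstrip(".").lower()


def registrable_domain(name):
    """Parent domain taken as the last two labels. A public-suffix list would be
    more accurate for names such as example.co.uk; two labels suffice here (assumption)."""
    labels = normalize(name).split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else labels[0]


def is_excluded(event):
    """Apply the page's exclusions to one DNS query event."""
    name = normalize(event["name"])
    return (name.endswith(EXCLUDED_SUFFIXES)
            or name in EXCLUDED_NAMES
            or event.get("process", "").lower() in EXCLUDED_PROCESSES)


def hunt(events, min_unique_subdomains=20):
    """Return {(client, parent_domain): distinct_subdomain_count} for every client
    that queried at least min_unique_subdomains distinct subdomains of a single
    parent domain after exclusions. The threshold is an assumption to tune locally."""
    seen = defaultdict(set)
    for event in events:
        if is_excluded(event):
            continue
        name = normalize(event["name"])
        parent = registrable_domain(name)
        if name == parent:
            continue                          # bare apex, no subdomain label to count
        subdomain = name[: -len(parent) - 1]
        seen[(event["client"], parent)].add(subdomain)
    return {key: len(subs) for key, subs in seen.items() if len(subs) >= min_unique_subdomains}


# Constructed sample events (not real telemetry): a handful of benign lookups that
# the exclusions remove, one ordinary web lookup, and 30 encoded-looking labels
# under one parent domain from a single host.
SAMPLE_EVENTS = (
    [{"client": "10.0.0.7", "name": "service-db.internal", "process": "app.exe"},
     {"client": "10.0.0.7", "name": "kubernetes.default.svc.cluster.local", "process": "kubelet"},
     {"client": "10.0.0.8", "name": "update.example.com", "process": "updater.exe"},
     {"client": "10.0.0.8", "name": "www.example.com", "process": "chrome.exe"},
     {"client": "10.0.0.9", "name": "whatever.example.org", "process": "nslookup.exe"}]
    + [{"client": "10.0.0.5", "name": f"{i:08x}.c2.example.net", "process": "svchost.exe"}
       for i in range(30)]
)


if __name__ == "__main__":
    for (client, parent), count in hunt(SAMPLE_EVENTS).items():
        print(f"{client} queried {count} distinct subdomains of {parent}: investigate")
```

Exclusions are applied per event before aggregation, so an excluded name never contributes to a client's count; keep the suffix list short and specific, since a broad suffix such as ".local" also hides mDNS noise that may be worth a separate look.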