The detection identifies potential REDLEAVES RAT activity by matching strings that are only visible once the implant has been deobfuscated (unpacked in memory or decoded on disk). SOC teams should proactively hunt for these strings to detect early-stage compromises and prevent lateral movement in environments monitored with Azure Sentinel.
YARA Rule
rule REDLEAVES_CoreImplant_UniqueStrings {
    meta:
        description = "Strings identifying the core REDLEAVES RAT in its deobfuscated state"
        author = "USG"
        reference = "https://www.us-cert.gov/ncas/alerts/TA17-117A"
    strings:
        $unique2 = "RedLeavesSCMDSimulatorMutex" nocase wide ascii
        $unique4 = "red_autumnal_leaves_dllmain.dll" wide ascii
        $unique7 = "\\NamePipe_MoreWindows" wide ascii
    condition:
        any of them
}
This YARA rule can be deployed in the following contexts:
This rule contains 3 string patterns in its detection logic.
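To make the `wide`, `ascii` and `nocase` modifiers concrete, here is an added Python example (not part of the original page or the US-CERT alert) that reproduces the rule's string logic with the standard library only and runs it over constructed byte buffers; the buffers are made up for the demonstration and are not real samples.

```python
import re

# The three strings from REDLEAVES_CoreImplant_UniqueStrings, each with the
# modifier it carries in the rule: (name, literal, nocase?). All three are
# declared "wide ascii", so each is searched in both encodings.
RULE_STRINGS = [
    ("$unique2", "RedLeavesSCMDSimulatorMutex", True),
    ("$unique4", "red_autumnal_leaves_dllmain.dll", False),
    ("$unique7", "\\NamePipe_MoreWindows", False),
]


def _patterns(literal: str, nocase: bool):
    """Expand one rule string into the byte regexes 'ascii' and 'wide' imply."""
    flags = re.IGNORECASE if nocase else 0          # nocase: ASCII case folding
    ascii_pat = re.compile(re.escape(literal.encode("ascii")), flags)
    # 'wide' = every character followed by a NUL byte, i.e. UTF-16LE for ASCII text
    wide_pat = re.compile(re.escape(literal.encode("utf-16-le")), flags)
    return ascii_pat, wide_pat


def scan(data: bytes) -> dict:
    """Return {string_name: [offsets]} for every rule string present in data."""
    hits = {}
    for name, literal, nocase in RULE_STRINGS:
        offsets = []
        for pat in _patterns(literal, nocase):
            offsets.extend(m.start() for m in pat.finditer(data))
        if offsets:
            hits[name] = sorted(offsets)
    return hits


def rule_matches(data: bytes) -> bool:
    """'any of them': the rule fires as soon as one string is found."""
    return bool(scan(data))


# Constructed buffers (not real malware): an ASCII hit, a UTF-16LE hit whose
# case differs from the literal (allowed only for the nocase string), a
# case-changed copy of a case-sensitive string, and a clean buffer.
SAMPLE_ASCII = b"\x00" * 16 + b"red_autumnal_leaves_dllmain.dll" + b"\x00" * 8
SAMPLE_WIDE_NOCASE = b"MZ" + "REDLEAVESscmdSIMULATORmutex".encode("utf-16-le")
SAMPLE_CASE_MISMATCH = b"\\namepipe_morewindows"   # $unique7 is case-sensitive
SAMPLE_CLEAN = b"hello world " * 4

if __name__ == "__main__":
    for label, buf in [("ascii", SAMPLE_ASCII), ("wide", SAMPLE_WIDE_NOCASE),
                       ("case", SAMPLE_CASE_MISMATCH), ("clean", SAMPLE_CLEAN)]:
        print(label, rule_matches(buf), scan(buf))
```

Note that YARA evaluates these strings against the bytes of a file or memory region, so only artifacts that actually contain them produce a hit.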
Scenario: Deobfuscation of a Legitimate Script during Incident Response
Description: A security analyst is manually deobfuscating a suspicious script using tools like strings, xxd, or hexdump as part of an incident response investigation.
Filter/Exclusion: Exclude processes initiated by the strings command or any deobfuscation tool used by the SOC team during active investigations.
Scenario: Scheduled Job for Log Analysis Using a Script with Similar String Patterns
Description: A scheduled job runs a Python or Bash script using tools like grep, awk, or sed to analyze logs, and the script contains strings that match the REDLEAVES RAT pattern.
Filter/Exclusion: Exclude processes associated with scheduled jobs running under the log_analysis or security_monitoring service account.
Scenario: System Update or Patching Process with Embedded Strings
Description: A system update or patching process (e.g., using yum, apt, or msiexec) includes a script or package that contains strings similar to the REDLEAVES RAT signature.
Filter/Exclusion: Exclude processes related to package managers like yum, apt, or msiexec, and filter by known update or patching tools.
Scenario: Admin Task Involving String Manipulation in a Scripting Language
Description: An admin is using a scripting language like PowerShell or Python to manipulate strings as part of a routine admin task (e.g., string replacement in configuration files).
Filter/Exclusion: Exclude processes initiated by admin users with elevated privileges or scripts that involve string manipulation in known admin tools like PowerShell.exe or python.exe.
Scenario: Deobfuscation of a Malware Sample in a Sandbox Environment
Description: A malware sample is