From c45f77e706280656f15533aee11621cd83749a8d Mon Sep 17 00:00:00 2001 From: Pyhroff <215876416+Pyhroff@users.noreply.github.com> Date: Tue, 23 Jun 2026 17:11:53 +0530 Subject: [PATCH] Add APT36/SideCopy detection rules (CrimsonRAT, XenoRAT, mshta chain) Three new experimental rules covering Pakistan-linked APT36/SideCopy TTPs with no prior Sigma coverage: 1. registry_set_apt36_sidecopy_persistence.yml - Detects CrimsonRAT (\Software\CrimsonRAT), ElizaRAT (\SYSTEM\ElizaRAT\Persistence), and CapraStart run key writes - ATT&CK: T1547.001 2. proc_creation_win_apt_sidecopy_xenorat_schtask.yml - Detects schtasks.exe creating the hardcoded XenoUpdateManager task used to persist XenoRAT in Operation XENOFISCAL (June 2026) - ATT&CK: T1053.005 3. proc_creation_win_apt_sidecopy_mshta_index_php.yml - Detects mshta.exe fetching a remote HTA via an index.php endpoint, SideCopy signature TTP documented since 2019 across multiple campaigns - More specific than the existing generic mshta HTTP rule - ATT&CK: T1218.005, T1566.001 References: Seqrite Operation XENOFISCAL (2026-06), Talos InSideCopy, Hacker News APT36 cross-platform RAT campaigns (2026-02). --- ...ation_win_apt_sidecopy_mshta_index_php.yml | 30 +++++++++++++++++++ ...ation_win_apt_sidecopy_xenorat_schtask.yml | 27 +++++++++++++++++ ...egistry_set_apt36_sidecopy_persistence.yml | 27 +++++++++++++++++ 3 files changed, 84 insertions(+) create mode 100644 rules/windows/process_creation/proc_creation_win_apt_sidecopy_mshta_index_php.yml create mode 100644 rules/windows/process_creation/proc_creation_win_apt_sidecopy_xenorat_schtask.yml create mode 100644 rules/windows/registry/registry_set/registry_set_apt36_sidecopy_persistence.yml diff --git a/rules/windows/process_creation/proc_creation_win_apt_sidecopy_mshta_index_php.yml b/rules/windows/process_creation/proc_creation_win_apt_sidecopy_mshta_index_php.yml new file mode 100644 index 00000000000..bea27c451d9 --- /dev/null 
+++ b/rules/windows/process_creation/proc_creation_win_apt_sidecopy_mshta_index_php.yml @@ -0,0 +1,30 @@ +title: SideCopy Mshta.EXE Fetching Remote HTA via index.php Endpoint +id: 1f650100-d50e-4841-af42-75e5d18e106a +status: experimental +description: Detects execution of mshta.exe with a commandline referencing an "index.php" endpoint, which is a signature initial-access TTP used by the SideCopy APT group since at least 2019. The group lures victims with malicious LNK files (often disguised as PDF documents) that invoke mshta.exe to fetch a remote HTML Application (HTA) from a compromised web server via an index.php URL. This pattern is more specific than generic mshta HTTP detection rules and strongly correlates with SideCopy infrastructure. +references: + - https://blog.talosintelligence.com/sidecopy/ + - https://www.seqrite.com/blog/goodbye-hta-hello-msi-new-ttps-and-clusters-of-an-apt-driven-by-multi-platform-attacks/ + - https://thehackernews.com/2026/02/apt36-and-sidecopy-launch-cross.html + - https://cybersrcc.com/2025/05/02/pakistan-linked-sidecopy-hackers-escalate-indian-cyberattacks-with-curlback-rat-and-spark-rat/ +author: Pyhroff +date: 2026-06-23 +tags: + - attack.initial-access + - attack.execution + - attack.defense-evasion + - attack.t1218.005 + - attack.t1566.001 +logsource: + category: process_creation + product: windows +detection: + selection_img: + - Image|endswith: '\mshta.exe' + - OriginalFileName: 'MSHTA.EXE' + selection_cli: + CommandLine|contains: 'index.php' + condition: all of selection_* +falsepositives: + - Unlikely. Legitimate applications rarely invoke mshta.exe against an index.php endpoint. Internal web applications using PHP are theoretically possible but would be unusual in this context. +level: high diff --git a/rules/windows/process_creation/proc_creation_win_apt_sidecopy_xenorat_schtask.yml b/rules/windows/process_creation/proc_creation_win_apt_sidecopy_xenorat_schtask.yml new file mode 100644 index 00000000000..f08d44b71e6 
--- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_apt_sidecopy_xenorat_schtask.yml @@ -0,0 +1,27 @@ +title: SideCopy XenoRAT Scheduled Task Persistence +id: 996bc437-e877-4cfb-8824-1273b02663b1 +status: experimental +description: Detects creation of the scheduled task named "XenoUpdateManager", which is used by the SideCopy APT group (Pakistan-linked) to persist XenoRAT on compromised hosts. The task name is a hardcoded artifact confirmed across multiple SideCopy campaigns targeting Afghan and Indian government networks in 2025-2026. +references: + - https://www.seqrite.com/blog/operation-xenofiscal-sidecopy-deploying-persistent-xenorat-targeting-the-mof-afghanistan/ + - https://thehackernews.com/2026/06/pakistan-linked-sidecopy-targets.html + - https://socprime.com/active-threats/operation-xenofiscal-sidecopy-deploys-persistent-xenorat-against-afghanistans-ministry-of-finance/ +author: Pyhroff +date: 2026-06-23 +tags: + - attack.persistence + - attack.execution + - attack.t1053.005 +logsource: + category: process_creation + product: windows +detection: + selection_img: + - Image|endswith: '\schtasks.exe' + - OriginalFileName: 'schtasks.exe' + selection_task: + CommandLine|contains: 'XenoUpdateManager' + condition: all of selection_* +falsepositives: + - No legitimate software is known to create a scheduled task named XenoUpdateManager. +level: high diff --git a/rules/windows/registry/registry_set/registry_set_apt36_sidecopy_persistence.yml b/rules/windows/registry/registry_set/registry_set_apt36_sidecopy_persistence.yml new file mode 100644 index 00000000000..db79a6161f1 --- /dev/null +++ b/rules/windows/registry/registry_set/registry_set_apt36_sidecopy_persistence.yml 
@@ -0,0 +1,27 @@ +title: APT36/SideCopy CrimsonRAT and ElizaRAT Registry Persistence +id: 727bc0c1-da26-4d46-a4bf-aff11117a949 +status: experimental +description: Detects registry modifications associated with APT36 (Transparent Tribe) and SideCopy persistence mechanisms. CrimsonRAT stores configuration under HKCU\Software\CrimsonRAT, ElizaRAT uses HKLM\SYSTEM\ElizaRAT\Persistence, and the CapraStart run key ensures autostart on logon. These are signature artifacts of Pakistan-linked campaigns targeting Indian and Afghan government entities. +references: + - https://www.seqrite.com/blog/operation-xenofiscal-sidecopy-deploying-persistent-xenorat-targeting-the-mof-afghanistan/ + - https://thehackernews.com/2026/02/apt36-and-sidecopy-launch-cross.html + - https://freemindtronic.com/apt36-cyberespionage-group-technical-reference-guide-v1-1/ + - https://arxiv.org/html/2510.04118v1 +author: Pyhroff +date: 2026-06-23 +tags: + - attack.persistence + - attack.t1547.001 +logsource: + category: registry_set + product: windows +detection: + selection: + TargetObject|contains: + - '\Software\CrimsonRAT' + - '\SYSTEM\ElizaRAT\Persistence' + - '\CurrentVersion\Run\CapraStart' + condition: selection +falsepositives: + - Unlikely. These registry paths are not used by any known legitimate software. +level: high
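Review bot: in proc_creation_win_apt_sidecopy_mshta_index_php.yml, `selection_cli` only requires `CommandLine|contains: 'index.php'`, so the detection does not actually encode the "remote HTA" scope that the title and description claim: an mshta.exe invocation with a local path containing index.php or a non-HTTP URI fires, while a remote fetch under a different script name does not. Either tighten the selection so it matches what it describes, e.g. `CommandLine|contains|all:` with `- 'http'` and `- 'index.php'`, or reword the description to say the rule keys only on the index.php string. Since the description states this is more specific than the existing generic mshta HTTP rule, also add a `related:` entry with `type: derived` pointing at that rule's id, which is the SigmaHQ convention for narrower variants.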
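Review bot: in proc_creation_win_apt_sidecopy_xenorat_schtask.yml, the title and description say the rule detects creation of the XenoUpdateManager task, but `selection_task` matches any schtasks.exe command line containing that name, including `/query`, `/change`, `/run` or `/delete` of the task during triage or cleanup. Either restrict it with `CommandLine|contains|all:` over `'/create'` and `'XenoUpdateManager'`, or reword the title and description to say any schtasks.exe interaction with the task name. The description should also note that tasks registered through the Task Scheduler API or PowerShell `Register-ScheduledTask` never pass through schtasks.exe and are not covered here; a companion file_event rule on the task file under `\Windows\System32\Tasks\XenoUpdateManager` would close that gap.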
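Review bot: in registry_set_apt36_sidecopy_persistence.yml, `category: registry_set` maps to Sysmon Event ID 13 (value set) only, yet the description talks about CrimsonRAT storing configuration under HKCU\Software\CrimsonRAT and ElizaRAT using a `\Persistence` key; creation of those keys (Event ID 12) without a value write beneath them would not trigger the rule. Consider `category: registry_event`, which covers key creation as well as value sets, since the `TargetObject|contains` selection works unchanged under that category. Separately, `\CurrentVersion\Run\CapraStart` is a Run value name rather than a key path like the other two entries, which is fine for `contains`, but the description should say so and name the family that writes it, as CapraStart is otherwise unattributed in the rule.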