The presence of specific HTML strings in network traffic or logs may indicate the use of Agent Tesla malware for exfiltrating data through web-based communication channels. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential data exfiltration attempts and mitigate the impact of advanced persistent threats.
YARA Rule
rule Agenttesla
{
    meta:
        description = "Detecting HTML strings used by Agent Tesla malware"
        author = "Stormshield"
        reference = "https://thisissecurity.stormshield.com/2018/01/12/agent-tesla-campaign/"
        version = "1.0"

    strings:
        $html_username = "<br>UserName : " wide ascii
        $html_pc_name = "<br>PC Name : " wide ascii
        $html_os_name = "<br>OS Full Name : " wide ascii
        $html_os_platform = "<br>OS Platform : " wide ascii
        $html_clipboard = "<br><span style=font-style:normal;text-decoration:none;text-transform:none;color:#FF0000;><strong>[clipboard]</strong></span>" wide ascii

    condition:
        3 of them
}
This YARA rule can be deployed in the following contexts:
This rule contains 5 string patterns in its detection logic.
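To make the rule's two matching mechanics concrete, here is an added example (not code from the original page or from Stormshield) that emulates the rule in plain Python: the "wide ascii" modifiers are reproduced by searching for each string both as raw bytes and as UTF-16LE, and "3 of them" is reproduced as a count of distinct identifiers that matched. The sample buffers are constructed for the demonstration (the hostnames and values are placeholders, not real captures); they show that a benign form page and a report carrying a single matching string both stay below the threshold, while a body carrying the rule's strings fires in either encoding.

```python
"""Plain-Python emulation of the Agenttesla YARA rule above (added example,
not the page's or Stormshield's code). Sample buffers are constructed."""
from typing import Dict, List

# The five string patterns, copied from the rule's strings section.
PATTERNS = {
    "html_username": "<br>UserName : ",
    "html_pc_name": "<br>PC Name : ",
    "html_os_name": "<br>OS Full Name : ",
    "html_os_platform": "<br>OS Platform : ",
    "html_clipboard": (
        "<br><span style=font-style:normal;text-decoration:none;"
        "text-transform:none;color:#FF0000;><strong>[clipboard]</strong></span>"
    ),
}

THRESHOLD = 3  # the rule's condition: "3 of them"


def encodings(pattern: str) -> List[bytes]:
    """'ascii' and 'wide' modifiers: YARA looks for the raw byte string and
    for its UTF-16LE form (each character followed by a NUL byte)."""
    return [pattern.encode("ascii"), pattern.encode("utf-16-le")]


def matched_strings(data: bytes) -> Dict[str, List[int]]:
    """Return each identifier that occurs in `data` at least once, mapped to
    the offsets of its occurrences in either encoding."""
    hits: Dict[str, List[int]] = {}
    for ident, pattern in PATTERNS.items():
        offsets = []
        for needle in encodings(pattern):
            start = 0
            while (pos := data.find(needle, start)) != -1:
                offsets.append(pos)
                start = pos + 1
        if offsets:
            hits[ident] = sorted(offsets)
    return hits


def rule_fires(data: bytes) -> bool:
    """Emulates 'condition: 3 of them': three or more distinct identifiers matched."""
    return len(matched_strings(data)) >= THRESHOLD


# Constructed samples (not real traffic or files).
# 1. Benign HTML form page: generic markup only, none of the exact strings.
BENIGN_FORM = b"<html><form method=POST><label>UserName</label><input name=user></form></html>"

# 2. A benign host report that happens to contain one matching string.
ONE_STRING = b"<html><body>Host report<br>PC Name : build-agent-01<br>Uptime : 3d</body></html>"

# 3. Detection fixture: four of the rule's strings back to back, ASCII encoded.
EXFIL_LIKE_ASCII = (
    b"<br>UserName : EXAMPLE_USER"
    b"<br>PC Name : EXAMPLE-PC"
    b"<br>OS Full Name : Example OS"
    b"<br>OS Platform : Win32NT"
)

# 4. The same fixture as UTF-16LE, which is what the 'wide' modifier covers.
EXFIL_LIKE_WIDE = EXFIL_LIKE_ASCII.decode("ascii").encode("utf-16-le")


if __name__ == "__main__":
    samples = [
        ("benign_form", BENIGN_FORM),
        ("one_string", ONE_STRING),
        ("exfil_like_ascii", EXFIL_LIKE_ASCII),
        ("exfil_like_wide", EXFIL_LIKE_WIDE),
    ]
    for name, buf in samples:
        print(f"{name:18s} fires={rule_fires(buf)} matched={sorted(matched_strings(buf))}")
```

Because the condition counts distinct identifiers rather than total occurrences, a buffer that repeats one string many times still does not fire; that is the property to keep in mind when reading the false-positive scenarios that follow, and it is also why a tuning change such as raising the threshold or adding the clipboard string as a required term is easy to test with fixtures like these before touching the production rule.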
Scenario: Web Server Logs from Legitimate HTML Forms
Description: Legitimate web applications may include HTML form elements in their logs, which could trigger the rule due to the presence of HTML strings.
Filter/Exclusion: Exclude traffic from known web servers (e.g., Apache, Nginx) or filter by HTTP methods like GET or POST that are associated with form submissions.
Scenario: Scheduled Job Generating HTML Reports
Description: A scheduled job (e.g., using cron or Windows Task Scheduler) may generate HTML-based reports, which could contain HTML strings that match the detection logic.
Filter/Exclusion: Exclude processes or users associated with report generation tools (e.g., reporting_tool.exe, cron jobs with known report names).
Scenario: Admin Task Using HTML for Configuration
Description: System administrators may use HTML for configuration files or documentation, which could be flagged by the rule.
Filter/Exclusion: Exclude files or processes associated with admin tasks (e.g., sysadmin_tool.exe, config_generator.sh) or filter by file paths in known admin directories.
Scenario: Email Client Rendering HTML Content
Description: Email clients (e.g., Microsoft Outlook, Thunderbird) may render HTML content in emails, which could trigger the rule due to embedded HTML strings.
Filter/Exclusion: Exclude email-related processes (e.g., outlook.exe, thunderbird.exe) or filter by email protocols (e.g., SMTP, IMAP).
Scenario: DevOps Pipeline Generating HTML Artifacts
Description: CI/CD pipelines (e.g., Jenkins, GitLab CI) may generate HTML artifacts or documentation during builds, which could be flagged by the rule.
Filter/Exclusion: Exclude processes related to CI/CD