Anubis malware may perform anti-sandbox checks to evade detection in isolated environments, indicating potential evasion tactics. SOC teams should proactively hunt for these behaviors in Azure Sentinel to identify and mitigate advanced threats that may bypass traditional detection methods.
YARA Rule
rule antisb_anubis {
    meta:
        author = "x0r"
        description = "Anti-Sandbox checks for Anubis"
        version = "0.1"
    strings:
        $p1 = "Software\\Microsoft\\Windows\\CurrentVersion" nocase
        $c1 = "RegQueryValue"
        $s1 = "76487-337-8429955-22614"
        $s2 = "76487-640-1457236-23837"
    condition:
        $p1 and $c1 and 1 of ($s*)
}
This rule contains 4 string patterns in its detection logic: a registry key path ($p1, matched case-insensitively because of the nocase modifier), the RegQueryValue API name ($c1, matched case-sensitively), and two Windows product ID strings ($s1, $s2) associated with the Anubis sandbox. A file matches only when the registry path and the API name are both present together with at least one of the two product IDs. The scenarios below describe benign activity that can resemble this behaviour and the exclusions used to reduce false positives when the rule is deployed.
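To make the rule's condition concrete, the following is an added example written for this page; it is not code from the rule's author or from the original page. It re-implements the antisb_anubis condition in plain Python, emulating YARA's ascii string matching so that the effect of the nocase modifier on $p1, the case-sensitive match on $c1, and the "1 of ($s*)" clause can be seen on constructed byte buffers. The sample buffers, the function names match_antisb_anubis and scan_file, and the offsets are all constructed for illustration; in practice the rule itself is compiled and run with yara-python or the yara command-line tool.

```python
import re

# String patterns copied from the antisb_anubis rule above.
P1 = b"Software\\Microsoft\\Windows\\CurrentVersion"  # $p1, nocase
C1 = b"RegQueryValue"                                  # $c1, case-sensitive
S_STRINGS = {                                          # $s1 / $s2, case-sensitive
    "$s1": b"76487-337-8429955-22614",
    "$s2": b"76487-640-1457236-23837",
}


def _find_all(data: bytes, needle: bytes, nocase: bool = False) -> list:
    """Return the byte offsets of every occurrence of needle in data.

    This emulates a plain (ascii) YARA string: a literal substring search,
    case-insensitive only when the rule marks the string as nocase.
    """
    flags = re.IGNORECASE if nocase else 0
    return [m.start() for m in re.finditer(re.escape(needle), data, flags)]


def match_antisb_anubis(data: bytes) -> dict:
    """Evaluate the rule condition '$p1 and $c1 and 1 of ($s*)' over data.

    Returns a dict with the overall verdict and the per-string hit offsets,
    which is what an analyst would want to see when triaging a match.
    """
    hits = {
        "$p1": _find_all(data, P1, nocase=True),
        "$c1": _find_all(data, C1),
    }
    for name, needle in S_STRINGS.items():
        hits[name] = _find_all(data, needle)

    # '1 of ($s*)' means at least one of the $s-prefixed strings matched.
    s_count = sum(1 for name in S_STRINGS if hits[name])
    matched = bool(hits["$p1"]) and bool(hits["$c1"]) and s_count >= 1
    return {"matched": matched, "hits": hits}


def scan_file(path: str) -> dict:
    """Apply the emulated rule to a file on disk (hypothetical helper)."""
    with open(path, "rb") as fh:
        return match_antisb_anubis(fh.read())


# Constructed sample buffers (not real binaries) exercising each clause.
# 1) Registry path in upper case (nocase still matches), API name as part of
#    the wider import name RegQueryValueExA, and one Anubis product ID.
SAMPLE_SUSPECT = (
    b"\x00MZ\x90\x00padding\x00"
    b"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\x00"
    b"ProductId\x00RegQueryValueExA\x00"
    b"76487-640-1457236-23837\x00"
)

# 2) Registry path and API name are present, but no product ID: the
#    '1 of ($s*)' clause fails, so an ordinary installer-like file does not match.
SAMPLE_BENIGN = (
    b"MZ\x90\x00"
    b"Software\\Microsoft\\Windows\\CurrentVersion\x00"
    b"RegQueryValueExW\x00DisplayName\x00"
)

# 3) Product ID present, but the API name only appears in lower case; $c1 has
#    no nocase modifier, so the rule does not fire.
SAMPLE_LOWERCASE_API = (
    b"software\\microsoft\\windows\\currentversion\x00"
    b"regqueryvalueexa\x00"
    b"76487-337-8429955-22614\x00"
)


if __name__ == "__main__":
    for label, buf in (("suspect", SAMPLE_SUSPECT),
                       ("benign", SAMPLE_BENIGN),
                       ("lowercase_api", SAMPLE_LOWERCASE_API)):
        result = match_antisb_anubis(buf)
        print(f"{label}: matched={result['matched']} hits={result['hits']}")
```

Running the block shows the first buffer matching with $p1 at offset 13, $c1 at 65 and $s2 at 82, while the other two buffers do not match, one for lack of any product ID and one because the API name is only present in lower case. The per-string offsets are the same information yara's -s flag prints and are useful when deciding whether a hit is the sandbox check itself or an unrelated file that merely references the same registry path.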
Scenario: System Integrity Verification via PowerShell
Description: A system administrator runs a PowerShell script to verify the integrity of system files using Get-AuthenticodeSignature or Test-FileIntegrity.
Filter/Exclusion: Exclude processes with ProcessName equal to powershell.exe and CommandLine containing Get-AuthenticodeSignature or Test-FileIntegrity.

Scenario: Scheduled Job for Log Analysis
Description: A scheduled task runs a script to analyze log files for security events, which may involve checking file hashes or digital signatures.
Filter/Exclusion: Exclude processes with ProcessName equal to schtasks.exe or TaskScheduler and CommandLine containing log analysis or log parsing.

Scenario: Admin Task for Software Deployment
Description: An administrator uses Group Policy or a deployment tool like SCCM to push software updates, which may involve checking digital signatures of the deployed packages.
Filter/Exclusion: Exclude processes with ProcessName equal to gpupdate.exe, microsoft.com, or SCCM and CommandLine containing software deployment or package verification.

Scenario: File Integrity Monitoring Tool
Description: A tool like Tripwire or OSSEC checks file hashes and digital signatures to ensure no unauthorized changes to critical system files.
Filter/Exclusion: Exclude processes with ProcessName equal to tripwire or ossec and CommandLine containing check integrity or file hash verification.

Scenario: Anti-Virus/Endpoint Protection Scan
Description: A legitimate endpoint protection solution (e.g., Microsoft Defender, CrowdStrike) performs a full system scan, which may involve checking file signatures and hashes.
Filter/Exclusion: Exclude processes with ProcessName