Adversaries may use Regin 64-bit stage 1 loaders to establish initial persistence and execute malicious payloads within a network. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify early-stage compromises and prevent further lateral movement and data exfiltration.
YARA Rule
rule apt_regin_2013_64bit_stage1
{
    meta:
        copyright = "Kaspersky Lab"
        description = "Rule to detect Regin 64 bit stage 1 loaders"
        version = "1.0"
        last_modified = "2014-11-18"
        filename = "wshnetc.dll"
        md5 = "bddf5afbea2d0eed77f2ad4e9a4f044d"
        filename = "wsharp.dll"
        md5 = "c053a0a3f1edcbbfc9b51bc640e808ce"

    strings:
        $mz = "MZ"
        $a1 = "PRIVHEAD"
        $a2 = "\\\\.\\PhysicalDrive%d"
        $a3 = "ZwDeviceIoControlFile"

    condition:
        ($mz at 0) and (all of ($a*)) and filesize < 100000
}
This rule contains 4 string patterns in its detection logic.
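To show exactly what the condition above matches, here is an added pure-Python re-implementation of the rule's logic (not Kaspersky's code and not yara-python, which is assumed unavailable offline). It resolves the YARA escape sequence in $a2 to the literal device path and evaluates the three clauses of the condition on constructed buffers, including the size boundary and a missing indicator:

```python
"""Pure-Python evaluation of the apt_regin_2013_64bit_stage1 condition.

Added example for illustration only; it mirrors the rule's logic so a
reader can see what each clause contributes, without needing yara-python.
"""

# The four patterns as YARA resolves them. The YARA source "\\\\.\\PhysicalDrive%d"
# is the literal Windows device path \\.\PhysicalDrive%d (19 bytes).
STRINGS = {
    "$mz": b"MZ",
    "$a1": b"PRIVHEAD",
    "$a2": b"\\\\.\\PhysicalDrive%d",
    "$a3": b"ZwDeviceIoControlFile",
}
MAX_FILESIZE = 100000  # rule clause: filesize < 100000


def evaluate(data: bytes) -> dict:
    """Return the first offset of each string and the overall verdict."""
    offsets = {name: data.find(pat) for name, pat in STRINGS.items()}
    mz_at_0 = offsets["$mz"] == 0                                  # ($mz at 0)
    all_a = all(offsets[n] >= 0 for n in ("$a1", "$a2", "$a3"))    # all of ($a*)
    size_ok = len(data) < MAX_FILESIZE                             # filesize < 100000
    return {"offsets": offsets, "match": mz_at_0 and all_a and size_ok}


def build_sample(with_mz: bool = True, drop: tuple = (), pad_to: int = 0) -> bytes:
    """Constructed test buffer (not a real sample): a DOS-header-like prefix
    followed by the indicator strings, optionally omitting some or padding
    the buffer to a given size."""
    body = b"MZ" if with_mz else b"ZM"
    body += b"\x90" * 62  # filler where the DOS header fields would sit
    for name in ("$a1", "$a2", "$a3"):
        if name not in drop:
            body += STRINGS[name] + b"\x00"
    return body.ljust(pad_to, b"\x00")


if __name__ == "__main__":
    for label, buf in [
        ("all indicators", build_sample()),
        ("no MZ at offset 0", build_sample(with_mz=False)),
        ("missing $a2", build_sample(drop=("$a2",))),
        ("padded to 100000 bytes", build_sample(pad_to=100000)),
    ]:
        print(f"{label:24s} -> match={evaluate(buf)['match']}")
```

The fourth case shows the size clause rejecting an otherwise matching buffer at exactly 100000 bytes, which is why a padded or repacked loader would need a separate rule.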
Scenario: Legitimate system update using Microsoft Update
Filter/Exclusion: Check for ProcessName = "wusa.exe" and CommandLine contains "Microsoft Update" or FileVersionInfo = "Microsoft Windows Update"

Scenario: Scheduled backup job using Veeam Backup & Replication
Filter/Exclusion: Filter by ProcessName = "vmbackup.exe" and CommandLine contains "Veeam" or check for ProcessParent = "services.exe" with known backup service names

Scenario: Admin task running PowerShell for system configuration
Filter/Exclusion: Filter by ProcessName = "powershell.exe" and CommandLine contains "Set-ExecutionPolicy" or Start-Process with known administrative scripts

Scenario: Legitimate use of regsvr32.exe to register a COM component
Filter/Exclusion: Check for ProcessName = "regsvr32.exe" and CommandLine contains "regsvr32.exe /s" or FileVersionInfo = "Microsoft Windows"

Scenario: Antivirus scan using Bitdefender with custom scan
Filter/Exclusion: Filter by ProcessName = "bdagent.exe" or ProcessName = "bdscan.exe" and check for CommandLine contains "scan" or FileVersionInfo = "Bitdefender"