The Legspin module of Regin is used to exfiltrate data by establishing a covert communication channel, which may indicate ongoing data theft. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential data exfiltration activities early.
YARA Rule
rule apt_regin_legspin
{
    meta:
        copyright = "Kaspersky Lab"
        description = "Rule to detect Regin's Legspin module"
        version = "1.0"
        last_modified = "2015-01-22"
        reference = "https://securelist.com/blog/research/68438/an-analysis-of-regins-hopscotch-and-legspin/"
        md5 = "29105f46e4d33f66fee346cfd099d1cc"

    strings:
        $mz = "MZ"
        $a1 = "sharepw"
        $a2 = "reglist"
        $a3 = "logdump"
        $a4 = "Name:" wide
        $a5 = "Phys Avail:"
        $a6 = "cmd.exe" wide
        $a7 = "ping.exe" wide
        $a8 = "millisecs"

    condition:
        ($mz at 0) and all of ($a*)
}
This YARA rule can be deployed in the following contexts:
This rule contains 9 string patterns ($mz and $a1 through $a8) in its detection logic; $mz must sit at offset 0 and every $a* string must be present for the rule to fire.
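To see exactly what the condition above requires, the following added example (written for this page, not Kaspersky's code or part of the rule) re-implements the rule's matching logic in plain Python: the anchored `$mz at 0` check, the difference between plain strings and the three `wide` strings (YARA searches for their UTF-16LE form, so an ASCII "cmd.exe" does not satisfy `$a6`), and the `all of` requirement. The buffers it builds are constructed test data, not real Regin samples.

```python
# Added example, not part of the original page or of Kaspersky's rule.
# Pure-Python re-implementation of apt_regin_legspin's matching logic so the
# semantics ($mz at 0, plain vs. `wide` strings, `all of`) can be exercised
# without the yara binary. All sample buffers below are constructed.
from typing import Dict, List

# Plain (ASCII) strings from the rule.
ASCII_STRINGS: Dict[str, bytes] = {
    "$mz": b"MZ",
    "$a1": b"sharepw",
    "$a2": b"reglist",
    "$a3": b"logdump",
    "$a5": b"Phys Avail:",
    "$a8": b"millisecs",
}

# Strings declared `wide` in the rule: YARA looks for their UTF-16LE encoding,
# i.e. each ASCII byte followed by a NUL byte.
WIDE_STRINGS: Dict[str, bytes] = {
    "$a4": "Name:".encode("utf-16-le"),
    "$a6": "cmd.exe".encode("utf-16-le"),
    "$a7": "ping.exe".encode("utf-16-le"),
}


def missing_strings(data: bytes) -> List[str]:
    """Return the identifiers of rule strings that do NOT match `data`."""
    missing: List[str] = []
    # `$mz at 0` is anchored: the buffer must begin with the DOS header magic.
    if not data.startswith(ASCII_STRINGS["$mz"]):
        missing.append("$mz")
    for ident, needle in ASCII_STRINGS.items():
        if ident != "$mz" and needle not in data:
            missing.append(ident)
    for ident, needle in WIDE_STRINGS.items():
        if needle not in data:
            missing.append(ident)
    return missing


def matches_legspin_rule(data: bytes) -> bool:
    """True when `($mz at 0) and all of ($a*)` holds for `data`."""
    return not missing_strings(data)


def build_sample(include_all: bool = True, mz_at_start: bool = True) -> bytes:
    """Construct a synthetic buffer (NOT a real sample) that exercises the rule."""
    parts = [b"MZ" if mz_at_start else b"\x00\x00"]
    parts.append(b"\x90" * 64)  # constructed filler
    for ident, needle in list(ASCII_STRINGS.items())[1:] + list(WIDE_STRINGS.items()):
        if not include_all and ident == "$a8":
            continue  # drop one string so `all of` fails
        parts.append(needle + b"\x00" * 4)
    parts.append(b"MZ")  # an "MZ" later in the buffer must not satisfy `at 0`
    return b"".join(parts)


if __name__ == "__main__":
    print(matches_legspin_rule(build_sample()))              # True
    print(missing_strings(build_sample(include_all=False)))  # ['$a8']
    print(missing_strings(build_sample(mz_at_start=False)))  # ['$mz']
```

`missing_strings` is the useful function when tuning: run it over a suspected false positive and it names the specific strings that made the sample match, which is the starting point for tightening an exclusion rather than disabling the rule.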
Scenario: Legitimate scheduled backup job using Veeam Backup & Replication
Filter/Exclusion: Check for the presence of Veeam in the process name or command line arguments, and filter out processes associated with backup jobs scheduled via the Veeam console.
Scenario: System update using Microsoft Windows Update (WSUS)
Filter/Exclusion: Filter processes related to wusa.exe or svchost.exe that are associated with Windows Update services, and exclude any activity occurring during known update windows.
Scenario: Admin task using PowerShell for system configuration
Filter/Exclusion: Exclude PowerShell scripts that are signed by a trusted enterprise certificate or originate from known administrative tools like Group Policy Management Console or Server Manager.
Scenario: Legitimate use of legsp command in a custom internal tool
Filter/Exclusion: Exclude processes where the command line includes a known internal tool path (e.g., /opt/internal-tools/legsp.sh) and verify the presence of a company-specific signature or hash.
Scenario: Network discovery using nmap for internal asset inventory
Filter/Exclusion: Exclude scans initiated by nmap from known security teams or IT departments, and filter based on source IP ranges used for internal network discovery.
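The scenarios above can be expressed as an exclusion layer that runs after the rule fires. Because the rule itself matches file content (`$mz at 0` plus fixed strings), the exclusions have to act on the context recorded alongside the alert (process name, command line, code signer, source address, time) rather than on the file bytes. The following added example (written for this page, not the project's code) does that over constructed alert records; every allowlist value in it, the signer name, CIDR range, placeholder hash and maintenance window, is hypothetical, and an alert that is suppressed keeps its reason so the decision can be audited.

```python
# Added example, not part of the original page. Applies the page's
# false-positive scenarios as an exclusion layer over constructed alert records.
# All allowlist values below are hypothetical placeholders for an organisation's own.
import ipaddress
from datetime import datetime
from typing import Dict, List, Optional, Tuple

TRUSTED_SIGNERS = {"CN=Example Corp Enterprise Code Signing"}      # hypothetical
INTERNAL_TOOL_PATHS = {"/opt/internal-tools/legsp.sh"}              # path quoted on the page
INTERNAL_TOOL_HASHES = {"sha256:" + "0" * 64}                       # placeholder, not a real hash
SCANNER_SOURCE_RANGES = [ipaddress.ip_network("10.50.0.0/24")]       # constructed
UPDATE_WINDOW_HOURS = range(2, 4)                                    # constructed: 02:00-03:59


def in_update_window(timestamp: str) -> bool:
    """True when the ISO-8601 timestamp falls inside the known update window."""
    return datetime.fromisoformat(timestamp).hour in UPDATE_WINDOW_HOURS


def from_scanner_range(source_ip: Optional[str]) -> bool:
    """True when the alert's source address lies in a security-team scanner range."""
    if not source_ip:
        return False
    addr = ipaddress.ip_address(source_ip)
    return any(addr in net for net in SCANNER_SOURCE_RANGES)


def exclusion_reason(alert: Dict[str, str]) -> Optional[str]:
    """Return the scenario that explains the alert as benign, or None to escalate."""
    proc = alert.get("process", "").lower()
    cmdline = alert.get("cmdline", "")
    # Scenario: Veeam backup job (process name or command line mentions Veeam).
    if "veeam" in proc or "veeam" in cmdline.lower():
        return "veeam-backup"
    # Scenario: Windows Update via wusa.exe / svchost.exe inside the update window.
    if proc in {"wusa.exe", "svchost.exe"} and in_update_window(alert.get("timestamp", "1970-01-01T12:00:00")):
        return "windows-update"
    # Scenario: admin PowerShell signed by the trusted enterprise certificate.
    if proc == "powershell.exe" and alert.get("signer") in TRUSTED_SIGNERS:
        return "signed-admin-powershell"
    # Scenario: known internal tool path AND a company-specific hash (both required).
    if any(p in cmdline for p in INTERNAL_TOOL_PATHS) and alert.get("hash") in INTERNAL_TOOL_HASHES:
        return "internal-tool"
    # Scenario: nmap inventory from the security team's source range.
    if proc == "nmap" and from_scanner_range(alert.get("source_ip")):
        return "internal-nmap-inventory"
    return None


def triage(alerts: List[Dict[str, str]]) -> Tuple[List[Dict[str, str]], List[Tuple[Dict[str, str], str]]]:
    """Split alerts into (escalate, suppressed-with-reason)."""
    escalate, suppressed = [], []
    for alert in alerts:
        reason = exclusion_reason(alert)
        if reason is None:
            escalate.append(alert)
        else:
            suppressed.append((alert, reason))
    return escalate, suppressed


# Constructed alert records, not real telemetry.
SAMPLE_ALERTS = [
    {"process": "VeeamAgent.exe", "cmdline": "VeeamAgent.exe /job nightly"},
    {"process": "svchost.exe", "cmdline": "svchost.exe -k netsvcs", "timestamp": "2024-03-10T03:15:00"},
    {"process": "svchost.exe", "cmdline": "svchost.exe -k netsvcs", "timestamp": "2024-03-10T14:00:00"},
    {"process": "powershell.exe", "cmdline": "powershell.exe -File cfg.ps1", "signer": "CN=Example Corp Enterprise Code Signing"},
    {"process": "bash", "cmdline": "/opt/internal-tools/legsp.sh --rotate", "hash": "sha256:" + "0" * 64},
    {"process": "bash", "cmdline": "/opt/internal-tools/legsp.sh --rotate"},
    {"process": "nmap", "cmdline": "nmap -sn 10.0.0.0/24", "source_ip": "10.50.0.7"},
    {"process": "nmap", "cmdline": "nmap -sn 10.0.0.0/24", "source_ip": "192.0.2.5"},
    {"process": "unknown.exe", "cmdline": "unknown.exe"},
]

if __name__ == "__main__":
    esc, sup = triage(SAMPLE_ALERTS)
    print(len(esc), "escalated;", [r for _, r in sup])
```

Two design points: the internal-tool scenario requires both the path and the hash, so a renamed binary dropped at the allowlisted path is still escalated, and the exclusion functions never look at the file bytes, so a suppressed alert is only a routing decision and the underlying YARA match stays available for review.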