The rule detects potential Regin malware artifacts by identifying suspicious volume file system (VFS) structures that may indicate adversary persistence or data exfiltration. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify early-stage Regin activity and prevent further compromise.
YARA Rule
rule apt_regin_vfs
{
meta:
copyright = "Kaspersky Lab"
author = "Kaspersky Lab"
description = "Rule to detect Regin VFSes"
version = "1.0"
last_modified = "2014-11-18"
strings:
$a1={00 02 00 08 00 08 03 F6 D7 F3 52}
$a2={00 10 F0 FF F0 FF 11 C7 7F E8 52}
$a3={00 04 00 10 00 10 03 C2 D3 1C 93}
$a4={00 04 00 10 C8 00 04 C8 93 06 D8}
condition:
($a1 at 0) or ($a2 at 0) or ($a3 at 0) or ($a4 at 0)
}This YARA rule can be deployed in the following contexts:
This rule contains 4 string patterns in its detection logic.
Scenario: System backup process using Veeam Backup & Replication
Filter/Exclusion: process.name != "veeambackup.exe" or process.parent.name != "veeambackup.exe"
Scenario: Scheduled system cleanup using Windows Task Scheduler
Filter/Exclusion: process.name != "taskhost.exe" or process.parent.name != "svchost.exe" AND process.parent.name != "taskhost.exe"
Scenario: Regular file system integrity check using DISM
Filter/Exclusion: process.name != "dism.exe" or process.parent.name != "explorer.exe"
Scenario: Admin performing file system analysis with Process Monitor (ProcMon)
Filter/Exclusion: process.name != "procmon.exe" or process.parent.name != "explorer.exe"
Scenario: Automated log rotation using logrotate (Linux environment)
Filter/Exclusion: process.name != "logrotate" OR process.parent.name != "systemd" OR process.parent.name != "init" OR process.parent.name != "sshd" OR process.parent.name != "getty" OR process.parent.name != "login"