The Arkei rule is a custom YARA signature that flags files carrying strings associated with the Arkei stealer, so that suspicious files tied to unknown or evolving threats can be identified. SOC teams should proactively hunt for matches in Azure Sentinel to identify and mitigate threats that existing detection rules may not capture.
YARA Rule
rule Arkei : Arkei
{
    meta:
        Author = "Fumik0_"
        Description = "Arkei Stealer"
        Date = "2018/07/10"
        Hash = "5632c89fe4c7c2c87b69d787bbf0a5b4cc535f1aa02699792888c60e0ef88fc5"
    strings:
        $s1 = "Arkei" wide ascii
        $s2 = "/server/gate" wide ascii
        $s3 = "/server/grubConfig" wide ascii
        $s4 = "\\files\\" wide ascii
        $s5 = "SQLite" wide ascii
    condition:
        all of ($s*)
}
This rule contains 5 string patterns in its detection logic; each is matched in both ASCII and wide (UTF-16LE) form, and the rule fires only when all five are present. The scenarios below describe contexts in which the rule may be triggered and the filters or exclusions to consider.
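As an added example (not code from the original page and not the yara-python API), the following Python script re-implements the rule's matching logic over constructed sample buffers, showing how the `wide ascii` modifiers and the `all of ($s*)` condition interact:

```python
"""Minimal re-implementation of the Arkei rule's matching logic.

Each string is searched in its ASCII form and its UTF-16LE ("wide") form,
and the rule fires only when every $s* string is present, mirroring the
condition `all of ($s*)`. The sample buffers are constructed for illustration.
"""
ARKEI_STRINGS = {
    "$s1": "Arkei",
    "$s2": "/server/gate",
    "$s3": "/server/grubConfig",
    "$s4": "\\files\\",
    "$s5": "SQLite",
}

def encodings(text: str) -> dict:
    # "ascii" and "wide" modifiers: byte-for-byte and UTF-16LE forms
    return {"ascii": text.encode("ascii"), "wide": text.encode("utf-16-le")}

def match_strings(data: bytes) -> dict:
    """Return, per string id, the list of (offset, modifier) hits in data."""
    hits = {}
    for sid, text in ARKEI_STRINGS.items():
        found = []
        for mod, pattern in encodings(text).items():
            start = 0
            while (idx := data.find(pattern, start)) != -1:
                found.append((idx, mod))
                start = idx + 1
        hits[sid] = found
    return hits

def rule_matches(data: bytes) -> bool:
    """Condition `all of ($s*)`: every string must have at least one hit."""
    return all(match_strings(data).values())

# Constructed sample: carries every string, mixing ascii and wide encodings
SAMPLE_HIT = (b"\x00" * 16 + b"Arkei" + "/server/gate".encode("utf-16-le")
              + b"\x00/server/grubConfig\x00" + b"C:\\files\\x.db"
              + "SQLite".encode("utf-16-le") + b"\x00" * 16)
# Constructed sample: only some of the strings, so the rule must not fire
SAMPLE_MISS = b"SQLite format 3\x00 /server/gate \\files\\ nothing else"

if __name__ == "__main__":
    for name, buf in (("SAMPLE_HIT", SAMPLE_HIT), ("SAMPLE_MISS", SAMPLE_MISS)):
        print(name, "matches Arkei rule:", rule_matches(buf))
```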
Scenario: Scheduled backup job using Arkei
Description: A legitimate backup process initiated by Arkei’s scheduled job may trigger the rule due to the presence of the Arkei binary.
Filter/Exclusion: Check for the presence of a scheduled task or job name containing “backup” or “ArkeiBackup” in the task scheduler logs.

Scenario: Admin task to configure Arkei settings
Description: An administrator may run a script or tool to configure Arkei settings, which could be flagged by the YARA rule.
Filter/Exclusion: Filter events where the process name includes “ArkeiConfig” or “ArkeiSetup” and check for administrative privileges.

Scenario: Log file parsing using Arkei
Description: Arkei may be used to parse and analyze log files, which could result in the rule being triggered during normal operation.
Filter/Exclusion: Exclude processes that access log files in known log directories (e.g., /var/log, C:\Windows\System32\LogFiles) or check for the presence of log parsing tools.

Scenario: Integration with SIEM tools via Arkei
Description: Arkei may be integrated with SIEM tools like Splunk or ELK for data ingestion, which could cause the rule to fire during data transfer.
Filter/Exclusion: Filter processes that communicate with known SIEM endpoints or check for the presence of SIEM integration scripts.

Scenario: Development environment testing with Arkei
Description: Developers may use Arkei in a test environment to simulate or analyze network traffic, which could trigger the rule.
Filter/Exclusion: Exclude processes running in a development or staging environment by checking the hostname, IP range, or environment variables like ENV=dev.