The hypothesis is that this detection identifies potential use of a cracked version of Hacktool.Atmos.Builder, which may indicate an adversary relying on compromised or unauthorized tooling to carry out malicious activity within the environment. A SOC team should proactively hunt for this behavior in Azure Sentinel to identify and mitigate the risk of adversaries using unauthorized tools to establish persistence or execute payloads.
YARA Rule
rule Atmos_Builder
{
    meta:
        description = "Generic signature for Hacktool.Atmos.Builder cracked version"
        author = "[email protected]"
        reference = "http://www.xylibox.com/2016/02/citadel-0011-atmos.html"
        date = "20/08/2016"
        // May only the challenge guide you
    strings:
        // Check for the presence of MZ, kutuzov license identifier, and good hardware ID
        $MZ = {4D 5A}
        $LKEY = "533D9226E4C1CE0A9815DBEB19235AE4" wide ascii
        $HWID = "D19FC0FB14BE23BCF35DA427951BB5AE" wide ascii
        // Builder strings identifiers
        $s1 = "url_loader=%S" wide ascii
        $s2 = "url_webinjects=%S" wide ascii
        $s3 = "url_tokenspy=%S" wide ascii
        $s4 = "file_webinjects=%S" wide ascii
        $s5 = "moneyparser.enabled=%u" wide ascii
        $s6 = "enable_luhn10_post=%u" wide ascii
        $s7 = "insidevm_enable=%u" wide ascii
        $s8 = "disable_antivirus=%u" wide ascii
    condition:
        $MZ at 0 and $LKEY and $HWID and all of ($s*)
}
This YARA rule can be deployed in the following contexts:
This rule contains 11 string patterns in its detection logic.
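To make the condition above concrete, here is an added Python emulation of the rule's evaluation logic; it is not the page's or xylibox's code, uses only the standard library instead of yara-python, and runs against constructed test buffers rather than real files. It shows what "wide ascii" means in practice (the same text matched as ASCII or as UTF-16LE) and why dropping any one of the eleven strings, or the MZ check at offset 0, causes the rule not to fire.

```python
# Added example: emulate the Atmos_Builder YARA condition in plain Python.
# Strings below are exactly those declared in the rule on this page.
MZ = b"\x4d\x5a"                                   # $MZ = {4D 5A}
LKEY = "533D9226E4C1CE0A9815DBEB19235AE4"          # $LKEY (cracked license key)
HWID = "D19FC0FB14BE23BCF35DA427951BB5AE"          # $HWID (hardware ID)
BUILDER_STRINGS = [                                # $s1 .. $s8
    "url_loader=%S", "url_webinjects=%S", "url_tokenspy=%S",
    "file_webinjects=%S", "moneyparser.enabled=%u", "enable_luhn10_post=%u",
    "insidevm_enable=%u", "disable_antivirus=%u",
]


def wide_ascii_present(data: bytes, s: str) -> bool:
    """YARA 'wide ascii' semantics: the text string matches if either its
    ASCII encoding or its UTF-16LE ('wide') encoding appears anywhere."""
    return s.encode("ascii") in data or s.encode("utf-16-le") in data


def atmos_builder_matches(data: bytes) -> bool:
    """Emulates:  $MZ at 0 and $LKEY and $HWID and all of ($s*)"""
    return (
        data.startswith(MZ)                        # $MZ at 0
        and wide_ascii_present(data, LKEY)
        and wide_ascii_present(data, HWID)
        and all(wide_ascii_present(data, s) for s in BUILDER_STRINGS)
    )


def build_sample(strings, wide=True, mz=True) -> bytes:
    """Constructed test buffer (not a real PE): an optional MZ header, padding,
    then the given strings encoded UTF-16LE (wide) or ASCII."""
    enc = "utf-16-le" if wide else "ascii"
    body = b"\x00".join(s.encode(enc) for s in strings)
    return (MZ if mz else b"\x00\x00") + b"\x90" * 62 + body


if __name__ == "__main__":
    full = build_sample([LKEY, HWID] + BUILDER_STRINGS)
    partial = build_sample([LKEY, HWID] + BUILDER_STRINGS[1:])   # $s1 missing
    print("all strings, wide  :", atmos_builder_matches(full))
    print("all strings, ascii :", atmos_builder_matches(build_sample([LKEY, HWID] + BUILDER_STRINGS, wide=False)))
    print("one $s missing     :", atmos_builder_matches(partial))
    print("no MZ at offset 0  :", atmos_builder_matches(build_sample([LKEY, HWID] + BUILDER_STRINGS, mz=False)))
```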
Scenario: A system administrator is using Windows Task Scheduler to run a legitimate script that includes the string “Atmos.Builder” for logging or debugging purposes.
Filter/Exclusion: Exclude processes initiated by schtasks.exe or tasks scheduled under the Task Scheduler service.
Scenario: A developer is using Visual Studio or PowerShell to debug or test a script that includes the string “Atmos.Builder” as part of a placeholder or mock function.
Filter/Exclusion: Exclude processes running under the Visual Studio process (devenv.exe) or PowerShell (powershell.exe) with a known development user context.
Scenario: A Windows Update or Group Policy deployment includes a script or configuration that contains the string “Atmos.Builder” as part of a legacy or outdated configuration.
Filter/Exclusion: Exclude processes initiated by Windows Update (wuauserv) or Group Policy Client (gpsvc) services.
Scenario: A scheduled backup job using Veeam Backup & Replication or Commvault includes a script or log file that contains the string “Atmos.Builder” due to a misconfigured template or placeholder text.
Filter/Exclusion: Exclude processes associated with Veeam (veeam.exe) or Commvault (cvp.exe) during backup operations.
Scenario: A system monitoring tool like Splunk or ELK Stack is configured to parse logs that include the string “Atmos.Builder” as part of a custom log format or field.
Filter/Exclusion: Exclude processes running Splunk (splunkd.exe) or ELK Stack components (java or logstash) during log parsing activities.