The backdoor registers an auto-start service with a misleading display name ("Network Access Management Agent") so that it survives reboots. Every string in the rule below is Windows event log content (Security auditing events 4673 and 4688, Service Control Manager events 7036 and 7045) rather than bytes from the netfilter.dll binary, so the rule is meant to be run against exported event logs, not against malware samples. SOC teams can translate the same four-event sequence into a hunting query in Azure Sentinel to surface covert service-based persistence used to maintain long-term access to compromised systems.
YARA Rule
rule Backdoor_Jolob
{
    meta:
        maltype = "Backdoor.Jolob"
        ref = "https://github.com/reed1713"
        reference = "http://www.symantec.com/connect/blogs/new-flash-zero-day-linked-yet-more-watering-hole-attacks"
        description = "the backdoor registers an auto start service with the display name \"Network Access Management Agent\" pointing to the dll netfilter.dll. This is accomplished without notifying the user via the sysprep UAC bypass method."
    strings:
        // Security event 4673: privileged service call by sysprep.exe (UAC bypass stage)
        $type = "Microsoft-Windows-Security-Auditing"
        $eventid = "4673"
        $data1 = "Security"
        $data2 = "SeCreateGlobalPrivilege"
        $data3 = "Windows\\System32\\sysprep\\sysprep.exe" nocase
        // Security event 4688: sysprep.exe process creation
        $type1 = "Microsoft-Windows-Security-Auditing"
        $eventid1 = "4688"
        $data4 = "Windows\\System32\\sysprep\\sysprep.exe" nocase
        // SCM event 7036: the malicious service entered the running state
        $type2 = "Service Control Manager"
        $eventid2 = "7036"
        $data5 = "Network Access Management Agent"
        $data6 = "running"
        // SCM event 7045: a user-mode, auto-start service was installed
        $type3 = "Service Control Manager"
        $eventid3 = "7045"
        $data7 = "Network Access Management Agent"
        $data8 = "user mode service"
        $data9 = "auto start"
    condition:
        all of them
}
The rule contains 17 string patterns, which together describe four event records: a 4673 privileged-service call and a 4688 process creation for sysprep.exe, a 7045 installation of a user-mode auto-start service named "Network Access Management Agent", and the 7036 notification that the service entered the running state. The condition "all of them" requires every string to appear somewhere in the scanned file, so the rule fires only on an export that contains all four events; YARA does not check that the strings belong to the same record or occur in that order, which a SIEM correlation query can add. Because the rule demands the exact display name, it produces few false positives as written. The scenarios below matter once the 7045 auto-start logic is generalized into a broader hunt for unexpected service installs:
Scenario: A system administrator uses Task Scheduler to create a scheduled job that starts a legitimate service at boot.
Filter/Exclusion: Check the TaskName or CommandLine fields for known legitimate task names (e.g., DailyBackupTask, SystemUpdateScheduler).
Scenario: A third-party application (e.g., Microsoft SQL Server) registers an auto-start service whose 7045 record carries the same "user mode service" and "auto start" fields the rule looks for.
Filter/Exclusion: Exclude service names containing SQL or MSSQL to filter legitimate database services.
Scenario: A system update or patching tool (e.g., Windows Update or Chocolatey) creates a temporary auto-start service during installation.
Filter/Exclusion: Filter by ServiceName or DisplayName containing Update, Patch, or Chocolatey.
Scenario: A legitimate monitoring tool (e.g., Nagios or Zabbix) registers an auto-start service to ensure continuous monitoring.
Filter/Exclusion: Exclude service names containing Monitor, Nagios, or Zabbix.
Scenario: An admin manually creates a service using sc.exe or services.msc for a legitimate application (e.g., Java Runtime Environment).
Filter/Exclusion: Filter by ServiceName or DisplayName containing Java, JRE, or Oracle.
Keep every exclusion tied to a specific display name or image path rather than a bare keyword, since an adversary can pick a display name containing "Update" or "Monitor" as easily as "Network Access Management Agent".
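The following script is an added example, not part of the original page or of the reed1713 rule set. It replays the YARA rule's string logic over a constructed text export of Windows event logs, shows the difference between YARA's file-wide "all of them" condition and a per-record correlation, and applies the display-name exclusions from the tuning scenarios above to 7045 auto-start installs. The "Key: Value" record layout and every log line are constructed for the demonstration and are assumptions about the export format; adapt parse_records() to the output of your own EVTX-to-text tool.

```python
import re

# Constructed sample export (not real telemetry). Records are blank-line
# separated blocks of "Key: Value" lines; this layout is an assumption.
SAMPLE_EXPORT = """\
Provider: Microsoft-Windows-Security-Auditing
EventID: 4688
Message: A new process has been created. New Process Name: C:\\Windows\\System32\\sysprep\\sysprep.exe

Provider: Microsoft-Windows-Security-Auditing
EventID: 4673
Message: A privileged service was called. Log: Security. Privileges: SeCreateGlobalPrivilege. Process Name: C:\\WINDOWS\\system32\\sysprep\\sysprep.exe

Provider: Service Control Manager
EventID: 7045
Message: A service was installed in the system. Service Name: Network Access Management Agent. Service File Name: C:\\Windows\\System32\\netfilter.dll. Service Type: user mode service. Service Start Type: auto start.

Provider: Service Control Manager
EventID: 7036
Message: The Network Access Management Agent service entered the running state.

Provider: Service Control Manager
EventID: 7045
Message: A service was installed in the system. Service Name: SQL Server (MSSQLSERVER). Service File Name: C:\\Program Files\\Microsoft SQL Server\\MSSQL\\Binn\\sqlservr.exe. Service Type: user mode service. Service Start Type: auto start.
"""

# Negative case: an export holding only the SQL Server install record.
BENIGN_EXPORT = SAMPLE_EXPORT.split("\n\n")[-1]

# The rule's 17 strings, grouped by the event record each group describes.
# Only the sysprep path strings carry the `nocase` modifier in the rule.
RULE_STRINGS = {
    "4673": ("Microsoft-Windows-Security-Auditing", "4673", "Security",
             "SeCreateGlobalPrivilege", "Windows\\System32\\sysprep\\sysprep.exe"),
    "4688": ("Microsoft-Windows-Security-Auditing", "4688",
             "Windows\\System32\\sysprep\\sysprep.exe"),
    "7036": ("Service Control Manager", "7036",
             "Network Access Management Agent", "running"),
    "7045": ("Service Control Manager", "7045", "Network Access Management Agent",
             "user mode service", "auto start"),
}
NOCASE = {"Windows\\System32\\sysprep\\sysprep.exe"}


def contains(text, needle):
    """Substring test honouring the rule's per-string case sensitivity."""
    if needle in NOCASE:
        return needle.lower() in text.lower()
    return needle in text


def yara_all_of_them(export_text):
    """`condition: all of them` as YARA evaluates it: every string must occur
    somewhere in the file, with no requirement that related strings share a record."""
    return all(contains(export_text, s)
               for group in RULE_STRINGS.values() for s in group)


def parse_records(export_text):
    """Split the export into records and map each to a dict of its fields."""
    records = []
    for block in export_text.strip().split("\n\n"):
        fields = {}
        for line in block.splitlines():
            key, _, value = line.partition(": ")
            fields[key] = value
        records.append(fields)
    return records


def correlated_match(records):
    """Stricter variant a SIEM query can express: each group's strings must
    co-occur inside one record carrying that event ID."""
    for event_id, strings in RULE_STRINGS.items():
        candidates = [r for r in records if r.get("EventID") == event_id]
        if not any(all(contains(" ".join(r.values()), s) for s in strings)
                   for r in candidates):
            return False
    return True


# Display-name substrings from the tuning scenarios (matched case-insensitively).
ALLOWLIST = ("SQL", "MSSQL", "Update", "Patch", "Chocolatey",
             "Monitor", "Nagios", "Zabbix", "Java", "JRE", "Oracle")
SERVICE_NAME = re.compile(r"Service Name: (.+?)\. Service File Name")


def suspicious_autostart_services(records, allowlist=ALLOWLIST):
    """Return display names of 7045 auto-start installs not covered by the allowlist."""
    found = []
    for r in records:
        if r.get("EventID") != "7045" or "auto start" not in r.get("Message", ""):
            continue
        match = SERVICE_NAME.search(r["Message"])
        if match and not any(a.lower() in match.group(1).lower() for a in allowlist):
            found.append(match.group(1))
    return found


if __name__ == "__main__":
    records = parse_records(SAMPLE_EXPORT)
    print("YARA-style match:", yara_all_of_them(SAMPLE_EXPORT))
    print("Correlated match:", correlated_match(records))
    print("Unexplained auto-start installs:", suspicious_autostart_services(records))
```

The 4673 record deliberately uses a mixed-case sysprep path to show why the two path strings need `nocase`; the SQL Server install satisfies the generic 7045 fields but is dropped by the allowlist, while the Jolob service name passes through to the analyst.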