This detection rule identifies potential adversary behavior in which an attacker uses backoff techniques, delaying or spacing out malicious activity, to evade detection. SOC teams should proactively hunt for this behavior in Azure Sentinel to uncover stealthy, persistent threats that traditional monitoring may otherwise miss.
YARA Rule
rule backoff
{
    meta:
        author = "Brian Wallace @botnet_hunter"
        author_email = "[email protected]"
        date = "2014-08-21"
        description = "Identify Backoff"
    strings:
        $s1 = "&op=%d&id=%s&ui=%s&wv=%d&gr=%s&bv=%s"
        $s2 = "%s @ %s"
        $s3 = "Upload KeyLogs"
    condition:
        all of them
}
This YARA rule can be deployed in the following contexts:
This rule contains 3 string patterns in its detection logic.
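As an added example (not part of the original rule page or its author's tooling), the following pure-Python matcher emulates the rule's `all of them` condition so the three strings can be checked against a buffer without yara-python installed; the sample buffers are constructed, and the matcher handles only plain text strings (no hex, regex, or modifiers), which is enough for this rule.

```python
"""Added example: emulate the `backoff` YARA rule's `all of them` condition in
pure Python. Plain text strings only (enough for this rule); samples are constructed."""
import re

RULE_SOURCE = r'''
rule backoff
{
    strings:
        $s1 = "&op=%d&id=%s&ui=%s&wv=%d&gr=%s&bv=%s"
        $s2 = "%s @ %s"
        $s3 = "Upload KeyLogs"
    condition:
        all of them
}
'''
_STRING_RE = re.compile(r'(\$\w+)\s*=\s*"((?:\\.|[^"\\])*)"')

def _unescape(s):
    """Resolve YARA text-string escapes (backslash, quote, n, t, xNN) to raw bytes."""
    def repl(m):
        tok = m.group(1)
        if tok.startswith("x"):
            return chr(int(tok[1:], 16))
        return {"n": "\n", "t": "\t"}.get(tok, tok)  # \\ -> \ and \" -> "
    return re.sub(r"\\(x[0-9A-Fa-f]{2}|.)", repl, s).encode("latin-1")

def parse_rule_strings(source):
    """Map each $identifier in the strings section to its byte pattern."""
    return {name: _unescape(val) for name, val in _STRING_RE.findall(source)}

def match_backoff(data, patterns=None):
    """Emulate `condition: all of them`: every pattern must occur at least once.
    Returns the verdict plus the offsets of each string that was found."""
    patterns = patterns or parse_rule_strings(RULE_SOURCE)
    hits = {}
    for name, pat in patterns.items():
        offsets = [m.start() for m in re.finditer(re.escape(pat), data)]
        if offsets:
            hits[name] = offsets
    return {"matched": len(hits) == len(patterns), "strings": hits}

# Constructed samples: the first carries all three strings; the second lacks $s3,
# so under `all of them` it must not fire even though two strings are present.
SAMPLE_HIT = (b"\x00" * 16 + b"POST /x.php?" + b"&op=%d&id=%s&ui=%s&wv=%d&gr=%s&bv=%s"
              + b"\x00" * 8 + b"%s @ %s" + b"\x00" * 8 + b"Upload KeyLogs\x00")
SAMPLE_MISS = SAMPLE_HIT.replace(b"Upload KeyLogs", b"Upload Nothing")

if __name__ == "__main__":
    for label, buf in (("hit", SAMPLE_HIT), ("miss", SAMPLE_MISS)):
        print(label, match_backoff(buf))
```

The same RULE_SOURCE text can be handed to yara-python's `yara.compile(source=...)` and scanned with `rules.match(data=...)` for production use; the emulation here exists only to show why a buffer missing any one string does not fire under `all of them`.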
Scenario: Scheduled System Maintenance Job
Description: A legitimate scheduled job (e.g., systemd or crontab) is running a maintenance task that temporarily increases system load.
Filter/Exclusion: Check for process.name containing “systemd”, “crontab”, or “maintenance” and exclude based on process.parent or user.name (e.g., root or sysadmin).
Scenario: Log Rotation or Archive Task
Description: A log rotation tool like logrotate or a script that archives logs is generating high disk I/O, triggering the “Identify Backoff” rule.
Filter/Exclusion: Use process.name matching “logrotate” or “archive” and exclude based on process.command_line containing log file paths.
Scenario: Database Backup Job
Description: A database backup tool (e.g., mysqldump, pg_dump, or Veeam) is performing a backup, which temporarily increases system resource usage.
Filter/Exclusion: Filter by process.name matching the backup tool name and check for process.parent related to the backup scheduler (e.g., cron or systemd).
Scenario: Security Tool Scan
Description: A security tool like ClamAV, Maltego, or Nessus is scanning the system, causing temporary spikes in CPU or memory usage.
Filter/Exclusion: Use process.name matching the security tool name and exclude based on process.parent or user.name (e.g., security or admin).
Scenario: Admin Task or Script Execution
Description: An administrator is running a script or task (e.g., Ansible, Chef, or `P