The Bangat rule is a YARA signature: it matches byte patterns and strings in files or process memory, not process-creation events, and a hit indicates content associated with the Bangat malware family on disk or in memory. That is an early-stage compromise indicator, not evidence of lateral movement by itself. SOC teams should treat a hit as a pivot: pull the process-creation telemetry for that host (Sysmon Event ID 1, Windows Security event 4688) into Azure Sentinel (now Microsoft Sentinel) and hunt for the unusual process creations that would show an adversary moving within the network, so the compromise is contained before it escalates into a more severe threat.
YARA Rule
// Wrapper rule: it fires when either of two sibling rules from the same
// published ruleset, BangatCode or BangatStrings, matches. Those two rules
// are not reproduced here and must be loaded together with this one;
// on its own this file does not compile ("undefined identifier").
rule Bangat
{
    meta:
        description = "Bangat"
        author = "Seth Hardy"
        last_modified = "2014-07-10"
    condition:
        BangatCode or BangatStrings
}
The exclusions below are tuning for the process-creation telemetry used to follow up a hit; they do not apply to the YARA scan itself. Each exclusion should key on the full image path, the Authenticode signer, the parent process and the account rather than on the process name alone, because a renamed binary or a command line padded with a familiar script name defeats a name-only filter. Common benign sources of noise in that telemetry:
Scenario: Scheduled system backup using Veeam Backup & Replication
Filter/Exclusion: Exclude events from the backup server (veeam-backup) only when the image is a signed Veeam binary in the Veeam install directory (the name given here is VeeamBackup.exe; confirm the exact file names against the installed product), the parent is the Veeam backup service and the account is the Veeam service account. A match on the file name alone would also cover a dropper renamed to VeeamBackup.exe.
Scenario: Regular Windows Task Scheduler job for log cleanup
Filter/Exclusion: Do not exclude schtasks.exe itself: it is the same tool an adversary uses to create tasks on remote hosts for lateral movement and persistence, which is exactly the activity this hunt looks for. Exclude only the job's own child process, which runs under the Task Scheduler service host (svchost.exe) as SYSTEM, when its command line references the known cleanup script (logclean or cleanlog) at its expected path.
Scenario: Microsoft SQL Server maintenance plan executing a database integrity check
Filter/Exclusion: DBCC CHECKDB is T-SQL executed inside the engine, so it never appears on the sqlservr.exe command line and a filter on that string matches nothing. The maintenance plan runs as a SQL Server Agent job step under SQLAGENT.EXE; exclude on the Agent job and step name from the job history, and on child processes of SQLAGENT.EXE running as the Agent service account.
Scenario: Ansible playbook execution for configuration management
Filter/Exclusion: ansible-playbook has no --playbook flag; the playbook path is a positional argument, so match on the known, trusted playbook path in the ansible-playbook command line on the control node. On managed nodes the playbook name never appears: Ansible shows up as the SSH session's shell running python on a module wrapper under ~/.ansible/tmp/ (AnsiballZ_*.py), so exclude that pattern only for the Ansible service account.
Scenario: Docker container lifecycle management (e.g., docker-compose or docker run)
Filter/Exclusion: Exclude the docker and docker-compose binaries at their package paths when run by the accounts and parents (CI runner, orchestration service) that manage the infrastructure and the compose project or image is on the known list. Processes inside containers are children of the containerd shim, not of the docker CLI, so a process-name filter on docker does not cover them and should not; a process merely named docker in a user-writable path stays in scope.