The Batel backdoor detection rule identifies potential adversary persistence by monitoring for suspicious process creation or execution patterns that may indicate a stealthy backdoor mechanism. SOC teams should proactively hunt for this behaviour in Azure Sentinel to detect and mitigate early-stage adversary activity before it leads to long-term system compromise.
YARA Rule
// The condition uses the pe module, so it must be imported or the rule will not compile.
import "pe"

rule Batel_export_function
{
    meta:
        author = "@j0sm1"
        date = "2016/10/15"
        description = "Batel backdoor"
        reference = "https://www.symantec.com/security_response/writeup.jsp?docid=2016-091923-4146-99"
        filetype = "binary"

    condition:
        // Match a PE that exports the backdoor entry point "run_shell" and imports
        // the anti-debugging and CRT error-handling functions seen in the sample.
        pe.exports("run_shell") and
        pe.imports("kernel32.dll", "GetTickCount") and
        pe.imports("kernel32.dll", "IsDebuggerPresent") and
        pe.imports("msvcr100.dll", "_crt_debugger_hook") and
        pe.imports("kernel32.dll", "TerminateProcess") and
        pe.imports("kernel32.dll", "UnhandledExceptionFilter")
}
When this hunt is deployed, the following legitimate administrative scenarios can produce false positives; each is paired with the filter/exclusion that suppresses it:

Scenario: Scheduled system maintenance using schtasks.exe
Filter/Exclusion: process.parent_process_name == "schtasks.exe" and process.command_line contains " /create"

Scenario: Legitimate administrative task using taskmgr.exe to manage processes
Filter/Exclusion: process.parent_process_name == "taskmgr.exe" and process.command_line contains "/m"

Scenario: Automated backup job using robocopy.exe
Filter/Exclusion: process.name == "robocopy.exe" and process.command_line contains "/z /r:3"

Scenario: Software update deployment using msiexec.exe
Filter/Exclusion: process.name == "msiexec.exe" and process.command_line contains "/i"

Scenario: System log analysis using eventvwr.exe
Filter/Exclusion: process.name == "eventvwr.exe" and process.command_line contains "/s"
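To check how these five exclusions behave before wiring them into the hunt query, the script below (an added example, not part of the original rule or write-up) encodes each filter one-to-one as a predicate and runs it over constructed process-creation events; the event fields, labels and sample command lines are assumptions, not real telemetry.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class ProcessEvent:
    # Mirrors the page's process.name / process.parent_process_name / process.command_line
    name: str
    parent_process_name: str
    command_line: str


# The five Filter/Exclusion expressions from the write-up, encoded one-to-one.
EXCLUSIONS: dict[str, Callable[[ProcessEvent], bool]] = {
    "schtasks maintenance": lambda e: e.parent_process_name == "schtasks.exe" and " /create" in e.command_line,
    "taskmgr admin task": lambda e: e.parent_process_name == "taskmgr.exe" and "/m" in e.command_line,
    "robocopy backup": lambda e: e.name == "robocopy.exe" and "/z /r:3" in e.command_line,
    "msiexec update": lambda e: e.name == "msiexec.exe" and "/i" in e.command_line,
    "eventvwr log analysis": lambda e: e.name == "eventvwr.exe" and "/s" in e.command_line,
}


def matching_exclusion(event: ProcessEvent) -> Optional[str]:
    """Return the label of the first exclusion that suppresses the event, or None."""
    for label, predicate in EXCLUSIONS.items():
        if predicate(event):
            return label
    return None


def triage(events: list[ProcessEvent]) -> tuple[list[tuple[ProcessEvent, str]], list[ProcessEvent]]:
    """Split events into (event, exclusion label) pairs and events left for analyst review."""
    suppressed, review = [], []
    for ev in events:
        label = matching_exclusion(ev)
        (suppressed.append((ev, label)) if label else review.append(ev))
    return suppressed, review


# Constructed sample events for testing the filters; not real telemetry.
SAMPLE_EVENTS = [
    ProcessEvent("cmd.exe", "schtasks.exe", "cmd.exe /c schtasks /create /tn Cleanup /tr clean.bat"),
    ProcessEvent("robocopy.exe", "cmd.exe", r"robocopy.exe D:\data E:\backup /z /r:3"),
    ProcessEvent("msiexec.exe", "explorer.exe", "msiexec.exe /i agent.msi /quiet"),
    ProcessEvent("msiexec.exe", "cmd.exe", "msiexec.exe /x agent.msi /quiet"),  # uninstall: no "/i", stays in review
    ProcessEvent("mmc.exe", "taskmgr.exe", "mmc.exe /minimized services.msc"),  # "/m" also matches "/minimized"
    ProcessEvent("svc_helper.exe", "wscript.exe", "svc_helper.exe -k"),         # unexpected child: review
]

if __name__ == "__main__":
    kept, flagged = triage(SAMPLE_EVENTS)
    print(f"suppressed={len(kept)} review={len(flagged)}")
```

The mmc.exe sample shows that a bare substring such as "/m" or "/i" suppresses more than the intended switch; tightening those to a whole-token match narrows the exclusion without changing the scenario it covers.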