The BigDig bpInit rule detects potential initial access by adversaries leveraging compromised credentials or misconfigured services to establish a foothold in the environment. SOC teams should proactively hunt for this behavior to identify early-stage compromise and prevent lateral movement in their Azure Sentinel environment.
YARA Rule
rule BigDig_bpInit
{
    meta:
        author = "Maxx"
        description = "BigDig bpInit"
    strings:
        $c0 = { 56 8B 74 24 0C 6A 04 56 E8 ?? ?? ?? ?? 8B C8 8B 44 24 10 83 C4 08 85 C9 89 08 75 04 33 C0 5E C3 89 70 08 C7 40 04 00 00 00 00 5E C3 }
    condition:
        $c0
}
This rule contains one string pattern ($c0) in its detection logic: a hex byte sequence in which the four ?? wildcards follow an E8 opcode (a relative call), so the call displacement may differ between builds without breaking the match.
This YARA rule can be deployed in the following contexts; each scenario lists a filter or exclusion that helps separate benign activity from a true match:
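To show how the $c0 pattern is evaluated against a byte buffer, here is an added Python example (not part of the original rule page, and not the yara library itself) that implements a minimal YARA-style hex matcher with ?? wildcards and runs it over a constructed buffer. The buffer, the call displacement bytes placed in the wildcard slots, and the padding bytes are all assumptions built for the demonstration, not a real BigDig sample. In production you would compile and run the rule with yara or yara-python; this code only illustrates the matching semantics.

```python
# Added example: minimal matcher for a YARA hex string with ?? wildcards.
# Not the yara library and not code from the original page.
from typing import List, Optional

# The $c0 pattern from the BigDig_bpInit rule, copied verbatim.
C0_PATTERN = (
    "56 8B 74 24 0C 6A 04 56 E8 ?? ?? ?? ?? 8B C8 8B 44 24 10 83 C4 08 "
    "85 C9 89 08 75 04 33 C0 5E C3 89 70 08 C7 40 04 00 00 00 00 5E C3"
)


def parse_hex_pattern(pattern: str) -> List[Optional[int]]:
    """Turn 'AA ?? BB' into [0xAA, None, 0xBB]; None matches any byte."""
    tokens: List[Optional[int]] = []
    for tok in pattern.split():
        if tok == "??":
            tokens.append(None)
        elif len(tok) == 2:
            tokens.append(int(tok, 16))
        else:
            raise ValueError(f"unsupported hex token {tok!r}")
    return tokens


def find_matches(data: bytes, pattern: str) -> List[int]:
    """Return every offset in data where the wildcard pattern matches."""
    toks = parse_hex_pattern(pattern)
    n = len(toks)
    hits: List[int] = []
    for off in range(len(data) - n + 1):
        window = data[off:off + n]
        if all(t is None or t == b for t, b in zip(toks, window)):
            hits.append(off)
    return hits


def build_sample() -> bytes:
    """Constructed test buffer (assumption, not a real sample): NOP padding,
    the $c0 bytes with an arbitrary 4-byte call displacement in the wildcard
    slots (pattern bytes 9..12, right after the E8 opcode), then INT3 padding."""
    body = bytes.fromhex(C0_PATTERN.replace("??", "00").replace(" ", ""))
    body = body[:9] + bytes([0x10, 0x20, 0x30, 0x40]) + body[13:]
    return b"\x90" * 16 + body + b"\xcc" * 8


if __name__ == "__main__":
    sample = build_sample()
    print(find_matches(sample, C0_PATTERN))  # [16]
```

The matcher reports the single offset (16) at which the constructed buffer contains the pattern; changing any byte inside the four wildcard slots leaves the match intact, while changing any fixed byte removes it, which is exactly the behaviour the ?? wildcards are meant to provide.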
Scenario: System update or patch installation using Microsoft Update or WSUS
Filter/Exclusion: Check for EventID 6008 (Event Log service stopped) or EventID 6006 (Event Log service started) in conjunction with known patching schedules. Exclude processes associated with wuauclt.exe or svchost.exe during scheduled update times.
Scenario: SQL Server Agent Job execution triggering bpInit during routine maintenance
Filter/Exclusion: Filter by process name sqlagent.exe or sqlservr.exe and check for job names in the msdb database. Exclude events that occur during scheduled maintenance windows.
Scenario: Windows Task Scheduler running a legitimate script or batch file that initializes memory
Filter/Exclusion: Filter by Task Scheduler process (schtasks.exe) and check for known legitimate scripts. Exclude events that match known scheduled task names or paths in the Task Scheduler library.
Scenario: VMware Tools or Hyper-V Integration Services initializing memory during VM boot
Filter/Exclusion: Filter by process name vmtoolsd.exe or vmms.exe and check for VM-related event logs. Exclude events that occur during VM startup or when VMware/Hyper-V services are initialized.
Scenario: Antivirus or Endpoint Protection scanning or memory initialization during a full system scan
Filter/Exclusion: Filter by process names like mpsvc.exe, mpcmdrun.exe, or avgnt.exe and check for scan-related event logs. Exclude events that occur during scheduled full system scans or memory integrity checks.