Adversaries may be enumerating module inventory to identify potential targets or assess system configurations within the environment. SOC teams should proactively hunt for this behavior to detect early-stage reconnaissance activities that could lead to more sophisticated attacks.
YARA Rule

rule BigDig_mpModInv
{
    meta:
        author = "Maxx"
        description = "BigDig mpModInv"
    strings:
        $c0 = { 81 EC 2C 07 00 00 8D 84 24 CC 00 00 00 53 56 8B B4 24 44 07 00 00 57 56 6A 01 50 E8 ?? ?? ?? ?? 8B 8C 24 4C 07 00 00 56 8D 94 24 80 02 00 00 51 52 E8 ?? ?? ?? ?? 8D 84 24 BC 01 00 00 56 50 E8 ?? ?? ?? ?? 8B 9C 24 64 07 00 00 56 8D 4C 24 30 53 51 E8 ?? ?? ?? ?? 8D 54 24 38 56 52 BF 01 00 00 00 E8 ?? ?? ?? ?? 83 C4 34 85 C0 0F 85 ED 00 00 00 8D 44 24 0C 56 50 8D 8C 24 78 02 00 00 56 8D 94 24 48 03 00 00 51 8D 84 24 18 04 00 00 52 50 E8 ?? ?? ?? ?? 8D 8C 24 BC 01 00 00 56 8D 94 }
    condition:
        $c0
}
This rule contains one string pattern ($c0) in its detection logic: a hex byte sequence in which each ?? is a single-byte wildcard, so the pattern still matches when those bytes differ between builds.
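As an added example (not part of the original page and not the rule author's tooling), the following Python shows how the rule's hex string is matched: it translates $c0 into a byte-level regular expression, treating each ?? as a one-byte wildcard, and scans a constructed buffer in which the wildcard positions are filled with arbitrary bytes. The sample buffer, the filler bytes and the padding are assumptions made for the demonstration.

```python
import re

# Hex string $c0 of rule BigDig_mpModInv, copied from the rule above.
# "??" is a YARA single-byte wildcard; every other token is a literal byte.
C0_HEX = (
    "81 EC 2C 07 00 00 8D 84 24 CC 00 00 00 53 56 8B B4 24 44 07 00 00 57 56 6A 01 50 "
    "E8 ?? ?? ?? ?? 8B 8C 24 4C 07 00 00 56 8D 94 24 80 02 00 00 51 52 E8 ?? ?? ?? ?? "
    "8D 84 24 BC 01 00 00 56 50 E8 ?? ?? ?? ?? 8B 9C 24 64 07 00 00 56 8D 4C 24 30 53 "
    "51 E8 ?? ?? ?? ?? 8D 54 24 38 56 52 BF 01 00 00 00 E8 ?? ?? ?? ?? 83 C4 34 85 C0 "
    "0F 85 ED 00 00 00 8D 44 24 0C 56 50 8D 8C 24 78 02 00 00 56 8D 94 24 48 03 00 00 "
    "51 8D 84 24 18 04 00 00 52 50 E8 ?? ?? ?? ?? 8D 8C 24 BC 01 00 00 56 8D 94"
)


def hex_pattern_to_regex(hex_string: str) -> re.Pattern:
    """Translate a YARA hex string (literal bytes plus ?? wildcards) into a compiled bytes regex."""
    parts = []
    for tok in hex_string.split():
        if tok == "??":
            parts.append(b".")  # any single byte
        elif len(tok) == 2 and all(c in "0123456789abcdefABCDEF" for c in tok):
            parts.append(re.escape(bytes([int(tok, 16)])))
        else:
            raise ValueError(f"unsupported hex-string token {tok!r}")
    # DOTALL so '.' also matches 0x0A, which is an ordinary byte inside machine code
    return re.compile(b"".join(parts), re.DOTALL)


def scan(buf: bytes, hex_string: str = C0_HEX) -> list[int]:
    """Return the offsets of every (non-overlapping) match of the pattern in buf."""
    return [m.start() for m in hex_pattern_to_regex(hex_string).finditer(buf)]


def build_sample(filler: bytes = b"\x0a\x0b\x0c\x0d") -> bytes:
    """Constructed sample (an assumption, not real malware): the pattern's literal bytes with
    every ?? position filled from `filler`, padded with NOPs in front and INT3s behind."""
    out, i = bytearray(), 0
    for tok in C0_HEX.split():
        if tok == "??":
            out.append(filler[i % len(filler)])
            i += 1
        else:
            out.append(int(tok, 16))
    return b"\x90" * 16 + bytes(out) + b"\xcc" * 8


if __name__ == "__main__":
    print("match offsets:", scan(build_sample()))  # the pattern starts after the 16-byte NOP pad
```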
The following scenarios describe benign activity that may trigger the rule, each with a suggested filter/exclusion:

Scenario: Scheduled System Maintenance Job
Description: A legitimate scheduled job runs to update or maintain the mpModInv module, which is part of the BigDig system.
Filter/Exclusion: process.name != "mpModInv" OR process.parent.name != "scheduling-service"

Scenario: Administrative Task - Module Inventory Update
Description: An admin manually triggers an inventory update for the mpModInv module as part of routine system maintenance.
Filter/Exclusion: user.name != "admin" OR process.command_line contains "manual-update"

Scenario: Third-Party Integration Tool Execution
Description: A third-party integration tool (e.g., Ansible, Puppet, or Chef) executes a script that interacts with the mpModInv module during configuration management.
Filter/Exclusion: process.name contains "ansible" OR process.name contains "puppet"

Scenario: Log Rotation or Archive Process
Description: A log rotation tool (e.g., logrotate) or archive process accesses the mpModInv module as part of its operation.
Filter/Exclusion: process.name contains "logrotate" OR process.name contains "archive"

Scenario: Automated Compliance Scan
Description: A compliance tool (e.g., OpenSCAP, Qualys, or Nessus) runs a scan that interacts with the mpModInv module during a security assessment.
Filter/Exclusion: process.name contains "openscap" OR process.name contains "nessus"