The BigDig mpModMult YARA rule matches a fixed byte sequence (with wildcarded call targets) that the author associates with obfuscation or code-modification techniques adversaries use to evade detection. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate advanced persistent threats that may be manipulating or hiding their malicious payloads.
YARA Rule
rule BigDig_mpModMult
{
    meta:
        author = "Maxx"
        description = "BigDig mpModMult"
    strings:
        $c0 = { 8B 44 24 0C 8B 4C 24 08 81 EC 98 01 00 00 8D 54 24 00 56 8B B4 24 B0 01 00 00 57 56 50 51 52 E8 ?? ?? ?? ?? 8B 84 24 C0 01 00 00 8B 94 24 B4 01 00 00 8D 3C 36 56 50 8D 4C 24 20 57 51 52 E8 ?? ?? ?? ?? 8D 44 24 2C 57 50 E8 ?? ?? ?? ?? 83 C4 2C 33 C0 5F 5E 81 C4 98 01 00 00 C3 }
    condition:
        $c0
}
This rule contains one string pattern ($c0) in its detection logic; the rule fires whenever that pattern is found anywhere in the scanned object. The scenarios below describe benign activity that may coincide with a hit, each with a filter or exclusion that suppresses it:
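As an added example (not part of the original rule page or of the BigDig project), the following Python translates the rule's $c0 hex string into a bytes regular expression and scans constructed buffers with it. It shows that the ?? wildcards accept any byte value while a single altered fixed byte prevents a match, and it reports how many of the 92 bytes are fixed versus wildcarded, which is one way to judge how specific a signature is. The helper names (hex_string_to_regex, scan, instantiate, pattern_stats) and the sample buffers are my own constructions; the hex string itself is copied verbatim from the rule above.

```python
import re

# The $c0 hex string from the BigDig_mpModMult rule on this page, copied verbatim.
# "??" is YARA's single-byte wildcard; every other token is a fixed byte.
C0_HEX = (
    "8B 44 24 0C 8B 4C 24 08 81 EC 98 01 00 00 8D 54 24 00 56 8B B4 24 B0 01 "
    "00 00 57 56 50 51 52 E8 ?? ?? ?? ?? 8B 84 24 C0 01 00 00 8B 94 24 B4 01 "
    "00 00 8D 3C 36 56 50 8D 4C 24 20 57 51 52 E8 ?? ?? ?? ?? 8D 44 24 2C 57 "
    "50 E8 ?? ?? ?? ?? 83 C4 2C 33 C0 5F 5E 81 C4 98 01 00 00 C3"
)


def hex_string_to_regex(hex_string: str) -> re.Pattern:
    """Translate a YARA hex string (fixed bytes plus ?? wildcards) into a bytes regex.

    Only the two constructs $c0 uses are handled: two-digit hex bytes and the ??
    wildcard. Nibble wildcards (e.g. 8?), jumps ([4-6]) and alternatives are
    deliberately not implemented, since this rule does not need them.
    """
    parts = []
    for tok in hex_string.split():
        if tok == "??":
            parts.append(b".")                        # any single byte
        else:
            parts.append(re.escape(bytes([int(tok, 16)])))
    # DOTALL so the wildcard also matches 0x0A, which "." would otherwise reject.
    return re.compile(b"".join(parts), re.DOTALL)


C0_PATTERN = hex_string_to_regex(C0_HEX)


def pattern_stats(hex_string: str) -> tuple[int, int]:
    """Return (fixed_bytes, wildcard_bytes) for a hex string."""
    toks = hex_string.split()
    wild = sum(1 for t in toks if t == "??")
    return len(toks) - wild, wild


def scan(buf: bytes) -> list[int]:
    """Return the offsets at which $c0 matches in buf (empty list: the rule would not fire)."""
    return [m.start() for m in C0_PATTERN.finditer(buf)]


def instantiate(hex_string: str, wildcard_fill: bytes) -> bytes:
    """Build a concrete byte sequence from the hex string, taking each ?? byte from wildcard_fill."""
    fill = iter(wildcard_fill)
    out = bytearray()
    for tok in hex_string.split():
        out.append(next(fill) if tok == "??" else int(tok, 16))
    return bytes(out)


# Constructed sample buffers (not real files): 16 bytes of padding, the pattern with
# arbitrary values in its 12 wildcard slots, then 8 more bytes of padding.
SAMPLE = b"\x90" * 16 + instantiate(C0_HEX, bytes(range(12))) + b"\xcc" * 8
# Same layout with different wildcard bytes: the rule must still match at offset 16.
SAMPLE_OTHER_FILL = b"\x90" * 16 + instantiate(C0_HEX, b"\xff" * 12) + b"\xcc" * 8
# One fixed byte altered (8B -> 8A at the start of the pattern): the rule must not match.
NEAR_MISS = SAMPLE[:16] + b"\x8A" + SAMPLE[17:]

if __name__ == "__main__":
    print("fixed/wildcard bytes:", pattern_stats(C0_HEX))
    for name, buf in [("SAMPLE", SAMPLE),
                      ("SAMPLE_OTHER_FILL", SAMPLE_OTHER_FILL),
                      ("NEAR_MISS", NEAR_MISS)]:
        print(f"{name}: matches at {scan(buf)}")
```

Running the script prints the fixed/wildcard split (80 fixed, 12 wildcarded) and the match offsets for the three buffers. The translation is meant to show how the rule's single string behaves, not to replace the YARA engine; for scanning real artifacts, compile the rule with yara itself so the full hex-string grammar and the condition logic are honored.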
Scenario: Scheduled system maintenance using task scheduler to run a disk cleanup or defragmentation tool
Filter/Exclusion: process.parent_process_name == "schtasks.exe" or process.name == "defrag.exe"
Scenario: Admin performing a database backup using SQL Server Backup Utility
Filter/Exclusion: process.name == "sqlbackup.exe" or process.parent_process_name == "sqlservr.exe"
Scenario: IT team executing a script for log rotation using logrotate on Linux servers
Filter/Exclusion: process.name == "logrotate" or process.parent_process_name == "cron"
Scenario: User running a legitimate third-party application like 7-Zip for file compression
Filter/Exclusion: process.name == "7z.exe" or process.parent_process_name == "explorer.exe"
Scenario: System running a legitimate security tool like Malwarebytes for malware scanning
Filter/Exclusion: process.name == "mbam.exe" or process.parent_process_name == "services.exe"