The hypothesis is that the detection rule identifies potential lateral movement or credential dumping activity by adversaries exploiting compromised service principal modules in Azure environments. SOC teams should proactively hunt for this behavior to identify and mitigate early-stage attacks that could lead to deeper network compromise.
YARA Rule
rule BigDig_spModExpB
{
    meta:
        author = "Maxx"
        description = "BigDig spModExpB"
    strings:
        $c0 = { 53 8B 5C 24 10 55 56 BE 00 00 00 80 85 F3 75 04 D1 EE 75 F8 8B 6C 24 14 8B C5 D1 EE 89 44 24 18 74 48 57 8B 7C 24 20 EB 04 8B 44 24 1C 57 50 50 8D 44 24 28 50 E8 ?? ?? ?? ?? 83 C4 10 85 F3 74 14 8B 4C 24 1C 57 55 8D 54 24 24 51 52 E8 ?? ?? ?? ?? 83 C4 10 D1 EE 75 D0 8B 44 24 14 8B 4C 24 1C 5F 5E 89 08 5D 33 C0 5B C3 8B 54 24 10 5E 5D 5B 89 02 33 C0 C3 }
    condition:
        $c0
}
This YARA rule can be deployed in the following contexts:
This rule contains 1 string pattern ($c0, a hex string with eight single-byte ?? wildcards) in its detection logic.
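To see exactly what $c0 will and will not match, here is an added example (not part of the original rule or page) that translates the hex string into a Python bytes regex and scans constructed sample data. The sample blob is fabricated: it is the pattern itself with the ?? slots filled by an arbitrary byte and padded with NOPs, not bytes from a real binary. It shows that the wildcard slots (the four rel32 operand bytes after each E8 call) accept any value, while changing a single fixed byte defeats the match.

```python
import re

# Hex string copied from the BigDig_spModExpB rule above; "??" is a YARA
# single-byte wildcard that matches any value (here, the four-byte rel32
# operands of the two E8 call instructions).
SPMODEXPB_HEX = (
    "53 8B 5C 24 10 55 56 BE 00 00 00 80 85 F3 75 04 D1 EE 75 F8 8B 6C 24 14 "
    "8B C5 D1 EE 89 44 24 18 74 48 57 8B 7C 24 20 EB 04 8B 44 24 1C 57 50 50 "
    "8D 44 24 28 50 E8 ?? ?? ?? ?? 83 C4 10 85 F3 74 14 8B 4C 24 1C 57 55 "
    "8D 54 24 24 51 52 E8 ?? ?? ?? ?? 83 C4 10 D1 EE 75 D0 8B 44 24 14 "
    "8B 4C 24 1C 5F 5E 89 08 5D 33 C0 5B C3 8B 54 24 10 5E 5D 5B 89 02 33 C0 C3"
)


def hex_pattern_to_regex(hex_string: str) -> "re.Pattern[bytes]":
    """Translate a YARA hex string (fixed bytes and ?? wildcards) into a bytes regex."""
    parts = []
    for tok in hex_string.split():
        if tok == "??":
            parts.append(b".")                      # any single byte
        elif re.fullmatch(r"[0-9A-Fa-f]{2}", tok):
            parts.append(re.escape(bytes([int(tok, 16)])))
        else:
            raise ValueError(f"unsupported hex token: {tok!r}")
    # DOTALL so "." also matches 0x0A, which is a perfectly valid wildcard byte.
    return re.compile(b"".join(parts), re.DOTALL)


SPMODEXPB = hex_pattern_to_regex(SPMODEXPB_HEX)


def scan_for_spmodexpb(data: bytes) -> list:
    """Return the offsets of every (non-overlapping) match of $c0 in data."""
    return [m.start() for m in SPMODEXPB.finditer(data)]


def build_sample_blob(wildcard_fill: int = 0x11) -> bytes:
    """Constructed test data, not a real binary: the pattern with each ?? slot
    filled by wildcard_fill, surrounded by NOP padding so the match offset is nonzero."""
    body = bytearray()
    for tok in SPMODEXPB_HEX.split():
        body.append(wildcard_fill if tok == "??" else int(tok, 16))
    return b"\x90" * 16 + bytes(body) + b"\x00" * 8


if __name__ == "__main__":
    for fill in (0x00, 0x0A, 0xFF):
        print(f"fill 0x{fill:02X}: matches at {scan_for_spmodexpb(build_sample_blob(fill))}")
    broken = bytearray(build_sample_blob())
    broken[16] ^= 0x01          # corrupt the first fixed byte (0x53 -> 0x52)
    print("first byte altered:", scan_for_spmodexpb(bytes(broken)))
```

Because the rule has no file-size, PE-header or offset constraint, the pattern matches wherever the 118-byte sequence appears, so this same scanner works on a memory dump or a carved section just as it does on a file.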
Scenario: Scheduled system backup using Veeam Backup & Replication
Filter/Exclusion: process.name != "vbm" AND process.name != "vagent"
Rationale: Veeam components may trigger the rule during backup operations, which are legitimate.

Scenario: Regular Windows Update or Group Policy synchronization task
Filter/Exclusion: process.name != "wuauserv" AND process.name != "gupdate.svc"
Rationale: These services are part of normal system maintenance and may be flagged by the rule.

Scenario: SQL Server Agent job executing maintenance tasks (e.g., index rebuilds)
Filter/Exclusion: process.name != "sqlservr.exe" AND process.name != "sqlagent.exe"
Rationale: SQL Server maintenance tasks can trigger similar behavior to malicious activity.

Scenario: Ansible playbook execution for configuration management
Filter/Exclusion: process.name != "ansible" AND process.name != "ansible-playbook"
Rationale: Ansible is commonly used for automation and may trigger the rule during configuration changes.

Scenario: Docker container orchestration or image pull via Docker Engine
Filter/Exclusion: process.name != "docker" AND process.name != "dockerd"
Rationale: Docker operations, such as pulling images or managing containers, can resemble suspicious behavior.