The BigDig spModInv rule detects potential adversary behavior involving the manipulation of module inventory to evade detection or maintain persistence within a system. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate advanced threats that may leverage module tampering to persist undetected.
YARA Rule
rule BigDig_spModInv
{
    meta:
        author = "Maxx"
        description = "BigDig spModInv"
    strings:
        $c0 = { 51 8B 4C 24 10 55 56 BD 01 00 00 00 33 F6 57 8B 7C 24 18 89 6C 24 0C 85 C9 74 42 53 8B C7 33 D2 F7 F1 8B C7 8B F9 8B DA 33 D2 F7 F1 8B CB 0F AF C6 03 C5 8B EE 8B F0 8B 44 24 10 F7 D8 85 DB 89 44 24 10 75 D7 85 C0 5B 7D 13 8B 44 24 1C 8B 4C 24 14 2B C5 5F 89 01 5E 33 C0 5D 59 C3 8B 54 24 14 5F 5E 33 C0 89 2A 5D 59 C3 }
    condition:
        $c0
}
This YARA rule can be deployed in the following contexts:
This rule contains one string pattern ($c0) in its detection logic.
Scenario: Scheduled system maintenance using PowerShell to update module inventory
Filter/Exclusion: process.name != "powershell.exe" OR process.args NOT LIKE '%Update-Module%'
Scenario: Windows Update or Group Policy refresh triggering module inventory checks
Filter/Exclusion: process.name != "wuauclt.exe" AND process.name != "gupdate.exe"
Scenario: System Center Configuration Manager (SCCM) performing a software inventory sweep
Filter/Exclusion: process.name != "ccmexec.exe" OR process.args NOT LIKE '%software inventory%'
Scenario: Ansible or Chef running a module inventory update as part of a configuration management task
Filter/Exclusion: process.name NOT IN ("ansible", "chef-client") OR process.args NOT LIKE '%inventory%'
Scenario: Docker or Kubernetes node inventory update during cluster maintenance
Filter/Exclusion: process.name NOT IN ("docker", "kubelet") OR process.args NOT LIKE '%inventory%'
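Added example, not part of the original rule page or of Maxx's signatures: a pure-Python matcher that interprets the $c0 hex string from the rule above the way a YARA engine does for fixed bytes, and scans a constructed sample buffer for it. It goes a little beyond the rule by also handling `??` and nibble wildcards (`8?`, `?B`); a real deployment would compile the rule with yara-python, this only shows what the byte pattern actually matches on.

```python
import re
# Hex string copied verbatim from the $c0 string of the BigDig_spModInv rule above.
SPMODINV_C0 = (
    "51 8B 4C 24 10 55 56 BD 01 00 00 00 33 F6 57 8B 7C 24 18 89 6C 24 0C "
    "85 C9 74 42 53 8B C7 33 D2 F7 F1 8B C7 8B F9 8B DA 33 D2 F7 F1 8B CB "
    "0F AF C6 03 C5 8B EE 8B F0 8B 44 24 10 F7 D8 85 DB 89 44 24 10 75 D7 "
    "85 C0 5B 7D 13 8B 44 24 1C 8B 4C 24 14 2B C5 5F 89 01 5E 33 C0 5D 59 "
    "C3 8B 54 24 14 5F 5E 33 C0 89 2A 5D 59 C3"
)


def hex_string_to_regex(hex_string):
    """Translate a YARA hex string (fixed bytes, '??', and nibble wildcards
    such as '8?' or '?B') into a compiled bytes regex. YARA jumps like [4-6]
    are not handled here."""
    parts = []
    for tok in hex_string.split():
        if len(tok) != 2:
            raise ValueError("unsupported hex token: %r" % tok)
        if tok == "??":
            parts.append(b".")                      # any single byte
        elif "?" not in tok:
            parts.append(re.escape(bytes([int(tok, 16)])))
        elif tok[1] == "?":                         # 8? -> 0x80..0x8F
            hi = int(tok[0], 16) << 4
            parts.append(b"[" + re.escape(bytes([hi])) + b"-"
                         + re.escape(bytes([hi | 0xF])) + b"]")
        else:                                       # ?B -> 0x0B, 0x1B, ..., 0xFB
            lo = int(tok[1], 16)
            members = [re.escape(bytes([(h << 4) | lo])) for h in range(16)]
            parts.append(b"[" + b"".join(members) + b"]")
    return re.compile(b"".join(parts), re.DOTALL)


def find_matches(buf, hex_string):
    """Return every offset in buf where the hex string matches (like YARA's @c0)."""
    return [m.start() for m in hex_string_to_regex(hex_string).finditer(buf)]


def demo():
    """Scan a constructed sample: NOP sled, the signature, INT3 padding, signature again."""
    sig = bytes.fromhex(SPMODINV_C0)
    sample = b"\x90" * 64 + sig + b"\xCC" * 100 + sig + b"\x00" * 32
    return find_matches(sample, SPMODINV_C0)


if __name__ == "__main__":
    print("matches at offsets:", demo())
```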