Boouset code tricks

Hunt Hypothesis

Adversaries may use obfuscated code tricks to evade detection and execute malicious payloads in Azure environments. SOC teams should proactively hunt for these patterns to identify potential stealthy execution techniques that bypass traditional detection mechanisms.

YARA Rule

rule BoousetCode
{
    
    meta:
        description = "Boouset code tricks"
        author = "Seth Hardy"
        last_modified = "2014-06-19"
        
    strings:
        $boousetdat = { C6 ?? ?? ?? ?? 00 62 C6 ?? ?? ?? ?? 00 6F C6 ?? ?? ?? ?? 00 6F C6 ?? ?? ?? ?? 00 75 }
        
    condition:
        any of them
}

Deployment Notes

This YARA rule can be deployed in the following contexts:

• Microsoft Defender for Endpoint — Custom indicators / advanced hunting
• Email Gateway — Attachment scanning
• File Share Monitoring — Periodic scanning of shared drives
• YARA CLI — Manual threat hunting on endpoints

This rule contains 1 string patterns in its detection logic.

• Source Rule

False Positive Guidance

• Scenario: A system administrator is using PowerShell to automate the deployment of a software update.
  Filter/Exclusion: Check for the presence of PowerShell in the process name or command line, and exclude processes initiated by the administrator’s user account or scheduled tasks with known update scripts.

• Scenario: A database administrator is running a scheduled job to back up SQL Server using SQL Server Agent or T-SQL scripts.
  Filter/Exclusion: Exclude processes associated with sqlservr.exe or tasks scheduled under SQL Server Agent, and filter out known backup scripts or commands like BACKUP DATABASE.

• Scenario: A DevOps engineer is using Ansible to deploy configuration changes across multiple servers.
  Filter/Exclusion: Exclude processes initiated by the ansible command or any process running under the ansible user account, and filter out known Ansible playbook execution patterns.

• Scenario: A developer is using Python to run a script that interacts with a local API for testing purposes.
  Filter/Exclusion: Exclude processes with python in the command line and filter out scripts that are known to be part of a development or testing environment (e.g., pytest, unittest, or mock).

• Scenario: A system administrator is using Windows Task Scheduler to run a legitimate maintenance script.
  Filter/Exclusion: Exclude tasks scheduled via Task Scheduler and filter out scripts that are known to be part of standard maintenance routines (e.g., log rotation, disk cleanup, or service restarts).