The rule detects potential reconnaissance activity in which an adversary gathers information about the environment, visible as unusual network traffic patterns. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify early signs of compromise before it progresses to lateral movement.
YARA Rule

    // Depends on the private rules CCTV0Header and SharedStrings, which are not
    // shown here; compile this rule together with them or it will not load.
    rule CCTV0 : Family CCTV0
    {
        meta:
            description = "rule for cctv0"
            author = "Katie Kleemola"
            last_updated = "07-22-2014"

        condition:
            CCTV0Header and SharedStrings
    }
When this rule is deployed, the following benign scenarios are candidates for filters or exclusions:

Scenario: System backup using rsync or tar
  Filter/Exclusion: process.name IN ("rsync", "tar") OR process.parent.name IN ("systemd", "init") with known backup services.

Scenario: Scheduled log rotation using logrotate
  Filter/Exclusion: process.name == "logrotate" OR (process.args CONTAINS "rotate" AND process.parent.name == "systemd").

Scenario: Admin performing a disk cleanup via rm or find
  Filter/Exclusion: (process.name IN ("rm", "find") AND process.args CONTAINS "--no-preserve-root") OR process.parent.name == "root" with known cleanup tasks.

Scenario: Automated script running a file scan with clamscan or rkhunter
  Filter/Exclusion: process.name IN ("clamscan", "rkhunter") OR (process.args CONTAINS "--scan" AND process.parent.name == "cron").

Scenario: User running a legitimate system update or patch via apt or yum
  Filter/Exclusion: process.name IN ("apt", "yum", "dnf") OR (process.args CONTAINS "upgrade" OR process.args CONTAINS "update") with known package managers.