This detection rule identifies the 5-character code ("CCTV0") that the LURK0 / CCTV0 malware family assembles in its code, which may indicate lateral movement, unauthorized access or persistence by an adversary. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect early-stage compromise and prevent further network infiltration.
YARA Rule
rule CCTV0Header : Family CCTV0 {
    meta:
        description = "5 char code for LURK0"
        author = "Katie Kleemola"
        last_updated = "07-21-2014"
    strings:
        // the five bytes 'C' 'C' 'T' 'V' '0' written one at a time, each as a
        // "mov byte [mem], imm8" (C6 opcode, five bytes of ModRM/displacement, then the char)
        $ = { C6 [5] 43 C6 [5] 43 C6 [5] 54 C6 [5] 56 C6 [5] 30 }
        // a bit hacky, but for samples that don't simply mov one char at a time:
        // 'C' is loaded into al (B0 43) and stored twice, 'T' and 'V' are immediate
        // stores, and '0' follows within 12 bytes either via al or as an immediate store
        $ = { B0 43 88 [3] 88 [3] C6 [3] 54 C6 [3] 56 [0-12] (B0 30 | C6 [3] 30) }
    condition:
        any of them
}
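To make concrete what the rule's two hex strings actually match, here is an added example in Python; it is not part of the original rule or of the Citizen Lab code the rule comes from. It translates YARA hex-string syntax (byte literals, `?` nibble wildcards, `[n]` and `[a-b]` jumps and `( | )` alternatives, a more general set than the rule itself uses) into a bytes regex, then runs the rule's two strings over two hand-assembled x86 snippets that write "CCTV0" the two ways the rule anticipates, plus a benign buffer where the string only appears as plain data. All sample bytes are constructed for illustration and are not taken from a real sample; the helper names are the example's own.

```python
import re

# The two hex strings from the CCTV0Header rule on the page, copied verbatim.
CCTV0_PATTERNS = {
    "one_char_at_a_time": "{ C6 [5] 43 C6 [5] 43 C6 [5] 54 C6 [5] 56 C6 [5] 30 }",
    "mov_al_then_store": "{ B0 43 88 [3] 88 [3] C6 [3] 54 C6 [3] 56 [0-12] (B0 30 | C6 [3] 30) }",
}

# One YARA hex-string token: a jump [n] / [a-b], a byte (nibble wildcards allowed), or ( | ).
_TOKEN_RE = re.compile(
    r"\s*(?:"
    r"\[\s*(?P<lo>\d+)(?:\s*-\s*(?P<hi>\d+))?\s*\]"
    r"|(?P<byte>[0-9A-Fa-f?]{2})"
    r"|(?P<punct>[()|])"
    r")\s*"
)


def _byte_fragment(tok: str) -> bytes:
    """Regex fragment for one hex byte token; '?' nibbles become wildcards."""
    hi, lo = tok[0], tok[1]
    if tok == "??":
        return b"."
    if lo == "?":  # 4? -> any of 0x40..0x4F
        base = int(hi, 16) << 4
        return b"[" + re.escape(bytes([base])) + b"-" + re.escape(bytes([base | 0xF])) + b"]"
    if hi == "?":  # ?3 -> 0x03, 0x13, ..., 0xF3
        low = int(lo, 16)
        return b"[" + b"".join(re.escape(bytes([(n << 4) | low])) for n in range(16)) + b"]"
    return re.escape(bytes([int(tok, 16)]))


def hex_string_to_regex(hex_string: str) -> re.Pattern:
    """Translate a YARA hex string such as '{ C6 [5] 43 }' into a compiled bytes regex."""
    body = hex_string.strip()
    if body.startswith("{") and body.endswith("}"):
        body = body[1:-1]
    parts, pos = [], 0
    while pos < len(body):
        m = _TOKEN_RE.match(body, pos)
        if m is None:
            raise ValueError(f"unsupported hex-string syntax at offset {pos}: {body[pos:pos + 10]!r}")
        pos = m.end()
        if m.group("lo") is not None:
            lo, hi = m.group("lo"), m.group("hi")
            if hi is None:
                parts.append(b".{%s}" % lo.encode())  # fixed jump [n]
            else:
                parts.append(b".{%s,%s}" % (lo.encode(), hi.encode()))  # ranged jump [a-b]
        elif m.group("byte") is not None:
            parts.append(_byte_fragment(m.group("byte")))
        else:
            parts.append({"(": b"(?:", ")": b")", "|": b"|"}[m.group("punct")])
    return re.compile(b"".join(parts), re.DOTALL)


COMPILED = {name: hex_string_to_regex(p) for name, p in CCTV0_PATTERNS.items()}


def scan(data: bytes) -> dict:
    """Offsets at which each of the rule's strings matches (what YARA would report per string)."""
    return {name: [m.start() for m in rx.finditer(data)] for name, rx in COMPILED.items()}


def matches_rule(data: bytes) -> bool:
    """The rule's condition is 'any of them'."""
    return any(scan(data).values())


# Constructed samples (not real malware bytes): hand-assembled x86 that writes "CCTV0"
# into a stack buffer byte by byte, behind an ordinary function prologue.
SAMPLE_ONE_CHAR = bytes.fromhex(
    "55 8B EC"               # push ebp; mov ebp, esp
    "C6 85 F0 FE FF FF 43"   # mov byte [ebp-0x110], 'C'
    "C6 85 F1 FE FF FF 43"   # mov byte [ebp-0x10F], 'C'
    "C6 85 F2 FE FF FF 54"   # mov byte [ebp-0x10E], 'T'
    "C6 85 F3 FE FF FF 56"   # mov byte [ebp-0x10D], 'V'
    "C6 85 F4 FE FF FF 30"   # mov byte [ebp-0x10C], '0'
)
SAMPLE_MOV_AL = bytes.fromhex(
    "55 8B EC 83 EC 20"      # push ebp; mov ebp, esp; sub esp, 0x20
    "B0 43"                  # mov al, 'C'
    "88 44 24 10"            # mov [esp+0x10], al
    "88 44 24 11"            # mov [esp+0x11], al
    "C6 44 24 12 54"         # mov byte [esp+0x12], 'T'
    "C6 44 24 13 56"         # mov byte [esp+0x13], 'V'
    "8B 4C 24 20"            # mov ecx, [esp+0x20]  (unrelated instruction inside the [0-12] jump)
    "C6 44 24 14 30"         # mov byte [esp+0x14], '0'
)
# The string in plain data: no C6/B0 stores, so neither pattern fires.
BENIGN = b"\x00\x00\x00\x00CCTV0 stream header\x00\x00"

if __name__ == "__main__":
    for label, blob in [("one-char sample", SAMPLE_ONE_CHAR),
                        ("mov-al sample", SAMPLE_MOV_AL),
                        ("plain string", BENIGN)]:
        print(f"{label:16s} rule match={matches_rule(blob)} offsets={scan(blob)}")
```

Running the script reports a hit at offset 3 for the first sample (first string), a hit at offset 6 for the second sample (second string), and no hit for the plain-data buffer. That last case is the point of the rule's design: the header never exists as a contiguous string in the binary, so a text search for "CCTV0" would miss it while the opcode-level patterns do not. The same offsets are what yara-python would report for this rule on these buffers.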
This YARA rule can be deployed in the following contexts. Note that it matches opcode byte sequences in executable code or process memory rather than a textual five-character string, so the scenarios below describe benign activity whose telemetry could be confused with a hit, together with filters to exclude it:

Scenario: A system administrator is using PowerShell to run a scheduled job that generates a 5-character code as part of a logging or auditing process.
Filter/Exclusion: Check for ProcessName == "powershell.exe" and (CommandLine contains "scheduledjob" or CommandLine contains "log").

Scenario: A Windows Task Scheduler job is configured to execute a script that outputs a 5-character code as part of a routine health check.
Filter/Exclusion: Filter by (ProcessName == "schtasks.exe" or CommandLine contains "schtasks") and check for known legitimate health-check scripts.

Scenario: A Cisco ASA firewall generates a 5-character code during a routine IKEv2 tunnel negotiation as part of its logging mechanism.
Filter/Exclusion: Check for SourceIP in the Cisco ASA internal IP range and (DestinationPort == 500 or DestinationPort == 4500).

Scenario: A Docker container running a legitimate application generates a 5-character code as part of its internal versioning or build ID.
Filter/Exclusion: Filter by (ImageName contains "docker" or ProcessName contains "docker") and check for known containerized applications.

Scenario: A Microsoft SQL Server backup job generates a 5-character code as part of its job ID or session identifier.
Filter/Exclusion: Filter by ProcessName == "sqlservr.exe" and check for (CommandLine contains "BACKUP" or CommandLine contains "job") in the SQL Server context.