Adversaries may use specific file paths to execute malicious payloads or to evade detection (for example by checking whether they are running inside an analysis sandbox), which can indicate early-stage lateral movement or persistence. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate threats that rely on file path manipulation before they progress.
YARA Rule
import "pe"

rule Check_FilePaths
{
    meta:
        Author = "Nick Hoffman"
        Description = "Checks for filepaths containing popular sandbox names"
        Sample = "de1af0e97e94859d372be7fcf3a5daa5"
    strings:
        $path1 = "SANDBOX" wide ascii
        $path2 = "\\SAMPLE" wide ascii
        $path3 = "\\VIRUS" wide ascii
    condition:
        all of ($path*) and pe.imports("kernel32.dll","GetModuleFileNameA")
}
The rule's detection logic consists of 3 string patterns ($path1 to $path3), each matched in both ASCII and wide (UTF-16LE) form; all three must be present, and the PE must also import GetModuleFileNameA from kernel32.dll. When the rule is deployed, the following benign scenarios can produce file-path matches, and each is paired with a suggested filter or exclusion:
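As an added illustration (not part of the original rule or page), the Python below emulates the rule's condition over raw bytes: every pattern is searched in both its ASCII and UTF-16LE form, as the wide ascii modifiers require, and the kernel32.dll import check is represented by a caller-supplied import set, since PE import-table parsing is assumed to happen elsewhere. The sample bytes and import sets are constructed for the demonstration.

```python
# Added example, not from the original page: emulate the Check_FilePaths logic.
# YARA strings without "nocase" are case-sensitive, so "sandbox" does not match.
PATTERNS = ["SANDBOX", "\\SAMPLE", "\\VIRUS"]   # $path1, $path2, $path3


def encodings(pattern: str) -> list[bytes]:
    """Byte forms YARA searches for a string declared 'wide ascii'."""
    return [pattern.encode("ascii"), pattern.encode("utf-16-le")]


def matched_patterns(data: bytes) -> dict[str, bool]:
    """Map each $path pattern to whether any of its forms occurs in data."""
    return {p: any(form in data for form in encodings(p)) for p in PATTERNS}


def check_filepaths(data: bytes, imports: set[tuple[str, str]]) -> bool:
    """Rule condition: all of ($path*) and the GetModuleFileNameA import.

    `imports` stands in for pe.imports(); it is assumed to be supplied by a
    PE parser as (dll, function) pairs with the DLL name in lower case.
    """
    hits = matched_patterns(data)
    has_import = ("kernel32.dll", "GetModuleFileNameA") in imports
    return all(hits.values()) and has_import


# Constructed sample: ASCII "SANDBOX", wide "\SAMPLE", ASCII "\VIRUS".
SAMPLE = (b"\x00" * 8 + b"C:\\SANDBOX\\run.exe" + b"\x00" * 4
          + "\\SAMPLE".encode("utf-16-le") + b"\x00\x00" + b"D:\\VIRUS\\a.bin")
SAMPLE_IMPORTS = {("kernel32.dll", "GetModuleFileNameA"),
                  ("kernel32.dll", "ExitProcess")}

if __name__ == "__main__":
    print(matched_patterns(SAMPLE))
    print(check_filepaths(SAMPLE, SAMPLE_IMPORTS))
```

Dropping the import, or lower-casing the path strings, makes the condition fail, which is exactly how the real rule behaves.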
Scenario: A system update or patching tool (e.g., Windows Update, Microsoft Endpoint Manager) is executing a legitimate file path update.
Filter/Exclusion: Exclude file paths containing WindowsUpdate, MicrosoftUpdate, or System32.
Scenario: A scheduled backup job (e.g., Veeam, Acronis) is accessing or modifying files in a temporary directory.
Filter/Exclusion: Exclude file paths containing Backup, Veeam, Acronis, or Temp.
Scenario: An administrator is performing a disk cleanup or defragmentation task (e.g., Disk Cleanup, DISM, or third-party tools like CCleaner).
Filter/Exclusion: Exclude file paths containing Cleanup, DISM, CCleaner, or Temp.
Scenario: A legitimate application (e.g., SQL Server, IIS, or .NET framework) is writing to log files or temporary directories during normal operation.
Filter/Exclusion: Exclude file paths containing Logs, Temp, AppData, or specific application names like SQLServer or IIS.
Scenario: A user is running a legitimate script or batch file (e.g., PowerShell, Python, or a custom script) that temporarily writes to a working directory.
Filter/Exclusion: Exclude file paths containing Scripts, WorkingDir, or the user’s home directory (e.g., C:\Users\).