The detection identifies potential deployment of a Win32 variant of the Chicken ident malware through both the dropper and the dropped file, indicating possible adversary activity in the environment. SOC teams should proactively hunt for this behavior to detect early-stage malware execution and prevent lateral movement or data exfiltration in Azure Sentinel.
YARA Rule
rule ChickenDOS
{
meta:
author = "Jason Jones <[email protected]>"
description = "Win32-variant of Chicken ident for both dropper and dropped file"
source = "https://github.com/arbor/yara/blob/master/chicken.yara"
strings:
$pdb1 = "\\Chicken\\Release\\svchost.pdb"
$pdb2 = "\\IntergrateCHK\\Release\\IntergrateCHK.pdb"
$str2 = "fake.cf"
$str3 = "8.8.8.8"
$str4 = "Processor(%d)\\"
$str5 = "DbProtectSupport"
$str1 = "dm1712/`jvpnpkte/bpl"
$str6 = "InstallService NPF %d"
$str7 = "68961"
$str8 = "InstallService DbProtectSupport %d"
$str9 = "C:\\Program Files\\DbProtectSupport\\npf.sys"
condition:
($pdb1 or $pdb2) and 5 of ($str*)
}This YARA rule can be deployed in the following contexts:
This rule contains 11 string patterns in its detection logic.
Scenario: A system administrator is using Windows Task Scheduler to run a legitimate maintenance script that includes a file with a similar name to a malicious payload.
Filter/Exclusion: Check for the presence of Task Scheduler in the process tree or filter by CommandLine containing schtasks.exe or schtasks /run.
Scenario: A Windows Update or Microsoft Defender ATP scan triggers a false positive due to a file with a similar name to a known malicious payload.
Filter/Exclusion: Filter by ProcessName containing WindowsUpdate.exe or MsMpEng.exe, or check for the presence of Microsoft in the file path.
Scenario: A system backup tool (e.g., Veeam, Acronis, or Microsoft Backup) creates or modifies files that match the signature of a malicious file.
Filter/Exclusion: Filter by ProcessName containing VeeamBackup.exe, Acronis.exe, or wbadmin.exe, or check for the presence of a known backup tool in the process tree.
Scenario: A Windows service (e.g., SQL Server Agent, IIS, or Exchange Server) generates temporary files that have a name similar to a malicious payload.
Filter/Exclusion: Filter by ProcessName containing sqlservr.exe, w3wp.exe, or exchsvr.exe, or check for the presence of a known service in the process tree.
Scenario: A developer or DevOps engineer is using PowerShell to deploy a legitimate application that includes a file with a name resembling a malicious payload.
Filter/Exclusion: Filter by CommandLine containing powershell.exe and check for the presence of a known DevOps tool or script in the command