The Control32 rule is intended to flag potential adversary activity involving the execution of suspicious 32-bit control mechanisms that may be used to manipulate or bypass system restrictions. As written, the rule identifies one specific file by its MD5 hash, so it fires only on that exact binary and not on modified variants. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify early-stage compromises that may evade traditional detection methods.
YARA Rule
import "hash"

rule Control32 {
    meta:
        author = "Jaume Martin"
        description = "Hash-only rule: matches a single known sample by MD5, no string patterns"
    condition:
        // hash.md5 requires the hash module imported above; (0, filesize) covers the whole file
        hash.md5(0, filesize) == "b3dc808fc7cb4492669ec019911ef22a"
}
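The following is an added example, not the original rule or the YARA engine: it reproduces the Control32 condition in plain Python (stream each file through MD5 and compare against a watchlist), and writes a constructed sample plus a one-byte variant of it to a temporary directory to show that a hash-only rule catches the exact file and misses the variant. The second watchlist entry, the sample bytes and the file names are constructed for the demonstration; the first watchlist entry is the hash from the rule above.

```python
"""Hash-only matching as the Control32 rule does it (added example, not the
original rule or the yara engine): compute MD5 of each file and compare it to a
watchlist. Shows that any single-byte change defeats the match."""
import hashlib
import os
import tempfile
from pathlib import Path

# CONSTRUCTED sample bytes; not a real binary.
SAMPLE_BYTES = b"MZ\x90\x00constructed-sample-not-a-real-binary\x00"
SAMPLE_MD5 = hashlib.md5(SAMPLE_BYTES).hexdigest()

# Watchlist of MD5 -> rule name. First entry is the hash from the Control32
# rule on this page; the second is the constructed sample's hash.
WATCHLIST = {
    "b3dc808fc7cb4492669ec019911ef22a": "Control32",
    SAMPLE_MD5: "constructed-sample",
}


def md5_of_file(path, chunk=1 << 20):
    """Stream the file through MD5 so large binaries need not fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan_directory(root):
    """Return (path, rule_name) for every file under root whose MD5 is on the watchlist."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            p = os.path.join(dirpath, name)
            digest = md5_of_file(p)
            if digest in WATCHLIST:
                hits.append((p, WATCHLIST[digest]))
    return hits


def demo():
    """Write the constructed sample and a one-byte variant, scan, return matched file names."""
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "sample.bin").write_bytes(SAMPLE_BYTES)
        # Same content with the last byte changed: a trivially modified variant.
        Path(tmp, "variant.bin").write_bytes(SAMPLE_BYTES[:-1] + b"\x01")
        hits = scan_directory(tmp)
        return sorted(os.path.basename(p) for p, _ in hits)


if __name__ == "__main__":
    print(demo())  # ['sample.bin']: the one-byte variant is not matched
```

Running the file prints only the unmodified sample as a hit, which is the practical limitation of a hash-only rule: it is precise and cheap, but coverage ends at the exact sample, so pairing it with a string- or behaviour-based rule is the usual next step.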
This YARA rule can be deployed in the following contexts. Each scenario names a benign activity that can raise the alert and the process-name exclusion to apply for it. The two names in each exclusion must be joined with "and" (or an equivalent not-in list): a filter of the form process.name != "a" or process.name != "b" is true for every process, since no process can carry both names at once, so it would exclude nothing.

Scenario: Legitimate system update via Windows Update
Filter/Exclusion: process.name != "wuauclt.exe" and process.name != "svchost.exe"

Scenario: Scheduled backup job using Veeam Backup & Replication
Filter/Exclusion: process.name != "veeam.exe" and process.name != "vmbackup.exe"

Scenario: Admin task to configure group policy via gpupdate
Filter/Exclusion: process.name != "gpupdate.exe" and process.name != "services.exe"

Scenario: Antivirus scan using Bitdefender
Filter/Exclusion: process.name != "bdagent.exe" and process.name != "bdtray.exe"

Scenario: Log management tool (e.g., Splunk) collecting logs
Filter/Exclusion: process.name != "splunkd.exe" and process.name != "splunkforwarder.exe"
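The block below is an added example, not part of the original page or any Sentinel query: it applies the five scenario exclusions to a handful of constructed alert records and evaluates both the "or" form of the predicate and the corrected "and" form, so the difference is visible in the output rather than argued in prose. The process names are the ones listed in the scenarios; the alert records, the "host" field and the suspicious process name "control32.exe" are constructed for the demonstration.

```python
"""Evaluating the scenario exclusions over constructed alert records (added
example, not part of the original page). Shows why the two process names in
each scenario must be joined with 'and': with 'or' the predicate is true for
every process and the filter excludes nothing."""

# Benign process-name pairs from the scenarios on this page.
EXCLUSION_PAIRS = {
    "windows_update": ("wuauclt.exe", "svchost.exe"),
    "veeam_backup": ("veeam.exe", "vmbackup.exe"),
    "gpupdate": ("gpupdate.exe", "services.exe"),
    "bitdefender": ("bdagent.exe", "bdtray.exe"),
    "splunk": ("splunkd.exe", "splunkforwarder.exe"),
}

# CONSTRUCTED alerts: one benign process per scenario plus one that should
# survive the exclusions. "host" and "control32.exe" are made up for the demo.
ALERTS = [
    {"host": "ws01", "process": {"name": "wuauclt.exe"}},
    {"host": "srv02", "process": {"name": "veeam.exe"}},
    {"host": "dc01", "process": {"name": "gpupdate.exe"}},
    {"host": "ws03", "process": {"name": "bdagent.exe"}},
    {"host": "log01", "process": {"name": "splunkd.exe"}},
    {"host": "ws09", "process": {"name": "control32.exe"}},
]


def keep_with_or(alert, a, b):
    """Literal 'or' reading of the filter: name != a or name != b. Always True."""
    name = alert["process"]["name"].lower()
    return name != a or name != b


def keep_with_and(alert, a, b):
    """Corrected predicate: keep the alert only if it is neither benign process."""
    name = alert["process"]["name"].lower()
    return name != a and name != b


def apply_exclusions(alerts, predicate):
    """Keep an alert only if every scenario's predicate keeps it."""
    return [
        al for al in alerts
        if all(predicate(al, a, b) for a, b in EXCLUSION_PAIRS.values())
    ]


def surviving_hosts(predicate):
    """Hosts whose alerts remain after applying all exclusions with the given predicate."""
    return [al["host"] for al in apply_exclusions(ALERTS, predicate)]


if __name__ == "__main__":
    print("or :", surviving_hosts(keep_with_or))   # all six hosts: nothing excluded
    print("and:", surviving_hosts(keep_with_and))  # ['ws09'] only
```

The same reasoning applies whatever query language the SIEM uses: an exclusion built from two "not equal" tests on one field only narrows the result set when the tests are conjoined, and a quick run of the exclusion against known-benign sample events, as above, is a cheap way to catch the inverted operator before the rule goes live.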