The Control64 rule detects a specific suspicious 64-bit payload by the MD5 hash of the whole file; its presence on a host may indicate initial compromise or lateral movement. Because the rule matches a single known sample rather than a behavior, SOC teams should proactively hunt for this indicator in Azure Sentinel to identify and mitigate early-stage threats before they escalate into more severe attacks.
YARA Rule
import "hash"

rule Control64 {
    meta:
        author = "Jaume Martin"
    condition:
        // Match one known sample by the MD5 of the entire file (requires the hash module).
        hash.md5(0, filesize) == "bec30379078d5c5c7845d3be33707b89"
}
When this YARA rule is deployed, the following benign scenarios are candidates for exclusion filters. Each filter is the condition an event must satisfy to remain in scope; the process-name checks are combined with "and", since a test of the form process.name != a or process.name != b is true for every process and excludes nothing.
Scenario: Legitimate system update using Microsoft Update
Filter/Exclusion: process.name != "wusa.exe" and process.name != "msu.exe"
Scenario: Scheduled backup job using Veeam Backup & Replication
Filter/Exclusion: process.name != "vbm.exe" and process.name != "veeam.exe"
Scenario: Admin task using PowerShell for log management
Filter/Exclusion: (process.name != "powershell.exe" and process.name != "pwsh.exe") or process.args not containing "log"
Scenario: Antivirus scan using Bitdefender
Filter/Exclusion: process.name != "bdagent.exe" and process.name != "bdss.exe"
Scenario: Database maintenance task using SQL Server Agent
Filter/Exclusion: (process.name != "sqlservr.exe" and process.name != "sqlagent.exe") or process.args not containing "maintenance"
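As an added illustration that is not part of the original page or the rule author's material, the Python below reproduces the rule's whole-file MD5 check and applies the exclusion scenarios above with correct conjunction logic: an event is excluded only when its process name is one of the listed names and, where a keyword is given, that keyword appears in its arguments. The sample events are constructed; the empty file is used as a stand-in "matching" sample by passing its own MD5 as the expected value.

```python
import hashlib

# MD5 from the Control64 rule above (the only indicator the rule carries).
CONTROL64_MD5 = "bec30379078d5c5c7845d3be33707b89"

# Exclusion scenarios keyed by lower-case process name. The value is an
# argument keyword that must also be present, or None if the name alone is
# enough. A `!= a or != b` test is true for every process, so the exclusion
# is implemented as "name is listed AND keyword (if any) is present".
EXCLUSIONS = {
    "wusa.exe": None, "msu.exe": None,                    # Microsoft Update
    "vbm.exe": None, "veeam.exe": None,                   # Veeam Backup & Replication
    "powershell.exe": "log", "pwsh.exe": "log",           # PowerShell log management
    "bdagent.exe": None, "bdss.exe": None,                # Bitdefender
    "sqlservr.exe": "maintenance", "sqlagent.exe": "maintenance",  # SQL Server Agent
}


def matches_control64(data: bytes, expected_md5: str = CONTROL64_MD5) -> bool:
    """Same check as the rule condition: MD5 over the entire file contents."""
    return hashlib.md5(data).hexdigest() == expected_md5.lower()


def is_excluded(process_name: str, process_args: str) -> bool:
    """True when the event falls under one of the documented benign scenarios."""
    name = process_name.lower()
    if name not in EXCLUSIONS:
        return False
    keyword = EXCLUSIONS[name]
    return keyword is None or keyword in process_args.lower()


def should_alert(data: bytes, process_name: str, process_args: str,
                 expected_md5: str = CONTROL64_MD5) -> bool:
    """Alert only on a hash match that is not covered by an exclusion."""
    return matches_control64(data, expected_md5) and not is_excluded(process_name, process_args)


# Constructed sample events (not real telemetry); the loaded file bytes are
# supplied separately as `payload` by the caller.
SAMPLE_EVENTS = [
    {"host": "ws01", "process": "wusa.exe", "args": "C:\\update.msu /quiet"},
    {"host": "ws02", "process": "powershell.exe", "args": "-File Rotate-Logs.ps1"},
    {"host": "ws03", "process": "powershell.exe", "args": "-Command Get-Date"},
    {"host": "ws04", "process": "sqlagent.exe", "args": "-i MSSQLSERVER"},
    {"host": "ws05", "process": "dropper.exe", "args": ""},
]


def triage(events, payload: bytes, expected_md5: str = CONTROL64_MD5) -> list:
    """Return the hosts whose event should raise a Control64 alert."""
    return [e["host"] for e in events
            if should_alert(payload, e["process"], e["args"], expected_md5)]
```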