The hypothesis is that the detection rule identifies potential CredStealer malware activity by monitoring for suspicious credential extraction behaviors commonly associated with this threat. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and mitigate early-stage credential theft attempts before significant damage occurs.
YARA Rule
rule CredStealESY : For CredStealer
{
    meta:
        description = "Generic Rule to detect the CredStealer Malware"
        author = "IsecG – McAfee Labs"
        date = "2015/05/08"
    strings:
        // Registry path the malware reads to get the keyboard layout; `wide` means it must appear as UTF-16LE
        $my_hex_string = "CurrentControlSet\\Control\\Keyboard Layouts\\" wide
        // Byte sequence from the sample's specific decryption module
        $my_hex_string2 = {89 45 E8 3B 7D E8 7C 0F 8B 45 E8 05 FF 00 00 00 2B C7 89 45 E8}
    condition:
        $my_hex_string and $my_hex_string2
}
This YARA rule can be deployed in the following contexts:
This rule's detection logic uses two string patterns, and both must be present for a match: the UTF-16LE (`wide`) registry path string and the hex byte sequence from the decryption routine.
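To show what the two patterns and the `and` condition actually match, here is an added example that is not the page's or McAfee's own code: a small pure-Python re-implementation of the rule's matching semantics (UTF-16LE for `wide`, a parsed hex byte sequence, both required). The sample buffers are constructed for illustration and are not malware; production scanning should use YARA itself.

```python
"""Minimal re-implementation of the CredStealESY matching semantics.

Added example, not the rule author's code. It exists so the `wide` modifier
and the hex pattern can be exercised offline without the yara library.
"""
import re

# The two patterns copied from the rule above. The first carries the `wide`
# modifier, so it must occur as UTF-16LE; the second is a raw byte sequence.
WIDE_TEXT = "CurrentControlSet\\Control\\Keyboard Layouts\\"
HEX_PATTERN = "89 45 E8 3B 7D E8 7C 0F 8B 45 E8 05 FF 00 00 00 2B C7 89 45 E8"


def hex_pattern_to_regex(pattern: str) -> re.Pattern:
    """Convert a YARA-style hex string into a compiled bytes regex.

    Supports plain byte tokens and the `??` wildcard, which is enough for the
    rule above; it is a strict subset of YARA's hex-string grammar.
    """
    parts = []
    for token in pattern.split():
        if token == "??":
            parts.append(b".")
        elif re.fullmatch(r"[0-9A-Fa-f]{2}", token):
            parts.append(re.escape(bytes.fromhex(token)))
        else:
            raise ValueError(f"unsupported hex token: {token!r}")
    return re.compile(b"".join(parts), re.DOTALL)


def find_wide(data: bytes, text: str) -> list:
    """Offsets where `text` occurs encoded as UTF-16LE (YARA `wide`)."""
    needle = text.encode("utf-16-le")
    return [m.start() for m in re.finditer(re.escape(needle), data)]


def find_hex(data: bytes, pattern: str) -> list:
    """Offsets where the hex pattern occurs in `data`."""
    return [m.start() for m in hex_pattern_to_regex(pattern).finditer(data)]


def credsteal_matches(data: bytes) -> dict:
    """Evaluate the rule condition `$my_hex_string and $my_hex_string2`.

    Returns per-string offsets plus the verdict, which is what an analyst
    wants when triaging a hit: which pattern fired and where.
    """
    wide_hits = find_wide(data, WIDE_TEXT)
    hex_hits = find_hex(data, HEX_PATTERN)
    return {
        "my_hex_string": wide_hits,
        "my_hex_string2": hex_hits,
        "match": bool(wide_hits) and bool(hex_hits),
    }


# Constructed sample buffers (not real malware):
#   SAMPLE_BOTH       both patterns present -> rule fires
#   SAMPLE_ASCII_ONLY registry path in ASCII, which `wide` must NOT match
#   SAMPLE_WIDE_ONLY  registry path as UTF-16LE but no code bytes
HEX_BYTES = bytes.fromhex(HEX_PATTERN.replace(" ", ""))
SAMPLE_BOTH = b"\x00" * 16 + WIDE_TEXT.encode("utf-16-le") + b"\x90" * 8 + HEX_BYTES + b"\xcc" * 4
SAMPLE_ASCII_ONLY = WIDE_TEXT.encode("ascii") + HEX_BYTES
SAMPLE_WIDE_ONLY = b"MZ" + WIDE_TEXT.encode("utf-16-le")

if __name__ == "__main__":
    for name, buf in [("both", SAMPLE_BOTH), ("ascii_only", SAMPLE_ASCII_ONLY),
                      ("wide_only", SAMPLE_WIDE_ONLY)]:
        print(name, credsteal_matches(buf))
```

The ASCII-only buffer is the instructive case: the registry path is clearly there, yet the rule does not fire, because `wide` without `ascii` only matches the UTF-16LE form that Windows API string literals take in the binary.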
Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task runs a script that temporarily accesses credentials for system maintenance.
Filter/Exclusion: process.parent_process_name == "Task Scheduler" or process.command_line contains "schtasks.exe"
Scenario: Admin Performing Credential Dump for Forensic Analysis
Description: An administrator uses a tool like mimikatz to dump credentials for forensic investigation.
Filter/Exclusion: process.name == "mimikatz.exe" or user.account_name contains "admin"
Scenario: Automated Backup Job Accessing Credentials
Description: A backup tool like Veeam or Commvault accesses credentials during a scheduled backup process.
Filter/Exclusion: process.name contains "veeam" or process.name contains "commvault"
Scenario: PowerShell Script for User Account Management
Description: A PowerShell script run by an admin to manage user accounts, which may temporarily access credential stores.
Filter/Exclusion: process.name == "powershell.exe" and user.account_name contains "admin"
Scenario: Logon Script Execution
Description: A logon script runs on user login and accesses credentials as part of authentication or configuration.
Filter/Exclusion: process.name contains "logonscript" or event_id == 4624 (successful logon)
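The exclusion filters above are written in an informal `field == "value"` / `field contains "value"` form joined by `and` / `or`. The following added example (not part of the original page) is a small evaluator for exactly that form, run over constructed process events so an analyst can see which scenario would suppress a given event. Field names such as `process.name` and `user.account_name` are taken from the filters; the event records are assumptions built for illustration, and the `(successful logon)` remark from the last filter is dropped since it is a comment, not part of the expression.

```python
"""Evaluator for the page's exclusion filters. Added example, not page code."""
import re

# Filters copied from the scenarios above, keyed by scenario name.
FILTERS = {
    "Scheduled System Maintenance Task":
        'process.parent_process_name == "Task Scheduler" or process.command_line contains "schtasks.exe"',
    "Admin Performing Credential Dump for Forensic Analysis":
        'process.name == "mimikatz.exe" or user.account_name contains "admin"',
    "Automated Backup Job Accessing Credentials":
        'process.name contains "veeam" or process.name contains "commvault"',
    "PowerShell Script for User Account Management":
        'process.name == "powershell.exe" and user.account_name contains "admin"',
    "Logon Script Execution":
        'process.name contains "logonscript" or event_id == 4624',
}

# One comparison: <field> (== | contains) ("string" | integer)
_TERM = re.compile(
    r'(?P<field>[\w.]+)\s+(?P<op>==|contains)\s+(?:"(?P<str>[^"]*)"|(?P<num>\d+))'
)


def _eval_term(term: str, event: dict) -> bool:
    m = _TERM.fullmatch(term.strip())
    if not m:
        raise ValueError(f"cannot parse term: {term!r}")
    actual = event.get(m["field"])
    if actual is None:
        return False  # a missing field never satisfies an exclusion
    if m["num"] is not None:
        return m["op"] == "==" and actual == int(m["num"])
    expected = m["str"].lower()  # case-insensitive, as most SIEM string ops are
    actual = str(actual).lower()
    return actual == expected if m["op"] == "==" else expected in actual


def evaluate(filter_expr: str, event: dict) -> bool:
    """`and` binds tighter than `or`; no parentheses or quoted connectives
    appear in the filters above, so plain splitting is sufficient."""
    return any(
        all(_eval_term(t, event) for t in clause.split(" and "))
        for clause in filter_expr.split(" or ")
    )


def exclusions_for(event: dict) -> list:
    """Names of every scenario whose filter would suppress this event."""
    return [name for name, expr in FILTERS.items() if evaluate(expr, event)]


# Constructed events (process-creation style records; values are made up).
EVENT_BACKUP = {
    "process.name": "VeeamAgent.exe", "process.parent_process_name": "services.exe",
    "process.command_line": "VeeamAgent.exe --job nightly",
    "user.account_name": "svc_backup", "event_id": 4688,
}
EVENT_SYSADMIN_UNKNOWN = {
    "process.name": "update.exe", "process.parent_process_name": "explorer.exe",
    "process.command_line": "update.exe /silent",
    "user.account_name": "sysadmin", "event_id": 4688,
}
EVENT_JDOE_PS = {
    "process.name": "powershell.exe", "process.parent_process_name": "explorer.exe",
    "process.command_line": "powershell.exe -File report.ps1",
    "user.account_name": "jdoe", "event_id": 4688,
}

if __name__ == "__main__":
    for label, ev in [("backup", EVENT_BACKUP), ("sysadmin_unknown", EVENT_SYSADMIN_UNKNOWN),
                      ("jdoe_powershell", EVENT_JDOE_PS)]:
        print(label, "->", exclusions_for(ev) or "no exclusion applies")
```

Running this over the constructed events shows how far each filter reaches: the backup agent is suppressed only by the backup scenario, the PowerShell run by an ordinary user is not suppressed at all, and the unrecognised `update.exe` launched under `sysadmin` is suppressed by the forensic-dump scenario purely because of the `contains "admin"` clause, which is the kind of result worth reviewing before a filter goes live.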