Adversaries frequently compile their own DES routine into malware to encrypt a payload, configuration or command-and-control traffic without depending on the host's crypto libraries. A textbook DES implementation carries its permutation tables as constants, and this rule fingerprints one of them: the P-box, stored as 32-bit little-endian values (the "long" form). SOC teams and malware analysts can use it to triage samples that embed DES, but any legitimate program that statically links such an implementation will match too, so a hit is a lead for further analysis rather than a verdict.
YARA Rule
rule DES_pbox_long
{
    meta:
        author = "_pusher_"
        date = "2015-05"
        description = "DES [pbox] [long]"
    strings:
        $c0 = { 0F 00 00 00 06 00 00 00 13 00 00 00 14 00 00 00 1C 00 00 00 0B 00 00 00 1B 00 00 00 10 00 00 00 00 00 00 00 0E 00 00 00 16 00 00 00 19 00 00 00 04 00 00 00 11 00 00 00 1E 00 00 00 09 00 00 00 01 00 00 00 07 00 00 00 17 00 00 00 0D 00 00 00 1F 00 00 00 1A 00 00 00 02 00 00 00 08 00 00 00 12 00 00 00 0C 00 00 00 1D 00 00 00 05 00 00 00 }
    condition:
        $c0
}
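The following Python is an added example, not part of the rule set or of _pusher_'s work. It rebuilds $c0 from the standard DES P permutation (zero-based, packed as 32-bit little-endian integers), confirms the result is byte-identical to the rule, and scans three constructed buffers: one with the table as 32-bit values, one with the same table as bytes, and one with no DES material. It goes beyond the rule in one respect: pbox_pattern() can emit the full 32-entry table, whereas $c0 covers the first 28 entries. The sample buffers are constructed, not real malware; only the standard library is used.

```python
"""Rebuild the DES_pbox_long signature from the DES P permutation and scan with it.

Added example, not part of the original rule set or of _pusher_'s work.
Standard library only; the sample buffers are constructed, not real malware.
"""
import struct

# DES P permutation from FIPS 46-3, 1-based bit positions.
DES_P = [
    16, 7, 20, 21, 29, 12, 28, 17,
    1, 15, 23, 26, 5, 18, 31, 10,
    2, 8, 24, 14, 32, 27, 3, 9,
    19, 13, 30, 6, 22, 11, 4, 25,
]

# $c0 exactly as written in the rule; bytes.fromhex() skips the spaces.
RULE_C0 = bytes.fromhex(
    "0F 00 00 00 06 00 00 00 13 00 00 00 14 00 00 00 1C 00 00 00 0B 00 00 00 "
    "1B 00 00 00 10 00 00 00 00 00 00 00 0E 00 00 00 16 00 00 00 19 00 00 00 "
    "04 00 00 00 11 00 00 00 1E 00 00 00 09 00 00 00 01 00 00 00 07 00 00 00 "
    "17 00 00 00 0D 00 00 00 1F 00 00 00 1A 00 00 00 02 00 00 00 08 00 00 00 "
    "12 00 00 00 0C 00 00 00 1D 00 00 00 05 00 00 00"
)


def pbox_pattern(width: int = 4, count: int = 28) -> bytes:
    """Encode the first `count` P entries, zero-based, as little-endian
    integers of `width` bytes. The defaults reproduce $c0: the rule covers
    the first 28 of the 32 entries as 32-bit values (the "long" form)."""
    fmt = {1: "<B", 2: "<H", 4: "<I"}[width]
    return b"".join(struct.pack(fmt, p - 1) for p in DES_P[:count])


def yara_hex(pattern: bytes) -> str:
    """Render bytes in YARA hex-string syntax for comparison with the rule."""
    return "{ " + " ".join(f"{b:02X}" for b in pattern) + " }"


def scan(buf: bytes, pattern: bytes) -> list[int]:
    """All offsets of `pattern` in `buf`: the match list YARA reports for $c0."""
    hits, start = [], 0
    while (i := buf.find(pattern, start)) != -1:
        hits.append(i)
        start = i + 1
    return hits


# Constructed images: filler, then a DES P table in some encoding, then more filler.
SAMPLES = {
    # Textbook DES with the table as 32-bit ints: the case the rule targets.
    "des_dword": b"\x90" * 64 + pbox_pattern(4, 32) + b"\xcc" * 16,
    # Same table stored as bytes (e.g. uint8_t P[32]): invisible to this rule.
    "des_byte": b"\x90" * 64 + pbox_pattern(1, 32) + b"\xcc" * 16,
    # No DES material at all.
    "clean": bytes(range(256)),
}


def triage(samples: dict[str, bytes], pattern: bytes = RULE_C0) -> dict[str, list[int]]:
    """Map each sample name to its match offsets; an empty list means no alert."""
    return {name: scan(buf, pattern) for name, buf in samples.items()}


if __name__ == "__main__":
    assert pbox_pattern() == RULE_C0, "derived pattern must equal the rule's $c0"
    print(yara_hex(pbox_pattern(4, 32)))  # the full 32-entry form of the table
    for name, offsets in triage(SAMPLES).items():
        print(f"{name:10s} {'match at ' + str(offsets) if offsets else 'no match'}")
```

The "des_byte" sample is the coverage gap worth remembering: an implementation that stores P as bytes, or that folds it into precomputed S-box tables, does not carry the 112-byte run this rule looks for, so a clean scan is not evidence that a sample lacks DES.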
The rule contains a single string pattern, $c0: the zero-based DES P permutation, the first 28 of its 32 entries, encoded as 32-bit little-endian integers, and the condition fires on any occurrence of it. A 112-byte run of fixed table values is a specific indicator, but the rule misses DES code that stores the table as 8- or 16-bit values or that folds the permutation into precomputed S-box tables, as optimized implementations do. The rule can be deployed with the following tuning contexts:
These exclusions assume the rule runs through an EDR or memory-scanning agent that attaches process.name to each match; a plain file scan has no process context. A hit on any of these processes comes from a DES table inside the scanned image, not from the process's network activity, so before excluding a name, confirm the match sits at a stable offset in the vendor's signed binary and scope the exclusion to that path or signer: a bare process name is trivial for an adversary to reuse.
Scenario: Scheduled system backup using Veeam Backup & Replication
Filter/Exclusion: process.name != "vbm" AND process.name != "vpxa"
Rationale: Backup components that bundle their own crypto can match during backup jobs, and excluding the known processes reduces false positives. The clauses must be joined with AND: written as process.name != "vbm" OR process.name != "vpxa", the filter is true for every process and excludes nothing.
Scenario: Regular Windows Update or Group Policy synchronization task
Filter/Exclusion: process.name != "wuauclt.exe" AND process.name != "gpupdate.exe"
Rationale: These run during routine maintenance; a match comes from DES constants in the binary or a library it loads, not from their network activity, so verify the offset against the signed Microsoft image before excluding.
Scenario: Docker container or Kubernetes pod lifecycle management (docker or kubelet processes)
Filter/Exclusion: process.name != "docker" AND process.name != "kubelet"
Rationale: Container runtimes and node agents are large statically linked binaries that can carry cipher tables from their crypto dependencies; a match reflects those constants rather than orchestration behaviour.
Scenario: Log management tool such as Splunk or ELK Stack performing data ingestion
Filter/Exclusion: process.name != "splunkd" AND process.name != "logstash"
Rationale: These agents link crypto libraries for TLS and credential handling and may embed a DES table; the network activity of data collection is not what triggers the rule.
Scenario: Database backup or replication using MySQL or PostgreSQL
Filter/Exclusion: process.name != "mysqld" AND process.name != "pg_dump"
Rationale: Database binaries link crypto libraries for TLS and legacy encryption functions and may carry a DES table; routine maintenance traffic is not the trigger.
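The following Python is an added example for the tuning scenarios above, not from the original page. It evaluates three exclusion shapes over constructed hit records as an EDR might report them: the OR-joined form (name != a OR name != b), which is true for every process and so excludes nothing; the AND-joined form, which excludes by bare name and therefore also hides a binary that merely reuses a trusted name; and a stricter allow-list keyed on name, install path and signer. The hit records, paths and signer strings are all constructed.

```python
"""Evaluate process-name exclusions over constructed DES_pbox_long hits.

Added example for the tuning scenarios; not from the original page.
The hit records, paths and signer names are constructed for illustration.
"""
from typing import Callable

# Constructed matches as an EDR might report them: one record per process
# whose image matched DES_pbox_long.
HITS = [
    {"id": 1, "process.name": "splunkd", "path": "/opt/splunkforwarder/bin/splunkd", "signer": "Splunk Inc."},
    {"id": 2, "process.name": "logstash", "path": "/usr/share/logstash/bin/logstash", "signer": "Elastic"},
    # Adversary reusing a trusted name from an untrusted location, unsigned.
    {"id": 3, "process.name": "splunkd", "path": "/tmp/.cache/splunkd", "signer": None},
    {"id": 4, "process.name": "evil.bin", "path": "/tmp/evil.bin", "signer": None},
]

EXCLUDED_NAMES = {"splunkd", "logstash"}

# Constructed allow-list of (name, install directory, signer) triples.
KNOWN_GOOD = {
    ("splunkd", "/opt/splunkforwarder/bin/", "Splunk Inc."),
    ("logstash", "/usr/share/logstash/bin/", "Elastic"),
}

Predicate = Callable[[dict], bool]


def keep_or(hit: dict) -> bool:
    """Filter written as name != a OR name != b. A process cannot carry both
    names at once, so this is true for every hit and excludes nothing."""
    return hit["process.name"] != "splunkd" or hit["process.name"] != "logstash"


def keep_and(hit: dict) -> bool:
    """Corrected shape: name != a AND name != b, i.e. name not in the set.
    Excludes the intended processes, but also anything that borrows their name."""
    return hit["process.name"] not in EXCLUDED_NAMES


def keep_strict(hit: dict) -> bool:
    """Exclude only when name, install path and signer all match a known-good
    triple, so a renamed or relocated binary is still surfaced."""
    for name, prefix, signer in KNOWN_GOOD:
        if (hit["process.name"] == name
                and hit["path"].startswith(prefix)
                and hit["signer"] == signer):
            return False
    return True


def surviving_ids(hits: list[dict], keep: Predicate) -> list[int]:
    """Apply a keep-predicate and return the ids of hits that still alert."""
    return [h["id"] for h in hits if keep(h)]


if __name__ == "__main__":
    for label, pred in (("OR", keep_or), ("AND", keep_and), ("strict", keep_strict)):
        print(f"{label:6s} -> alerts on {surviving_ids(HITS, pred)}")
```

Run as written, the OR form alerts on all four hits, the AND form only on evil.bin, and the strict form on evil.bin plus the unsigned splunkd in /tmp, which is the outcome a tuned exclusion should produce.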