DiamondFox is a threat actor known for using custom malware and lateral movement techniques, so detecting its indicators in Azure Sentinel helps identify potential compromise. SOC teams should proactively hunt for DiamondFox activity to detect early-stage threats and prevent lateral movement within the network.
YARA Rule
rule diamond_fox
{
    meta:
        author = "Brian Wallace @botnet_hunter"
        author_email = "[email protected]"
        date = "2015-08-22"
        description = "Identify DiamondFox"
    strings:
        // Plain-text (ASCII, case-sensitive) tokens found in DiamondFox samples
        $s1 = "UPDATE_B"
        $s2 = "UNISTALL_B"   // spelled this way in the original rule
        $s3 = "S_PROTECT"
        $s4 = "P_WALLET"
        $s5 = "GR_COMMAND"
        $s6 = "FTPUPLOAD"
    condition:
        all of them   // every one of the six strings must be present
}
This rule relies on six string patterns and fires only when all of them are present in the scanned file or memory region, so a sample that lacks even one of the strings will not match. The scenarios below describe benign activity that may resemble the detection and the exclusions that can be applied to reduce false positives.
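The following is an added example, not part of the original page or of Brian Wallace's rule: a pure-Python check that mirrors the diamond_fox rule's string list and its "all of them" condition, so an analyst can see which strings a near-miss sample is missing without a YARA install. The sample buffers (FULL_SAMPLE, PARTIAL_SAMPLE, BENIGN_SAMPLE) are constructed for illustration and are not real DiamondFox binaries.

```python
"""
Added example (not from the original page or the rule's author): emulate the
diamond_fox YARA rule in plain Python. YARA matches these strings as
case-sensitive ASCII by default, which bytes.find() reproduces.
"""

# The six string patterns from the diamond_fox rule, keyed by identifier.
DIAMOND_FOX_STRINGS = {
    "$s1": b"UPDATE_B",
    "$s2": b"UNISTALL_B",   # spelled this way in the rule
    "$s3": b"S_PROTECT",
    "$s4": b"P_WALLET",
    "$s5": b"GR_COMMAND",
    "$s6": b"FTPUPLOAD",
}


def find_strings(data: bytes) -> dict:
    """Return {identifier: [offsets]} for every pattern found in data.

    Offsets are collected the way YARA reports string matches, so a
    hunting analyst can pivot to the location of each hit.
    """
    hits = {}
    for ident, pattern in DIAMOND_FOX_STRINGS.items():
        offsets = []
        start = 0
        while True:
            idx = data.find(pattern, start)
            if idx == -1:
                break
            offsets.append(idx)
            start = idx + 1
        if offsets:
            hits[ident] = offsets
    return hits


def diamond_fox_matches(data: bytes) -> bool:
    """Equivalent of the rule's condition: 'all of them'."""
    return len(find_strings(data)) == len(DIAMOND_FOX_STRINGS)


def missing_strings(data: bytes) -> list:
    """Identifiers the rule still needs before it would fire on this data.

    Useful when triaging a near-miss: a variant that dropped or renamed one
    command string will not match, and this shows which one.
    """
    found = find_strings(data)
    return [ident for ident in DIAMOND_FOX_STRINGS if ident not in found]


# Constructed sample buffers (illustrative only, not real malware).
FULL_SAMPLE = b"\x00MZ" + b"|".join(DIAMOND_FOX_STRINGS.values()) + b"\x00"
PARTIAL_SAMPLE = FULL_SAMPLE.replace(b"FTPUPLOAD", b"FTP_SEND")
BENIGN_SAMPLE = b"UPDATE_B is also a plausible token in an unrelated installer"

if __name__ == "__main__":
    for name, buf in [("full", FULL_SAMPLE),
                      ("partial", PARTIAL_SAMPLE),
                      ("benign", BENIGN_SAMPLE)]:
        verdict = "match" if diamond_fox_matches(buf) else "no match"
        print(f"{name}: {verdict}; missing {missing_strings(buf)}")
```

To run the real rule against the same buffers, compile it with yara-python (`yara.compile(source=...)` followed by `.match(data=buf)`) and compare the matched string identifiers with `find_strings`; the two should agree for these ASCII patterns.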
Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task runs DiamondFox as part of a system cleanup or update process.
Filter/Exclusion: Exclude processes initiated by the Windows Task Scheduler with a known maintenance task name (e.g., CleanupTask.exe or UpdateService.exe).
Scenario: Admin Performing Disk Cleanup
Description: An administrator uses a tool like Disk Cleanup or CCleaner that may invoke similar process names or behaviors.
Filter/Exclusion: Exclude processes running under a known admin account (e.g., Administrator) or with a specific command-line argument related to disk cleanup (e.g., /clean or /delete).
Scenario: Antivirus or Endpoint Protection Scan
Description: A legitimate antivirus tool (e.g., Bitdefender, Kaspersky) or endpoint protection software may temporarily use a process name similar to DiamondFox during a scan.
Filter/Exclusion: Exclude processes that match known antivirus tool names or run from their installation directories (e.g., C:\Program Files\Bitdefender\).
Scenario: Software Deployment via SCCM
Description: A Software Center or Configuration Manager (SCCM) deployment may trigger a process with a similar name during package installation.
Filter/Exclusion: Exclude processes initiated by SCCM services (e.g., SMS Executive or CCMExec) or running from SCCM deployment paths (e.g., C:\Windows\CCM\).
Scenario: Custom Script or Tool for Log Analysis
Description: A custom script or tool (e.g., LogParser, PowerShell script) may use a similar name for log analysis or data processing.
Filter/Exclusion: Exclude processes with a known script path or command-line
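The following is an added example, not part of the original page: it encodes the five exclusion scenarios above as structured allow-list entries and evaluates them against constructed process-creation events, so the effect of each exclusion can be reviewed before it is written into a hunting query. Every criterion listed on an entry must hold for it to apply, which makes a path-plus-parent exclusion stricter than a bare process name. The event field names, the svchost.exe parent for scheduled tasks, the CcmExec.exe parent for SCCM, the C:\Scripts\LogAnalysis\ path for the truncated fifth scenario, and all sample events are assumptions for illustration.

```python
"""
Added example (not from the original page): evaluate the page's exclusion
scenarios against constructed process events. Field names and sample values
are assumptions; adapt them to the telemetry schema in use.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class ProcessEvent:
    process_name: str
    image_path: str
    parent_process: str
    account: str
    command_line: str


@dataclass(frozen=True)
class Exclusion:
    """One benign scenario. Every non-empty criterion must hold."""
    name: str
    process_names: Tuple[str, ...] = ()
    parent_processes: Tuple[str, ...] = ()
    image_path_prefixes: Tuple[str, ...] = ()
    accounts: Tuple[str, ...] = ()
    command_line_flags: Tuple[str, ...] = ()

    def applies(self, ev: ProcessEvent) -> bool:
        checks: List[bool] = []
        if self.process_names:
            checks.append(ev.process_name.lower() in {n.lower() for n in self.process_names})
        if self.parent_processes:
            checks.append(ev.parent_process.lower() in {p.lower() for p in self.parent_processes})
        if self.image_path_prefixes:
            checks.append(any(ev.image_path.lower().startswith(p.lower())
                              for p in self.image_path_prefixes))
        if self.accounts:
            checks.append(ev.account.lower() in {a.lower() for a in self.accounts})
        if self.command_line_flags:
            tokens = ev.command_line.lower().split()
            checks.append(any(f.lower() in tokens for f in self.command_line_flags))
        return bool(checks) and all(checks)


EXCLUSIONS = [
    # Scenario 1: task name from the page; svchost.exe as the Task Scheduler
    # service host is an assumption about the telemetry's parent field.
    Exclusion("Scheduled maintenance task",
              process_names=("CleanupTask.exe", "UpdateService.exe"),
              parent_processes=("svchost.exe",)),
    # Scenario 2: the page offers account OR flag; both are required here.
    Exclusion("Admin disk cleanup",
              accounts=("Administrator",),
              command_line_flags=("/clean", "/delete")),
    # Scenario 3: anchor on the install directory rather than the tool name.
    Exclusion("Endpoint protection scan",
              image_path_prefixes=("C:\\Program Files\\Bitdefender\\",)),
    # Scenario 4: SCCM client service as parent plus the deployment path.
    Exclusion("SCCM deployment",
              parent_processes=("CcmExec.exe",),
              image_path_prefixes=("C:\\Windows\\CCM\\",)),
    # Scenario 5: the page's sentence is cut off; this path is a placeholder.
    Exclusion("Custom log analysis script",
              image_path_prefixes=("C:\\Scripts\\LogAnalysis\\",)),
]


def matching_exclusion(ev: ProcessEvent) -> Optional[str]:
    """Name of the first exclusion that silences this event, or None."""
    for ex in EXCLUSIONS:
        if ex.applies(ev):
            return ex.name
    return None


def triage(events: List[ProcessEvent]) -> List[Tuple[ProcessEvent, Optional[str]]]:
    """Pair each event with the exclusion that would suppress it (or None)."""
    return [(ev, matching_exclusion(ev)) for ev in events]


# Constructed sample events (illustrative only).
EVENTS = [
    ProcessEvent("avscan.exe", "C:\\Program Files\\Bitdefender\\avscan.exe",
                 "services.exe", "SYSTEM", "avscan.exe /full"),
    ProcessEvent("setup.exe", "C:\\Windows\\CCM\\setup.exe",
                 "CcmExec.exe", "SYSTEM", "setup.exe /quiet"),
    ProcessEvent("cleanmgr.exe", "C:\\Windows\\System32\\cleanmgr.exe",
                 "explorer.exe", "Administrator", "cleanmgr.exe /clean"),
    # Same file name as the maintenance task, but a user-writable path and an
    # interactive parent: no exclusion should silence this one.
    ProcessEvent("CleanupTask.exe", "C:\\Users\\jdoe\\Downloads\\CleanupTask.exe",
                 "explorer.exe", "jdoe", "CleanupTask.exe"),
]

if __name__ == "__main__":
    for ev, reason in triage(EVENTS):
        print(f"{ev.image_path}: {'excluded by ' + reason if reason else 'KEEP'}")
```

The last event shows why each entry combines criteria: a file that merely reuses a maintenance task's name is still surfaced because its parent and path do not match the scenario, whereas a name-only exclusion would have hidden it.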