The hunting hypothesis is that this detection identifies deployment of a newer variant of the "drive" DDoS malware (the DirtJumper drive2 family targeted by the rule below), which may behave differently from the known versions. A SOC team should proactively hunt for this activity in Azure Sentinel so that an emerging variant is detected and contained before it causes widespread disruption.
YARA Rule
rule DirtJumper_drive2
{
    meta:
        author = "Jason Jones <[email protected]>"
        date = "2013-08-26"
        description = "Identify newer version of drive DDoS malware"
        source = "https://github.com/arbor/yara/blob/master/drive2.yara"

    strings:
        $cmd1 = "-get" fullword
        $cmd2 = "-ip" fullword
        $cmd3 = "-ip2" fullword
        $cmd4 = "-post1" fullword
        $cmd5 = "-post2" fullword
        $cmd6 = "-udp" fullword
        $str1 = "login=[1000]&pass=[1000]&password=[50]&log=[50]&passwrd=[50]&user=[50]&username=[50]&vb_login_username=[50]&vb_login_md5password=[50]"
        $str2 = "-timeout" fullword
        $str3 = "-thread" fullword
        $str4 = " Local; ru) Presto/2.10.289 Version/"
        $str5 = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT"
        $newver1 = "-icmp"
        $newver2 = "-byte"
        $newver3 = "-long"
        $newver4 = "<xmp>"

    condition:
        4 of ($cmd*) and all of ($str*) and all of ($newver*)
}
This rule can be loaded into any YARA-compatible scanner (file, endpoint or memory scanning). Its detection logic uses 15 string patterns in three groups: six attack command-line switches ($cmd1 to $cmd6, matched as whole words), five strings characteristic of the drive family ($str1 to $str5, including the form-field template and the two User-Agent fragments), and four strings that only the newer version carries ($newver1 to $newver4). The condition requires at least four of the command switches, all five family strings and all four new-version strings, so older builds that lack the -icmp/-byte/-long/<xmp> strings do not fire this rule.
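To make the condition logic concrete, the following is an added example (written for this page, not part of the Arbor rule file or of YARA itself) that re-implements the rule's string groups, the fullword modifier and the "4 of ($cmd*) and all of ($str*) and all of ($newver*)" condition in plain Python, then evaluates it against three constructed byte buffers: one that looks like the newer variant, one that lacks the new-version strings, and one where the command switches are embedded in longer tokens so that fullword does not match. In production you would run the rule with YARA (or yara-python) rather than this re-implementation; the fullword approximation here treats ASCII letters and digits as word characters, which is the behaviour the YARA documentation describes.

```python
"""Plain-Python re-implementation of the DirtJumper_drive2 condition.

Added example for illustration only: it mirrors the rule's logic so the
grouping and the fullword modifier can be seen in action. It is not the
Arbor rule file and not a substitute for running the rule in YARA.
"""
import re
from typing import Dict

# (pattern, fullword) pairs copied from the rule's strings section.
CMD = {
    "cmd1": (b"-get", True),
    "cmd2": (b"-ip", True),
    "cmd3": (b"-ip2", True),
    "cmd4": (b"-post1", True),
    "cmd5": (b"-post2", True),
    "cmd6": (b"-udp", True),
}
STR = {
    "str1": (b"login=[1000]&pass=[1000]&password=[50]&log=[50]&passwrd=[50]&user=[50]"
             b"&username=[50]&vb_login_username=[50]&vb_login_md5password=[50]", False),
    "str2": (b"-timeout", True),
    "str3": (b"-thread", True),
    "str4": (b" Local; ru) Presto/2.10.289 Version/", False),
    "str5": (b"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT", False),
}
NEWVER = {
    "newver1": (b"-icmp", False),
    "newver2": (b"-byte", False),
    "newver3": (b"-long", False),
    "newver4": (b"<xmp>", False),
}


def _compile(pattern: bytes, fullword: bool) -> re.Pattern:
    """Build a regex for one rule string; fullword means no ASCII
    alphanumeric byte may sit directly before or after the match."""
    body = re.escape(pattern)
    if fullword:
        body = rb"(?<![A-Za-z0-9])" + body + rb"(?![A-Za-z0-9])"
    return re.compile(body)


def find_matches(data: bytes) -> Dict[str, bool]:
    """Return {identifier: matched} for every string in the rule."""
    result: Dict[str, bool] = {}
    for group in (CMD, STR, NEWVER):
        for ident, (pattern, fullword) in group.items():
            result[ident] = _compile(pattern, fullword).search(data) is not None
    return result


def condition(data: bytes) -> bool:
    """Evaluate: 4 of ($cmd*) and all of ($str*) and all of ($newver*)."""
    m = find_matches(data)
    cmd_hits = sum(m[i] for i in CMD)          # "4 of" == at least four
    return cmd_hits >= 4 and all(m[i] for i in STR) and all(m[i] for i in NEWVER)


# Constructed test buffers (not real malware samples): NUL-separated strings
# laid out the way they would sit in a binary's data section.
_FAMILY = b"\x00".join([
    STR["str1"][0], b"-timeout", b"-thread", STR["str4"][0], STR["str5"][0],
])
_NEW_STRINGS = [b"-icmp", b"-byte", b"-long", b"<xmp>"]

# Four whole-word command switches + family strings + new-version strings.
SAMPLE_NEW_VARIANT = b"\x00".join(
    [b"-get", b"-ip", b"-post1", b"-udp", _FAMILY] + _NEW_STRINGS)
# Same, but without the four strings only the newer version carries.
SAMPLE_OLD_VARIANT = b"\x00".join([b"-get", b"-ip", b"-post1", b"-udp", _FAMILY])
# "-getx" and "-ipaddr" contain "-get"/"-ip" but are NOT fullword matches,
# so only two command switches count and the rule must not fire.
SAMPLE_FULLWORD_MISS = b"\x00".join(
    [b"-getx", b"-ipaddr", b"-post1", b"-udp", _FAMILY] + _NEW_STRINGS)


if __name__ == "__main__":
    for name, buf in [("new variant", SAMPLE_NEW_VARIANT),
                      ("old variant", SAMPLE_OLD_VARIANT),
                      ("fullword miss", SAMPLE_FULLWORD_MISS)]:
        print(f"{name:14s} -> DirtJumper_drive2 fires: {condition(buf)}")
```

The third buffer is the instructive one: a substring-only match would count "-getx" and "-ipaddr" as $cmd1 and $cmd2 and push the command group over the "4 of" threshold, whereas the fullword modifier keeps short switches such as "-ip" from matching inside unrelated tokens, which is exactly why the rule applies it to the command strings but not to the longer, more specific $str1, $str4 and $str5 patterns.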
Scenario: A system administrator is performing a routine disk cleanup using Disk Cleanup (Windows) or rm -rf in a Linux environment.
Filter/Exclusion: Exclude processes associated with cleanmgr.exe (Windows) or rm/sh with specific command-line arguments used in scheduled maintenance tasks.
Scenario: A backup job is running using Veeam Backup & Replication or Commvault to archive old data.
Filter/Exclusion: Exclude processes related to backup tools (e.g., veeam.exe, cvbackup.exe) or specific file paths used by backup solutions.
Scenario: A developer is using PowerShell to automate file system operations, such as copying or moving large volumes of data.
Filter/Exclusion: Exclude PowerShell scripts that match known administrative or development tooling patterns, or filter by user account (e.g., NT AUTHORITY\SYSTEM).
Scenario: A system update or patching task is executed using WSUS (Windows Server Update Services) or Ansible automation.
Filter/Exclusion: Exclude processes associated with update tools (e.g., wusa.exe, ansible) or filter by known update-related file paths.
Scenario: A log rotation or data retention task is being handled by logrotate (Linux) or Event Viewer (Windows).
Filter/Exclusion: Exclude processes related to log management tools (e.g., logrotate, eventvwr.exe) or filter by specific log file paths or retention policies.