The DownExecute_A rule detects potential adversary behavior involving the execution of malicious payloads downloaded from external sources, indicating possible initial compromise or lateral movement. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage threats before they escalate.
YARA Rule
rule DownExecute_A
{
    meta:
        Author = "PwC Cyber Threat Operations :: @tlansec"
        Date = "2015/04/27"
        Description = "Malware is often wrapped/protected, best to run on memory"
        Reference = "http://pwc.blogs.com/cyber_security_updates/2015/04/attacks-against-israeli-palestinian-interests.html"

    strings:
        $winver1 = "win 8.1"
        $winver2 = "win Server 2012 R2"
        $winver3 = "win Srv 2012"
        $winver4 = "win srv 2008 R2"
        $winver5 = "win srv 2008"
        $winver6 = "win vsta"
        $winver7 = "win srv 2003 R2"
        $winver8 = "win hm srv"
        $winver9 = "win Strg srv 2003"
        $winver10 = "win srv 2003"
        $winver11 = "win XP prof x64 edt"
        $winver12 = "win XP"
        $winver13 = "win 2000"

        $pdb1 = "D:\\Acms\\2\\docs\\Visual Studio 2013\\Projects\\DownloadExcute\\DownloadExcute\\Release\\DownExecute.pdb"
        $pdb2 = "d:\\acms\\2\\docs\\visual studio 2013\\projects\\downloadexcute\\downloadexcute\\downexecute\\json\\rapidjson\\writer.h"
        $pdb3 = ":\\acms\\2\\docs\\visual studio 2013\\projects\\downloadexcute\\downloadexcute\\downexecute\\json\\rapidjson\\internal/stack.h"
        $pdb4 = "\\downloadexcute\\downexecute\\"

        $magic1 = "<Win Get Version Info Name Error"
        $magic2 = "P@$sw0rd$nd"
        $magic3 = "$t@k0v2rF10w"
        $magic4 = "|*|123xXx(Mutex)xXx321|*|6-21-2014-03:06PM" wide

        $str1 = "Download Excute" ascii wide fullword
        $str2 = "EncryptorFunctionPointer %d"
        $str3 = "%s\\%s.lnk"
        $str4 = "Mac:%s-Cpu:%s-HD:%s"
        $str5 = "feed back responce of host"
        $str6 = "GET Token at host"
        $str7 = "dwn md5 err"

    condition:
        all of ($winver*) or any of ($pdb*) or any of ($magic*) or 2 of ($str*)
}
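To see how the condition above behaves on real input, here is an added example (it is not part of the original rule or of PwC's tooling) that re-implements in plain Python only the YARA semantics this rule uses: ascii, wide (UTF-16LE) and fullword string matching, and the all-of / any-of / 2-of counting in the condition. The sample buffers are constructed for the demonstration, not real malware.

```python
import re

# String sets of the DownExecute_A rule above as (text, YARA modifiers).
WINVER = [(s, "ascii") for s in (
    "win 8.1", "win Server 2012 R2", "win Srv 2012", "win srv 2008 R2",
    "win srv 2008", "win vsta", "win srv 2003 R2", "win hm srv", "win Strg srv 2003",
    "win srv 2003", "win XP prof x64 edt", "win XP", "win 2000")]
PDB = [(s, "ascii") for s in (
    r"D:\Acms\2\docs\Visual Studio 2013\Projects\DownloadExcute\DownloadExcute\Release\DownExecute.pdb",
    r"d:\acms\2\docs\visual studio 2013\projects\downloadexcute\downloadexcute\downexecute\json\rapidjson\writer.h",
    r":\acms\2\docs\visual studio 2013\projects\downloadexcute\downloadexcute\downexecute\json\rapidjson\internal/stack.h",
    "\\downloadexcute\\downexecute\\")]
MAGIC = [("<Win Get Version Info Name Error", "ascii"), ("P@$sw0rd$nd", "ascii"),
         ("$t@k0v2rF10w", "ascii"), ("|*|123xXx(Mutex)xXx321|*|6-21-2014-03:06PM", "wide")]
STR = [("Download Excute", "ascii wide fullword"), ("EncryptorFunctionPointer %d", "ascii"),
       (r"%s\%s.lnk", "ascii"), ("Mac:%s-Cpu:%s-HD:%s", "ascii"), ("dwn md5 err", "ascii"),
       ("feed back responce of host", "ascii"), ("GET Token at host", "ascii")]

def patterns(text, mods):
    """Byte regexes YARA would search for one string definition and its modifiers."""
    mods = mods.split()
    forms = []
    if "ascii" in mods or "wide" not in mods:  # ascii is implied unless only "wide" is given
        forms.append((rb"[A-Za-z0-9]", text.encode()))
    if "wide" in mods:  # UTF-16LE: every char is followed by NUL, so the boundary class is 2 bytes
        forms.append((rb"[A-Za-z0-9]\x00", text.encode("utf-16le")))
    out = []
    for boundary, raw in forms:
        pat = re.escape(raw)
        if "fullword" in mods:  # no alphanumeric directly before or after the hit
            pat = rb"(?<!" + boundary + rb")" + pat + rb"(?!" + boundary + rb")"
        out.append(re.compile(pat))
    return out

def matched(group, data):
    """Number of string definitions in a group that hit at least once in data."""
    return sum(any(p.search(data) for p in patterns(t, m)) for t, m in group)

def down_execute_a(data):
    """all of ($winver*) or any of ($pdb*) or any of ($magic*) or 2 of ($str*)"""
    return (matched(WINVER, data) == len(WINVER) or matched(PDB, data) >= 1
            or matched(MAGIC, data) >= 1 or matched(STR, data) >= 2)
# Constructed sample buffers (not real malware), one per branch of the condition.
SAMPLES = {
    "two_str": b"...dwn md5 err...GET Token at host...",              # 2 of $str*: hit
    "pdb_fragment": b"\x00\\downloadexcute\\downexecute\\x.pdb\x00",  # any of $pdb*: hit
    "mutex_ascii": b"|*|123xXx(Mutex)xXx321|*|6-21-2014-03:06PM",     # $magic4 is wide-only: miss
    "mutex_wide": "|*|123xXx(Mutex)xXx321|*|6-21-2014-03:06PM".encode("utf-16le"),  # hit
    "not_fullword": b"XDownload ExcuteX feed back responce of host",  # $str1 not fullword: 1 of 7, miss
}
```

Running `down_execute_a` over each entry of `SAMPLES` shows why a single `$str` hit, or the mutex string stored as plain ASCII, never fires the rule.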
This rule contains 28 string patterns in its detection logic (13 $winver, 4 $pdb, 4 $magic and 7 $str strings). When the rule is deployed, the following legitimate scenarios may trigger it; each lists a filter or exclusion to reduce false positives:
Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task using schtasks.exe or Task Scheduler runs a script or executable that matches the YARA rule.
Filter/Exclusion: Check for CommandLine containing schtasks.exe or Task Scheduler and exclude based on the task name or scheduled time.
Scenario: Admin Performing Software Installation
Description: An administrator uses msiexec.exe or setup.exe to install a legitimate software package, which may trigger the rule due to similar string patterns.
Filter/Exclusion: Filter by ProcessName being msiexec.exe or setup.exe and check the command line for known installer arguments.
Scenario: PowerShell Script Execution
Description: A PowerShell script (e.g., powershell.exe -Command) is run by an admin to automate a system update or configuration change, which may match the YARA rule.
Filter/Exclusion: Filter by ProcessName being powershell.exe and check for -Command or -File arguments pointing to known admin scripts.
Scenario: Antivirus or Endpoint Protection Scan
Description: A legitimate antivirus tool (e.g., avgscan.exe, mcafee.exe, or bitdefender.exe) runs a scan and triggers the rule due to similar file or command patterns.
Filter/Exclusion: Filter by ProcessName matching known antivirus executables and exclude based on the scan type or command line arguments.
Scenario: Database Backup Job
Description: A database backup job (e.g., using sqlbackup.exe or mysqldump.exe) runs and matches the YARA rule due to similar string patterns.
Filter/Exclusion: Filter by ProcessName being `sqlbackup