dubseven file set

Hunt Hypothesis

Adversaries may be using a specific file set to establish persistence or exfiltrate data, as indicated by the YARA rule dubseven_file_set. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential compromise early and prevent lateral movement or data theft.

YARA Rule

rule dubseven_file_set
{
    
    meta:
        author = "Matt Brooks, @cmatthewbrooks"
        desc = "Searches for service files loading UP007"
    
    strings:
        $file1 = "\\Microsoft\\Internet Explorer\\conhost.exe"
        $file2 = "\\Microsoft\\Internet Explorer\\dll2.xor"
        $file3 = "\\Microsoft\\Internet Explorer\\HOOK.DLL"
        $file4 = "\\Microsoft\\Internet Explorer\\main.dll"
        $file5 = "\\Microsoft\\Internet Explorer\\nvsvc.exe"
        $file6 = "\\Microsoft\\Internet Explorer\\SBieDll.dll"
        $file7 = "\\Microsoft\\Internet Explorer\\mon"
        $file8 = "\\Microsoft\\Internet Explorer\\runas.exe"
        
    condition:
        //MZ header //PE signature //Just a few of these as they differ

        uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and 3 of ($file*)
}

Deployment Notes

This YARA rule can be deployed in the following contexts:

• Microsoft Defender for Endpoint — Custom indicators / advanced hunting
• Email Gateway — Attachment scanning
• File Share Monitoring — Periodic scanning of shared drives
• YARA CLI — Manual threat hunting on endpoints

This rule contains 8 string patterns in its detection logic.

• Source Rule

False Positive Guidance

• Scenario: System update or patch deployment using WSUS (Windows Server Update Services)
  Filter/Exclusion: Check for presence of wsus or update in the file path, or filter files with known update hashes.

• Scenario: Scheduled backup job using Veeam Backup & Replication
  Filter/Exclusion: Exclude files with paths containing Veeam or backup, or filter based on file extensions like .vbk or .vib.

• Scenario: Admin task involving PowerShell scripting for system configuration
  Filter/Exclusion: Filter files with .ps1 extensions or check for presence of powershell.exe in the command line context.

• Scenario: Log file rotation or management using Logrotate on Linux systems
  Filter/Exclusion: Exclude files with .log extensions or filter based on file names containing logrotate or rotate.

• Scenario: Temporary file creation during software installation using Chocolatey package manager
  Filter/Exclusion: Filter files with temporary file names (e.g., *.tmp, *.bak) or check for presence of choco in the command line.