The ElfHash detection rule identifies potential adversary activity by monitoring for unusual hash patterns that may indicate malicious file execution or data exfiltration. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect early-stage threats that evade traditional signature-based detection methods.
YARA Rule
rule Elf_Hash {
    meta:
        author = "_pusher_"
        description = "Look for ElfHash"
        date = "2015-06"
        version = "0.3"
    strings:
        $c0 = { 53 56 33 C9 8B DA 4B 85 DB 7C 25 43 C1 E1 04 33 D2 8A 10 03 CA 8B D1 81 E2 00 00 00 F0 85 D2 74 07 8B F2 C1 EE 18 33 CE F7 D2 23 CA 40 4B 75 DC 8B C1 5E 5B C3 }
        $c1 = { 53 33 D2 85 C0 74 2B EB 23 C1 E2 04 81 E1 FF 00 00 00 03 D1 8B CA 81 E1 00 00 00 F0 85 C9 74 07 8B D9 C1 EB 18 33 D3 F7 D1 23 D1 40 8A 08 84 C9 75 D7 8B C2 5B C3 }
        $c2 = { 53 56 33 C9 8B D8 85 D2 76 23 C1 E1 04 33 C0 8A 03 03 C8 8B C1 25 00 00 00 F0 85 C0 74 07 8B F0 C1 EE 18 33 CE F7 D0 23 C8 43 4A 75 DD 8B C1 5E 5B C3 }
        $c3 = { 53 56 57 8B F2 8B D8 8B FB 53 E8 ?? ?? ?? ?? 6B C0 02 71 05 E8 ?? ?? ?? ?? 8B D7 33 C9 8B D8 83 EB 01 71 05 E8 ?? ?? ?? ?? 85 DB 7C 2C 43 C1 E1 04 0F B6 02 03 C8 71 05 E8 ?? ?? ?? ?? 83 C2 01 B8 00 00 00 F0 23 C1 85 C0 74 07 8B F8 C1 EF 18 33 CF F7 D0 23 C8 4B 75 D5 8B C1 99 F7 FE 8B C2 85 C0 7D 09 03 C6 71 05 E8 ?? ?? ?? ?? 5F 5E 5B C3 }
        $c4 = { 53 33 D2 EB 2C 8B D9 80 C3 BF 80 EB 1A 73 03 80 C1 20 C1 E2 04 81 E1 FF 00 00 00 03 D1 8B CA 81 E1 00 00 00 F0 8B D9 C1 EB 18 33 D3 F7 D1 23 D1 40 8A 08 84 C9 75 CE 8B C2 5B C3 }
        $c5 = { 89 C2 31 C0 85 D2 74 30 2B 42 FC 74 2B 89 C1 29 C2 31 C0 53 0F B6 1C 11 01 C3 8D 04 1B C1 EB 14 8D 04 C5 00 00 00 00 81 E3 00 0F 00 00 31 D8 83 C1 01 75 E0 C1 E8 04 5B C3 }
        $c6 = { 53 33 D2 85 C0 74 38 EB 30 8B D9 80 C3 BF 80 EB 1A 73 03 80 C1 20 C1 E2 04 81 E1 FF 00 00 00 03 D1 8B CA 81 E1 00 00 00 F0 85 C9 74 07 8B D9 C1 EB 18 33 D3 F7 D1 23 D1 40 8A 08 84 C9 75 CA 8B C2 5B C3 }
    condition:
        any of them
}
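The hex strings in the rule are x86 opcode sequences of compiled ElfHash routines (the SysV ELF symbol-table hash, also known as the PJW hash). The following Python reimplementation of that algorithm is an added example, not part of the rule or of its author's material; the opcode comments refer to the bytes of $c0 above, and the test values are constructed here.

```python
# Added example: pure-Python ElfHash, the algorithm whose compiled x86 form
# the YARA strings fingerprint. Each step is annotated with the matching
# instruction bytes from $c0 (ecx holds h, edx holds g, eax walks the input).

MASK32 = 0xFFFFFFFF        # the routine works in 32-bit registers
HIGH_NIBBLE = 0xF0000000   # operand of `81 E2 00 00 00 F0` (and edx, 0F0000000h)


def elf_hash(name: bytes) -> int:
    """Return the ElfHash of `name` as the compiled routine would compute it."""
    h = 0                                  # 33 C9             xor ecx, ecx
    for c in name:                         # 8A 10 / 40 / 4B   mov dl,[eax]; inc eax; dec ebx
        # After the mask below h < 2^28, so the shift cannot overflow 32 bits;
        # the mask is kept only to mirror the register width exactly.
        h = ((h << 4) + c) & MASK32        # C1 E1 04 / 03 CA  shl ecx,4; add ecx,edx
        g = h & HIGH_NIBBLE                # 8B D1 / 81 E2 ..  mov edx,ecx; and edx,0F0000000h
        if g:                              # 85 D2 / 74 07     test edx,edx; jz skip
            h ^= g >> 24                   # 8B F2 C1 EE 18 33 CE  mov esi,edx; shr esi,24; xor ecx,esi
        h &= ~g & MASK32                   # F7 D2 / 23 CA     not edx; and ecx,edx
    return h                               # 8B C1             mov eax, ecx


def sysv_bucket(name: bytes, nbucket: int) -> int:
    """Bucket index a SysV .hash section would use for `name` (nbucket > 0)."""
    return elf_hash(name) % nbucket


if __name__ == "__main__":
    # Constructed inputs: short names stay below the fold, a longer one hits it.
    for sample in (b"", b"a", b"abc", b"aaaaaaaa"):
        print(f"{sample!r:>12} -> 0x{elf_hash(sample):08x}")
```

Because the high nibble is folded back and cleared on every iteration, the result always fits in 28 bits, which is why all the patterns above end with the `not`/`and` pair rather than a plain mask.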
This YARA rule can be deployed in the following contexts:
This rule contains 7 string patterns in its detection logic.
Scenario: A system update or patching tool generates temporary files with ElfHash signatures during installation.
Filter/Exclusion: Exclude files created by known update tools like WSUS, PatchManager, or Ansible during scheduled maintenance windows.

Scenario: A developer uses a static code analysis tool (e.g., SonarQube, Clang, or Prettier) that generates temporary files with ElfHash artifacts.
Filter/Exclusion: Exclude files with known temporary file patterns or those generated by specific tools like clang-format or SonarLint.

Scenario: A scheduled backup job (e.g., Veeam, Commvault, or rsync) processes files and leaves temporary ElfHash artifacts in the backup directory.
Filter/Exclusion: Exclude files in known backup directories or those generated by backup tools like VeeamBackup or rsync.

Scenario: An admin runs a system diagnostic or integrity check tool (e.g., Sysinternals Process Explorer, Process Monitor, or Windows Defender) which may temporarily generate ElfHash-related files.
Filter/Exclusion: Exclude files created by tools like Procmon.exe, Process Explorer, or Windows Defender.

Scenario: A container orchestration tool (e.g., Kubernetes, Docker, or Kubelet) generates ElfHash artifacts during image pull or container runtime operations.
Filter/Exclusion: Exclude files related to container runtime or image pull operations, such as those in /var/lib/docker or under kubelet logs.