The ‘EmiratesStatement’ rule detects potential indicators of compromise linked to the Emirates threat group, which may be used to compromise infrastructure through malicious files or emails. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage threats from this adversary before significant damage occurs.
YARA Rule
rule EmiratesStatement
{
    meta:
        Author = "Christiaan Beek"
        Date = "2013-06-30"
        Description = "Credentials Stealing Attack"
        Reference = "https://blogs.mcafee.com/mcafee-labs/targeted-campaign-steals-credentials-in-gulf-states-and-caribbean"
        hash0 = "0e37b6efe5de1cc9236017e003b1fc37"
        hash1 = "a28b22acf2358e6aced43a6260af9170"
        hash2 = "6f506d7adfcc2288631ed2da37b0db04"
        hash3 = "8aebade47dc1aa9ac4b5625acf5ade8f"

    strings:
        $string0 = "msn.klm"
        $string1 = "wmsn.klm"
        $string2 = "bms.klm"

    condition:
        all of them
}
This rule contains 3 string patterns in its detection logic.
Scenario: Legitimate scheduled backup job using Veeam
Description: A scheduled backup task using Veeam may generate files with similar characteristics to those detected by the EmiratesStatement rule due to file naming patterns or content.
Filter/Exclusion: Check for the presence of Veeam in the process name or file path, or filter by file extensions like .vib or .vbk associated with Veeam backups.
Scenario: System update via Microsoft Endpoint Manager (MEM)
Description: A system update deployment via Microsoft Endpoint Manager may trigger the rule if the deployed signed binaries or scripts happen to contain the rule's string patterns.
Filter/Exclusion: Filter by the presence of Microsoft in the file path or process name, or check the file’s digital signature to confirm it is from Microsoft.
Scenario: Admin task using PowerShell for log rotation
Description: A PowerShell script used for log rotation or system cleanup may generate files that match the EmiratesStatement rule due to similar naming conventions or file content.
Filter/Exclusion: Filter by the presence of PowerShell in the process name, or check for known admin scripts in a shared directory like C:\Windows\System32\.
Scenario: Legitimate email client processing emails with attachments
Description: An email client like Microsoft Outlook or Thunderbird may process emails with attachments that have file names or content matching the EmiratesStatement rule.
Filter/Exclusion: Filter by the presence of email client processes (e.g., OUTLOOK.EXE, THUNDERBIRD.EXE) or check the file’s MIME type to identify legitimate email attachments.
Scenario: Security tool performing file integrity monitoring (FIM)
Description: A security tool like Tripwire or Microsoft Advanced Threat Analytics (ATA) may generate files or logs that match the
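As an added triage example (not part of the original page or the rule author's code), the following Python evaluates the rule's three-string "all of them" condition on a buffer and then applies the false-positive exclusions listed in the scenarios above; the MatchEvent field names, the signer value and the sample buffer are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# The three literals from the EmiratesStatement rule; its condition is "all of them".
RULE_STRINGS = {
    "$string0": b"msn.klm",
    "$string1": b"wmsn.klm",
    "$string2": b"bms.klm",
}

def emirates_statement_matches(data: bytes) -> bool:
    """Pure-Python evaluation of the rule: every string must occur somewhere in data.
    $string0 is a substring of $string1, so any buffer holding "wmsn.klm" and
    "bms.klm" already satisfies all three."""
    return all(s in data for s in RULE_STRINGS.values())

@dataclass
class MatchEvent:
    """Context attached to a hit (field names are assumed, not taken from the page)."""
    path: str
    process: str
    signer: str = ""  # publisher from a verified code signature; "" if unsigned

BACKUP_EXTENSIONS = (".vib", ".vbk")
EMAIL_CLIENTS = ("outlook.exe", "thunderbird.exe")

def exclusion_reason(ev: MatchEvent) -> Optional[str]:
    """Map a hit to the documented false-positive scenario it falls under, or None."""
    proc, path = ev.process.lower(), ev.path.lower()
    if "veeam" in proc or "veeam" in path or path.endswith(BACKUP_EXTENSIONS):
        return "veeam-backup"
    if ev.signer.lower() == "microsoft corporation":
        return "microsoft-signed"  # verified signer, not merely "Microsoft" in the path
    # Require both the process and the shared admin directory; either alone is too broad.
    if "powershell" in proc and path.startswith("c:\\windows\\system32\\"):
        return "admin-script"
    if proc in EMAIL_CLIENTS:
        return "email-client"
    return None

def triage(data: bytes, ev: MatchEvent) -> str:
    """Rule evaluation plus exclusions: 'no-match', 'suppressed:<why>' or 'alert'."""
    if not emirates_statement_matches(data):
        return "no-match"
    reason = exclusion_reason(ev)
    return f"suppressed:{reason}" if reason else "alert"

# Constructed sample: one buffer carrying all three strings, seen in two contexts.
SAMPLE_HIT = b"\x00config\x00wmsn.klm\x00bms.klm\x00"
DOWNLOAD = MatchEvent(r"C:\Users\alice\Downloads\statement.exe", "statement.exe")
BACKUP = MatchEvent(r"D:\Backups\job1.vbk", "VeeamAgent.exe")

if __name__ == "__main__":
    print(triage(SAMPLE_HIT, DOWNLOAD))  # alert
    print(triage(SAMPLE_HIT, BACKUP))    # suppressed:veeam-backup
```

Exclusions keyed only on a process or path name are the weakest of the set, since both are chosen by whoever wrote the file; the verified-signer check is the one worth relying on.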