The hypothesis is that the detection rule identifies potential Fareit Trojan activity associated with the Sep/Oct 2015 wave, leveraging unusual process creation or network behavior indicative of malware execution. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate advanced persistent threats that may have evaded initial detection mechanisms.
YARA Rule
rule Fareit_Trojan_Oct15 {
    meta:
        description = "Detects Fareit Trojan from Sep/Oct 2015 Wave"
        author = "Florian Roth"
        reference = "http://goo.gl/5VYtlU"
        date = "2015-10-18"
        score = 80
        super_rule = 1
        hash1 = "230ca0beba8ae712cfe578d2b8ec9581ce149a62486bef209b04eb11d8c088c3"
        hash2 = "3477d6bfd8313d37fedbd3d6ba74681dd7cb59040cabc2991655bdce95a2a997"
        hash3 = "408fa0bd4d44de2940605986b554e8dab42f5d28a6a525b4bc41285e37ab488d"
        hash4 = "76669cbe6a6aac4aa52dbe9d2e027ba184bf3f0b425f478e8c049637624b5dae"
        hash5 = "9486b73eac92497e703615479d52c85cfb772b4ca6c846ef317729910e7c545f"
        hash6 = "c3300c648aebac7bf1d90f58ea75660c78604410ca0fa705d3b8ec1e0a45cdd9"
        hash7 = "ff83e9fcfdec4ffc748e0095391f84a8064ac958a274b9684a771058c04cb0fa"
    strings:
        $s1 = "ebai.exe" fullword wide
        $s2 = "Origina" fullword wide
    condition:
        uint16(0) == 0x5a4d and $s1 in (0..30000) and $s2 in (0..30000)
}
This YARA rule can be deployed in the following contexts:
This rule contains 2 string patterns in its detection logic.
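To make the condition concrete, the following is an added example (not code from the rule author or from this page) that re-implements the rule's logic in plain Python instead of the YARA engine: the MZ check via uint16(0), UTF-16LE encoding for the "wide" modifier, an approximation of "fullword" boundary handling, and the 0..30000 start-offset bound. The test buffers are constructed, not real samples.

```python
import struct

# Strings and offset bound taken from the Fareit_Trojan_Oct15 rule above.
RULE_STRINGS = {"$s1": "ebai.exe", "$s2": "Origina"}
OFFSET_RANGE = (0, 30000)  # "$s in (0..30000)" constrains the match START offset


def _is_alnum_wide(pair: bytes) -> bool:
    """True if a 2-byte UTF-16LE code unit is an ASCII letter or digit."""
    return len(pair) == 2 and pair[1] == 0 and pair[0] < 128 and chr(pair[0]).isalnum()


def fullword_wide_offsets(data: bytes, text: str) -> list:
    """Start offsets where `text` occurs as a 'fullword wide' YARA string:
    encoded UTF-16LE and not bordered by an alphanumeric wide character on
    either side (an approximation of YARA's fullword semantics)."""
    pat = text.encode("utf-16-le")
    hits, start = [], 0
    while (i := data.find(pat, start)) != -1:
        before = data[i - 2:i] if i >= 2 else b""
        after = data[i + len(pat):i + len(pat) + 2]
        if not _is_alnum_wide(before) and not _is_alnum_wide(after):
            hits.append(i)
        start = i + 1
    return hits


def matches_fareit_rule(data: bytes) -> bool:
    """Evaluate the condition: uint16(0) == 0x5a4d (the bytes 'MZ' read
    little-endian) and every string matching at an offset within 0..30000."""
    if len(data) < 2 or struct.unpack_from("<H", data, 0)[0] != 0x5A4D:
        return False
    lo, hi = OFFSET_RANGE
    return all(
        any(lo <= off <= hi for off in fullword_wide_offsets(data, s))
        for s in RULE_STRINGS.values()
    )


def build_sample(mz: bool = True, pad: int = 512, s2: str = "Origina") -> bytes:
    """Constructed buffer (not a real binary): header tag, zero padding, then the
    two wide strings, each followed by a wide NUL terminator."""
    header = b"MZ" if mz else b"ZM"
    body = s2.encode("utf-16-le") + b"\x00\x00" + "ebai.exe".encode("utf-16-le") + b"\x00\x00"
    return header + b"\x00" * pad + body


if __name__ == "__main__":
    print(matches_fareit_rule(build_sample()))               # True
    print(matches_fareit_rule(build_sample(mz=False)))       # False: no MZ header
    print(matches_fareit_rule(build_sample(pad=40000)))      # False: strings start past offset 30000
    print(matches_fareit_rule(build_sample(s2="Original")))  # False: "Origina" is not a full word inside "Original"
```

The last case is worth noting when tuning: because $s2 is declared fullword, a buffer containing the wide string "Original" does not satisfy the rule even though it contains "Origina" as a substring.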
Scenario: A system administrator is using wbadmin to perform a scheduled backup of the server.
Filter/Exclusion: Check for the presence of wbadmin.exe in the process tree, or filter out processes initiated by the system account (NT AUTHORITY\SYSTEM).

Scenario: A Windows Update task is running to install critical security patches.
Filter/Exclusion: Exclude processes associated with wuauclt.exe, or filter events related to Windows Update services.

Scenario: A scheduled PowerShell script is executing a routine system cleanup or log rotation.
Filter/Exclusion: Filter out processes whose command line contains powershell.exe launched from its standard location (e.g., C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe) together with a known legitimate script path.

Scenario: A third-party monitoring tool (e.g., SolarWinds or Nagios) is performing a system check or health scan.
Filter/Exclusion: Exclude processes from known monitoring tools by checking the process name or parent process, or filter based on the tool's known command-line arguments.

Scenario: A remote management tool (e.g., PsExec or Microsoft Endpoint Manager) is being used to execute a remote administrative task.
Filter/Exclusion: Filter out processes initiated from remote hosts, or those using PsExec or msiexec for known administrative tasks.