The hypothesis is that an adversary may be using compromised or leaked Windows tools and exploits from the ShadowBroker leak to gain unauthorized access or escalate privileges within the environment. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential exploitation of known vulnerabilities and mitigate the risk of advanced persistent threats.
YARA Rule
rule FVEY_ShadowBrokers_Jan17_Screen_Strings
{
    meta:
        description = "Detects strings derived from the ShadowBroker's leak of Windows tools/exploits"
        author = "Florian Roth"
        reference = "https://bit.no.com:43110/theshadowbrokers.bit/post/message7/"
        date = "2017-01-08"
    strings:
        $x1 = "Danderspritz" ascii wide fullword
        $x2 = "DanderSpritz" ascii wide fullword
        $x3 = "PeddleCheap" ascii wide fullword
        $x4 = "ChimneyPool Addres" ascii wide fullword
        $a1 = "Getting remote time" fullword ascii
        $a2 = "RETRIEVED" fullword ascii
        $b1 = "Added Ops library to Python search path" fullword ascii
        $b2 = "target: z0.0.0.1" fullword ascii
        $c1 = "Psp_Avoidance" fullword ascii
        $c2 = "PasswordDump" fullword ascii
        $c3 = "InjectDll" fullword ascii
        $c4 = "EventLogEdit" fullword ascii
        $c5 = "ProcessModify" fullword ascii
        $d1 = "Mcl_NtElevation" fullword ascii wide
        $d2 = "Mcl_NtNativeApi" fullword ascii wide
        $d3 = "Mcl_ThreatInject" fullword ascii wide
        $d4 = "Mcl_NtMemory" fullword ascii wide
    condition:
        filesize < 2000KB and (
            1 of ($x*) or all of ($a*) or 1 of ($b*) or
            ( uint16(0) == 0x5a4d and 1 of ($c*) ) or 3 of ($c*) or
            ( uint16(0) == 0x5a4d and 3 of ($d*) )
        )
}
This YARA rule can be deployed in the following contexts:
This rule contains 17 string patterns in its detection logic, split into five groups ($x1-$x4, $a1-$a2, $b1-$b2, $c1-$c5, $d1-$d4); the weaker groups ($c*, $d*) only fire on their own when the file starts with an MZ header (uint16(0) == 0x5a4d) or when several of them co-occur.
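To make the condition logic concrete, the following is an added Python re-implementation of this rule's condition (it is not part of the page or of the signature-base project, and it is not a YARA engine): it transcribes the five string groups, approximates YARA's fullword and wide matching, and evaluates the condition on constructed sample buffers to show why a single $c string only triggers inside an MZ-headed file.

```python
# Constructed re-implementation of the rule's condition (not a YARA engine).
# String groups are transcribed from the rule; $x and $d are also matched wide.
X = ["Danderspritz", "DanderSpritz", "PeddleCheap", "ChimneyPool Addres"]
A = ["Getting remote time", "RETRIEVED"]
B = ["Added Ops library to Python search path", "target: z0.0.0.1"]
C = ["Psp_Avoidance", "PasswordDump", "InjectDll", "EventLogEdit", "ProcessModify"]
D = ["Mcl_NtElevation", "Mcl_NtNativeApi", "Mcl_ThreatInject", "Mcl_NtMemory"]
_WORD = set(b"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_")

def _is_word_char(chunk: bytes, step: int) -> bool:
    """Approximates YARA's fullword boundary: identifier char, or wide (char, 0x00)."""
    if len(chunk) < step:
        return False
    return chunk[0] in _WORD and (step == 1 or chunk[1] == 0)

def _fullword_hit(data: bytes, s: str, wide: bool) -> bool:
    """True if s occurs in data as a whole word, as ASCII or (if wide) UTF-16LE."""
    variants = [(s.encode("ascii"), 1)]
    if wide:
        variants.append((s.encode("utf-16-le"), 2))
    for enc, step in variants:
        pos = data.find(enc)
        while pos != -1:
            before = data[max(pos - step, 0):pos]
            after = data[pos + len(enc):pos + len(enc) + step]
            if not _is_word_char(before, step) and not _is_word_char(after, step):
                return True
            pos = data.find(enc, pos + 1)
    return False

def _count(data: bytes, group: list, wide: bool) -> int:
    """Number of strings in the group with at least one fullword hit."""
    return sum(_fullword_hit(data, s, wide) for s in group)

def rule_matches(data: bytes) -> bool:
    """Evaluate the condition of FVEY_ShadowBrokers_Jan17_Screen_Strings on file bytes."""
    if len(data) >= 2000 * 1024:          # filesize < 2000KB (YARA KB = 1024)
        return False
    is_pe = data[:2] == b"MZ"             # uint16(0) == 0x5a4d read little-endian
    x, a, b = _count(data, X, True), _count(data, A, False), _count(data, B, False)
    c, d = _count(data, C, False), _count(data, D, True)
    return (x >= 1 or a == len(A) or b >= 1
            or (is_pe and c >= 1) or c >= 3 or (is_pe and d >= 3))

# Constructed sample buffers (not real artefacts): one $c string fires only behind
# an MZ header; "InjectDllHelper" is a substring, so it never counts as fullword.
PE_ONE_C = b"MZ" + b"\x00" * 62 + b"\x00InjectDll\x00"
TXT_ONE_C = b"log: InjectDll seen\n"
PE_SUBSTR = b"MZ" + b"\x00" * 62 + b"\x00InjectDllHelper\x00"
TXT_WIDE_X = b"\x00\x00" + "PeddleCheap".encode("utf-16-le") + b"\x00\x00"
```

Run `rule_matches()` over each buffer: PE_ONE_C and TXT_WIDE_X match, TXT_ONE_C and PE_SUBSTR do not, which is the behaviour to expect when triaging hits from the real rule.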
Scenario: Legitimate use of net user for user management
Description: A system administrator is creating or modifying user accounts using the net user command.
Filter/Exclusion: Check for the presence of net user in conjunction with known admin tasks (e.g., net user admin /add, net user admin /passwordreq:yes). Exclude processes initiated by trusted admin accounts or scheduled tasks.

Scenario: Scheduled job running taskkill to terminate non-responsive services
Description: A scheduled task is configured to terminate unresponsive services using taskkill /im service_name.exe.
Filter/Exclusion: Filter out taskkill commands that are part of known maintenance scripts or scheduled tasks. Use process owner or parent process context to identify legitimate administrative activity.

Scenario: Use of wmic for system diagnostics and reporting
Description: A system health check script uses wmic to gather system information such as CPU usage, memory, or disk space.
Filter/Exclusion: Exclude wmic commands that are part of standard monitoring tools or scripts. Use command-line arguments or script paths to differentiate from suspicious usage.

Scenario: Legitimate use of certutil for certificate management
Description: An IT administrator is using certutil to manage or import certificates into the Windows certificate store.
Filter/Exclusion: Filter out certutil commands that are part of known certificate management workflows. Check for command-line arguments related to certificate import/export or store operations.

Scenario: Use of schtasks to manage scheduled jobs
Description: A system administrator is using schtasks to create, modify, or delete scheduled tasks.
Filter/Exclusion: Exclude schtasks commands that are part of known administrative tasks.