The hypothesis is that the rule identifies WinPot (aka ATMPot) samples, an ATM cash-dispensing ("jackpotting") malware family, by matching PE files that reference the cscwcng.dll dispenser API (CSCCNG, CscCngOpen, CscCngClose) together with the format strings and the CscCngDispense call sequence seen in the analysed samples. It is a file-content signature, not a network or command-and-control detection: a hit means a WinPot-like binary is present on disk or in memory, which on an ATM host typically indicates that an attacker already has write access to the machine and is preparing to dispense cash. Scan ATM and ATM-management hosts with YARA (or an EDR or file-scanning pipeline that can run the rule), forward any match to the SIEM (the page suggests Azure Sentinel) and treat it as a high-priority incident; a match is not expected on ordinary workstations or servers.
YARA Rule
rule Generic_ATMPot : Generic_ATMPot
{
    meta:
        description = "Generic rule for Winpot aka ATMPot"
        author = "[email protected]"
        date = "2019-02-24"
        reference = "https://securelist.com/atm-robber-winpot/89611/"
        // May only the challenge guide you
    strings:
        // Names of the cscwcng.dll cash-dispenser API that the samples resolve
        $api1 = "CSCCNG" ascii wide
        $api2 = "CscCngOpen" ascii wide
        $api3 = "CscCngClose" ascii wide
        // Format string shared by both samples
        $string1 = "%d,%02d;" ascii wide
        /*
            Call to the dispenser followed by a test of the returned status word;
            identical in both samples apart from the import-thunk address, which
            is therefore wildcarded:
            0xD:
            .text:004022EC FF 15 20 70 40 00   CALL DWORD PTR DS:[407020] ; cscwcng.CscCngDispense
            .text:004022F2 F6 C4 80            TEST AH,80
            winpot:
            .text:004019D4 FF 15 24 60 40 00   CALL DWORD PTR DS:[406024] ; cscwcng.CscCngDispense
            .text:004019DA F6 C4 80            TEST AH,80
        */
        $hex1 = { FF 15 ?? ?? ?? ?? F6 C4 80 }
        /*
            scanf-style scanset format string; the bounds of the first range differ
            between the samples, so those two bytes are wildcarded:
            0xD...: 0040506E 25 31 5B 31 2D 34 5D 56 41 4C 3D 25 38 5B 30 2D 39 5D: %1[1-4]VAL=%8[0-9]
            winpot: 0040404D 25 31 5B 30 2D 39 5D 56 41 4C 3D 25 38 5B 30 2D 39 5D: %1[0-9]VAL=%8[0-9]
        */
        $hex2 = { 25 31 5B ?? 2D ?? 5D 56 41 4C 3D 25 38 5B 30 2D 39 5D }
    condition:
        // MZ signature at offset 0 and "PE\0\0" at e_lfanew, then every string above
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them
}
This YARA rule can be deployed wherever YARA is run against files or process memory (on-demand scans of ATM hosts, EDR file scanning, malware triage pipelines). It contains 6 string patterns in its detection logic ($api1, $api2, $api3, $string1, $hex1 and $hex2), and the condition requires a valid PE header plus every one of them, so a file that carries only the API names or only one of the byte sequences does not match.
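To make the condition legible, here is a stand-alone re-implementation of the rule's matching logic in plain Python. This is an added example, not code from the original page or from the rule's author; it uses only the standard library rather than yara-python, and the buffers it scans are constructed inline (reusing the CscCngDispense call bytes and the two VAL= format strings from the listings in the rule's comments), not real WinPot samples. The function names (is_pe, has_ascii_or_wide, evaluate, matches, build_sample) are this example's own.

```python
"""Re-implementation of the Generic_ATMPot matching logic in plain Python.

Added example; not part of the original page and not the rule author's
tooling. Standard library only (no yara-python) so each clause of the rule's
condition can be traced. The buffers built by build_sample() are constructed
here and are not real WinPot binaries.
"""
import re
import struct

# $api1..$api3 and $string1, each declared "ascii wide" in the rule.
ASCII_WIDE_STRINGS = {
    "$api1": b"CSCCNG",
    "$api2": b"CscCngOpen",
    "$api3": b"CscCngClose",
    "$string1": b"%d,%02d;",
}

# $hex1 = { FF 15 ?? ?? ?? ?? F6 C4 80 }
#   FF 15 imm32 = CALL DWORD PTR [imm32] (the import thunk of CscCngDispense),
#   F6 C4 80    = TEST AH,80 (test of the returned status word)
HEX1 = re.compile(rb"\xFF\x15.{4}\xF6\xC4\x80", re.DOTALL)

# $hex2 = { 25 31 5B ?? 2D ?? 5D 56 41 4C 3D 25 38 5B 30 2D 39 5D }
#   = "%1[?-?]VAL=%8[0-9]" with the two range bytes left as wildcards so both
#   the "%1[1-4]" (0xD) and "%1[0-9]" (winpot) variants match.
HEX2 = re.compile(
    rb"\x25\x31\x5B.\x2D.\x5D\x56\x41\x4C\x3D\x25\x38\x5B\x30\x2D\x39\x5D",
    re.DOTALL,
)


def is_pe(data: bytes) -> bool:
    """uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550.

    YARA's uintN() reads little-endian, so this is 'MZ' at offset 0 and
    'PE\\0\\0' at the offset stored in e_lfanew; an out-of-range e_lfanew
    makes the clause false, as it does in YARA."""
    if len(data) < 0x40 or struct.unpack_from("<H", data, 0)[0] != 0x5A4D:
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 4 > len(data):
        return False
    return struct.unpack_from("<I", data, e_lfanew)[0] == 0x00004550


def has_ascii_or_wide(data: bytes, s: bytes) -> bool:
    """YARA 'ascii wide': the string as raw ASCII or as UTF-16LE."""
    return s in data or s.decode("ascii").encode("utf-16-le") in data


def evaluate(data: bytes) -> dict:
    """Per-pattern results, the way `yara -s` would list matched strings."""
    results = {name: has_ascii_or_wide(data, s)
               for name, s in ASCII_WIDE_STRINGS.items()}
    results["$hex1"] = HEX1.search(data) is not None
    results["$hex2"] = HEX2.search(data) is not None
    results["pe_header"] = is_pe(data)
    return results


def matches(data: bytes) -> bool:
    """The rule's condition: PE header check and 'all of them'."""
    return all(evaluate(data).values())


def build_sample(variant: str = "winpot", pe: bool = True, drop: str = "") -> bytes:
    """Constructed buffer (not a real sample) carrying the rule's patterns.

    variant: "winpot" or "0xD", selecting the VAL= format string from the
             respective listing in the rule's comments.
    pe:      emit the MZ/PE headers (False simulates a non-PE file such as a
             script that happens to contain the strings).
    drop:    name of one pattern to leave out, to show 'all of them' failing."""
    parts = {
        "$api1": b"CSCCNG\x00",
        # stored as UTF-16LE to exercise the 'wide' modifier
        "$api2": "CscCngOpen".encode("utf-16-le") + b"\x00\x00",
        "$api3": b"CscCngClose\x00",
        "$string1": b"%d,%02d;\x00",
        # FF 15 24 60 40 00  CALL DWORD PTR DS:[406024] ; F6 C4 80  TEST AH,80
        "$hex1": b"\xFF\x15\x24\x60\x40\x00\xF6\xC4\x80",
        "$hex2": {"winpot": b"%1[0-9]VAL=%8[0-9]\x00",
                  "0xD": b"%1[1-4]VAL=%8[0-9]\x00"}[variant],
    }
    header = bytearray(0x44)
    if pe:
        header[0:2] = b"MZ"
        struct.pack_into("<I", header, 0x3C, 0x40)  # e_lfanew -> offset 0x40
        header[0x40:0x44] = b"PE\x00\x00"
    return bytes(header) + b"".join(v for k, v in parts.items() if k != drop)


if __name__ == "__main__":
    for label, buf in [("winpot variant", build_sample()),
                       ("0xD variant", build_sample("0xD")),
                       ("no PE header", build_sample(pe=False)),
                       ("missing $hex2", build_sample(drop="$hex2"))]:
        print(f"{label:14s} -> {matches(buf)}  {evaluate(buf)}")
```

Running it prints one line per constructed buffer. The "no PE header" case still reports $api2 as matched (the wide form is found) yet fails the condition, which is why a script, log or text file that merely contains the API names never fires this rule; "missing $hex2" shows the "all of them" clause rejecting a file that has everything but one pattern. For production scanning use the real yara binary; this re-implementation exists to make the condition readable, not to replace it.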
False-positive scenarios

Because the rule is a static content signature, the process-based scenarios that are commonly attached to command-line detections do not produce matches here and need no exclusions:

Scenario: Scheduled System Maintenance Task (PowerShell or cmd.exe scripts launched by Task Scheduler / schtasks.exe for cleanup or configuration)
Scenario: Antivirus or Endpoint Protection Scan (a full system scan by Microsoft Defender or Kaspersky avp.exe)
Scenario: Windows Update or Patch Deployment (wuauclt.exe or setup.exe applying updates, Microsoft Endpoint Manager deployments)
Scenario: Database Backup or Restore Using SQLCMD (sqlcmd.exe running T-SQL with -S, -d, -Q arguments)
Scenario: Network Configuration Script via PowerShell (netsh or ipconfig invoked to set IP address or DNS)

None of these scripts, binaries or command lines contain the CSCCNG import names, the CscCngDispense call followed by TEST AH,80 and the %1[?-?]VAL=%8[0-9] format string at once, so the rule's "all of them" condition fails on them; filtering on process parent, task name or command-line keywords is therefore neither necessary nor useful for this rule. The one plausible benign source of a hit is software that legitimately links the same cscwcng dispenser library on ATM hosts (vendor diagnostic or test tools), which can contain $api1..$api3; review such a hit manually against the full list of matched strings rather than excluding it by path or process name, since an attacker's tooling is expected to live next to exactly that software.