This YARA rule identifies samples of the Genome malware family by three strings embedded in its binary. The first references a keyboard::Monitor class and the second reads like a key-name token of the kind a keylogger writes, so a match points to a keystroke-capture component rather than to generic reconnaissance or network-component discovery. Because the rule matches file and process-memory content, it is run with a YARA-capable scanner on endpoints, sample repositories and sandbox output; the resulting matches, not the rule itself, are what SOC teams ship to Azure Sentinel or another SIEM to hunt for early-stage compromise and stop further exploitation.
YARA Rule
rule genome {
    meta:
        author = "Brian Wallace @botnet_hunter"
        author_email = "[email protected]"
        date = "2014-09-07"
        description = "Identify Genome"
    strings:
        $s1 = "Attempting to create more than one keyboard::Monitor instance"
        $s2 = "{Right windows}"
        $s3 = "Access violation - no RTTI data!"
    condition:
        all of them
}
This YARA rule can be deployed in the following contexts: the yara command-line scanner over a file tree or against a running process, post-run memory dumps from a sandbox, EDR or mail-gateway file scanners that accept YARA rules, and retro-hunts over a sample repository.
This rule contains 3 string patterns in its detection logic, and the condition is `all of them`, so every string must be present for a match. That keeps it precise, but note that $s3 ("Access violation - no RTTI data!") is a standard Microsoft Visual C++ runtime message carried by countless legitimate C++ binaries; on its own it identifies nothing, and the family-specific signal comes from $s1 and $s2. The flip side is that a rebuilt sample that changes or drops any one of the three strings evades the rule entirely.
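As an added example (not part of the original page or the rule author's tooling), here is the rule's matching logic re-implemented in Python so it can be exercised offline without yara-python: the three strings are matched as raw ASCII bytes exactly as YARA treats unmodified string literals, `all of them` is the condition, and a deliberately loose `any of them` variant is placed beside it to make the false-positive point concrete. The sample buffers are constructed for illustration and are not real Genome samples.

```python
"""Stand-alone re-implementation of the genome rule's matching logic.

Added example, not part of the original page. It mirrors what YARA does
for this rule (three plain ASCII strings joined by `all of them`) so the
logic can be exercised offline without yara-python installed. The sample
buffers below are constructed for illustration; they are not real Genome
samples.
"""
from __future__ import annotations

from typing import Dict, Iterable, List

# The three strings exactly as declared in the rule. Plain YARA strings
# with no modifiers are ASCII and case-sensitive, so we match raw bytes.
GENOME_STRINGS: Dict[str, bytes] = {
    "$s1": b"Attempting to create more than one keyboard::Monitor instance",
    "$s2": b"{Right windows}",
    "$s3": b"Access violation - no RTTI data!",
}


def find_all(data: bytes, needle: bytes) -> List[int]:
    """Return every offset at which needle occurs in data (overlaps included)."""
    offsets, start = [], 0
    while True:
        idx = data.find(needle, start)
        if idx == -1:
            return offsets
        offsets.append(idx)
        start = idx + 1


def scan_buffer(data: bytes) -> Dict[str, List[int]]:
    """Offsets of each rule string that appears at least once in data."""
    hits = {name: find_all(data, s) for name, s in GENOME_STRINGS.items()}
    return {name: offs for name, offs in hits.items() if offs}


def rule_genome(data: bytes) -> bool:
    """The rule's condition: `all of them`."""
    return len(scan_buffer(data)) == len(GENOME_STRINGS)


def rule_genome_loose(data: bytes) -> bool:
    """A deliberately weaker variant (`any of them`) for comparison only."""
    return len(scan_buffer(data)) > 0


def scan_paths(paths: Iterable[str]) -> Dict[str, Dict[str, List[int]]]:
    """Scan files on disk; returns matching paths mapped to string offsets."""
    results: Dict[str, Dict[str, List[int]]] = {}
    for path in paths:
        try:
            with open(path, "rb") as fh:
                data = fh.read()
        except OSError:
            continue  # unreadable or missing file: skip, do not abort the scan
        if rule_genome(data):
            results[path] = scan_buffer(data)
    return results


# Constructed samples (not real malware). NUL padding around the strings
# imitates a PE's .rdata section, where such literals usually live.
SAMPLE_GENOME = (
    b"\x00" * 64
    + b"Attempting to create more than one keyboard::Monitor instance\x00"
    + b"{Left windows}\x00{Right windows}\x00"
    + b"Access violation - no RTTI data!\x00"
    + b"\x00" * 64
)
# Any MSVC-built C++ program carries the runtime's RTTI message on its own.
SAMPLE_MSVC_ONLY = b"\x00" * 32 + b"Access violation - no RTTI data!\x00" + b"\x00" * 32
# Two of three strings: not enough for `all of them`.
SAMPLE_TWO_OF_THREE = b"{Right windows}\x00Access violation - no RTTI data!\x00"


if __name__ == "__main__":
    for label, blob in [("genome", SAMPLE_GENOME), ("msvc_only", SAMPLE_MSVC_ONLY),
                        ("two_of_three", SAMPLE_TWO_OF_THREE)]:
        print(f"{label:13s} all_of={rule_genome(blob)!s:5s} "
              f"any_of={rule_genome_loose(blob)!s:5s} hits={sorted(scan_buffer(blob))}")
```

Running it prints one line per sample: only the buffer carrying all three strings satisfies the rule, while the MSVC-only buffer trips the loose variant, which is exactly why the published rule uses `all of them`. For production scanning use the real yara binary or yara-python; this script exists only to make the condition's behaviour inspectable.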
Scenario: Scheduled backups using Veeam Backup & Replication
Description: Backup jobs move large volumes of data, but transfer volume cannot trigger this rule: it matches file and memory content, and the name Genome refers to the malware family, not to genomic data. The only realistic interaction is that a backup archive may hold a copy of an already-infected executable, which is a true match worth investigating rather than a false positive.
Filter/Exclusion: Do not exclude by backup-server IP address or by process names such as VeeamBackup.exe; those filters belong to network or EDR telemetry and have no effect on a YARA scan. If scanning backup stores is too costly, narrow the scan scope to executables and process memory instead.
Scenario: Data transfer via Apache NiFi for ETL processes
Description: NiFi moves large datasets, but data volume is irrelevant to a content signature. A match would require all three strings inside a scanned file or process, and nothing an ETL pipeline does produces a keyboard::Monitor class name or a Windows key token.
Filter/Exclusion: None needed for this rule. Exclusions keyed on nifi-flow.xml, the nifi-api, process groups or connection names describe paths and flows that the rule never evaluates.
Scenario: Admin task: Importing genomic data via Galaxy
Description: Importing genomic datasets into Galaxy does not trigger the rule. Sequence data has no reason to contain a C++ class name or a key-name token, and all three strings must be present for a match.
Filter/Exclusion: None required. Do not exclude Galaxy endpoints or researcher and admin roles; doing so only blinds the scan to a real infection on a researcher's workstation.
Scenario: Log shipping using Splunk or ELK Stack
Description: Splunk forwarders and Logstash agents ship text logs. A shipped log would match only if it quoted all three strings itself, for example a captured keylogger output; that is a finding, not a false positive.
Filter/Exclusion: Do not exclude forwarder or agent traffic; it has no bearing on a content scan. If log volume makes full scanning impractical, scan executables and memory rather than log stores.
Scenario: Cloud storage sync using AWS S3 or Azure Blob Storage
Description: Automated sync jobs between on-premises systems and object storage generate transfer patterns, but the rule never sees traffic patterns; it sees bytes. A synced copy of an infected executable will match, and that is the intended behaviour.
Filter/Exclusion: None on the network side. Tune only the scan scope (which paths, file types and processes are scanned), never the rule's strings or condition, since loosening either one destroys the precision that `all of them` provides.