The YARA rule below flags one specific file by the MD5 hash of its entire contents. SOC teams can deploy it, or pivot on the hash it carries, to hunt proactively in Azure Sentinel for that file on endpoints. Because the condition is an exact hash comparison, the rule identifies a known artifact rather than a behavior: a byte-for-byte copy of the file matches, and any modified copy does not.
YARA Rule
// hash.md5() comes from the hash module; the rule does not compile without this import.
import "hash"

rule GH_PM32 {
    meta:
        author = "Jaume Martin"
    condition:
        // Full-file MD5 comparison: every scanned file is hashed in its entirety.
        hash.md5(0, filesize) == "2f2c5b3f3b1f97908074f526ac90a28d"
}
The scenarios below list benign activity that can produce a hit and the exclusion to apply in each case. Two caveats apply to all of them. First, the condition is a full-file MD5 comparison, so the rule fires only on a byte-for-byte copy of the file with that hash, never on files that merely share strings or structure with it; a hit in one of these locations means that exact file is present there, and the exclusion should be confirmed against the actual file before it is applied. Second, YARA sees only file contents, so the process-name and path filters below are implemented in the scanning pipeline or the Sentinel query, not in the rule, and a path filter alone can be abused by any process able to write into the excluded directory.
Scenario: System Update via Windows Update
Description: If the file with this hash is delivered or staged by Windows Update, the rule fires on it in the update directories.
Filter/Exclusion: Exclude files carrying a valid Microsoft Authenticode signature, or files under C:\Windows\Update or C:\Windows\SoftwareDistribution. Prefer the signature check over the path check.
Scenario: Scheduled Backup Job Using Veeam Backup & Replication
Description: Veeam may write temporary files or scripts during a backup job; the rule fires only if one of them is an exact copy of the hashed file.
Filter/Exclusion: Exclude events whose initiating process is Veeam's or whose file path is under C:\Program Files\Veeam.
Scenario: PowerShell Script for System Monitoring (e.g., by SolarWinds)
Description: A monitoring tool such as SolarWinds may deploy PowerShell scripts; the rule fires only if a deployed script is an exact copy of the hashed file.
Filter/Exclusion: Exclude events whose initiating process is SolarWinds' or whose file path is under C:\Program Files\SolarWinds.
Scenario: Admin Task for Log Collection Using Splunk
Description: Splunk may deploy scripts or agent files during log collection; the rule fires only if one of them is an exact copy of the hashed file.
Filter/Exclusion: Exclude events whose initiating process is Splunk's or whose file path is under C:\Program Files\Splunk.
Scenario: Antivirus Quarantine File Cleanup
Description: Antivirus products such as Bitdefender or Kaspersky may hold a copy of a blocked file in quarantine; if the copy is stored unmodified, the rule fires on it during cleanup. A hit there is still evidence that the file reached the host, so record it even when the event itself is excluded.
Filter/Exclusion: Exclude events whose initiating process is the Bitdefender or Kaspersky process or whose file path is under C:\ProgramData\Bitdefender or C:\ProgramData\Kaspersky.
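The following Python script is an added example, not code from the rule author or from this page. It emulates the GH_PM32 condition (MD5 over the whole file) and the path-based exclusions listed above over a set of constructed file events, and demonstrates the two caveats: a one-byte change to the file evades an exact-hash rule, and a copy of the flagged file dropped under an excluded directory is silently excluded by a path filter. The event shape (Windows path, file bytes), the verdict names and the stand-in file contents are assumptions of the example; since the real file with the pinned hash is not available, the demo pins the MD5 of its own constructed bytes.

```python
# Added example (not part of the GH_PM32 rule or its author's tooling):
# emulate the rule's condition and the page's path exclusions over
# constructed file events, and show why a one-byte change evades it.
import hashlib
from pathlib import PureWindowsPath

# MD5 pinned by the GH_PM32 rule. Only a byte-for-byte copy of that file matches.
GH_PM32_MD5 = "2f2c5b3f3b1f97908074f526ac90a28d"

# Path prefixes taken from the page's exclusion scenarios.
EXCLUDED_PATH_PREFIXES = (
    r"C:\Windows\Update",
    r"C:\Windows\SoftwareDistribution",
    r"C:\Program Files\Veeam",
    r"C:\Program Files\SolarWinds",
    r"C:\Program Files\Splunk",
    r"C:\ProgramData\Bitdefender",
    r"C:\ProgramData\Kaspersky",
)


def rule_matches(data: bytes, target_md5: str = GH_PM32_MD5) -> bool:
    """Python equivalent of the rule's condition hash.md5(0, filesize) == target."""
    return hashlib.md5(data).hexdigest() == target_md5.lower()


def is_excluded(win_path: str) -> bool:
    """True if the path falls under one of the page's exclusion directories.

    The comparison is case-insensitive and on whole path components, so
    C:\\Program Files\\VeeamEvil is not excluded by C:\\Program Files\\Veeam.
    """
    parts = [p.lower() for p in PureWindowsPath(win_path).parts]
    for prefix in EXCLUDED_PATH_PREFIXES:
        prefix_parts = [p.lower() for p in PureWindowsPath(prefix).parts]
        if parts[: len(prefix_parts)] == prefix_parts:
            return True
    return False


def evaluate_events(events, target_md5: str = GH_PM32_MD5):
    """events: iterable of (windows_path, file_bytes), the assumed shape of a
    file-create event. Returns a list of (path, verdict) where verdict is
    'no-match', 'match', or 'match-excluded'."""
    verdicts = []
    for path, data in events:
        if not rule_matches(data, target_md5):
            verdicts.append((path, "no-match"))
        elif is_excluded(path):
            verdicts.append((path, "match-excluded"))
        else:
            verdicts.append((path, "match"))
    return verdicts


def demo():
    # Constructed stand-in for the file the rule targets. The real file is not
    # available, so the demo pins the MD5 of these bytes instead of GH_PM32_MD5.
    original = b"constructed stand-in for the file pinned by GH_PM32\n"
    target = hashlib.md5(original).hexdigest()
    events = [
        # exact copy in a user directory: true hit
        (r"C:\Users\alice\Downloads\payload.bin", original),
        # exact copy dropped under an excluded path: hit, but filtered out
        (r"C:\Program Files\Veeam\Backup\tmp001.dat", original),
        # one byte appended: the exact-hash rule no longer fires
        (r"C:\Users\alice\Downloads\payload2.bin", original + b"\x00"),
    ]
    return evaluate_events(events, target)


if __name__ == "__main__":
    for path, verdict in demo():
        print(f"{verdict:15} {path}")
```

The third event is the important one for triage: a hash rule is a high-confidence, low-coverage indicator, so treat a hit as confirmation that a known file is present and pair it with string- or structure-based rules when coverage of modified variants is required. The second event is why the page's path exclusions should be applied only after the flagged file has been confirmed benign.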