Adversaries may be using GH_PM64 to execute arbitrary code or establish persistence within the environment. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential compromise and mitigate lateral movement risks.
YARA Rule

import "hash"

rule GH_PM64 {
    meta:
        author = "Jaume Martin"
    condition:
        // MD5 of the whole file (offset 0, length filesize); requires the hash module imported above
        hash.md5(0, filesize) == "fe6c0097412b2c7b7f4b8a489004dd14"
}
When this YARA rule is deployed, the following legitimate scenarios may produce false positives; each lists a suggested filter or exclusion:
Scenario: Scheduled System Maintenance Task
Description: A legitimate system maintenance task, such as a Windows Update or disk cleanup, may trigger the rule due to similar file or process behavior.
Filter/Exclusion: Check for ProcessName containing svchost.exe or wuauserv.exe, or filter by ParentProcessName matching known system services.

Scenario: Antivirus or Endpoint Protection Scan
Description: Antivirus tools like Bitdefender, Kaspersky, or Windows Defender may perform deep scans that resemble malicious activity.
Filter/Exclusion: Filter by ProcessName containing mbam.exe, kavservice.exe, or MsMpEng.exe, or check for CommandLine containing scan or fullscan.

Scenario: Log File Parsing or Data Extraction Job
Description: A legitimate job running a script to parse or extract data from log files (e.g., using logparser.exe or PowerShell) may trigger the rule.
Filter/Exclusion: Filter by ProcessName containing logparser.exe or powershell.exe, and check for CommandLine containing log or parse.

Scenario: Database Backup or Restore Operation
Description: A database backup or restore operation using tools like sqlbackup.exe or mysqldump may generate similar behavior to the rule’s detection logic.
Filter/Exclusion: Filter by ProcessName containing sqlbackup.exe, mysqldump, or pg_dump, or check for CommandLine containing backup or restore.

Scenario: Software Deployment via SCCM or Ansible
Description: Software deployment tasks using tools like SCCM (System Center Configuration Manager) or Ansible may trigger the rule due to similar process or file activity.
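The rule's hash test and the exclusion filters above, as an added Python example that is not part of the original page: the event field names ProcessName, ParentProcessName and CommandLine are taken from the filter text, applying the parent-process check to every scenario is an assumption, and the sample event is constructed.

```python
import hashlib
from typing import Optional

# MD5 copied from the rule's condition: hash.md5(0, filesize) hashes the whole file.
GH_PM64_MD5 = "fe6c0097412b2c7b7f4b8a489004dd14"

# Exclusion scenarios from the page: (name, ProcessName terms, CommandLine terms,
# both_required). Only the log-parsing scenario needs process AND command-line evidence.
EXCLUSIONS = [
    ("Scheduled System Maintenance Task", ("svchost.exe", "wuauserv.exe"), (), False),
    ("Antivirus or Endpoint Protection Scan",
     ("mbam.exe", "kavservice.exe", "msmpeng.exe"), ("scan", "fullscan"), False),
    ("Log File Parsing or Data Extraction Job",
     ("logparser.exe", "powershell.exe"), ("log", "parse"), True),
    ("Database Backup or Restore Operation",
     ("sqlbackup.exe", "mysqldump", "pg_dump"), ("backup", "restore"), False),
]

# Constructed sample event (not real telemetry) for a quick local run.
SAMPLE_EVENT = {"ProcessName": r"C:\Windows\System32\svchost.exe",
                "ParentProcessName": "services.exe", "CommandLine": "svchost.exe -k netsvcs"}

def rule_matches(file_bytes: bytes) -> bool:
    """Same test as the YARA condition. A single changed byte gives a different MD5,
    so the rule identifies only this exact sample, not modified builds of it."""
    return hashlib.md5(file_bytes).hexdigest() == GH_PM64_MD5

def benign_scenario(event: dict) -> Optional[str]:
    """Return the first exclusion scenario the process context satisfies, else None.
    Field names follow the page's filter text. Matching is case-insensitive substring
    matching, so "log" also hits "logon" or "catalog": review terms before deployment.
    Assumption: ParentProcessName is checked against the same process list."""
    proc = event.get("ProcessName", "").lower()
    parent = event.get("ParentProcessName", "").lower()
    cmd = event.get("CommandLine", "").lower()
    for name, procs, terms, both_required in EXCLUSIONS:
        proc_hit = any(p in proc or p in parent for p in procs)
        cmd_hit = any(t in cmd for t in terms)
        hit = (proc_hit and cmd_hit) if both_required else (proc_hit or cmd_hit)
        if hit:
            return name
    return None

def triage(file_bytes: bytes, event: dict) -> str:
    """Verdict for one hit: 'no-match', 'suppressed: <scenario>' or 'alert'."""
    if not rule_matches(file_bytes):
        return "no-match"
    scenario = benign_scenario(event)
    return f"suppressed: {scenario}" if scenario else "alert"
```

The exclusions are broad substring matches, so a hit suppressed by them should still be reviewable in Sentinel rather than silently dropped.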