The hypothesis is that a file matching this detection rule is the backdoor used in the Greenbug incident, which would indicate unauthorized remote access or a persistence mechanism on the affected host. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate any lingering malicious infrastructure linked to the Greenbug threat group.
YARA Rule
rule Greenbug_Malware_2 {
    meta:
        description = "Detects Backdoor from Greenbug Incident"
        author = "Florian Roth"
        reference = "https://goo.gl/urp4CD"
        date = "2017-01-25"
        hash1 = "6b28a43eda5b6f828a65574e3f08a6d00e0acf84cbb94aac5cec5cd448a4649d"
        hash2 = "21f5e60e9df6642dbbceca623ad59ad1778ea506b7932d75ea8db02230ce3685"
        hash3 = "319a001d09ee9d754e8789116bbb21a3c624c999dae9cf83fde90a3fbe67ee6c"
    strings:
        $x1 = "|||Command executed successfully" fullword ascii
        $x2 = "\\Release\\Bot Fresh.pdb" ascii
        $x3 = "C:\\ddd\\a1.txt" fullword wide
        $x4 = "Bots\\Bot5\\x64\\Release" ascii
        $x5 = "Bot5\\Release\\Ism.pdb" ascii
        $x6 = "Bot\\Release\\Ism.pdb" ascii
        $x7 = "\\Bot Fresh\\Release\\Bot" ascii
        $s1 = "/Home/SaveFile?commandId=CmdResult=" fullword wide
        $s2 = "raB3G:Sun:Sunday:Mon:Monday:Tue:Tuesday:Wed:Wednesday:Thu:Thursday:Fri:Friday:Sat:Saturday" fullword ascii
        $s3 = "Set-Cookie:\\b*{.+?}\\n" fullword wide
        $s4 = "SELECT * FROM AntiVirusProduct" fullword wide
    condition:
        ( uint16(0) == 0x5a4d and filesize < 1000KB and ( 1 of ($x*) or 2 of them ) ) or ( 3 of them )
}
This rule contains 11 string patterns (seven $x and four $s strings) in its detection logic. It can be deployed in the following contexts, where the listed filters exclude known benign activity:
Scenario: Scheduled system maintenance using task scheduler to run a legitimate cleanup script
Filter/Exclusion: process.name IN ("cleanmgr.exe", "schtasks.exe") OR process.parent.name == "taskhost.exe"
Scenario: Admin performing a database backup using SQL Server Agent Job
Filter/Exclusion: process.name == "sqlservr.exe" AND process.parent.name == "sqlagent.exe"
Scenario: IT team using PowerShell to automate user account creation in Active Directory
Filter/Exclusion: process.name == "powershell.exe" AND command_line CONTAINS "New-ADUser"
Scenario: System administrator running a malware scan with Malwarebytes or Windows Defender
Filter/Exclusion: process.name IN ("mbam.exe", "MsMpEng.exe") OR process.parent.name == "services.exe"
Scenario: DevOps pipeline executing a CI/CD job using Jenkins to deploy code
Filter/Exclusion: (process.name == "java.exe" AND command_line CONTAINS "jenkins.exe") OR process.parent.name == "jenkins.exe"