This detection identifies potential system access and data exfiltration activity associated with the Greenbug backdoor, indicating that an adversary may be maintaining persistence and stealing sensitive information. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage compromise by known malicious actors.
YARA Rule
rule Greenbug_Malware_3 {
   meta:
      description = "Detects Backdoor from Greenbug Incident"
      author = "Florian Roth"
      reference = "https://goo.gl/urp4CD"
      date = "2017-01-25"
      super_rule = 1
      hash1 = "44bdf5266b45185b6824898664fd0c0f2039cdcb48b390f150e71345cd867c49"
      hash2 = "7f16824e7ad9ee1ad2debca2a22413cde08f02ee9f0d08d64eb4cb318538be9c"
   strings:
      $x1 = "F:\\Projects\\Bot\\Bot\\Release\\Ism.pdb" fullword ascii
      $x2 = "C:\\ddd\\wer2.txt" fullword wide
      $x3 = "\\Microsoft\\Windows\\tmp43hh11.txt" fullword wide
   condition:
      1 of them
}
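The rule fires on any one of three strings, and two of them carry the "wide" modifier while all three are "fullword". The following is an added example, not code from the original page or from the rule's author, that re-implements just enough of YARA's string matching in plain Python to show what those modifiers do on constructed byte buffers: "wide" means the text is searched in UTF-16LE form, and "fullword" rejects a hit that runs straight into an alphanumeric character. The sample buffers are constructed for illustration; for real scanning use yara or yara-python.

```python
# Added example: minimal re-implementation of how YARA evaluates the three
# strings of Greenbug_Malware_3 (ascii / wide / fullword). Not the rule's
# own code; for production scanning use yara or yara-python.

# The strings from the rule; YARA's "\\" escape is a single backslash in the file,
# and Python string literals use the same escape.
RULE_STRINGS = {
    "$x1": ("F:\\Projects\\Bot\\Bot\\Release\\Ism.pdb", "ascii"),
    "$x2": ("C:\\ddd\\wer2.txt", "wide"),
    "$x3": ("\\Microsoft\\Windows\\tmp43hh11.txt", "wide"),
}


def encode_pattern(text: str, modifier: str) -> bytes:
    """ascii = one byte per char; wide = UTF-16LE (each char followed by 0x00)."""
    if modifier == "ascii":
        return text.encode("ascii")
    if modifier == "wide":
        return text.encode("utf-16-le")
    raise ValueError(f"unsupported modifier: {modifier}")


def _alnum(b: int) -> bool:
    # YARA's fullword test applies isalnum() to a single byte (ASCII only).
    return bytes([b]).isalnum()


def find_fullword(data: bytes, needle: bytes, wide: bool) -> list:
    """Offsets where needle occurs and is not glued to an alphanumeric character.

    For wide strings the neighbouring character is a 2-byte unit (an alphanumeric
    byte followed by 0x00), mirroring libyara's fullword check.
    """
    hits = []
    start = 0
    while True:
        i = data.find(needle, start)
        if i < 0:
            return hits
        end = i + len(needle)
        if wide:
            glued_before = i >= 2 and data[i - 1] == 0 and _alnum(data[i - 2])
            glued_after = end + 1 < len(data) and data[end + 1] == 0 and _alnum(data[end])
        else:
            glued_before = i >= 1 and _alnum(data[i - 1])
            glued_after = end < len(data) and _alnum(data[end])
        if not (glued_before or glued_after):
            hits.append(i)
        start = i + 1


def scan(data: bytes) -> dict:
    """Return {string_id: [offsets]} for every rule string that matches in data."""
    matches = {}
    for sid, (text, modifier) in RULE_STRINGS.items():
        offsets = find_fullword(data, encode_pattern(text, modifier), modifier == "wide")
        if offsets:
            matches[sid] = offsets
    return matches


def rule_matches(data: bytes) -> bool:
    """The rule's condition is '1 of them': any single string match fires the rule."""
    return bool(scan(data))


# Constructed sample buffers (not real samples):
SAMPLE_ASCII_HIT = b"\x00" * 4 + b"F:\\Projects\\Bot\\Bot\\Release\\Ism.pdb" + b"\x00PAD"
SAMPLE_WIDE_HIT = b"\x00\x00" + "C:\\ddd\\wer2.txt".encode("utf-16-le") + b"\x00\x00"
# $x2 is declared "wide" only, so the same path stored as plain ASCII does not match.
SAMPLE_WRONG_ENCODING = b"C:\\ddd\\wer2.txt"
# "fullword" rejects a hit that runs straight into an alphanumeric byte ("X" here).
SAMPLE_NOT_FULLWORD = b"F:\\Projects\\Bot\\Bot\\Release\\Ism.pdbX"

if __name__ == "__main__":
    for name, buf in [("ascii hit", SAMPLE_ASCII_HIT), ("wide hit", SAMPLE_WIDE_HIT),
                      ("wrong encoding", SAMPLE_WRONG_ENCODING),
                      ("not fullword", SAMPLE_NOT_FULLWORD)]:
        print(f"{name:15} matches={rule_matches(buf)} {scan(buf)}")
```

The "wrong encoding" case is the practical caveat: a sample that stores the wer2.txt path as ANSI rather than UTF-16 would not trip $x2, so a defender relying on this rule alone should pair it with the hash indicators in the meta block.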
This rule contains 3 string patterns in its detection logic.
Scenario: Legitimate scheduled backup job using Veeam
Description: A backup process using Veeam may generate similar file patterns due to its use of temporary files or scripts.
Filter/Exclusion: Check for process.name containing “Veeam” or file.path containing “Veeam” in the event data.

Scenario: Admin using PowerShell for system cleanup
Description: An administrator may run PowerShell scripts that create temporary files, or whose command-line syntax resembles the flagged activity, as part of legitimate maintenance tasks.
Filter/Exclusion: Filter events where process.name is “powershell.exe” and process.args contains “Cleanup” or “System Maintenance”.

Scenario: Deployment of a legitimate software update via SCCM
Description: Software updates deployed via System Center Configuration Manager (SCCM) may include scripts or temporary files that match the YARA signature.
Filter/Exclusion: Check for process.name containing “ccmexec” or “SCCM” in the event data.

Scenario: Use of a legitimate remote management tool (e.g., LogMeIn)
Description: Remote management tools like LogMeIn may exhibit network behavior or file patterns similar to the Greenbug backdoor.
Filter/Exclusion: Filter events where process.name contains “LogMeIn” or “Remote Desktop” and check for known legitimate tool signatures.

Scenario: Testing of a security tool’s detection capabilities
Description: Security teams may test detection rules by injecting benign payloads that mimic malicious behavior.
Filter/Exclusion: Check for process.name containing “test” or “simulate” and verify the presence of a known test environment or lab tag.
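The five scenarios above read naturally as an ordered list of exclusion predicates applied to an enriched YARA-hit event. The following is an added example, not part of the original page, that encodes them as such. It assumes SIEM-style field names (process.name, file.path, process.args, hash.sha256) and two further assumed fields, signature.trusted (a boolean set by an upstream signer check) and labels (free-text host tags); the events are constructed for illustration. One design choice is mine and labelled as such: an event whose file hash is one of the two hashes in the rule's meta block is always escalated, because no benign-scenario exclusion should ever suppress a known Greenbug sample.

```python
# Added example: apply the page's false-positive scenarios as exclusion predicates
# to constructed YARA-hit events. Field names are assumed SIEM-style keys, not
# anything the original page or the rule defines.
from typing import Callable

# Known-bad hashes copied from the rule's meta section.
GREENBUG_HASHES = {
    "44bdf5266b45185b6824898664fd0c0f2039cdcb48b390f150e71345cd867c49",
    "7f16824e7ad9ee1ad2debca2a22413cde08f02ee9f0d08d64eb4cb318538be9c",
}


def _has(ev: dict, field: str, *needles: str) -> bool:
    """Case-insensitive 'field contains any needle' check on an event dict."""
    value = str(ev.get(field, "")).lower()
    return any(n.lower() in value for n in needles)


# One predicate per scenario, in the order the page lists them.
EXCLUSIONS: list = [
    ("Veeam backup job",
     lambda ev: _has(ev, "process.name", "Veeam") or _has(ev, "file.path", "Veeam")),
    ("PowerShell cleanup",
     lambda ev: _has(ev, "process.name", "powershell.exe")
     and _has(ev, "process.args", "Cleanup", "System Maintenance")),
    ("SCCM deployment",
     lambda ev: _has(ev, "process.name", "ccmexec", "SCCM")),
    # "check for known legitimate tool signatures" is modelled by the assumed
    # boolean field signature.trusted.
    ("Remote management tool",
     lambda ev: _has(ev, "process.name", "LogMeIn", "Remote Desktop")
     and ev.get("signature.trusted") is True),
    # "verify the presence of a known test environment or lab tag" is modelled by
    # the assumed labels field containing "lab".
    ("Detection testing",
     lambda ev: _has(ev, "process.name", "test", "simulate") and _has(ev, "labels", "lab")),
]


def triage(ev: dict) -> tuple:
    """Return ('alert' | 'suppress', reason) for one YARA-hit event.

    Design choice (mine, not the page's): a known Greenbug hash always alerts,
    whatever process produced the file.
    """
    if ev.get("hash.sha256") in GREENBUG_HASHES:
        return ("alert", "file hash is a known Greenbug sample; exclusions do not apply")
    for name, predicate in EXCLUSIONS:
        if predicate(ev):
            return ("suppress", name)
    return ("alert", "no exclusion matched")


def triage_all(events: list) -> list:
    return [(ev["id"],) + triage(ev) for ev in events]


# Constructed events (not real telemetry).
SAMPLE_EVENTS = [
    {"id": "e1", "process.name": "Veeam.Backup.Service.exe",
     "file.path": "C:\\ProgramData\\Veeam\\Backup\\temp.bin"},
    {"id": "e2", "process.name": "powershell.exe", "process.args": "-File Cleanup.ps1"},
    # Name looks like a test harness but the host is tagged prod, so it still alerts.
    {"id": "e3", "process.name": "simulate.exe", "labels": "prod"},
    # Veeam process, but the file hash is a known sample: the override wins.
    {"id": "e4", "process.name": "Veeam.Backup.Service.exe",
     "hash.sha256": "44bdf5266b45185b6824898664fd0c0f2039cdcb48b390f150e71345cd867c49"},
    {"id": "e5", "process.name": "LogMeIn.exe", "signature.trusted": False},
]

if __name__ == "__main__":
    for row in triage_all(SAMPLE_EVENTS):
        print(row)
```

Note that the page's own "test"/"simulate" substring check is broad (any process name containing "test" qualifies), which is exactly why the scenario couples it with a lab tag; e3 shows that without the tag the hit is not suppressed.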