The hypothesis is that this detection identifies potential ISMDoor backdoor activity; ISMDoor is a known malware variant used for persistent remote access and command execution. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage compromise attempts that may evade traditional detection methods.
YARA Rule
rule Greenbug_Malware_4 {
    meta:
        description = "Detects ISMDoor Backdoor"
        author = "Florian Roth"
        reference = "https://goo.gl/urp4CD"
        date = "2017-01-25"
        super_rule = 1
        hash1 = "308a646f57c8be78e6a63ffea551a84b0ae877b23f28a660920c9ba82d57748f"
        hash2 = "82beaef407f15f3c5b2013cb25901c9fab27b086cadd35149794a25dce8abcb9"
    strings:
        $s1 = "powershell.exe -nologo -windowstyle hidden -c \"Set-ExecutionPolicy -scope currentuser" fullword ascii
        $s2 = "powershell.exe -c \"Set-ExecutionPolicy -scope currentuser -ExecutionPolicy unrestricted -f; . \"" fullword ascii
        $s3 = "c:\\windows\\temp\\tmp8873" fullword ascii
        $s4 = "taskkill /im winit.exe /f" fullword ascii
        $s5 = "invoke-psuacme"
        $s6 = "-method oobe -payload \"\"" fullword ascii
        $s7 = "C:\\ProgramData\\stat2.dat" fullword wide
        $s8 = "Invoke-bypassuac" fullword ascii
        $s9 = "Start Keylog Done" fullword wide
        $s10 = "Microsoft\\Windows\\WinIt.exe" fullword ascii
        $s11 = "Microsoft\\Windows\\Tmp9932u1.bat\"" fullword ascii
        $s12 = "Microsoft\\Windows\\tmp43hh11.txt" fullword wide
    condition:
        ( uint16(0) == 0x5a4d and filesize < 2000KB and 1 of them ) or ( 3 of them )
}
This YARA rule can be deployed in the following contexts:
This rule contains 12 string patterns in its detection logic.
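To show what the condition actually requires, here is an added Python re-implementation of the rule's string matching (including the fullword and wide modifiers) and its two-branch condition, run over constructed sample buffers; it is illustration code written for this page, not the rule author's code and not yara-python.

```python
import re
# Added illustration, not yara-python and not the rule author's code: the 12 strings of
# Greenbug_Malware_4 as (name, text, fullword, wide) plus the rule's condition logic.
PATTERNS = [
    ("$s1", 'powershell.exe -nologo -windowstyle hidden -c "Set-ExecutionPolicy -scope currentuser', True, False),
    ("$s2", 'powershell.exe -c "Set-ExecutionPolicy -scope currentuser -ExecutionPolicy unrestricted -f; . "', True, False),
    ("$s3", r"c:\windows\temp\tmp8873", True, False),
    ("$s4", "taskkill /im winit.exe /f", True, False),
    ("$s5", "invoke-psuacme", False, False),
    ("$s6", '-method oobe -payload ""', True, False),
    ("$s7", r"C:\ProgramData\stat2.dat", True, True),
    ("$s8", "Invoke-bypassuac", True, False),
    ("$s9", "Start Keylog Done", True, True),
    ("$s10", r"Microsoft\Windows\WinIt.exe", True, False),
    ("$s11", r'Microsoft\Windows\Tmp9932u1.bat"', True, False),
    ("$s12", r"Microsoft\Windows\tmp43hh11.txt", True, True),
]
ALNUM = re.compile(rb"[A-Za-z0-9]")
def _fullword_ok(data, start, end, wide):
    """YARA 'fullword': no alphanumeric char right before/after; a wide char is an ASCII byte then 0x00."""
    before, after = data[max(start - 2, 0):start], data[end:end + 2]
    if wide:
        return not ((len(before) == 2 and before[1:] == b"\x00" and ALNUM.match(before[:1])) or
                    (len(after) == 2 and after[1:] == b"\x00" and ALNUM.match(after[:1])))
    return not (ALNUM.match(before[-1:]) or ALNUM.match(after[:1]))

def matched_strings(data):
    """Names of the rule's strings found at least once in data (what 'N of them' counts)."""
    hits = []
    for name, text, fullword, wide in PATTERNS:
        needle = text.encode("utf-16-le" if wide else "ascii")
        pos = data.find(needle)
        while pos != -1:
            if not fullword or _fullword_ok(data, pos, pos + len(needle), wide):
                hits.append(name)
                break
            pos = data.find(needle, pos + 1)
    return hits

def rule_matches(data):
    """The condition: PE header (uint16(0) == 0x5a4d) under 2000KB with 1 hit, or 3 hits in any file."""
    hits = len(matched_strings(data))
    is_pe = data[:2] == b"MZ"  # bytes 'M','Z' read as a little-endian uint16 are 0x5a4d
    return (is_pe and len(data) < 2000 * 1024 and hits >= 1) or hits >= 3
SAMPLES = {  # constructed buffers, not real malware
    "pe_one_hit": b"MZ" + b"\x00" * 62 + b"taskkill /im winit.exe /f\x00" + b"\x00" * 16,
    "script_three_hits": b"invoke-psuacme\nInvoke-bypassuac\n" + "Start Keylog Done".encode("utf-16-le") + b"\x00\x00",
    "pe_not_fullword": b"MZ" + b"\x00" * 62 + b"xtaskkill /im winit.exe /fx",  # glued to letters: fullword fails
}
SAMPLES["pe_too_big"] = SAMPLES["pe_one_hit"] + b"\x00" * (2000 * 1024)  # one hit, but filesize is not < 2000KB
```

Only the script sample with three indicators and the small fake PE with one indicator satisfy the condition; the glued-word and oversized buffers show why the fullword modifier and the filesize bound matter.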
Scenario: Scheduled System Maintenance Task
Description: A legitimate system maintenance task, such as a Windows Task Scheduler job that runs ism.exe as part of a software update or patching process.
Filter/Exclusion: Check for Process.parent_process_name = "schtasks.exe" or Process.command_line contains "schtasks.exe"
Scenario: Admin Tool for Network Configuration
Description: An administrator uses a tool like ism.exe (if it’s a renamed or custom tool) to configure network settings or firewall rules.
Filter/Exclusion: Check for Process.parent_process_name = "cmd.exe" or Process.parent_process_name = "powershell.exe" with known admin commands
Scenario: Legitimate Software Installation
Description: A legitimate software package (e.g., a third-party application) includes a file named ism.exe during installation, which is not malicious.
Filter/Exclusion: Check for File.path contains "C:\Program Files\" or File.path contains "C:\Windows\Temp\"
Scenario: User-Initiated File Execution
Description: A user manually runs ism.exe from a trusted directory (e.g., a local script or utility) as part of a routine administrative task.
Filter/Exclusion: Check for Process.user = "Domain\Administrator" or Process.user = "Domain\RegularUser" with known benign command lines
Scenario: Antivirus or Endpoint Protection Scan
Description: A security tool (e.g., Microsoft Defender or CrowdStrike Falcon) temporarily executes a file named ism.exe during a scan or quarantine process.
Filter/Exclusion: Check for Process.parent_process_name contains "Windows Defender" or Process.parent_process_name contains "CrowdStrike"