The rule detects potential lateral movement or unauthorized file access through suspicious file activity across multiple Azure resources. SOC teams should proactively hunt for this behavior to identify and mitigate early-stage adversary activity that could lead to deeper network compromise.
YARA Rule
rule Greenbug_Malware_5 {
meta:
description = "Auto-generated rule - from files 308a646f57c8be78e6a63ffea551a84b0ae877b23f28a660920c9ba82d57748f, 44bdf5266b45185b6824898664fd0c0f2039cdcb48b390f150e71345cd867c49, 7f16824e7ad9ee1ad2debca2a22413cde08f02ee9f0d08d64eb4cb318538be9c, 82beaef407f15f3c5b2013cb25901c9fab27b086cadd35149794a25dce8abcb9"
author = "Florian Roth"
reference = "https://goo.gl/urp4CD"
date = "2017-01-25"
super_rule = 1
hash1 = "308a646f57c8be78e6a63ffea551a84b0ae877b23f28a660920c9ba82d57748f"
hash2 = "44bdf5266b45185b6824898664fd0c0f2039cdcb48b390f150e71345cd867c49"
hash3 = "7f16824e7ad9ee1ad2debca2a22413cde08f02ee9f0d08d64eb4cb318538be9c"
hash4 = "82beaef407f15f3c5b2013cb25901c9fab27b086cadd35149794a25dce8abcb9"
strings:
$x1 = "cmd /u /c WMIC /Node:localhost /Namespace:\\\\root\\SecurityCenter" fullword ascii
$x2 = "cmd /a /c net user administrator /domain >>" fullword ascii
$x3 = "cmd /a /c netstat -ant >>\"%localappdata%\\Microsoft\\" fullword ascii
$o1 = "========================== (Net User) ==========================" ascii fullword
condition:
filesize < 2000KB and (
( uint16(0) == 0x5a4d and 1 of them ) or
$o1
)
}This YARA rule can be deployed in the following contexts:
This rule contains 4 string patterns in its detection logic.
Scenario: A system administrator is using PowerShell to automate the deployment of a new application, which involves creating and modifying files in the C:\Program Files\ directory.
Filter/Exclusion: process.name != "powershell.exe" OR process.parent.name != "WindowsPowerShell.exe"
Scenario: A scheduled task runs nightly to back up user profiles, which includes copying files from C:\Users\ to a backup server.
Filter/Exclusion: process.name == "schtasks.exe" OR process.parent.name == "services.exe"
Scenario: A Windows Update installation process temporarily creates files in the C:\Windows\Temp\ directory as part of the update process.
Filter/Exclusion: process.name == "wuauclt.exe" OR process.parent.name == "services.exe"
Scenario: A system integrity check tool like Microsoft Defender performs a scan and generates temporary files in the C:\Windows\Temp\ directory.
Filter/Exclusion: process.name == "MsMpEng.exe" OR process.parent.name == "services.exe"
Scenario: A database backup job runs using SQL Server Agent and writes temporary files to the C:\Program Files\Microsoft SQL Server\ directory.
Filter/Exclusion: process.name == "sqlservr.exe" OR process.parent.name == "sqlagent.exe"