Adversaries abuse legitimate Windows network protocols, SMB and NTLM authentication among them, to move laterally, exfiltrate data or establish command and control channels, and that traffic blends in with ordinary administrative activity. The YARA rule below flags one such tool, Impacket's ntlmrelayx, by the status messages the script prints; because it matches on strings alone, it fires on the script itself, on executables that bundle it, and on any captured output or document that contains one of these messages, and a single hit is enough. SOC teams should pair the rule with proactive hunting in Azure Sentinel for network activity that bypasses signature-based detection; the scenarios at the end of this page list common benign sources of such activity and the exclusions that keep them out of a hunt.
YARA Rule
rule hacktool_multi_ntlmrelayx
{
    meta:
        description = "https://www.fox-it.com/en/insights/blogs/blog/inside-windows-network/"
        reference = "https://github.com/CoreSecurity/impacket/blob/master/examples/ntlmrelayx.py"
        author = "@mimeframe"
        id = "e638e9d0-404d-5b48-910c-6b3cd0845b78"
    strings:
        $a1 = "Started interactive SMB client shell via TCP" wide ascii
        $a2 = "Service Installed.. CONNECT!" wide ascii
        $a3 = "Done dumping SAM hashes for host:" wide ascii
        $a4 = "DA already added. Refusing to add another" wide ascii
        $a5 = "Domain info dumped into lootdir!" wide ascii
    condition:
        any of ($a*)
}
This YARA rule can be deployed in the following contexts:
This rule contains 5 string patterns in its detection logic.
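To make concrete what the rule's wide ascii modifiers and its any of ($a*) condition actually match, here is an added Python example. It is not part of this page, of Impacket, or of the rule author's material; it re-implements the string matching without yara-python and runs it over three constructed byte samples (a console log written in the style of ntlmrelayx output, a UTF-16LE event line, and a benign PowerShell transcript). The sample text is constructed for the example, not captured from a real run.

```python
"""Emulates the matching logic of rule hacktool_multi_ntlmrelayx without yara-python.

YARA's 'ascii' modifier matches the raw single-byte string; 'wide' matches the same
text encoded as UTF-16LE (each character followed by a NUL byte), which is how
Windows stores strings in memory, registry values and many log files.
The rule's condition is 'any of ($a*)': one hit on any single string is enough.
"""

# The five strings from the rule, keyed by their YARA identifier.
RULE_STRINGS = {
    "$a1": "Started interactive SMB client shell via TCP",
    "$a2": "Service Installed.. CONNECT!",
    "$a3": "Done dumping SAM hashes for host:",
    "$a4": "DA already added. Refusing to add another",
    "$a5": "Domain info dumped into lootdir!",
}


def encodings(text: str) -> list[tuple[str, bytes]]:
    """Return the byte patterns YARA searches for under the 'wide ascii' modifiers."""
    return [("ascii", text.encode("ascii")), ("wide", text.encode("utf-16-le"))]


def scan(data: bytes) -> list[tuple[str, str, int]]:
    """Return (identifier, encoding, offset) for every occurrence of every rule string."""
    hits = []
    for ident, text in RULE_STRINGS.items():
        for enc, pattern in encodings(text):
            offset = data.find(pattern)
            while offset != -1:
                hits.append((ident, enc, offset))
                offset = data.find(pattern, offset + 1)
    return hits


def rule_matches(data: bytes) -> bool:
    """condition: any of ($a*)"""
    return bool(scan(data))


# Constructed samples (not real captures):
# 1. console output written in the style of ntlmrelayx, saved as plain ASCII
NTLMRELAYX_LOG = (
    b"[*] SMBD-Thread-4: Received connection from 10.0.0.7, attacking target smb://10.0.0.20\n"
    b"[*] Authenticating against smb://10.0.0.20 as CORP/alice SUCCEED\n"
    b"[*] Started interactive SMB client shell via TCP on 127.0.0.1:11000\n"
    b"[*] Done dumping SAM hashes for host: 10.0.0.20\n"
)
# 2. one message as Windows would write it to a UTF-16LE file (matches only via 'wide')
UTF16_EVENT = "Domain info dumped into lootdir!\r\n".encode("utf-16-le")
# 3. benign administrative PowerShell transcript containing none of the rule strings
BENIGN_TRANSCRIPT = (
    b"PS C:\\> Set-DnsClient -InterfaceAlias Ethernet -ConnectionSpecificSuffix corp.example\n"
    b"PS C:\\> Get-NetAdapter | Where-Object Status -eq Up\n"
)


def demo() -> dict[str, bool]:
    """Run the rule over the constructed samples and report which ones fire."""
    return {
        "ntlmrelayx_log": rule_matches(NTLMRELAYX_LOG),
        "utf16_event": rule_matches(UTF16_EVENT),
        "benign_transcript": rule_matches(BENIGN_TRANSCRIPT),
    }


if __name__ == "__main__":
    for name, sample in (("ntlmrelayx_log", NTLMRELAYX_LOG),
                         ("utf16_event", UTF16_EVENT),
                         ("benign_transcript", BENIGN_TRANSCRIPT)):
        print(f"{name}: match={rule_matches(sample)} hits={scan(sample)}")
```

The UTF-16LE sample is the reason the rule carries wide: the interleaved NUL bytes defeat the plain ascii pattern, so a rule with ascii only would miss the same message in a Windows-native file or process memory. The benign transcript also shows the flip side of a pure string rule: anything that quotes these messages verbatim (an incident report, a blog post, this very page) will match just as well as the tool.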
Scenario: A system administrator uses PowerShell for routine network configuration, such as updating DNS settings or configuring network interfaces.
Filter/Exclusion: Require ProcessName = "powershell.exe" together with a CommandLine containing known administrative cmdlets such as Set-DnsClient, Set-NetAdapter, or Get-NetAdapter. A cmdlet name is only a substring test that an attacker can pad into a malicious command line, so also require an internal destination or an administrative account before excluding the event.
Scenario: A scheduled job updates system certificates or runs Windows Update, generating traffic to Microsoft servers.
Filter/Exclusion: schtasks.exe only creates, modifies and queries tasks; the job itself runs as the process named in the task's action, started by the Task Scheduler service. Filter on that process and its known command line, or on the destination IP ranges Microsoft publishes for its update services, rather than on schtasks.exe.
Scenario: A user in an active RDP session accesses internal network resources, generating activity that can resemble malicious behavior.
Filter/Exclusion: mstsc.exe is the RDP client and appears only on the connecting host; on the remote host the traffic comes from whatever process the user runs inside the session. Exclude mstsc.exe connections to internal RDP hosts, or events where UserDomain matches an internal corporate domain and the source IP falls within a known internal range.
Scenario: A backup tool such as Veeam or Commvault transfers data over the network, producing outbound traffic to backup servers.
Filter/Exclusion: Filter on the backup tool's ProcessName (for example veeam.exe or cvbackup.exe; confirm the actual binary names installed in your environment) combined with known backup server IP addresses or domains as the destination.
Scenario: The Windows Update Agent downloads patches, generating traffic to Microsoft's update servers.
Filter/Exclusion: Use ProcessName = "wuauclt.exe" combined with update-related command lines or the destination IP ranges published for Microsoft update services. On current Windows versions most update traffic originates from svchost.exe hosting the wuauserv service, with usoclient.exe driving scans, so confirm the process name in your own telemetry before relying on this exclusion, and never exclude on the process name alone: a process called wuauclt.exe talking to an address outside the update ranges is exactly what the hunt should surface.