An adversary may be attempting to alter network configurations to maintain persistence or exfiltrate data undetected. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential long-term access or data leakage risks early.
YARA Rule
rule hijack_network {
meta:
author = "x0r"
description = "Hijack network configuration"
version = "0.1"
strings:
$p1 = "SOFTWARE\\Classes\\PROTOCOLS\\Handler" nocase
$p2 = "SOFTWARE\\Classes\\PROTOCOLS\\Filter" nocase
$p3 = "Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ProxyServer" nocase
$p4 = "software\\microsoft\\windows\\currentversion\\internet settings\\proxyenable" nocase
$f1 = "drivers\\etc\\hosts" nocase
condition:
any of them
}This YARA rule can be deployed in the following contexts:
This rule contains 5 string patterns in its detection logic.
Scenario: Scheduled network backup using netsh
Description: A scheduled task runs netsh to back up network configuration files as part of a standard backup process.
Filter/Exclusion: Exclude processes initiated by the backup service or tasks with netsh in the command line and originating from the backup scheduler.
Scenario: Manual network configuration change via ipconfig /all
Description: An administrator manually runs ipconfig /all to verify or document current network settings.
Filter/Exclusion: Exclude processes with ipconfig /all in the command line executed by user accounts with administrative privileges and logged in via the console.
Scenario: System update or patching using Group Policy
Description: A Group Policy update modifies network settings across the domain, such as DNS or proxy configurations.
Filter/Exclusion: Exclude events related to Group Policy updates or changes made by the gpupdate or gpresult commands.
Scenario: Network discovery tool scanning internal network
Description: A network discovery tool like Nmap or Advanced IP Scanner is used to map internal network devices.
Filter/Exclusion: Exclude processes associated with known network discovery tools and running from non-administrator accounts or during scheduled network scans.
Scenario: DNS configuration change via PowerShell script
Description: A PowerShell script is used to update DNS settings on multiple servers as part of a routine configuration management task.
Filter/Exclusion: Exclude PowerShell scripts that modify DNS settings and are executed by the configuration management tool (e.g., Ansible, Puppet, or Chef) with known execution patterns.