This rule, written by Seth Hardy and dated 2014-07-21, matches short x86 instruction sequences lifted from samples of the iexpl0re malware family: two loop epilogues, two byte-wise XOR decoding loops, and two call sites of a routine the author labels "88h decrypt". It is a content signature, not a behavioural one. YARA matches byte patterns in whatever it is pointed at (files on disk, process memory, memory dumps) and knows nothing about process names, command lines or network activity, so the rule does not detect "exploration of code features"; it detects the presence of iexpl0re code. A hit therefore indicates a likely compromise by this family and should be triaged as such: identify the file or process that matched, what launched it, and what it has touched on the host and on the network. Azure Sentinel cannot run YARA itself; a scanner has to run the rule and forward its results as events before they can be hunted on there.
YARA Rule
rule iexpl0reCode : iexpl0ree Family
{
    meta:
        description = "iexpl0re code features"
        author = "Seth Hardy"
        last_modified = "2014-07-21"
    strings:
        // end of a 100-iteration loop plus function epilogue:
        // inc edi / cmp edi,64h / jl rel32 / xor eax,eax / pop edi / pop esi / pop ebx / leave / ret
        $ = { 47 83 FF 64 0F 8C 6D FF FF FF 33 C0 5F 5E 5B C9 C3 }
        // xor byte ptr [ebp+ecx-5Ch],44h / inc ecx / cmp ecx,eax / jl / push 104h (MAX_PATH)
        $ = { 80 74 0D A4 44 41 3B C8 7C F6 68 04 01 00 00 }
        // mov al,cl / mov dl,7 / imul dl / xor [ecx+esi],al / inc ecx / cmp ecx,[ebp+10h] / jl
        // i.e. buf[i] ^= (i*7) & 0xFF
        $ = { 8A C1 B2 07 F6 EA 30 04 31 41 3B 4D 10 7C F1 }
        // same loop end as the first string with a different backward jump displacement
        $ = { 47 83 FF 64 0F 8C 79 FF FF FF 33 C0 5F 5E 5B C9 C3 }
        // 88h decrypt: push 88h / push 690h / push <imm32> / mov [r/m],esi-or-edi / call
        // ?? matches any byte (the pushed address); 3? matches any ModRM byte 30h..3Fh
        $ = { 68 88 00 00 00 68 90 06 00 00 68 ?? ?? ?? ?? 89 3? E8 }
        // same call site, with 88h loaded into ebx first: mov ebx,88h / push ebx / ...
        $ = { BB 88 00 00 00 53 68 90 06 00 00 68 ?? ?? ?? ?? 89 3? E8 }
    condition:
        any of them
}
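The following Python is an added example for this page, not Seth Hardy's code and not part of YARA. It re-implements the subset of YARA hex-string matching the rule relies on (fixed bytes, the `??` byte wildcard and the `3?` nibble wildcard), runs the rule's six strings over constructed buffers, and ports the XOR loop that the third string fingerprints so its effect on a buffer can be seen. The buffer contents, and the names `hex_string_to_regex`, `scan`, `iexpl0re_code_matches`, `xor_mul7_decode` and `build_samples`, are the example's own; for real scanning use the yara CLI or yara-python.

```python
"""Hex-string matching for the iexpl0reCode rule, re-implemented in plain Python.

Added example for this page: not Seth Hardy's code and not YARA. It covers only
the hex-string syntax the rule uses (fixed bytes, '??', nibble wildcards such as
'3?') so the matching can be stepped through and unit-tested without the yara
binary. The sample buffers are constructed, not real malware.
"""
from __future__ import annotations

import re

# The six hex strings, copied verbatim from the rule above, in rule order.
IEXPL0RE_STRINGS = [
    "47 83 FF 64 0F 8C 6D FF FF FF 33 C0 5F 5E 5B C9 C3",
    "80 74 0D A4 44 41 3B C8 7C F6 68 04 01 00 00",
    "8A C1 B2 07 F6 EA 30 04 31 41 3B 4D 10 7C F1",
    "47 83 FF 64 0F 8C 79 FF FF FF 33 C0 5F 5E 5B C9 C3",
    "68 88 00 00 00 68 90 06 00 00 68 ?? ?? ?? ?? 89 3? E8",   # 88h decrypt
    "BB 88 00 00 00 53 68 90 06 00 00 68 ?? ?? ?? ?? 89 3? E8",  # 88h decrypt
]


def _lit(value: int) -> bytes:
    """Regex text for one literal byte, written as \\xNN so no byte is ever a metacharacter."""
    return b"\\x%02X" % value


def hex_string_to_regex(pattern: str) -> re.Pattern[bytes]:
    """Translate a YARA hex string into a compiled bytes regex.

    Supported: 'AB' fixed byte, '??' any byte, 'A?' / '?B' nibble wildcards.
    Jumps such as [4-6] are not used by this rule and raise ValueError.
    """
    parts: list[bytes] = []
    for tok in pattern.split():
        if len(tok) != 2 or not all(c in "0123456789ABCDEFabcdef?" for c in tok):
            raise ValueError(f"unsupported hex-string token {tok!r}")
        hi, lo = tok
        if tok == "??":
            parts.append(b".")
        elif lo == "?":                      # high nibble fixed: '3?' is 0x30..0x3F
            base = int(hi, 16) << 4
            parts.append(b"[" + _lit(base) + b"-" + _lit(base | 0x0F) + b"]")
        elif hi == "?":                      # low nibble fixed: '?3' is 0x03, 0x13, ..., 0xF3
            low = int(lo, 16)
            parts.append(b"[" + b"".join(_lit((n << 4) | low) for n in range(16)) + b"]")
        else:
            parts.append(_lit(int(tok, 16)))
    # DOTALL so '??' also matches 0x0A, which '.' would otherwise refuse.
    return re.compile(b"".join(parts), re.DOTALL)


COMPILED = [hex_string_to_regex(s) for s in IEXPL0RE_STRINGS]


def scan(buf: bytes) -> list[tuple[int, int]]:
    """Return (string_index, offset) for every hit, like the $ strings yara -s prints.

    finditer() reports non-overlapping hits only; none of these strings can
    overlap themselves, so the result equals YARA's for this rule.
    """
    hits: list[tuple[int, int]] = []
    for idx, rx in enumerate(COMPILED):
        for m in rx.finditer(buf):
            hits.append((idx, m.start()))
    return hits


def iexpl0re_code_matches(buf: bytes) -> bool:
    """The rule's condition: 'any of them'."""
    return bool(scan(buf))


def xor_mul7_decode(data: bytes) -> bytes:
    """Python port of the loop fingerprinted by the third string:
    mov al,cl / mov dl,7 / imul dl / xor [ecx+esi],al / inc ecx / cmp ecx,[ebp+10h] / jl.
    Byte i is XORed with (i*7) & 0xFF. The counter's starting value lies outside
    the matched bytes; 0 is assumed here. XOR is self-inverse, so this also encodes.
    """
    return bytes(b ^ ((i * 7) & 0xFF) for i, b in enumerate(data))


def build_samples() -> dict[str, bytes]:
    """Constructed buffers for exercising the matcher (not real samples)."""
    loop = bytes.fromhex("8A C1 B2 07 F6 EA 30 04 31 41 3B 4D 10 7C F1")
    # push 88h / push 690h / push 00402010h / mov [ebx],edi (89 3B) / call
    call_site = bytes.fromhex("68 88 00 00 00 68 90 06 00 00 68 10 20 40 00 89 3B E8")
    return {
        "loop":         b"\xCC" * 3 + loop + b"\xCC" * 5,
        "decrypt_call": b"\x90" * 7 + call_site,
        # 89 4B (mov [ebx+disp8],ecx) falls outside the '3?' nibble wildcard: no hit
        "near_miss":    b"\x90" * 7 + call_site.replace(b"\x89\x3B", b"\x89\x4B"),
        "benign":       b"MZ" + b"\x00" * 64 + b"This program cannot be run in DOS mode",
    }


if __name__ == "__main__":
    for name, buf in build_samples().items():
        print(f"{name:13s} match={iexpl0re_code_matches(buf)!s:5s} hits={scan(buf)}")
```

Running it lists which string hits at which offset for each buffer; the YARA equivalent is `yara -s rule.yar <file>`. The near-miss buffer shows why the nibble wildcard matters: `3?` pins the ModRM byte of the `mov` to 30h..3Fh, which is what makes the two decrypt-call strings tighter than a plain `??` in that position would be.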
Deployment and tuning
The rule is a content signature, so it is deployed wherever bytes can be scanned: with the yara command line against files and directories (including extracted mail attachments and sandbox drops), against running processes with yara -p <pid> or an EDR that accepts YARA rules for memory scanning, and against memory dumps during forensics. It cannot be loaded into Azure Sentinel or another SIEM directly; the SIEM only sees a scanner's results once they are forwarded as events.
Process-based exclusions are the wrong tool for this rule. Tuning proposals of the form "exclude events where the process is powershell.exe, ccmexec.exe, devenv.exe, MsMpEng.exe or AzurePipeline.exe, or the command line contains regsvr32, sccm, debug, fullscan or build" do not apply: YARA has no notion of process names or command lines, and none of those activities (PowerShell deploying COM components, SCCM inventory, Visual Studio debugging, Defender scans, Azure DevOps builds) is any more likely than other x86 code to contain the specific instruction sequences above. The hex strings are fragments of machine code taken from iexpl0re binaries, not descriptions of "code analysis" activity. Practical tuning looks like this instead:
Treat a match as a true positive until disassembly at the hit offset shows otherwise. The second and third strings (15 bytes each) and the decrypt call sites are specific to this family's decoding code; the two epilogue strings fingerprint a generic loop end followed by a function exit, so a chance collision with unrelated code is unlikely but not impossible there.
If a legitimate file does hit, exclude that file by hash in the scanner's allow-list rather than weakening the rule. Because the condition is any of them, a single string is enough to fire; when triaging, note which string hit, since the loop and call-site strings carry more weight than the epilogues.
The rule has no file-type guard. If you only scan executables on disk, prefixing the condition with uint16(0) == 0x5A4D and restricts it to MZ files; do not add that guard for memory scanning, where the code is found in process memory and dumps without a PE header in front of it.