This YARA rule matches files and memory regions that carry strings known from Industroyer (also tracked as CrashOverride), the malware used against the Ukrainian power grid in December 2016: the command lines it uses to install and control its Windows service, a hard-coded internal proxy, the external IP addresses it contacts, and its service and binary names. YARA evaluates file and memory content, not process-creation events, so the rule itself belongs in endpoint, file-share and memory scanning; the sample hashes in its meta section and the IP addresses and service names in its strings are the pivots to hunt in Microsoft Sentinel (formerly Azure Sentinel) for the same activity, so that an energy-sector intrusion is found before it reaches the point of large-scale disruption.
YARA Rule
rule Industroyer_Malware_2 {
   meta:
      description = "Detects Industroyer related malware"
      author = "Florian Roth"
      reference = "https://goo.gl/x81cSy"
      date = "2017-06-13"
      hash1 = "3e3ab9674142dec46ce389e9e759b6484e847f5c1e1fc682fc638fc837c13571"
      hash2 = "37d54e3d5e8b838f366b9c202f75fa264611a12444e62ae759c31a0d041aa6e4"
      hash3 = "ecaf150e087ddff0ec6463c92f7f6cca23cc4fd30fe34c10b3cb7c2a6d135c77"
      hash4 = "6d707e647427f1ff4a7a9420188a8831f433ad8c5325dc8b8cc6fc5e7f1f6f47"
   strings:
      $x1 = "sc create %ls type= own start= auto error= ignore binpath= \"%ls\" displayname= \"%ls\"" fullword wide
      $x2 = "10.15.1.69:3128" fullword wide

      $s1 = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1)" fullword wide
      $s2 = "/c sc stop %s" fullword wide
      $s3 = "sc start %ls" fullword wide
      $s4 = "93.115.27.57" fullword wide
      $s5 = "5.39.218.152" fullword wide
      $s6 = "tierexe" fullword wide
      $s7 = "comsys" fullword wide
      $s8 = "195.16.88.6" fullword wide
      $s9 = "TieringService" fullword wide

      $a1 = "TEMP\x00\x00DEF" fullword wide
      $a2 = "TEMP\x00\x00DEF-C" fullword wide
      $a3 = "TEMP\x00\x00DEF-WS" fullword wide
      $a4 = "TEMP\x00\x00DEF-EP" fullword wide
      $a5 = "TEMP\x00\x00DC-2-TEMP" fullword wide
      $a6 = "TEMP\x00\x00DC-2" fullword wide
      $a7 = "TEMP\x00\x00CES-McA-TEMP" fullword wide
      $a8 = "TEMP\x00\x00SRV_WSUS" fullword wide
      $a9 = "TEMP\x00\x00SRV_DC-2" fullword wide
      $a10 = "TEMP\x00\x00SCE-WSUS01" fullword wide
   condition:
      ( uint16(0) == 0x5a4d and filesize < 300KB and 1 of ($x*) or 3 of them or 1 of ($a*) ) or ( 5 of them )
}
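To see what the condition actually does, it helps to run the string checks against a few constructed inputs. The following Python is an added illustration, not code from this page or from the signature-base project: it re-implements the rule's 21 strings, YARA's "wide" modifier (UTF-16LE) and an approximation of "fullword" (no alphanumeric wide character directly before or after the match), then evaluates the condition with the same operator precedence YARA uses ("and" binds tighter than "or"). The sample blobs are constructed here and are not real Industroyer binaries; the real tool is yara or yara-python, which this snippet deliberately does not need.

```python
"""
Added illustration (not the page's or signature-base's code): a minimal
re-implementation of the Industroyer_Malware_2 string checks and condition,
used to show how YARA's operator precedence decides when the rule fires.
Assumptions: 'wide' = UTF-16LE; 'fullword' is approximated as 'not adjacent
to an alphanumeric wide character'; no yara dependency is required.
"""

# String sets copied from the rule (identifier -> text).
X_STRINGS = {
    "x1": 'sc create %ls type= own start= auto error= ignore binpath= "%ls" displayname= "%ls"',
    "x2": "10.15.1.69:3128",
}
S_STRINGS = {
    "s1": "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1)",
    "s2": "/c sc stop %s",
    "s3": "sc start %ls",
    "s4": "93.115.27.57",
    "s5": "5.39.218.152",
    "s6": "tierexe",
    "s7": "comsys",
    "s8": "195.16.88.6",
    "s9": "TieringService",
}
A_STRINGS = {f"a{i}": "TEMP\x00\x00" + host for i, host in enumerate(
    ["DEF", "DEF-C", "DEF-WS", "DEF-EP", "DC-2-TEMP", "DC-2",
     "CES-McA-TEMP", "SRV_WSUS", "SRV_DC-2", "SCE-WSUS01"], start=1)}
ALL_STRINGS = {**X_STRINGS, **S_STRINGS, **A_STRINGS}


def wide(text: str) -> bytes:
    """YARA's 'wide' modifier: the text as UTF-16LE (embedded \\x00 bytes survive)."""
    return text.encode("utf-16-le")


def _is_alnum_wide(pair: bytes) -> bool:
    """True if the two bytes are one ASCII alphanumeric wide character, e.g. b'x\\x00'."""
    return len(pair) == 2 and pair[1] == 0 and pair[0] < 128 and chr(pair[0]).isalnum()


def fullword_wide_match(data: bytes, text: str) -> bool:
    """Approximate 'fullword wide': the UTF-16LE pattern occurs somewhere in data
    with no alphanumeric wide character immediately before or after it."""
    pat = wide(text)
    pos = data.find(pat)
    while pos >= 0:
        before = data[pos - 2:pos] if pos >= 2 else b""
        after = data[pos + len(pat):pos + len(pat) + 2]
        if not _is_alnum_wide(before) and not _is_alnum_wide(after):
            return True
        pos = data.find(pat, pos + 1)
    return False


def evaluate(data: bytes) -> tuple[bool, list[str]]:
    """Evaluate the rule condition as YARA parses it; returns (matched, hit identifiers)."""
    hits = [name for name, text in ALL_STRINGS.items() if fullword_wide_match(data, text)]
    n_x = sum(h.startswith("x") for h in hits)
    n_a = sum(h.startswith("a") for h in hits)
    n_all = len(hits)
    is_pe = data[:2] == b"MZ"        # uint16(0) == 0x5a4d read little-endian is "MZ"
    small = len(data) < 300 * 1024   # filesize < 300KB (YARA's KB is 1024 bytes)
    # 'and' binds tighter than 'or': the PE-header/size gate only guards the $x clause.
    # '3 of them' and '1 of ($a*)' match any input regardless of file type or size.
    matched = (is_pe and small and n_x >= 1) or n_all >= 3 or n_a >= 1 or n_all >= 5
    return matched, hits


# Constructed sample inputs (not real malware). A wide NUL separates strings so
# each one stays 'fullword'.
SEP = b"\x00\x00"
SAMPLE_PE_PROXY = b"MZ" + SEP + wide("10.15.1.69:3128") + SEP                   # small PE, 1 of ($x*)
SAMPLE_PE_LARGE = b"MZ" + SEP + wide("10.15.1.69:3128") + b"\x00" * (300 * 1024)  # same, but >= 300KB
SAMPLE_TEXT_3S = SEP.join([wide("tierexe"), wide("comsys"), wide("TieringService")])  # no MZ header
SAMPLE_ONE_A = wide("TEMP\x00\x00DEF")                                          # one $a string, no MZ
SAMPLE_ONE_S = b"MZ" + SEP + wide("comsys") + SEP                               # only one $s string
SAMPLE_EMBEDDED = wide("xtierexe")                                              # substring, not fullword

if __name__ == "__main__":
    for label in ("SAMPLE_PE_PROXY", "SAMPLE_PE_LARGE", "SAMPLE_TEXT_3S",
                  "SAMPLE_ONE_A", "SAMPLE_ONE_S", "SAMPLE_EMBEDDED"):
        print(f"{label:16} -> {evaluate(globals()[label])}")
```

Running it shows the two sides of the precedence: the proxy string alone only fires inside a PE under 300KB, while three of the generic $s strings, or a single $a string, fire on any blob at all, including memory dumps, logs and documents that merely contain those UTF-16 fragments.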
This rule contains 21 string patterns in its detection logic: two high-confidence $x strings (the service-install command line and the internal proxy address), nine supporting $s strings (a User-Agent, the sc stop/start fragments, three external IP addresses and the tierexe, comsys and TieringService names) and ten $a strings (UTF-16 "TEMP\x00\x00<hostname>" fragments). Note the precedence in the condition: in YARA "and" binds tighter than "or", so the MZ-header and 300KB gate applies only to "1 of ($x*)", while "3 of them" or "1 of ($a*)" fires on any file, including memory dumps, logs and documents that happen to contain those strings. Treat the $s-only matches as leads to confirm against the meta hashes and the strings found, not as a verdict on their own.
False-positive tuning
The exclusions below are written against process-creation telemetry (EDR or Sysmon fields such as process.name and process.parent_process), which a file-scanning YARA rule does not produce; they only apply where a YARA hit is correlated with process events in the SIEM. Apply them narrowly: a blanket exclusion of svchost.exe or vssadmin.exe hides exactly the service-creation and shadow-copy activity that the $x1, $s2 and $s3 strings point at.
Scenario: Scheduled maintenance job using schtasks.exe to run a legitimate system cleanup tool
Filter/Exclusion: process.parent_process == "schtasks.exe" && process.name == "cleanmgr.exe"
Scenario: System update using wuauclt.exe (Windows Update)
Filter/Exclusion: process.name == "wuauclt.exe" || (process.name == "svchost.exe" && process.parent_process == "services.exe")
Scenario: Admin task using taskhost.exe to execute a PowerShell script for log rotation
Filter/Exclusion: process.name == "powershell.exe" && process.parent_process == "taskhost.exe" && process.command_line contains "logrotate"
Scenario: Backup job using vssadmin.exe to create a shadow copy
Filter/Exclusion: process.name == "vssadmin.exe" || process.name == "wbemcons.exe"
Scenario: Network discovery using nmap.exe for internal network mapping
Filter/Exclusion: process.name == "nmap.exe" && process.command_line contains "-sP"