Detects Industroyer related malware

Hunt Hypothesis

Industroyer-related malware may be present in the environment through suspicious process execution or network activity indicative of its known behavior. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential industrial control system compromises early.

YARA Rule

rule Industroyer_Malware_4 {
   meta:
      description = "Detects Industroyer related malware"
      author = "Florian Roth"
      reference = "https://goo.gl/x81cSy"
      date = "2017-06-13"
      hash1 = "21c1fdd6cfd8ec3ffe3e922f944424b543643dbdab99fa731556f8805b0d5561"
   strings:
      $s1 = "haslo.dat" fullword wide
      $s2 = "defragsvc" fullword ascii

      /* .dat\x00\x00Crash */
      $a1 = { 00 2E 00 64 00 61 00 74 00 00 00 43 72 61 73 68 00 00 00 }
   condition:
      ( uint16(0) == 0x5a4d and filesize < 200KB and all of ($s*) or $a1 )
}

Deployment Notes

This YARA rule can be deployed in the following contexts:

• Microsoft Defender for Endpoint — Custom indicators / advanced hunting
• Email Gateway — Attachment scanning
• File Share Monitoring — Periodic scanning of shared drives
• YARA CLI — Manual threat hunting on endpoints

This rule contains 3 string patterns in its detection logic.

References

• https://goo.gl/x81cSy
• Source Rule

False Positive Guidance

• Scenario: Scheduled maintenance job using schtasks.exe to run a legitimate system cleanup tool
  Filter/Exclusion: Exclude processes initiated by schtasks.exe with known cleanup tools (e.g., cleanmgr.exe, diskcleanup.exe)

• Scenario: Administrative task using taskkill.exe to terminate a non-malicious process (e.g., explorer.exe)
  Filter/Exclusion: Exclude taskkill.exe commands targeting common system processes like explorer.exe, svchost.exe, or winlogon.exe

• Scenario: System update or patching process using msiexec.exe to install a legitimate Windows update
  Filter/Exclusion: Exclude msiexec.exe processes associated with known Windows update packages (e.g., KBxxxxxx.msu)

• Scenario: Database backup using sqlcmd.exe or mysqldump.exe to export data
  Filter/Exclusion: Exclude sqlcmd.exe or mysqldump.exe processes running from known backup directories or scheduled backup tasks

• Scenario: Network monitoring tool like tcpview.exe or Wireshark capturing traffic for analysis
  Filter/Exclusion: Exclude processes associated with network monitoring tools (e.g., tcpview.exe, wireshark.exe) running from user-specific directories or with elevated privileges