Adversaries may use a custom port scanner associated with Industroyer to identify vulnerable network devices and establish initial access. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect potential Industroyer-related attacks early and mitigate lateral movement risks.
YARA Rule
rule Industroyer_Portscan_3 {
meta:
description = "Detects Industroyer related custom port scaner"
author = "Florian Roth"
reference = "https://goo.gl/x81cSy"
date = "2017-06-13"
hash1 = "893e4cca7fe58191d2f6722b383b5e8009d3885b5913dcd2e3577e5a763cdb3f"
strings:
$s1 = "!ZBfamily" fullword ascii
$s2 = ":g/outddomo;" fullword ascii
$s3 = "GHIJKLMNOTST" fullword ascii
/* Decompressed File */
$d1 = "Error params Arguments!!!" fullword wide
$d2 = "^(.+?.exe).*\\s+-ip\\s*=\\s*(.+)\\s+-ports\\s*=\\s*(.+)$" fullword wide
$d3 = "Exhample:App.exe -ip= 127.0.0.1-100," fullword wide
$d4 = "Error IP Range %ls - %ls" fullword wide
$d5 = "Can't closesocket." fullword wide
condition:
( uint16(0) == 0x5a4d and filesize < 500KB and all of ($s*) or 2 of ($d*) )
}This YARA rule can be deployed in the following contexts:
This rule contains 8 string patterns in its detection logic.
Scenario: Scheduled System Maintenance Port Scan
Description: A system administrator runs a scheduled port scan using nmap to verify network connectivity and service availability during routine maintenance.
Filter/Exclusion: Check for nmap usage with known maintenance schedules or filter by source IP of trusted admin workstations.
Scenario: Database Server Port Discovery
Description: A DBA uses telnet or nc (netcat) to manually test connectivity to a database server on a non-standard port as part of a configuration check.
Filter/Exclusion: Exclude traffic originating from known DBA workstations or filter by command-line arguments containing telnet or nc with specific port numbers.
Scenario: Load Balancer Health Check
Description: A load balancer performs periodic health checks to a backend server using a custom port, which may be flagged as a scan.
Filter/Exclusion: Filter by source IP of the load balancer or exclude traffic with known health check intervals and patterns.
Scenario: Security Tool Port Testing
Description: A security tool like Masscan or Nessus is used to test network devices for open ports during a vulnerability assessment.
Filter/Exclusion: Exclude traffic from known security scanning tools or filter based on the source IP of the security scanner.
Scenario: Admin Task to Verify Service Availability
Description: An admin uses telnet or nc to verify if a service is running on a specific port, such as checking if a custom application is listening.
Filter/Exclusion: Filter by user context (e.g., admin user) or exclude commands that match known admin troubleshooting tasks.