Detects Industroyer related custom port scaner output file

Hunt Hypothesis

Adversaries may use Industroyer’s custom port scanner to identify vulnerable network devices, indicating reconnaissance activity. Proactively hunting for this behavior in Azure Sentinel helps detect early-stage threat activity and prevent potential lateral movement or network compromise.

YARA Rule

rule Industroyer_Portscan_3_Output {
   meta:
      description = "Detects Industroyer related custom port scaner output file"
      author = "Florian Roth"
      reference = "https://goo.gl/x81cSy"
      date = "2017-06-13"
   strings:
      $s1 = "WSA library load complite." fullword ascii
      $s2 = "Connection refused" fullword ascii
   condition:
      all of them
}

Deployment Notes

This YARA rule can be deployed in the following contexts:

• Microsoft Defender for Endpoint — Custom indicators / advanced hunting
• Email Gateway — Attachment scanning
• File Share Monitoring — Periodic scanning of shared drives
• YARA CLI — Manual threat hunting on endpoints

This rule contains 2 string patterns in its detection logic.

References

• https://goo.gl/x81cSy
• Source Rule

False Positive Guidance

• Scenario: Scheduled System Maintenance Task
  Description: A legitimate system maintenance task, such as a nightly backup or disk cleanup, may generate output files that resemble the structure of Industroyer port scanner output.
  Filter/Exclusion: Exclude files generated by known system maintenance tools (e.g., wbadmin, vssadmin, or schtasks.exe) or filter by file creation time matching scheduled job windows.

• Scenario: Network Discovery via PowerShell Script
  Description: A PowerShell script used for network discovery or inventory purposes (e.g., Test-NetConnection or Get-NetTCPConnection) may produce output files that match the YARA rule.
  Filter/Exclusion: Exclude files created by PowerShell scripts with known legitimate command-line arguments or filter by the presence of a specific script name or path (e.g., C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe).

• Scenario: Admin Task for Port Monitoring
  Description: A system administrator may run a custom script or tool (e.g., nmap, tcpview, or netstat) to monitor open ports, which could generate output files that match the rule.
  Filter/Exclusion: Exclude files created by known network monitoring tools or filter by user context (e.g., only alert if the file is created by a non-administrator user).

• Scenario: File Share Backup or Sync Job
  Description: A file share backup or sync job (e.g., using rsync, robocopy, or SyncToy) may generate temporary output files that match the YARA rule.
  Filter/Exclusion: Exclude files created by backup tools or filter by file path patterns common to backup directories (e.g., C:\Backup\, D:\Sync\).

• **Scenario: Custom Log