The Insta11 code features rule is a static byte-pattern signature for samples of the Insta11 family. It matches a ten-byte x86 instruction sequence: a five-byte near jump with a zero displacement (jmp $+5, which transfers control to the instruction immediately after it and so executes as a no-op) followed directly by push 0x423. Because the rule keys on instruction bytes rather than on behaviour, it belongs in file and memory scanning (endpoint agents, sandboxes, mail and file gateways) rather than in log analytics; SOC teams hunting for this family can forward YARA hits into a SIEM such as Azure Sentinel and pivot from the matching host and file to the surrounding process and network activity. A jump to the next instruction is dead code that ordinary compiler output rarely contains, which is what makes the sequence a usable fingerprint, but ten bytes is a narrow signature, so treat a hit as a lead to be confirmed against the rest of the sample rather than as proof of infection on its own.
YARA Rule
rule Insta11Code : Insta11 Family
{
    meta:
        description = "Insta11 code features"
        author = "Seth Hardy"
        last_modified = "2014-06-23"
    strings:
        // jmp $+5; push 423h
        // E9 rel32 with rel32 = 0 jumps to the next instruction (a five-byte no-op);
        // 68 imm32 pushes the little-endian constant 0x00000423
        $jumpandpush = { E9 00 00 00 00 68 23 04 00 00 }
    condition:
        any of them
}
This YARA rule can be deployed wherever YARA runs: against files on disk, against process memory, and inside sandbox or gateway scanners. It contains a single string pattern in its detection logic, so the condition any of them is equivalent to $jumpandpush and the rule fires whenever those ten bytes appear at any offset. Note that the rule carries no file-type guard (for example a check that the buffer begins with an MZ header) and no size limit, so it will also match the sequence in non-PE data and in memory dumps; that is usually desirable for hunting but is worth remembering when triaging hits.
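To make the byte pattern concrete, the following added example (written for this page, not code from the rule's author or from the YARA project) decodes the two instructions the rule matches and applies the same any-of-them logic over constructed buffers. The sample buffers, the fake MZ header and the near-miss variant with a non-zero displacement are all assumptions built for illustration, not real Insta11 samples.

```python
import struct
from typing import Dict, List

# Byte string copied from the rule's $jumpandpush entry.
JUMP_AND_PUSH = bytes.fromhex("E9 00 00 00 00 68 23 04 00 00")


def decode_jump_and_push(blob: bytes, offset: int) -> Dict[str, int]:
    """Decode the two x86 instructions the rule matches, starting at offset.

    E9 rel32 is a near jmp whose target is the address of the *next*
    instruction (offset + 5) plus the signed rel32; 68 imm32 pushes a
    32-bit little-endian immediate. The returned delta is measured from the
    jmp's own address ($), which is why the rule comment reads "jmp $+5".
    """
    if blob[offset] != 0xE9 or blob[offset + 5] != 0x68:
        raise ValueError("not a jmp rel32 followed by push imm32")
    rel32 = struct.unpack_from("<i", blob, offset + 1)[0]
    imm32 = struct.unpack_from("<I", blob, offset + 6)[0]
    return {"jmp_target_delta": 5 + rel32, "push_imm": imm32}


def find_matches(blob: bytes) -> List[int]:
    """Return every offset at which the exact ten-byte pattern occurs."""
    hits: List[int] = []
    start = 0
    while True:
        idx = blob.find(JUMP_AND_PUSH, start)
        if idx == -1:
            return hits
        hits.append(idx)
        start = idx + 1


def rule_matches(blob: bytes) -> bool:
    """'any of them' over a single string reduces to: does $jumpandpush occur?"""
    return bool(find_matches(blob))


# Constructed sample buffers (assumptions, not real Insta11 samples): a fake
# MZ header and NOP padding around the pattern, and a near miss whose jmp
# displacement is 0x10 instead of 0, which the rule deliberately does not match.
SAMPLE_HIT = b"MZ" + b"\x90" * 14 + JUMP_AND_PUSH + b"\xC3" + b"\x00" * 8
SAMPLE_NEAR_MISS = (
    b"MZ" + bytes.fromhex("E9 10 00 00 00 68 23 04 00 00") + b"\x00" * 8
)

if __name__ == "__main__":
    for name, blob in (("hit", SAMPLE_HIT), ("near_miss", SAMPLE_NEAR_MISS)):
        offsets = find_matches(blob)
        state = "fires" if rule_matches(blob) else "stays silent"
        print(f"{name}: rule {state}, offsets {offsets}")
    # Decoding the near miss shows why it is a different code feature:
    # the jump skips 16 bytes past the push instead of landing on it.
    print(decode_jump_and_push(SAMPLE_NEAR_MISS, 2))
```

The decoder makes the point that the rule is exact: the same two opcodes with any other displacement or immediate are not a hit, so a variant that changes either value would need its own string or a wildcard such as { E9 00 00 00 00 68 ?? ?? 00 00 }, at the cost of more false positives.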
The exclusion scenarios below concern the process telemetry that is usually correlated with a YARA hit during triage (base64-encoded command lines and similar), not the byte pattern itself, which encoding cannot suppress. Apply them to the process-event side of the investigation, and key each exclusion on the account and the full executable path rather than on the process name alone, since a process name is trivially spoofed.
Scenario: A system administrator uses PowerShell to automate the deployment of a legitimate application that includes base64-encoded strings for configuration purposes.
Filter/Exclusion: Exclude processes initiated by the system or administrator account with powershell.exe where the command line includes -EncodedCommand or base64 strings that match known legitimate application patterns.
Scenario: A scheduled job runs nightly to process log files using a script that contains base64-encoded data for compression or encryption.
Filter/Exclusion: Exclude processes associated with scheduled tasks that have a known name (e.g., LogProcessingJob) and run under a specific service account or at a fixed time.
Scenario: A developer uses Git to push code to a repository, and the commit message includes base64-encoded data for internal documentation.
Filter/Exclusion: Exclude processes related to git.exe with command lines containing commit or push, where the commit message or data matches known internal documentation patterns.
Scenario: A backup tool (e.g., Veeam) uses base64 encoding to store metadata during backup operations.
Filter/Exclusion: Exclude processes initiated by the backup service account and associated with known backup tools, identified by process names such as veeam.exe or backup.exe together with the tool's install path.
Scenario: A configuration management tool such as Ansible uses base64 encoding in playbooks to pass sensitive data securely.
Filter/Exclusion: Exclude processes related to ansible.exe or ansible-playbook.exe and filter out base64 strings that appear in playbooks or inventory files.
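As an added example (not code from this page's author or from any vendor), the block below encodes three of the scenarios above as exclusion predicates and runs them over constructed process-creation events. The account names, install paths, and events are assumptions chosen for illustration; the point it demonstrates is that an exclusion keyed on the full image path and the account lets the legitimate events through while a renamed copy of powershell.exe or a user-dropped backup.exe still reaches an analyst.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation event (constructed, Sysmon-style fields)."""
    user: str
    image: str     # full path of the executable, not just the basename
    cmdline: str


# Accounts and install paths are assumptions for this example; substitute
# the values from your own environment.
ADMIN_ACCOUNTS = {"NT AUTHORITY\\SYSTEM", "CORP\\adm_deploy"}
LOGJOB_ACCOUNT = "CORP\\svc_logproc"
BACKUP_ACCOUNT = "CORP\\svc_veeam"
POWERSHELL_PATH = "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe"
VEEAM_DIR = "c:\\program files\\veeam\\"


def admin_encoded_powershell(e: ProcEvent) -> bool:
    """Scenario 1: admin/system PowerShell with -EncodedCommand, but only
    from the real PowerShell binary. A copy dropped elsewhere keeps the
    process name and fails the path check."""
    return (e.user in ADMIN_ACCOUNTS
            and e.image.lower() == POWERSHELL_PATH
            and "-encodedcommand" in e.cmdline.lower())


def scheduled_log_job(e: ProcEvent) -> bool:
    """Scenario 2: the nightly LogProcessingJob under its service account."""
    return e.user == LOGJOB_ACCOUNT and "LogProcessingJob" in e.cmdline


def backup_tool(e: ProcEvent) -> bool:
    """Scenario 4: backup software, keyed on the service account and the
    vendor install directory rather than on a name like backup.exe."""
    return e.user == BACKUP_ACCOUNT and e.image.lower().startswith(VEEAM_DIR)


EXCLUSIONS: List[Tuple[str, Callable[[ProcEvent], bool]]] = [
    ("admin-encoded-powershell", admin_encoded_powershell),
    ("scheduled-log-job", scheduled_log_job),
    ("backup-tool", backup_tool),
]


def excluded_by(e: ProcEvent) -> Optional[str]:
    """Name of the first exclusion that covers the event, or None."""
    for name, pred in EXCLUSIONS:
        if pred(e):
            return name
    return None


def triage(events: List[ProcEvent]) -> List[ProcEvent]:
    """Events that survive every exclusion and still need analyst review."""
    return [e for e in events if excluded_by(e) is None]


# Constructed events: three legitimate ones matching the scenarios, and two
# look-alikes that copy the process name but not the account or install path.
# The -EncodedCommand payload is UTF-16LE "ABC", a placeholder, not a script.
EVENTS = [
    ProcEvent("CORP\\adm_deploy",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -NoProfile -EncodedCommand QQBCAEMA"),
    ProcEvent("CORP\\jdoe",
              r"C:\Users\jdoe\AppData\Local\Temp\powershell.exe",
              "powershell.exe -NoProfile -EncodedCommand QQBCAEMA"),
    ProcEvent("CORP\\svc_veeam",
              r"C:\Program Files\Veeam\Backup\Veeam.Backup.Service.exe",
              "Veeam.Backup.Service.exe"),
    ProcEvent("CORP\\jdoe", r"C:\Users\jdoe\Downloads\backup.exe",
              "backup.exe -sync"),
    ProcEvent("CORP\\svc_logproc", r"C:\Windows\System32\cmd.exe",
              r"cmd.exe /c C:\jobs\LogProcessingJob.cmd"),
]

if __name__ == "__main__":
    for e in EVENTS:
        print(f"{excluded_by(e) or 'REVIEW':>24}  {e.user:<18} {e.image}")
```

In a SIEM the same predicates become where-clauses on the process table; the ordering matters only for reporting which exclusion fired, since any single match removes the event from the review queue.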