Adversary tooling often embeds hardcoded strings that it uses when exfiltrating data or communicating with command-and-control servers, so the presence of those strings can indicate malicious activity. SOC teams should proactively hunt for these strings in Azure Sentinel to identify potential data exfiltration or C2 communication attempts early.
YARA Rule
rule Insta11Strings : Insta11 Family
{
    meta:
        description = "Insta11 Identifying Strings"
        author = "Seth Hardy"
        last_modified = "2014-06-23"
    strings:
        $ = "XTALKER7"
        $ = "Insta11 Microsoft" wide ascii
        $ = "wudMessage"
        $ = "ECD4FC4D-521C-11D0-B792-00A0C90312E1"
        $ = "B12AE898-D056-4378-A844-6D393FE37956"
    condition:
        any of them
}
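To show what the rule above actually flags, here is an added example (not part of the original page or the rule author's work) that re-implements its string semantics in plain Python: strings without modifiers match only as ASCII, the one string marked "wide ascii" also matches as UTF-16LE, and "any of them" means a single hit fires the rule. The sample buffers are constructed for the demonstration, not real samples.

```python
# Added example: minimal re-implementation of the Insta11Strings matching
# semantics, so the rule's behaviour can be tested without a YARA engine.
# In YARA, a plain string is matched as ASCII only; "wide" adds a UTF-16LE
# form; "wide ascii" matches either encoding. Matching is case-sensitive.
INSTA11_STRINGS = [
    ("XTALKER7", ("ascii",)),
    ("Insta11 Microsoft", ("wide", "ascii")),   # the only string with "wide"
    ("wudMessage", ("ascii",)),
    ("ECD4FC4D-521C-11D0-B792-00A0C90312E1", ("ascii",)),
    ("B12AE898-D056-4378-A844-6D393FE37956", ("ascii",)),
]


def _encodings(text, modifiers):
    """Byte patterns to search for, one per modifier present on the string."""
    out = []
    if "ascii" in modifiers:
        out.append(("ascii", text.encode("ascii")))
    if "wide" in modifiers:
        out.append(("wide", text.encode("utf-16-le")))
    return out


def match_insta11(data: bytes):
    """Return every hit as (string, encoding, offset); empty list means no match."""
    hits = []
    for text, mods in INSTA11_STRINGS:
        for enc_name, needle in _encodings(text, mods):
            start = 0
            while (idx := data.find(needle, start)) >= 0:
                hits.append((text, enc_name, idx))
                start = idx + 1
    return hits


def rule_fires(data: bytes) -> bool:
    """'any of them': the rule fires as soon as one string matches."""
    return bool(match_insta11(data))


# Constructed sample buffers (not real malware).
CLEAN = b"MZ\x90\x00 ordinary installer text; Microsoft Windows Update"
WIDE_HIT = b"\x00\x00" + "Insta11 Microsoft".encode("utf-16-le") + b"\x00"
WIDE_MISS = "wudMessage".encode("utf-16-le")   # UTF-16 form of an ascii-only string

if __name__ == "__main__":
    for name, buf in [("CLEAN", CLEAN), ("WIDE_HIT", WIDE_HIT), ("WIDE_MISS", WIDE_MISS)]:
        print(name, rule_fires(buf), match_insta11(buf))
```

Note that WIDE_MISS does not fire: "wudMessage" carries no "wide" modifier, so a UTF-16 copy of it is invisible to the rule as written.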
This YARA rule can be deployed in the following contexts, with the listed filters/exclusions applied to reduce noise from legitimate activity:

Scenario: Scheduled backup job using Veeam Backup & Replication
    Filter/Exclusion: Exclude processes associated with veeambackup.exe or check for the presence of Veeam in the process name or command line arguments.

Scenario: System update using Windows Update
    Filter/Exclusion: Exclude processes related to wuauclt.exe or filter based on the presence of Windows Update in the command line or process description.

Scenario: Log file parsing using ELK Stack (Elasticsearch, Logstash, Kibana)
    Filter/Exclusion: Exclude processes with logstash in the name or filter based on the presence of logstash in the command line or parent process.

Scenario: Admin task for user account management using Active Directory Users and Computers (ADUC)
    Filter/Exclusion: Exclude processes with adsiedit.msc or dsa.msc in the process name, or filter based on the presence of AD-related command line arguments.

Scenario: Automated script execution for system monitoring using PowerShell
    Filter/Exclusion: Exclude processes with powershell.exe that have a command line containing monitor, system, or script in the arguments, or filter based on the presence of a known legitimate script path.