The Linux.IotReaper detection rule identifies files that carry three strings taken from the sample referenced by the hashes in its meta section: a hard-coded domain (weruuoqweiur.com), a shell command that deletes a dropped script (/tmp/ftpupload.sh), and a MAC-address format string. It is a static, file-content YARA rule, not a process or network detection, so it applies to binaries and memory dumps pulled from IoT devices, file shares or sandboxes. SOC teams can use its indicators (the domain and the cleanup command) as hunting pivots in Microsoft Sentinel (formerly Azure Sentinel) to detect and contain early-stage compromise of IoT devices within their environment.
YARA Rule
rule IotReaper: MALW
{
    meta:
        description = "Linux.IotReaper"
        author = "Joan Soriano / @w0lfvan"
        date = "2017-10-30"
        version = "1.0"
        MD5 = "95b448bdf6b6c97a33e1d1dbe41678eb"
        SHA256 = "b463ca6c3ec7fa19cd318afdd2fa2365fa9e947771c21c4bd6a3bc2120ba7f28"
    strings:
        $a = "weruuoqweiur.com"
        $b = "rm -f /tmp/ftpupload.sh \n"
        $c = "%02x-%02x-%02x-%02x-%02x-%02x"
    condition:
        all of them
}
This rule contains three string patterns, and its condition (all of them) requires every one of them to be present in the scanned file. Two details matter when tuning it: $b ends in a space followed by a newline escape, so a variant whose cleanup command is written without that trailing whitespace will not match, and $c is a generic MAC-address format string that also appears in benign network tools, which is why the rule only fires when $a and $b are present as well. The MD5 and SHA256 values in the meta section are exact-file indicators for the original sample; they are not part of the condition and will not match recompiled variants.
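As an added example (not part of the rule or of Joan Soriano's tooling), the following Python re-implements the rule's string logic without yara-python and contrasts it with the exact-hash indicators from the meta section. The byte buffers and their labels are constructed for illustration and are not real IotReaper samples; the third buffer shows the trailing-whitespace edge case of $b.

```python
"""Re-implementation of the IotReaper YARA rule's string logic in plain Python.

Added example, not part of the original rule or its author's tooling. It does not
require yara-python: it checks the three literal patterns and the `all of them`
condition directly, and contrasts that with the exact-hash IOCs in the rule's meta.
The sample buffers below are constructed for illustration; they are not real
IotReaper samples.
"""
import hashlib

# The rule's three string patterns, as raw bytes. YARA's "\n" escape is a real
# newline, so $b must match the trailing space *and* newline literally.
PATTERNS = {
    "$a": b"weruuoqweiur.com",
    "$b": b"rm -f /tmp/ftpupload.sh \n",
    "$c": b"%02x-%02x-%02x-%02x-%02x-%02x",
}

# Exact-file IOCs copied from the rule's meta section.
KNOWN_MD5 = "95b448bdf6b6c97a33e1d1dbe41678eb"
KNOWN_SHA256 = "b463ca6c3ec7fa19cd318afdd2fa2365fa9e947771c21c4bd6a3bc2120ba7f28"


def matched_strings(data: bytes) -> list:
    """Return the identifiers of the patterns present anywhere in `data`."""
    return [name for name, pat in PATTERNS.items() if pat in data]


def rule_matches(data: bytes) -> bool:
    """Equivalent of the rule's `condition: all of them`."""
    return len(matched_strings(data)) == len(PATTERNS)


def hash_iocs_match(data: bytes) -> dict:
    """Exact-hash check, the way a plain IOC feed would detect this sample."""
    return {
        "md5": hashlib.md5(data).hexdigest() == KNOWN_MD5,
        "sha256": hashlib.sha256(data).hexdigest() == KNOWN_SHA256,
    }


def scan(label: str, data: bytes) -> dict:
    """Scan one buffer and return a result record suitable for triage output."""
    hits = matched_strings(data)
    return {
        "label": label,
        "strings": hits,
        "yara_match": rule_matches(data),
        "hash_match": any(hash_iocs_match(data).values()),
    }


# Constructed sample buffers (not real malware). The first carries all three
# indicators, as a recompiled variant of the bot would; the second carries only
# the MAC-format string, which is common in benign network tools and must not
# fire; the third writes the cleanup command without the trailing " \n", so $b
# does not match even though the other two strings are present.
SAMPLES = {
    "variant_all_three": (
        b"\x7fELF\x02\x01\x01" + b"\x00" * 16
        + b"POST /cgi-bin/ HTTP/1.1\r\nHost: weruuoqweiur.com\r\n"
        + b"rm -f /tmp/ftpupload.sh \n"
        + b"%02x-%02x-%02x-%02x-%02x-%02x\x00"
    ),
    "benign_mac_printer": b"\x7fELF" + b"ifconfig: %02x-%02x-%02x-%02x-%02x-%02x\x00",
    "missing_newline": (
        b"weruuoqweiur.com\x00rm -f /tmp/ftpupload.sh\x00"
        + b"%02x-%02x-%02x-%02x-%02x-%02x"
    ),
}


if __name__ == "__main__":
    for label, blob in SAMPLES.items():
        print(scan(label, blob))
```

Running the block prints one record per buffer: only the first buffer satisfies the rule, none of them match the exact hashes (which is the point of pairing a string rule with hash IOCs), and the third buffer shows why partial hits on $a and $c are worth reviewing by hand even when the rule as written stays silent.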
The false-positive scenarios below apply when the rule's indicators are pivoted into process-execution telemetry (for example, a Sentinel hunt over process-creation events for the domain or the cleanup command); the static YARA rule itself matches file content and does not fire on any of these activities.
Scenario: System update using apt or yum
Description: Automated package updates or upgrades may trigger a process-based version of the detection because apt or yum invoke shell commands, temporary-file cleanup and outbound connections that are common in Linux environments.
Filter/Exclusion: Match apt or yum in the process name or command line and exclude only events that run as root or via sudo during a known update schedule (a cron or systemd timer window). Do not exclude on the user alone: IoT bots typically run as root, so the schedule is the discriminating part of the check.
Scenario: Scheduled job execution via cron
Description: Legitimate cron jobs, such as system maintenance or log rotation, may trigger the detection if they spawn shell commands that resemble the bot's cleanup behaviour.
Filter/Exclusion: Identify cron-launched work by /usr/bin/cron or /etc/cron.* in the command line (or by the parent process) and exclude only command lines that match known, legitimate job patterns. An event that also carries one of the rule's indicators (the weruuoqweiur.com domain or the rm -f /tmp/ftpupload.sh command) must still alert; a bot dropped into a cron directory would otherwise be hidden by the exclusion.
Scenario: System monitoring tool execution (e.g., nagios, zabbix, telegraf)
Description: These tools routinely execute scripts or helper binaries, so their process names and command lines can resemble the behaviour the detection looks for.
Filter/Exclusion: Exclude processes belonging to known monitoring agents by matching tool-specific binaries or install paths such as /usr/lib/nagios or /opt/zabbix, and tie the exclusion to the agent's service account rather than to the path alone, since a path string in a command line is trivial to spoof.
Scenario: Admin task involving systemd or init scripts
Description: Systemd or init scripts used for service management may trigger the detection because they pass similar command-line arguments or spawn similarly named processes.
Filter/Exclusion: Exclude events whose command line includes systemctl or /etc/init.d/ when the user is root or a known administrator, and keep the exclusion narrow: service-management commands that reference unfamiliar unit names or scripts under /tmp should still be reviewed.
Scenario: Log rotation or archive tasks using logrotate
Description: Logrotate operations may trigger the detection because they create, rename and delete temporary files in ways that resemble the cleanup behaviour the rule's indicators describe.
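As an added example (not part of the original page or the rule author's tooling), the following Python applies the exclusions from the scenarios above to constructed process-creation events, with the rule's own indicators taking precedence over every exclusion. It assumes the indicators have been pivoted into process telemetry, as the scenarios require; the event records, the maintenance window used as the "known update schedule", and the administrator account name are assumptions made for illustration.

```python
"""Triage filter for the false-positive scenarios listed above.

Added example, not part of the original page or the rule author's tooling. It
assumes the rule's indicators have been pivoted into process-creation telemetry
(the domain in a command line, or the /tmp/ftpupload.sh cleanup command), which
is where the apt/cron/monitoring/systemd exclusions above would be applied; the
static YARA rule itself never sees process events. The event records, the update
window and the admin account are constructed assumptions for illustration.
"""
import re
from typing import Optional

# Hard indicators from the YARA rule. An event carrying one of these is never
# suppressed, whatever else the command line looks like.
INDICATORS = ("weruuoqweiur.com", "rm -f /tmp/ftpupload.sh")

# Assumed "known update schedule": local hours 02:00-04:59.
UPDATE_WINDOW_HOURS = range(2, 5)

PRIVILEGED_USERS = {"root", "sudo"}
ADMIN_USERS = {"ops"}  # assumed administrator account for the systemd scenario

# One (scenario name, command-line pattern) pair per scenario on the page.
EXCLUSIONS = [
    ("package-update", re.compile(r"(^|/| )(apt|apt-get|yum)( |$)")),
    ("cron-job", re.compile(r"/usr/bin/cron|/etc/cron\.")),
    ("monitoring", re.compile(r"/usr/lib/nagios|/opt/zabbix|(^|/)telegraf( |$)")),
    ("service-mgmt", re.compile(r"(^|/| )systemctl( |$)|/etc/init\.d/")),
]


def has_indicator(event: dict) -> bool:
    """True if the command line carries one of the rule's own indicators."""
    return any(ioc in event["cmdline"] for ioc in INDICATORS)


def exclusion_reason(event: dict) -> Optional[str]:
    """Return the scenario that explains the event, or None if it should alert."""
    if has_indicator(event):
        return None
    cmd, user = event["cmdline"], event["user"]
    for name, pattern in EXCLUSIONS:
        if not pattern.search(cmd):
            continue
        if name == "package-update":
            # Scenario 1: privileged user AND inside the known update schedule.
            if user in PRIVILEGED_USERS and event["hour"] in UPDATE_WINDOW_HOURS:
                return name
            continue
        if name == "service-mgmt":
            # Scenario 4: only root or a known administrator.
            if user in PRIVILEGED_USERS or user in ADMIN_USERS:
                return name
            continue
        return name  # cron-job and monitoring exclude on the path match alone
    return None


def triage(events: list) -> list:
    """Annotate each event with its disposition: alert, or suppress with a reason."""
    out = []
    for ev in events:
        reason = exclusion_reason(ev)
        out.append({**ev, "action": "suppress" if reason else "alert", "reason": reason})
    return out


# Constructed process-creation events (not real telemetry).
EVENTS = [
    {"cmdline": "/usr/bin/apt-get -y upgrade", "user": "root", "hour": 3},
    {"cmdline": "/usr/bin/apt-get -y upgrade", "user": "root", "hour": 14},
    {"cmdline": "/usr/bin/cron -f", "user": "root", "hour": 14},
    {"cmdline": "/usr/lib/nagios/plugins/check_disk -w 20%", "user": "nagios", "hour": 9},
    {"cmdline": "/bin/systemctl restart sshd", "user": "ops", "hour": 9},
    {"cmdline": "/bin/systemctl restart sshd", "user": "www-data", "hour": 9},
    # A bot launched from a cron path that still carries the rule's cleanup
    # command: the cron exclusion must not hide it.
    {"cmdline": "/bin/sh /etc/cron.hourly/.x; rm -f /tmp/ftpupload.sh", "user": "root", "hour": 3},
]

if __name__ == "__main__":
    for row in triage(EVENTS):
        print(row["action"], row["reason"], row["cmdline"])
```

The ordering matters: the indicator check runs before any exclusion, so the last event alerts even though its command line matches the cron path pattern, while the apt event outside the assumed window and the unprivileged systemctl event fall through to alert because the page's exclusions are conditional on user and schedule, not on the command name alone.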