The detection identifies potential ELF binary artifacts associated with Linux-based backdoors, downloaders, or remote command execution capabilities, which may indicate adversary persistence or lateral movement. SOC teams should proactively hunt for this behavior in Azure Sentinel to uncover stealthy malware execution or unauthorized command and control activities.
YARA Rule
rule is__LinuxHttpsdStrings {
    meta:
        description = "Strings of ELF Linux/Httpsd (backdoor, downloader, remote command execution)"
        ref1 = "https://imgur.com/a/8mFGk"
        ref2 = "https://otx.alienvault.com/pulse/5a49115f93199b171b90a212"
        ref3 = "https://misppriv.circl.lu/events/view/9952"
        author = "unixfreaxjp"
        org = "MalwareMustDie"
        date = "2018-01-02"
        sha256 = "dd1266561fe7fcd54d1eb17efbbb6babaa9c1f44b36cef6e06052e22ce275ccd"
        sha256 = "1b3718698fae20b63fbe6ab32411a02b0b08625f95014e03301b49afaee9d559"
    strings:
        $st01 = "k.conectionapis.com" fullword nocase wide ascii
        $st02 = "key=%s&host_name=%s&cpu_count=%d&os_type=%s&core_count=%s" fullword nocase wide ascii
        $st03 = "id=%d&result=%s" fullword nocase wide ascii
        $st04 = "rtime" fullword nocase wide ascii
        $st05 = "down" fullword nocase wide ascii
        $st06 = "cmd" fullword nocase wide ascii
        $st07 = "0 */6 * * * root" fullword nocase wide ascii
        $st08 = "/etc/cron.d/httpsd" fullword nocase wide ascii
        $st09 = "cat /proc/cpuinfo |grep processor|wc -l" fullword nocase wide ascii
        $st10 = "k.conectionapis.com" fullword nocase wide ascii
        $st11 = "/api" fullword nocase wide ascii
        $st12 = "/tmp/.httpslog" fullword nocase wide ascii
        $st13 = "/bin/.httpsd" fullword nocase wide ascii
        $st14 = "/tmp/.httpsd" fullword nocase wide ascii
        $st15 = "/tmp/.httpspid" fullword nocase wide ascii
        $st16 = "/tmp/.httpskey" fullword nocase wide ascii
    condition:
        all of them
}
This YARA rule can be deployed in the following contexts:
This rule contains 16 string patterns in its detection logic, each declared fullword nocase wide ascii (so it matches both 8-bit and UTF-16 encodings, case-insensitively, and only at word boundaries). Because the condition is all of them, a file must contain every one of these strings ($st01 and $st10 are identical) before the rule fires; a file that carries only the short generic strings such as "cmd", "down" or "/api" does not match.
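To make the all-of-them condition concrete, here is an added example (not part of the original page or the MalwareMustDie rule) that approximates the rule's string matching in plain Python over constructed buffers: the 16 strings are copied from the rule, and the fullword/nocase/wide/ascii modifiers are approximated with regular expressions rather than real YARA semantics, which is an assumption of this sketch. Real scanning should use yara or yara-python with the rule itself; the point here is to show that a buffer carrying only the Apache httpd administration strings from the scenarios below never satisfies the condition.

```python
import re

# The 16 strings of rule is__LinuxHttpsdStrings, copied from the rule above.
HTTPSD_STRINGS = [
    "k.conectionapis.com",
    "key=%s&host_name=%s&cpu_count=%d&os_type=%s&core_count=%s",
    "id=%d&result=%s",
    "rtime",
    "down",
    "cmd",
    "0 */6 * * * root",
    "/etc/cron.d/httpsd",
    "cat /proc/cpuinfo |grep processor|wc -l",
    "k.conectionapis.com",
    "/api",
    "/tmp/.httpslog",
    "/bin/.httpsd",
    "/tmp/.httpsd",
    "/tmp/.httpspid",
    "/tmp/.httpskey",
]
def _fullword_regex(s, wide):
    # Approximation of YARA modifiers: nocase -> IGNORECASE; wide -> UTF-16LE bytes;
    # fullword -> the match may not be bordered by an alphanumeric (alphanumeric + NUL for wide).
    if wide:
        body, alnum = s.encode("utf-16-le"), rb"[A-Za-z0-9]\x00"
    else:
        body, alnum = s.encode("ascii"), rb"[A-Za-z0-9]"
    pattern = rb"(?<!" + alnum + rb")" + re.escape(body) + rb"(?!" + alnum + rb")"
    return re.compile(pattern, re.IGNORECASE)

def string_hits(data):
    # One boolean per $stNN: True if its ascii or its wide form occurs in data.
    return [bool(_fullword_regex(s, False).search(data) or _fullword_regex(s, True).search(data))
            for s in HTTPSD_STRINGS]

def matches_httpsd(data):
    # condition: all of them
    return all(string_hits(data))

# Constructed buffers (not real binaries): every artefact in ascii, the same as wide
# strings, and a benign buffer resembling the Apache httpd admin scenarios below.
SAMPLE_ASCII = b"\x00".join(s.encode("ascii") for s in HTTPSD_STRINGS) + b"\x00"
SAMPLE_WIDE = b"\x00\x00".join(s.encode("utf-16-le") for s in HTTPSD_STRINGS) + b"\x00\x00"
SAMPLE_BENIGN = (b"systemctl restart httpd\n/var/log/httpd/access_log\n"
                 b"0 */6 * * * root logrotate\ncmd down rtime /api\n")
if __name__ == "__main__":
    for name, buf in (("ascii", SAMPLE_ASCII), ("wide", SAMPLE_WIDE), ("benign", SAMPLE_BENIGN)):
        print(name, sum(string_hits(buf)), "of 16 strings present, match =", matches_httpsd(buf))
```

The benign buffer hits five of the sixteen strings (the generic "cmd", "down", "rtime", "/api" and the cron schedule) yet does not match, which is exactly why the httpd false-positive scenarios below are low risk for this particular rule.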
Scenario: System update using yum or apt that includes the string “httpd” in the package name or log output
Filter/Exclusion: Check for presence of yum or apt in the command line, or filter out package management tool logs.
Scenario: Scheduled job using crontab to run httpd or apache2 for load testing or monitoring
Filter/Exclusion: Include crontab or systemd service files in the filter, or check for presence of load testing or monitoring in the command.
Scenario: Admin task to configure or restart the Apache HTTP server (httpd) using systemctl or service
Filter/Exclusion: Filter commands containing systemctl start httpd or service httpd restart.
Scenario: Log file rotation or analysis using logrotate that includes the string “httpd” in log paths
Filter/Exclusion: Filter logs that match /var/log/httpd/ or include logrotate in the command.
Scenario: Security tool or SIEM integration that generates alerts containing “httpd” in the alert message
Filter/Exclusion: Filter alerts that include known SIEM tool names (e.g., Splunk, ELK, QRadar) or specific alert tags.