The KeyBoy Backdoor detection identifies potential adversary persistence by matching a YARA signature for known malicious strings that indicate the presence of a stealthy backdoor. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and mitigate early-stage compromise attempts that may evade traditional detection methods.
YARA Rule
rule KeyBoy_Backdoor
{
    meta:
        Author = "Rapid7 Labs"
        Date = "2013/06/07"
        Description = "Strings inside"
        Reference = "https://community.rapid7.com/community/infosec/blog/2013/06/07/keyboy-targeted-attacks-against-vietnam-and-india"
    strings:
        $1 = "$login$"
        $2 = "$sysinfo$"
        $3 = "$shell$"
        $4 = "$fileManager$"
        $5 = "$fileDownload$"
        $6 = "$fileUpload$"
    condition:
        all of them
}
This YARA rule can be deployed in the following contexts:
The rule's detection logic consists of six string patterns, all of which must be present in the scanned content for the rule to match.
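To make the rule's logic concrete, the following Python example (added here; it is not part of this page or of the Rapid7 rule) applies the same six strings and the "all of them" condition to a byte buffer, and goes one step further by reporting which identifiers are missing when a buffer only partially matches. The two sample buffers are constructed for illustration, not real KeyBoy samples.

```python
import re
from typing import Dict, List

# The six command markers from the KeyBoy_Backdoor rule. A plain quoted YARA
# string is ASCII and case-sensitive by default, so the search below is too.
KEYBOY_STRINGS: Dict[str, bytes] = {
    "$1": b"$login$",
    "$2": b"$sysinfo$",
    "$3": b"$shell$",
    "$4": b"$fileManager$",
    "$5": b"$fileDownload$",
    "$6": b"$fileUpload$",
}


def find_all(data: bytes, needle: bytes) -> List[int]:
    """Return the offsets of every non-overlapping occurrence of needle in data."""
    return [m.start() for m in re.finditer(re.escape(needle), data)]


def scan_keyboy(data: bytes) -> Dict[str, object]:
    """Evaluate the KeyBoy_Backdoor rule against a byte buffer.

    Each identifier records its match offsets; the 'all of them' condition
    fires only when every identifier matched at least once.
    """
    offsets = {ident: find_all(data, s) for ident, s in KEYBOY_STRINGS.items()}
    return {
        "rule": "KeyBoy_Backdoor",
        "matched": all(offsets[i] for i in KEYBOY_STRINGS),
        "missing": [i for i in KEYBOY_STRINGS if not offsets[i]],
        "offsets": offsets,
    }


# Constructed sample buffers (not real malware): the first carries all six
# markers as a command table might, the second lacks "$fileUpload$".
SAMPLE_FULL = (b"\x00" * 16 + b"$login$\x00$sysinfo$\x00$shell$\x00"
               b"$fileManager$\x00$fileDownload$\x00$fileUpload$\x00")
SAMPLE_PARTIAL = SAMPLE_FULL.replace(b"$fileUpload$", b"$upload$")

if __name__ == "__main__":
    for name, buf in (("full", SAMPLE_FULL), ("partial", SAMPLE_PARTIAL)):
        result = scan_keyboy(buf)
        print(name, "matched=%s missing=%s" % (result["matched"], result["missing"]))
```

The partial buffer is the case to keep in mind when tuning: a sample that drops or renames one command marker will not trigger this rule, so a hunt based on it should be paired with the behavioral filters described below.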
Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task using schtasks.exe or Task Scheduler is performing routine system maintenance, such as disk cleanup or log rotation.
Filter/Exclusion: Check for ProcessName containing schtasks.exe or Task Scheduler and exclude tasks with known maintenance names (e.g., DiskCleanup, LogClean).
Scenario: Admin Performing Remote Desktop Session
Description: An administrator is using mstsc.exe (Remote Desktop) to access a server and is executing commands that match the YARA signature.
Filter/Exclusion: Filter by ProcessName containing mstsc.exe and check for user context (e.g., UserDomain matching admin domain or UserAccount indicating admin privileges).
Scenario: PowerShell Script for Patch Management
Description: A PowerShell script (e.g., PSConfig.ps1) is being run by a patch management tool like Microsoft Update or WSUS to apply system updates.
Filter/Exclusion: Filter by ProcessName containing powershell.exe and check for command-line arguments related to patching (e.g., -File PSConfig.ps1 or -ArgumentList "patch").
Scenario: Log File Analysis Using Log Parser
Description: A system administrator is using logparser.exe to analyze IIS or Windows event logs, and the script matches the YARA signature due to similar string patterns.
Filter/Exclusion: Filter by ProcessName containing logparser.exe and check for log file paths (e.g., C:\Windows\System32\LogFiles) or presence of known log analysis tools.
Scenario: Antivirus Quarantine Scan
Description: An antivirus tool like `Malwarebytes