The keyboy_commands rule matches the wide-character command names (Update, RemoteRun, FileManager and the others listed below) that the 2016 sample sends and receives, so a hit flags a PE file carrying the tooling an adversary uses to execute arbitrary commands, indicating possible lateral movement or persistence. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage compromise attempts that may evade traditional detection methods.
YARA Rule
rule keyboy_commands
{
    meta:
        author = "Matt Brooks, @cmatthewbrooks"
        desc = "Matches the 2016 sample's sent and received commands"
        date = "2016-08-28"
        md5 = "495adb1b9777002ecfe22aaf52fcee93"
    strings:
        $s1 = "Update" wide fullword
        $s2 = "UpdateAndRun" wide fullword
        $s3 = "Refresh" wide fullword
        $s4 = "OnLine" wide fullword
        $s5 = "Disconnect" wide fullword
        $s6 = "Pw_Error" wide fullword
        $s7 = "Pw_OK" wide fullword
        $s8 = "Sysinfo" wide fullword
        $s9 = "Download" wide fullword
        $s10 = "UploadFileOk" wide fullword
        $s11 = "RemoteRun" wide fullword
        $s12 = "FileManager" wide fullword
    condition:
        uint16(0) == 0x5A4D and                  // MZ header
        uint32(uint32(0x3C)) == 0x00004550 and   // PE signature at e_lfanew
        filesize < 200KB and 6 of them
}
This rule contains 12 string patterns in its detection logic.
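To make the rule's condition concrete, the following added example (written for this page, not code from the rule's author) re-implements its logic in Python: the MZ header check, the PE signature read through e_lfanew, the 200KB size limit, and the count of `wide fullword` command strings. The fullword test is a simplified approximation of YARA's (no alphanumeric UTF-16LE code unit directly before or after the match), and build_fake_pe is a hypothetical helper that constructs a minimal PE-like stub as test input.

```python
import struct

# The twelve wide strings from the keyboy_commands rule above.
COMMANDS = [
    "Update", "UpdateAndRun", "Refresh", "OnLine", "Disconnect", "Pw_Error",
    "Pw_OK", "Sysinfo", "Download", "UploadFileOk", "RemoteRun", "FileManager",
]

def _is_ascii_alnum(b: int) -> bool:
    return b < 128 and chr(b).isalnum()

def wide_fullword_found(data: bytes, s: str) -> bool:
    """Approximation of YARA `wide fullword`: the UTF-16LE form of s must occur
    without an alphanumeric UTF-16LE code unit immediately before or after it."""
    needle = s.encode("utf-16-le")
    start = 0
    while (i := data.find(needle, start)) >= 0:
        end = i + len(needle)
        before_ok = i < 2 or not (data[i - 1] == 0 and _is_ascii_alnum(data[i - 2]))
        after_ok = end + 1 >= len(data) or not (
            data[end + 1] == 0 and _is_ascii_alnum(data[end]))
        if before_ok and after_ok:
            return True
        start = i + 1  # this occurrence was glued to a word; keep scanning
    return False

def count_command_hits(data: bytes) -> int:
    """Number of the 12 command strings present as wide fullword matches."""
    return sum(wide_fullword_found(data, s) for s in COMMANDS)

def keyboy_commands_match(data: bytes) -> bool:
    """The rule's condition: MZ header, PE signature at e_lfanew,
    filesize < 200KB (YARA's KB is 1024 bytes), and 6 of the 12 strings."""
    if len(data) < 0x40 or data[:2] != b"MZ" or len(data) >= 200 * 1024:
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return False
    return count_command_hits(data) >= 6

def build_fake_pe(strings) -> bytes:
    """Constructed test input (hypothetical helper): DOS stub with e_lfanew
    pointing at a PE signature, then the strings as NUL-separated UTF-16LE."""
    hdr = bytearray(b"MZ" + b"\x00" * 0x3E)          # 0x40-byte DOS header
    struct.pack_into("<I", hdr, 0x3C, 0x80)           # e_lfanew = 0x80
    hdr += b"\x00" * (0x80 - len(hdr)) + b"PE\x00\x00"
    body = b"\x00\x00".join(s.encode("utf-16-le") for s in strings)
    return bytes(hdr) + b"\x00" * 16 + body + b"\x00\x00"
```

Note that a sample containing only "UpdateAndRun" does not also satisfy $s1 ("Update"), because the fullword qualifier rejects the occurrence that is immediately followed by the letter "A".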
Scenario: System Administrator Performing Scheduled Job Maintenance
Description: An admin is running a scheduled job using cron or task scheduler that executes a script containing the string “keyboy”.
Filter/Exclusion: Check for presence of cron or task scheduler in the process tree, or filter by command line arguments containing --scheduled or --job.
Scenario: Security Tool or SIEM Configuration with Custom Scripts
Description: A security tool like OSSEC or Splunk is configured with a custom script that includes the term “keyboy” for log parsing or alert suppression.
Filter/Exclusion: Filter by process name (e.g., ossec or splunk) or check for presence of configuration files in known security tool directories.
Scenario: Legitimate Script for Key Management in Cloud Environments
Description: A DevOps engineer is using a script (e.g., keyboy.sh) to manage cryptographic keys in a cloud environment like AWS KMS or Azure Key Vault.
Filter/Exclusion: Filter by presence of cloud provider CLI tools (e.g., aws, az) or check for environment variables like AWS_ACCESS_KEY_ID.
Scenario: Admin Task Involving Key Rotation via PowerShell
Description: An admin is using PowerShell to rotate encryption keys using a script named keyboy.ps1 as part of a routine key rotation process.
Filter/Exclusion: Filter by process name (powershell.exe) and check for presence of PS in the command line, or verify the script path is within a known admin script directory.
Scenario: Legacy System with Custom Key Handling Logic
Description: A legacy application or custom service (e.g., Apache Kafka or RabbitMQ) has internal