The KeyBoy Dropper rule detects potential adversary behavior involving the deployment of a malicious dropper, which may be used to load additional payloads or establish persistence. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify early-stage compromise and prevent further lateral movement or data exfiltration.
YARA Rule
rule KeyBoy_Dropper
{
    meta:
        Author = "Rapid7 Labs"
        Date = "2013/06/07"
        Description = "Strings inside"
        Reference = "https://community.rapid7.com/community/infosec/blog/2013/06/07/keyboy-targeted-attacks-against-vietnam-and-india"
    strings:
        $1 = "I am Admin"
        $2 = "I am User"
        $3 = "Run install success!"
        $4 = "Service install success!"
        $5 = "Something Error!"
        $6 = "Not Configed, Exiting"
    condition:
        all of them
}
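To see exactly what the rule's "all of them" condition requires, here is a small added evaluator (not yara-python and not part of the original page or the Rapid7 rule): it parses the six text strings from the rule above, reports the offset of each hit in a buffer, and only reports a match when every string is present. The two sample buffers are constructed for the demonstration; a real dropper would of course carry the strings among its code and data.

```python
import re

# Strings and condition copied from the KeyBoy_Dropper rule on this page.
KEYBOY_RULE = r'''
rule KeyBoy_Dropper
{
    strings:
        $1 = "I am Admin"
        $2 = "I am User"
        $3 = "Run install success!"
        $4 = "Service install success!"
        $5 = "Something Error!"
        $6 = "Not Configed, Exiting"
    condition:
        all of them
}
'''

def parse_strings(rule_text):
    """Map each $identifier to its bytes; text strings only (no hex/regex)."""
    found = {}
    for m in re.finditer(r'\$(\w+)\s*=\s*"((?:[^"\\]|\\.)*)"', rule_text):
        literal = m.group(2).encode().decode("unicode_escape")  # resolve \" \\ \n
        found["$" + m.group(1)] = literal.encode("latin-1")
    return found

def parse_condition(rule_text):
    """Return 'all' or 'any' for an '<all|any> of them' condition."""
    m = re.search(r'condition:\s*(all|any)\s+of\s+them', rule_text)
    if not m:
        raise ValueError("only 'all/any of them' conditions are supported")
    return m.group(1)

def scan(data, rule_text=KEYBOY_RULE):
    """Return (matched, {identifier: [offsets]}) for one byte buffer."""
    strings = parse_strings(rule_text)
    hits = {}
    for ident, pattern in strings.items():
        offsets = [m.start() for m in re.finditer(re.escape(pattern), data)]
        if offsets:
            hits[ident] = offsets
    needed = len(strings) if parse_condition(rule_text) == "all" else 1
    return len(hits) >= needed, hits

# Constructed samples: a fake dropper image carrying all six strings, and a
# benign log line carrying only one of them (no match under "all of them").
SAMPLE_DROPPER = (b"MZ" + b"\x00" * 14 + b"I am Admin\x00I am User\x00"
                  b"Run install success!\x00Service install success!\x00"
                  b"Something Error!\x00Not Configed, Exiting\x00")
SAMPLE_LOG = b"2024-01-01 installer: Service install success!\n"

if __name__ == "__main__":
    for name, blob in (("dropper", SAMPLE_DROPPER), ("log", SAMPLE_LOG)):
        matched, hits = scan(blob)
        print(name, "MATCH" if matched else "no match", hits)
```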
This rule contains 6 string patterns in its detection logic, and its condition requires all of them to be present in the scanned file. When deploying it, the following scenarios may produce false positives; each is listed with a suggested filter or exclusion:
Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task runs a script that matches the YARA signature due to similar file naming or content.
Filter/Exclusion: Exclude files created by the schtasks.exe command or files with a .ps1 extension executed via scheduled tasks.
Scenario: Admin Performing PowerShell Script for Patching
Description: An administrator runs a PowerShell script to apply patches or updates, which coincidentally matches the KeyBoy Dropper YARA rule.
Filter/Exclusion: Exclude files with the .ps1 extension executed by powershell.exe with the -Command or -File parameter.
Scenario: Software Deployment via Group Policy
Description: A legitimate software deployment package (e.g., from Microsoft or a trusted vendor) is being distributed via Group Policy and matches the YARA rule.
Filter/Exclusion: Exclude files that are signed by a trusted certificate or have a known hash from a trusted source.
Scenario: Log File or Temporary File Generation
Description: A system or application generates a temporary file or log file that contains content matching the KeyBoy Dropper YARA rule.
Filter/Exclusion: Exclude files with a .tmp, .log, or .bak extension, or files created by specific services like eventvwr.exe or svchost.exe.
Scenario: Antivirus Quarantine File
Description: A file that was quarantined by an antivirus tool is being analyzed and matches the KeyBoy Dropper signature due to false positives.
Filter/Exclusion: Exclude files that are marked as quarantined or have a known hash from a trusted antivirus vendor.