keyboy related exports

Hunt Hypothesis

Adversaries may use keyboy-related exports to exfiltrate data or establish persistence by leveraging compromised credentials or sensitive information. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential credential theft or data exfiltration attempts early.

YARA Rule

rule keyboy_related_exports
{

    meta:
        author = "Matt Brooks, @cmatthewbrooks"
        desc = "Matches the new 2016 sample's export"
        date = "2016-08-28"
        md5 = "495adb1b9777002ecfe22aaf52fcee93"

    condition:
        //MZ header //PE signature //The malware family seems to share many exports //but this is the new kid on the block.
        uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and filesize < 200KB and pe.exports("Embedding") or pe.exports("SSSS") or pe.exports("GetUP")
}

Deployment Notes

This YARA rule can be deployed in the following contexts:

• Microsoft Defender for Endpoint — Custom indicators / advanced hunting
• Email Gateway — Attachment scanning
• File Share Monitoring — Periodic scanning of shared drives
• YARA CLI — Manual threat hunting on endpoints
• Source Rule

False Positive Guidance

• Scenario: System Update or Patch Deployment
  Description: A legitimate system update or patch deployment may include files that match the YARA rule due to similar naming or content patterns.
  Filter/Exclusion: Exclude files with known update or patch signatures, e.g., file.name contains "update" or "patch" or check for file.path contains "/var/cache/apt/" or similar update directories.

• Scenario: Scheduled Job Exporting Data
  Description: A scheduled job (e.g., using cron, systemd, or task scheduler) may export data to a file that matches the YARA rule due to similar structure.
  Filter/Exclusion: Exclude files created by known scheduled jobs, e.g., file.path contains "/var/spool/cron/" or check for process.parent_process contains "cron".

• Scenario: Admin Task Exporting Logs or Reports
  Description: An administrator may run a script or tool (e.g., logrotate, rsyslog, or exporter) that generates files matching the rule.
  Filter/Exclusion: Exclude files generated by known admin tools, e.g., file.name contains "logrotate" or "rsyslog", or check for process.name contains "logrotate".

• Scenario: Backup or Archive Process
  Description: A backup tool (e.g., rsync, tar, zip, or Veeam) may create files that match the YARA rule during a backup operation.
  Filter/Exclusion: Exclude files created by backup tools, e.g., file.name contains ".tar" or ".zip" or check for process.name contains "rsync" or “tar” or “zip”.

• Scenario: Development or Testing Environment
  Description: Developers or testers may generate files with similar