This YARA rule matches the default bot shipped in the leaked KINS dropper, a Zeus-derived banking trojan, by looking for its network-protocol placeholders together with at least one of its encrypted string constants. A match on disk or in process memory may indicate an initial compromise or a bot with command-and-control, SOCKS and VNC capability. SOC teams should proactively hunt for these artifacts to catch early-stage malware deployment, and forward matches into their Azure Sentinel environment for triage before the bot is used for further lateral movement.
YARA Rule
rule KINS_DLL_zeus {
    meta:
        author = "AlienVault Labs [email protected]"
        description = "Match default bot in KINS leaked dropper, Zeus"
        reference = "http://goo.gl/arPhm3"
    strings:
        // Network protocol
        $n1 = "%BOTID%" fullword
        $n2 = "%opensocks%" fullword
        $n3 = "%openvnc%" fullword
        $n4 = /Global\\(s|v)_ev/ fullword
        // Crypted strings
        $s1 = "\x72\x6E\x6D\x2C\x36\x7D\x76\x77"
        $s2 = "\x18\x04\x0F\x12\x16\x0A\x1E\x08\x5B\x11\x0F\x13"
        $s3 = "\x39\x1F\x01\x07\x15\x19\x1A\x33\x19\x0D\x1F"
        $s4 = "\x62\x6F\x71\x78\x63\x61\x7F\x69\x2D\x67\x79\x65"
        $s5 = "\x6F\x69\x7F\x6B\x61\x53\x6A\x7C\x73\x6F\x71"
    condition:
        all of ($n*) and 1 of ($s*)
}
This YARA rule can be deployed in the following contexts:
This rule contains 9 string patterns in its detection logic: four network-protocol markers ($n1 to $n4, all carrying the fullword modifier, so each must be delimited by non-alphanumeric bytes or the start or end of the data) and five encrypted byte sequences ($s1 to $s5). The condition fires only when every network marker is present and at least one encrypted sequence is found; a file that carries a single marker such as %BOTID% on its own does not match.
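As an added illustration, not part of the original rule or of AlienVault's code, the Python below re-implements the rule's condition, including the fullword semantics, in plain `re` so it can be run without a YARA installation. It scans three constructed buffers (not real malware): one that carries all of the rule's strings, a benign cleanup script that happens to contain %BOTID%, and one where a marker is glued to alphanumeric bytes and therefore fails the fullword check. The point is that a match depends only on file or memory content, which is what any exclusion has to be judged against.

```python
import re

# String definitions transcribed from the KINS_DLL_zeus rule above.
NET_FULLWORD = [b"%BOTID%", b"%opensocks%", b"%openvnc%"]   # $n1..$n3
NET_REGEX = rb"Global\\(s|v)_ev"                              # $n4 (regex; \\ is one literal backslash)
CRYPTED = [                                                   # $s1..$s5
    b"\x72\x6E\x6D\x2C\x36\x7D\x76\x77",
    b"\x18\x04\x0F\x12\x16\x0A\x1E\x08\x5B\x11\x0F\x13",
    b"\x39\x1F\x01\x07\x15\x19\x1A\x33\x19\x0D\x1F",
    b"\x62\x6F\x71\x78\x63\x61\x7F\x69\x2D\x67\x79\x65",
    b"\x6F\x69\x7F\x6B\x61\x53\x6A\x7C\x73\x6F\x71",
]


def fullword(pattern: bytes, is_regex: bool = False) -> "re.Pattern[bytes]":
    """Emulate YARA's fullword modifier: the match may not be immediately
    preceded or followed by an alphanumeric byte."""
    body = pattern if is_regex else re.escape(pattern)
    return re.compile(rb"(?<![0-9A-Za-z])(?:" + body + rb")(?![0-9A-Za-z])")


NET_PATTERNS = [fullword(s) for s in NET_FULLWORD] + [fullword(NET_REGEX, is_regex=True)]


def evaluate(data: bytes) -> dict:
    """Apply the rule condition 'all of ($n*) and 1 of ($s*)' to a byte buffer."""
    net_hits = [p.search(data) is not None for p in NET_PATTERNS]
    crypted_hits = [s in data for s in CRYPTED]      # $s strings have no fullword modifier
    return {
        "n_matched": sum(net_hits),
        "s_matched": sum(crypted_hits),
        "match": all(net_hits) and any(crypted_hits),
    }


# Constructed samples for this example; none of them is a real binary.
# A buffer carrying every marker (NUL-delimited, as in a string table) plus $s1.
SAMPLE_BOT = (
    b"\x00%BOTID%\x00%opensocks%\x00%openvnc%\x00Global\\s_ev\x00" + CRYPTED[0] + b"\x00"
)
# A benign maintenance script that mentions %BOTID% in a comment: one marker only.
SAMPLE_BENIGN = (
    b"# cleanup.ps1, scheduled maintenance\n"
    b"Remove-Item C:\\Logs\\*.log -Force\n"
    b"# template placeholder: %BOTID%\n"
)
# All markers present, but %opensocks% sits between alphanumerics and fails fullword.
SAMPLE_GLUED = (
    b"\x00%BOTID%\x00x%opensocks%x\x00%openvnc%\x00Global\\v_ev\x00" + CRYPTED[1]
)

if __name__ == "__main__":
    for name, blob in (("bot", SAMPLE_BOT), ("benign", SAMPLE_BENIGN), ("glued", SAMPLE_GLUED)):
        print(name, evaluate(blob))
```

Only the first buffer matches; the benign script scores one of four markers and the glued buffer three of four, so neither trips the rule. For production scanning use yara-python or the yara CLI against the rule itself; this re-implementation exists only to make the condition's behaviour visible.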
The scenarios below list activity that is often mistaken for a true positive. Because this rule inspects file and memory content rather than behaviour, a hit in any of them means the matched object really contains the KINS/Zeus strings; confirm which file matched before suppressing anything. The process, user and path values in the exclusions are placeholders to be replaced with the organisation's own inventory, and each exclusion should stay scoped to the specific file that was confirmed benign.
Scenario: Scheduled System Maintenance Task
Description: A scheduled maintenance script (configuration updates, temporary-file cleanup) produces a hit only if the script file or its process memory contains all four network-protocol strings plus one of the encrypted sequences, which ordinary maintenance scripts do not. On Windows a scheduled task is launched by the Task Scheduler service, which runs inside svchost.exe, so the parent process name to key on is svchost.exe, not "task scheduler"; schtasks.exe is only the command-line tool for managing tasks and is not the task's own process.
Filter/Exclusion: file.path != "C:\\Maintenance\\maintenance_script.ps1" or process.parent.name != "svchost.exe"
Scenario: Admin Performing Remote Desktop Session
Description: An administrator connects over Remote Desktop and runs tools on the server. An interactive session is not a reason to suppress a content match, since the rule fires on the strings in the tool, not on the act of running commands remotely. mstsc.exe is the RDP client on the administrator's workstation and never appears as the parent of processes on the target; processes started inside the session have the session shell (normally explorer.exe) as their parent. Apply the exclusion only for a tool that has been verified as approved.
Filter/Exclusion: process.parent.name != "explorer.exe" or user.account != "admin_account"
Scenario: Automated Log File Cleanup Job
Description: A job that deletes or rotates old log files does not look like a dropper to this rule: log files are plain text, and the encrypted sequences are binary. The job can match only if it copies or archives a quarantined sample or a signature file that carries the rule's strings, so keep the exclusion limited to the known script and its log directory.
Filter/Exclusion: process.name != "log_cleanup_script.exe" or file.path != "C:\\Logs\\"
Scenario: PowerShell Script for System Monitoring
Description: A monitoring script executes commands, but the rule does not inspect commands; it looks for the literal strings. A hit attributed to powershell.exe usually means the script text or the process memory holds those strings, for example a script that embeds indicators of compromise for its own checks. Confirm which script matched before excluding it by name.
Filter/Exclusion: process.name != "powershell.exe" or script.name != "monitoring_script.ps1"
Scenario: Default Configuration Import in Management Tool
Description: A configuration bundle imported into a management tool such as SCCM or Puppet may include binaries or signature data alongside the configuration itself; a plain XML configuration file will not contain the encrypted byte sequences. If the bundle carries threat-intelligence indicators or packaged samples, the hit is expected, and the exclusion should be limited to that exact file path rather than to the import tool as a whole.
Filter/Exclusion: file.path != "C:\\Config\\default_config.xml" or process.name != "import_config_tool.exe"