The hypothesis is that a detection of Linux/Httpsd ARMv5 indicates an adversary running a compromised or malicious service on an ARM (ARMv5) host. A SOC team should proactively hunt for this behaviour to identify and mitigate lateral movement or persistence mechanisms in their Azure Sentinel environment.
YARA Rule
// Note: is__elf and is__LinuxHttpsdStrings are private helper rules that must be
// defined elsewhere in the same ruleset; this rule does not compile without them.
rule Linux_Httpsd_malware_ARM {
    meta:
        description = "Detects Linux/Httpsd ARMv5"
        date = "2017-12-31"
    strings:
        // ARM function prologues taken from three code paths of the sample
        $hexsts01 = { f0 4f 2d e9 1e db 4d e2 ec d0 4d e2 01 40 a0 e1 } // main
        $hexsts02 = { f0 45 2d e9 0b db 4d e2 04 d0 4d e2 3c 01 9f e5 } // self-rclocal
        $hexsts03 = { f0 45 2d e9 01 db 4d e2 04 d0 4d e2 bc 01 9f e5 } // copy-self
    condition:
        all of them
        and is__elf                  // private rule: ELF magic check
        and is__LinuxHttpsdStrings   // private rule: family-specific strings
        and filesize < 200KB
}
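To show what the rule's condition actually tests, here is an added triage helper (not part of the original rule or ruleset) that mirrors it in Python: ELF magic, 32-bit ARM e_machine, the 200KB size bound, and the three hex patterns. It does not replicate is__LinuxHttpsdStrings, whose contents are not given on this page; the ELF32 header builder and sample body are constructed test data.

```python
import struct

# Hex patterns from the YARA rule (ARM function prologues), as bytes.
PATTERNS = {
    "main":         bytes.fromhex("f04f2de91edb4de2ecd04de20140a0e1"),
    "self-rclocal": bytes.fromhex("f0452de90bdb4de204d04de23c019fe5"),
    "copy-self":    bytes.fromhex("f0452de901db4de204d04de2bc019fe5"),
}
EM_ARM = 40                 # ELF e_machine value for 32-bit ARM
MAX_SIZE = 200 * 1024       # filesize < 200KB in the rule

def is_elf(data: bytes) -> bool:
    """Equivalent of the is__elf helper: ELF magic at offset 0."""
    return data[:4] == b"\x7fELF"

def elf_machine(data: bytes):
    """Return e_machine of a 32-bit ELF, honouring EI_DATA endianness; None otherwise."""
    if not is_elf(data) or len(data) < 20 or data[4] != 1:   # EI_CLASS 1 = ELF32
        return None
    fmt = "<H" if data[5] == 1 else ">H"                      # EI_DATA 1 = LE, 2 = BE
    return struct.unpack_from(fmt, data, 18)[0]               # e_machine at offset 18

def matches_httpsd_arm(data: bytes) -> dict:
    """Mirror the rule's condition: all three patterns, ELF, ARM, under 200KB."""
    found = {name: (pat in data) for name, pat in PATTERNS.items()}
    verdict = (is_elf(data) and elf_machine(data) == EM_ARM
               and len(data) < MAX_SIZE and all(found.values()))
    return {"match": verdict, "strings": found, "e_machine": elf_machine(data)}

def fake_elf32(machine: int, body: bytes) -> bytes:
    """Constructed sample: bare 52-byte ELF32 little-endian header with e_machine set, then body."""
    hdr = bytearray(52)
    hdr[:4] = b"\x7fELF"
    hdr[4], hdr[5], hdr[6] = 1, 1, 1                          # ELF32, little-endian, version 1
    struct.pack_into("<HH", hdr, 16, 2, machine)              # e_type = EXEC, e_machine
    return bytes(hdr) + body

if __name__ == "__main__":
    body = b"\x00" * 64 + b"".join(PATTERNS.values()) + b"\x00" * 64
    print(matches_httpsd_arm(fake_elf32(EM_ARM, body)))       # ARM sample: match True
    print(matches_httpsd_arm(fake_elf32(3, body)))            # x86 ELF, same bytes: match False
```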
This rule contains 3 string patterns in its detection logic; their comments (main, self-rclocal, copy-self) indicate the code paths they cover. The YARA rule itself matches file content; the process-name filters below are for tuning the alert when it is correlated with process telemetry, to suppress the following benign scenarios:
Scenario: System update or package installation using yum or dnf
Filter/Exclusion: process.name != "yum" && process.name != "dnf"
Scenario: Scheduled job running Apache HTTP Server (httpd) service management
Filter/Exclusion: process.name != "systemd" || (process.args != "start" && process.args != "stop")
Scenario: Admin manually checking Apache HTTP Server status using httpd command
Filter/Exclusion: process.name != "httpd" || process.args != "-t"
Scenario: Logrotate utility running to manage Apache HTTP Server logs
Filter/Exclusion: process.name != "logrotate" || process.args != "/etc/logrotate.d/httpd"
Scenario: Security tool or SIEM agent running on ARMv5 architecture
Filter/Exclusion: process.name != "splunk" && process.name != "osquery" && process.name != "syslog-ng"