The LinuxBillGates rule detects on-disk binaries of the Linux DDoS bot family tracked as BillGates. It does not model behaviour; it keys on two strings that the bot's C++ source leaves in the compiled ELF, "12CUpdateGates" and "11CUpdateBill", which are the Itanium-ABI mangled names (length prefix plus identifier) of the classes CUpdateGates and CUpdateBill as emitted for RTTI type names. YARA rules are evaluated by a file scanner (the yara command-line tool or an endpoint agent that supports YARA), not by the SIEM itself; SOC teams can run the rule across Linux hosts and forward hits to Azure Sentinel for hunting and correlation, which catches samples that signature-based antivirus has not yet picked up.
YARA Rule
rule LinuxBillGates
{
    meta:
        Author = "@benkow_"
        Date = "2014/08/11"
        Description = "Strings inside"
        Reference = "http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3429"
    strings:
        $a= "12CUpdateGates"
        $b= "11CUpdateBill"
    condition:
        $a and $b
}
This rule can be loaded by any YARA-compatible scanner, for example the yara command-line tool or an endpoint agent that supports YARA rules. It contains two string patterns, $a and $b, and its condition requires both to be present in the scanned file, so a file that carries only one of them does not match.
The rule matches on file content, not on file names or process command lines, so exclusions should be expressed as scan paths or file-type checks rather than as process filters. Because the two strings are mangled C++ class names specific to this family, unrelated software is very unlikely to contain both; hits that are not live infections usually come from copies of the malware or of the rule itself, as in the scenarios below.
Scenario: A system administrator uses rsync to back up user home directories or a whole filesystem to a remote server, and the backup set includes a quarantined or archived sample.
Filter/Exclusion: The file in the backup is still BillGates, so do not suppress the hit; record its hash, trace it back to the source host and verify that host is clean. Report the backup destination as the location of the copy rather than raising a host-infection alert for the backup server.
Scenario: A scheduled logrotate job rotates a plain-text log written by a YARA or antivirus scanner that quotes the strings it matched, so the log file itself contains both strings.
Filter/Exclusion: Exclude the scanner's log directory (for example /var/log) from the scan set, or restrict the rule to ELF files by adding an ELF-header check to the condition. Rotated logs that logrotate has compressed will not match, because YARA does not decompress files on its own.
Scenario: A developer or analyst uses git to clone a repository of YARA rules or malware samples, so the working tree contains this rule's text or actual BillGates binaries.
Filter/Exclusion: Exclude those repository paths, or scan only ELF files. The .yar file matches because it literally contains both strings; a binary sample in the repository is a true match and should be handled as one.
Scenario: A system update via apt or yum downloads packages into /var/cache/apt or /var/cache/yum.
Filter/Exclusion: These are compressed archives, so they do not match unless the scanner unpacks them. If it does, apply the same path exclusions and file-type checks as above, and treat a genuine match inside a package as a finding to investigate rather than a false positive.
Scenario: A DevOps engineer uses Ansible to distribute this rule file, or a scanner's signature bundle, to every host, so each host now holds a file containing both strings.
Filter/Exclusion: Exclude the rules directory the playbook writes to, or gate the rule on the ELF header; a matching .yar file on every host right after a playbook run is the rule distribution, not an outbreak.
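The following is an added example, not code from the original page or from the rule's author: a standard-library-only re-implementation of the rule's matching logic run over constructed stand-ins for the files in the scenarios above (a fake ELF carrying the two strings, the rule text, a scanner log, its gzip-rotated copy, and a benign ELF with only one string). It also shows the ELF-header gate a practitioner would add, which in YARA is the condition `uint32(0) == 0x464C457F`. All paths, the log line format and the fake ELF layout are constructed for the example; no real malware is involved.

```python
"""Added example (not the page's or the rule author's code): the LinuxBillGates
matching logic and an ELF-header gate, run over constructed sample files."""
import gzip

# The two strings from the rule: Itanium-ABI mangled names of the C++ classes
# CUpdateGates and CUpdateBill (decimal length prefix followed by the identifier).
STRING_A = b"12CUpdateGates"
STRING_B = b"11CUpdateBill"
ELF_MAGIC = b"\x7fELF"


def matches_rule(data: bytes) -> bool:
    """Equivalent of the rule's `condition: $a and $b`."""
    return STRING_A in data and STRING_B in data


def is_elf(data: bytes) -> bool:
    """Equivalent of the YARA condition `uint32(0) == 0x464C457F`.
    YARA's uint32 reads little-endian, so 0x464C457F is the bytes 7F 45 4C 46."""
    return data[:4] == ELF_MAGIC


def matches_hardened_rule(data: bytes) -> bool:
    """The rule with the ELF gate added: only ELF files can match."""
    return is_elf(data) and matches_rule(data)


# --- Constructed sample "files" (none is real malware) -----------------------
# A stand-in for the bot binary: ELF magic, padding standing in for the rest
# of the header, then the two RTTI strings NUL-terminated as in .rodata.
FAKE_ELF = b"\x7fELF\x02\x01\x01" + b"\x00" * 57 + STRING_A + b"\x00" + STRING_B + b"\x00"

# The rule text itself, as it would sit under /etc/yara after a playbook run
# or a git clone of a rules repository (meta section omitted for brevity).
RULE_TEXT = b'''rule LinuxBillGates
{
    strings:
        $a= "12CUpdateGates"
        $b= "11CUpdateBill"
    condition:
        $a and $b
}
'''

# A plain-text scanner log that quotes the matched strings (constructed
# format), repeated as several entries; and its copy after logrotate gzipped it.
LOG_TEXT = b"yara: /tmp/.x/gates LinuxBillGates $a=12CUpdateGates $b=11CUpdateBill\n" * 3
LOG_GZ = gzip.compress(LOG_TEXT)

# A benign ELF that happens to contain only one of the two strings.
BENIGN_ELF = b"\x7fELF\x02\x01\x01" + b"\x00" * 57 + STRING_A + b"\x00"

SAMPLES = {
    "/tmp/.x/gates": FAKE_ELF,                    # the bot binary on the host
    "/backup/host1/tmp/.x/gates": FAKE_ELF,       # rsync copy on the backup server
    "/etc/yara/linux_billgates.yar": RULE_TEXT,   # rule distributed by Ansible / git
    "/var/log/yara-scan.log": LOG_TEXT,           # scanner log quoting the hit
    "/var/log/yara-scan.log.1.gz": LOG_GZ,        # same log after logrotate compressed it
    "/usr/local/bin/benign": BENIGN_ELF,          # only one string present
}


def scan(samples: dict) -> dict:
    """Return {path: (raw_rule_hit, elf_gated_hit)} for every sample."""
    return {path: (matches_rule(data), matches_hardened_rule(data))
            for path, data in samples.items()}


if __name__ == "__main__":
    for path, (raw, gated) in scan(SAMPLES).items():
        print(f"{path:32} raw={raw!s:5} elf_gated={gated}")
```

Running the block shows the raw rule firing on the binary, its backup copy, the rule file and the plain-text log, while the ELF-gated version fires only on the binary and its backup copy. The gzipped log does not match either way, which is the point made above about compressed archives: YARA sees only the raw bytes unless the scanner extracts them first. The gate does not suppress the backup-server hit, and it should not; that copy is still the malware and needs to be traced to its source host.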