The Linux.Helios rule below is a static YARA signature for a Linux.Helios sample (hashes in the rule's meta block). It does not model behaviour; it matches three text strings embedded in the binary, including a format string that records an IP address, user name and password, consistent with the credential brute-forcing and unauthorized-access activity the family is associated with. YARA runs in file and memory scanners (the yara command-line tool, an EDR's on-demand or scheduled scan, a sandbox or file gateway), not inside a SIEM; SOC teams should run the rule where Linux file systems and process memory can be scanned and forward the matches to Azure Sentinel or another SIEM so that early-stage persistence that evades behavioural detection still produces an alert.
YARA Rule
rule LinuxHelios: MALW
{
    meta:
        description = "Linux.Helios"
        author = "Joan Soriano / @w0lfvan"
        date = "2017-10-19"
        version = "1.0"
        MD5 = "1a35193f3761662a9a1bd38b66327f49"
        SHA256 = "72c2e804f185bef777e854fe86cff3e86f00290f32ae8b3cb56deedf201f1719"
    strings:
        $a = "LIKE A GOD!!! IP:%s User:%s Pass:%s"
        $b = "smack"
        $c = "PEACE OUT IMMA DUP\n"
    condition:
        all of them
}
The rule contains 3 string patterns. All three are plain, case-sensitive text strings (in YARA text strings the "\n" escape is a single newline byte, so $c only matches where "PEACE OUT IMMA DUP" is followed by 0x0a), and the condition all of them requires every one of them to be present in the same scanned object. That is what keeps the rule tight: $a and $c are distinctive, whereas $b ("smack") on its own matches a great deal of benign content and must not be promoted to an any of them condition.
Because YARA matches on content rather than on process telemetry, the process-level exclusions usually attached to behavioural rules do not apply to this rule and should not be used to suppress its hits. A file or memory region that contains all three strings is a Linux.Helios artifact wherever it turns up; the scenarios below describe what a scanner may legitimately touch and how to treat the result.
Scenario: System backup using rsync or tar
Note: An rsync copy or an uncompressed tar archive of an infected host still contains the bytes and will match. Treat the hit as a copy of the sample and trace it back to the original path rather than excluding the backup directory or the rsync and tar processes.
Scenario: Scheduled system maintenance via cron or systemd timers
Note: A scan launched from cron or a systemd timer is evaluated exactly like an interactive scan, so there is nothing to filter. If the rule is run against process memory, a hit is expected only in the malware's own process, never in cron, systemd-timedated or systemd-journald; a match there would be a finding, not noise.
Scenario: Log rotation using logrotate
Note: Rotated logs under /var/log rarely contain these strings; if they do, the most likely reason is that a previous detection or an IOC note was written to the log. Verify the hit instead of excluding logrotate or /etc/logrotate.conf.
Scenario: Admin task using yum or apt for package management
Note: Package caches, repository metadata and the package manager logs under /var/log/yum or /var/log/apt should never contain these strings. A hit in those locations points at a trojanised package or a dropped file and should be escalated, not filtered.
Scenario: Security tool or EDR agent performing routine checks
Note: The one systematic source of benign hits is security tooling itself: IOC lists, threat reports and rule repositories that carry the strings in plain text. A copy of this rule file does not match, because its $c is written with a backslash escape rather than a real newline, but an IOC list with one string per line does. Exclude signature and threat-intel directories by path in the scanner's configuration (or with yara's own path and file-size options), not by process name such as osquery, CrowdStrike or SentinelOne.
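To make the matching semantics concrete, here is an added example (not part of the original page and not the rule author's code) that re-implements the LinuxHelios rule in pure Python, so it runs offline without yara-python: the same three byte strings, the same all of them condition, and a small directory walker. The input buffers are constructed for the example; they are not real samples. In production you would run the real rule with yara -r -s LinuxHelios.yar /path, but the example shows why a plaintext IOC list matches while a copy of the rule file does not.

```python
"""Added example: a minimal scanner mirroring the LinuxHelios YARA rule.

Not the page's or the rule author's code. It reproduces the rule's logic
(three text strings, condition `all of them`) so the matching behaviour can
be inspected without yara-python installed.
"""
import os
from typing import Dict, List, Tuple

# The rule's three strings as the raw bytes YARA searches for. Note that the
# "\n" escape in the YARA text string is a single newline byte (0x0a).
LINUX_HELIOS_STRINGS: Dict[str, bytes] = {
    "$a": b"LIKE A GOD!!! IP:%s User:%s Pass:%s",
    "$b": b"smack",
    "$c": b"PEACE OUT IMMA DUP\n",
}


def find_all(data: bytes, needle: bytes) -> List[int]:
    """Every (possibly overlapping) offset of needle in data, like YARA's
    per-string match list."""
    offsets: List[int] = []
    start = 0
    while True:
        idx = data.find(needle, start)
        if idx < 0:
            return offsets
        offsets.append(idx)
        start = idx + 1


def match_linux_helios(data: bytes) -> Tuple[bool, Dict[str, List[int]]]:
    """Evaluate the rule against one buffer.

    `all of them` means every string must match at least once. Returns
    (matched, {string_id: offsets}) so the caller can see which strings hit.
    """
    hits = {sid: find_all(data, s) for sid, s in LINUX_HELIOS_STRINGS.items()}
    matched = all(hits[sid] for sid in LINUX_HELIOS_STRINGS)
    return matched, hits


def scan_tree(root: str, max_size: int = 64 * 1024 * 1024) -> List[Tuple[str, Dict[str, List[int]]]]:
    """Walk a directory and report files matching the rule.

    Symlinks and oversize files are skipped, the same kind of limits you would
    set with yara's own options. Exclusions belong here, by path, not by the
    process that created the file.
    """
    results = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or os.path.getsize(path) > max_size:
                continue
            with open(path, "rb") as fh:
                matched, hits = match_linux_helios(fh.read())
            if matched:
                results.append((path, hits))
    return results


# Constructed inputs (not real samples).
# 1. A buffer carrying all three strings behind an ELF-looking 16-byte prefix.
CONSTRUCTED_SAMPLE = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 9
    + b"LIKE A GOD!!! IP:%s User:%s Pass:%s\x00"   # $a at offset 16
    + b"smack\x00"                                  # $b at offset 52
    + b"PEACE OUT IMMA DUP\n\x00"                   # $c at offset 58
)
# 2. A benign script that only contains the weak string "smack".
CONSTRUCTED_BENIGN = b"#!/bin/sh\n# smack test harness\necho ok\n"
# 3. A plaintext IOC note, one string per line: matches, because the line
#    break after "PEACE OUT IMMA DUP" supplies the newline byte $c needs.
CONSTRUCTED_IOC_NOTE = (
    b"Linux.Helios indicators:\n"
    b"LIKE A GOD!!! IP:%s User:%s Pass:%s\n"
    b"smack\n"
    b"PEACE OUT IMMA DUP\n"
)
# 4. The rule file itself: $c is written with a backslash escape, so the
#    bytes "DUP\n" never occur and the rule does not match its own source.
CONSTRUCTED_RULE_FILE = (
    b"strings:\n"
    b'    $a = "LIKE A GOD!!! IP:%s User:%s Pass:%s"\n'
    b'    $b = "smack"\n'
    b'    $c = "PEACE OUT IMMA DUP\\n"\n'
)

if __name__ == "__main__":
    for label, buf in (
        ("sample", CONSTRUCTED_SAMPLE),
        ("benign", CONSTRUCTED_BENIGN),
        ("ioc_note", CONSTRUCTED_IOC_NOTE),
        ("rule_file", CONSTRUCTED_RULE_FILE),
    ):
        matched, hits = match_linux_helios(buf)
        print(f"{label}: matched={matched} hits={hits}")
```

The scan_tree helper is where path-based exclusions (signature directories, threat-intel stores) belong; everything else in the example is the rule's own logic, which is why a process-name filter has no place to hook in.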