Liudoor is a daemon-style backdoor, delivered as a Win32 DLL, that adversaries use as a persistence mechanism to maintain long-term access to a compromised host. SOC teams should proactively hunt for it, for example by running the YARA rule below against files and process memory on endpoints and surfacing the hits in Azure Sentinel, to identify covert channels and cut short prolonged unauthorized access.
YARA Rule
rule liudoor
{
    meta:
        author = "RSA FirstWatch"
        date = "2015-07-23"
        description = "Detects Liudoor daemon backdoor"
        // MD5s of the samples the rule was written against
        hash0 = "78b56bc3edbee3a425c96738760ee406"
        hash1 = "5aa0510f6f1b0e48f0303b9a4bfc641e"
        hash2 = "531d30c8ee27d62e6fbe855299d0e7de"
        hash3 = "2be2ac65fd97ccc97027184f0310f2f3"
        hash4 = "6093505c7f7ec25b1934d3657649ef07"
        type = "Win32 DLL"
    strings:
        // generic words that also occur in benign binaries
        $string0 = "Succ"
        $string1 = "Fail"
        $string2 = "pass"
        $string3 = "exit"
        // the backdoor DLL's own file name
        $string4 = "svchostdllserver.dll"
        // fragments of machine code and relocation data that happen to be printable ASCII
        $string5 = "L$,PQR"
        $string6 = "0/0B0H0Q0W0k0"
        $string7 = "QSUVWh"
        $string8 = "Ht Hu["
    condition:
        all of them
}
The rule's condition is all of them, so a file must contain all nine string patterns before it fires: the four generic words are common in benign binaries, but the DLL name svchostdllserver.dll and the four opaque byte fragments keep the rule specific. The meta block records the MD5 hashes of the five samples it was written against, so a hit whose hash is not in that list is either a new variant or a false positive and should be verified by hand. Run the rule against files on disk and process memory on endpoints (or in a file-scanning pipeline), then forward the hits to Azure Sentinel for correlation. The scenarios below describe benign activity that may coincide with a hit and how to filter it without excluding genuine compromise.
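As an added example (not part of the original page or of RSA FirstWatch's rule), the Python below reproduces the rule's all-of-them condition with plain substring checks and then performs the hash cross-check an analyst would do on a hit: a match whose MD5 is in the rule's meta list is a known sample, a match with an unlisted hash is flagged for manual review, and a non-match reports which strings were absent. The sample inputs are constructed stand-ins, not real malware; the triage() function, its verdict labels and the "pe_header" field are this example's own naming.

```python
import hashlib

# MD5s of the five samples listed in the rule's meta block.
LIUDOOR_MD5 = frozenset({
    "78b56bc3edbee3a425c96738760ee406",
    "5aa0510f6f1b0e48f0303b9a4bfc641e",
    "531d30c8ee27d62e6fbe855299d0e7de",
    "2be2ac65fd97ccc97027184f0310f2f3",
    "6093505c7f7ec25b1934d3657649ef07",
})

# The nine plain-ASCII patterns from the rule's strings section.
# YARA text strings are case-sensitive by default, so a bytes substring
# search is an exact equivalent for these.
PATTERNS = [
    b"Succ", b"Fail", b"pass", b"exit",                  # generic words, common in benign binaries
    b"svchostdllserver.dll",                             # the backdoor DLL's own name
    b"L$,PQR", b"0/0B0H0Q0W0k0", b"QSUVWh", b"Ht Hu[",  # printable fragments of code / reloc data
]


def md5_hex(data: bytes) -> str:
    """Hex MD5 of the candidate file, for comparison with the meta hashes."""
    return hashlib.md5(data).hexdigest()


def missing_patterns(data: bytes) -> list:
    """Patterns the rule requires that are absent from data (empty list == rule fires)."""
    return [p.decode("ascii") for p in PATTERNS if p not in data]


def matches_liudoor(data: bytes) -> bool:
    """Equivalent of the rule's 'condition: all of them'."""
    return not missing_patterns(data)


def triage(data: bytes, known_hashes=LIUDOOR_MD5) -> dict:
    """Classify a candidate file the way an analyst would after a YARA hit.

    known_sample      - all nine strings present and the MD5 is one of the meta hashes
    unverified_match  - all nine strings present but the MD5 is not listed: possible
                        new variant, or a benign file; inspect by hand
    no_match          - the rule would not fire; 'missing' lists the absent strings
    """
    digest = md5_hex(data)
    missing = missing_patterns(data)
    is_pe = data[:2] == b"MZ"  # meta says 'Win32 DLL', so a hit on a non-PE file is itself odd
    if missing:
        verdict = "no_match"
    elif digest in known_hashes:
        verdict = "known_sample"
    else:
        verdict = "unverified_match"
    return {"verdict": verdict, "md5": digest, "pe_header": is_pe, "missing": missing}


# Constructed inputs (not real malware): a stand-in that carries every pattern behind a
# fake MZ header, and a benign-looking blob that contains only the four generic words.
SYNTHETIC_SAMPLE = b"MZ\x90\x00" + b"\x00" * 16 + b"".join(p + b"\x00" for p in PATTERNS)
BENIGN_TEXT = b"Succ Fail pass exit: installer log, nothing else here"

if __name__ == "__main__":
    for name, blob in (("synthetic", SYNTHETIC_SAMPLE), ("benign", BENIGN_TEXT)):
        print(name, triage(blob))
```

The benign blob shows why the four common words alone never fire the rule, and the synthetic sample (whose hash is deliberately absent from the list) lands in the unverified_match bucket that the scenarios below are about: confirm the file by hash or by hand rather than suppressing the alert on process name alone.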
Scenario: System update or patching process
Description: A legitimate update or patching task may download and write a file that triggers the rule. Because the rule targets a Win32 DLL, on Windows hosts this usually means WSUS or a third-party patch manager; yum and apt only apply to Linux hosts.
Filter/Exclusion: Check for process.name containing "update", "patch", or "installer" and filter out processes initiated by known update services (e.g., wsus, patchman, or yum and apt on Linux), but confirm the written file's hash before treating the hit as benign.
Scenario: Scheduled backup or data synchronization job
Description: A scheduled job using tools like rsync, robocopy, or a backup agent may copy files that are falsely flagged as Liudoor daemon components.
Filter/Exclusion: Filter events where process.name is rsync, robocopy, or the backup agent, and check that destination.path matches a known backup directory. A copy of the backdoor DLL into a backup location is still a hit on the source host, so review the original file path as well.
Scenario: Admin task involving file copying or deployment
Description: An administrator may manually copy or deploy files (e.g., using scp, copy, or xcopy) that could be mistaken for the Liudoor daemon.
Filter/Exclusion: Exclude only when the process runs under a known administrative account (e.g., user.name = "admin", "root", or "svc_account") and source.path or destination.path matches a known deployment directory. Do not blanket-exclude privileged accounts: a backdoor is typically installed from exactly such an account, so the path condition is the important one.
Scenario: Log file rotation or monitoring tool execution
Description: Tools like logrotate, splunk, or syslog-ng may execute scripts or processes that could be flagged as Liudoor daemon activity.
Filter/Exclusion: Filter events where process.name is logrotate, splunk, or syslog-ng, and check that file.path contains "log" or "rotate"; a DLL named svchostdllserver.dll written by any of these tools should not be excluded.
Scenario: Antivirus or endpoint protection tool scan
Description: Antivirus tools like