The Lost Door YARA rule flags files and memory regions that contain the marker string EDIT_SERVER, which the rule associates with the Lost Door trojan; a hit may indicate a planted backdoor that gives an adversary persistent access. SOC teams should proactively hunt for matches in Azure Sentinel to identify and mitigate potential long-term access by adversaries.
YARA Rule
rule lost_door : Trojan
{
    meta:
        author = "Kevin Falcoz"
        date = "23/02/2013"
        description = "Lost Door"
    strings:
        $signature1 = { 45 44 49 54 5F 53 45 52 56 45 52 } /* EDIT_SERVER */
    condition:
        $signature1
}
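As an added example (not from the rule's author or the original page), the following Python reproduces the rule's logic outside a YARA engine: it translates the hex string into a byte pattern, confirms it spells EDIT_SERVER, and reports match offsets in a buffer or file. It also accepts YARA's ?? wildcard token, which this rule does not use; the sample buffers and the scan_file helper are constructed for illustration.

```python
import re

# Hex string copied from the lost_door YARA rule above; it encodes "EDIT_SERVER".
LOST_DOOR_SIGNATURE = "45 44 49 54 5F 53 45 52 56 45 52"


def hex_string_to_pattern(hex_string: str) -> re.Pattern:
    """Translate a YARA hex string into a compiled bytes regex.

    Fixed bytes are escaped literally; the YARA wildcard token '??' (not used by
    this rule, supported here as a generalisation) matches any single byte.
    """
    parts = []
    for token in hex_string.split():
        if token == "??":
            parts.append(b".")
        elif re.fullmatch(r"[0-9A-Fa-f]{2}", token):
            parts.append(re.escape(bytes([int(token, 16)])))
        else:
            raise ValueError(f"unsupported hex token: {token!r}")
    return re.compile(b"".join(parts), re.DOTALL)


def find_signature(data: bytes, hex_string: str = LOST_DOOR_SIGNATURE) -> list:
    """Return the offsets of every non-overlapping occurrence of the signature."""
    pattern = hex_string_to_pattern(hex_string)
    return [m.start() for m in pattern.finditer(data)]


def lost_door_matches(data: bytes) -> bool:
    """Mirror the rule's condition ($signature1): true if the string appears at all."""
    return bool(find_signature(data))


def scan_file(path: str) -> list:
    """Scan a file on disk (hypothetical helper; path is caller-supplied)."""
    with open(path, "rb") as fh:
        return find_signature(fh.read())


if __name__ == "__main__":
    # Constructed sample buffers, not real malware: one clean, one carrying the marker.
    clean = b"MZ\x90\x00" + b"\x00" * 64 + b"ordinary configuration data"
    suspect = b"MZ\x90\x00" + b"\x00" * 16 + b"EDIT_SERVER" + b"\x00" * 8
    print("clean  :", find_signature(clean))    # []
    print("suspect:", find_signature(suspect))  # [20]
```

A YARA engine should still be the production tool; this script is useful for confirming what the hex string actually matches before the rule is rolled out.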
This rule contains one string pattern in its detection logic. When deploying it, the following legitimate scenarios may need tuning; each lists the filter or exclusion to apply:
Scenario: System backup job using Veeam Backup & Replication
Filter/Exclusion: Exclude processes related to Veeam or vbr in the process name or command line.
Scenario: Scheduled maintenance task using PowerShell to update system certificates
Filter/Exclusion: Exclude processes with PowerShell.exe and command lines containing Update-Trust or certutil.
Scenario: Admin task using rsync for data synchronization between servers
Filter/Exclusion: Exclude processes with rsync in the command line and source/destination paths matching internal server IPs.
Scenario: Log collection using Splunk Universal Forwarder
Filter/Exclusion: Exclude processes with splunkforwarder in the process name and paths related to log directories.
Scenario: Automated patching using Windows Update or WSUS
Filter/Exclusion: Exclude processes with wusa.exe or wsusutil.exe in the process name or command line.