Adversaries may use obfuscated or encoded payloads in Azure environments to evade basic detection, relying on code tricks to execute malicious commands without triggering standard security controls. SOC teams should proactively hunt for these patterns to identify stealthy attacks that bypass traditional detection mechanisms.
YARA Rule
rule LuckyCatCode : LuckyCat Family
{
    meta:
        description = "LuckyCat code tricks"
        author = "Seth Hardy"
        last_modified = "2014-06-19"
    strings:
        $xordecrypt = { BF 0F 00 00 00 F7 F7 ?? ?? ?? ?? 32 14 39 80 F2 7B }
        $dll = { C6 ?? ?? ?? 64 C6 ?? ?? ?? 6C C6 ?? ?? ?? 6C }
        $commonletters = { B? 63 B? 61 B? 73 B? 65 }
    condition:
        $xordecrypt or ($dll and $commonletters)
}
This YARA rule can be deployed in the following contexts:
This rule contains 3 string patterns in its detection logic.
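To show how the three hex strings and the condition above actually decide a match, here is an added example that is not part of the page or of Seth Hardy's rule: a small Python re-implementation of YARA's byte-level wildcard matching, evaluated over constructed byte buffers. It does not use the yara library and supports only the constructs this rule uses (`??` whole-byte wildcards and `B?` nibble wildcards; no jumps or alternatives). The sample buffers are constructed to exercise each string and are not real LuckyCat samples.

```python
from typing import Dict, List, Tuple

# Hex strings copied verbatim from the LuckyCatCode rule on the page.
LUCKYCAT_PATTERNS: Dict[str, str] = {
    "$xordecrypt": "BF 0F 00 00 00 F7 F7 ?? ?? ?? ?? 32 14 39 80 F2 7B",
    "$dll": "C6 ?? ?? ?? 64 C6 ?? ?? ?? 6C C6 ?? ?? ?? 6C",
    "$commonletters": "B? 63 B? 61 B? 73 B? 65",
}


def parse_hex_pattern(pattern: str) -> List[Tuple[int, int]]:
    """Convert a YARA hex string into (value, mask) pairs, one per byte.

    'FF' -> (0xFF, 0xFF)   exact byte
    '??' -> (0x00, 0x00)   any byte
    'B?' -> (0xB0, 0xF0)   high nibble fixed, low nibble free
    '?B' -> (0x0B, 0x0F)   low nibble fixed, high nibble free
    Jumps like [2-4] and alternatives like (A|B) are not handled here;
    this rule does not use them.
    """
    out: List[Tuple[int, int]] = []
    for tok in pattern.split():
        if len(tok) != 2:
            raise ValueError(f"unsupported token {tok!r}")
        value, mask = 0, 0
        if tok[0] != "?":
            value |= int(tok[0], 16) << 4
            mask |= 0xF0
        if tok[1] != "?":
            value |= int(tok[1], 16)
            mask |= 0x0F
        out.append((value, mask))
    return out


def find_pattern(data: bytes, pattern: str) -> List[int]:
    """Return every offset in data where the masked pattern matches."""
    parsed = parse_hex_pattern(pattern)
    n = len(parsed)
    hits: List[int] = []
    for off in range(len(data) - n + 1):  # empty range if data is shorter than the pattern
        if all((data[off + i] & mask) == value for i, (value, mask) in enumerate(parsed)):
            hits.append(off)
    return hits


def evaluate_luckycat_rule(data: bytes) -> dict:
    """Apply the rule's condition: $xordecrypt or ($dll and $commonletters)."""
    matches = {name: find_pattern(data, pat) for name, pat in LUCKYCAT_PATTERNS.items()}
    matched = bool(matches["$xordecrypt"]) or (
        bool(matches["$dll"]) and bool(matches["$commonletters"])
    )
    return {"matched": matched, "matches": matches}


# Constructed buffers (not real samples). Wildcard positions are filled with
# arbitrary bytes to show that the mask ignores them.
SAMPLE_XOR = bytes.fromhex("9090" "BF0F000000F7F7" "11223344" "32143980F27B")
SAMPLE_DLL_LETTERS = bytes.fromhex(
    "C645F0AA64" "C645F1AA6C" "C645F2AA6C"  # satisfies $dll at offset 0
    "B063" "B161" "B273" "B365"              # satisfies $commonletters at offset 15
)
SAMPLE_DLL_ONLY = bytes.fromhex("C645F0AA64" "C645F1AA6C" "C645F2AA6C")  # $dll alone is not enough
BENIGN = b"just a harmless log line\n"

if __name__ == "__main__":
    for label, buf in [("xor", SAMPLE_XOR), ("dll+letters", SAMPLE_DLL_LETTERS),
                       ("dll only", SAMPLE_DLL_ONLY), ("benign", BENIGN)]:
        print(label, evaluate_luckycat_rule(buf))
```

The `dll only` buffer is the instructive case: `$dll` fires, but because the condition joins it with `$commonletters` by `and`, the rule as a whole does not match. That conjunction is what keeps a short `mov byte` sequence from being a false positive on its own.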
Scenario: Scheduled Job Using luckyCat for Log Parsing
Description: A system administrator schedules a daily job using luckyCat (a log parsing tool) to process and analyze system logs.
Filter/Exclusion: process.name != "luckyCat" OR process.parent.name == "crontab" OR file.path contains "log_parser"
Scenario: Admin Task to Validate luckyCat Configuration
Description: A security admin manually runs luckyCat to verify its configuration settings during a routine audit.
Filter/Exclusion: user.name == "security_admin" OR process.parent.name == "bash" OR file.path contains "config_validation"
Scenario: DevOps Pipeline Using luckyCat for CI/CD Artifact Analysis
Description: A DevOps team uses luckyCat as part of a CI/CD pipeline to analyze build artifacts for security compliance.
Filter/Exclusion: process.parent.name == "jenkins" OR file.path contains "ci_cd_pipeline" OR user.group == "devops"
Scenario: Legacy System Maintenance Using luckyCat for Data Migration
Description: An IT team uses luckyCat to migrate data from an old system to a new one during a planned maintenance window.
Filter/Exclusion: process.parent.name == "systemd" OR file.path contains "data_migration" OR user.group == "it_ops"
Scenario: Security Tool Integration with luckyCat for Threat Intelligence
Description: A threat intelligence tool integrates with luckyCat to enrich logs with additional context from external sources.
Filter/Exclusion: process.parent.name == "threat_intel_tool" OR file.path contains "ti_integration" OR