The rule detects potential adversary persistence by monitoring unusual process creation events that may indicate a low-privilege foothold. SOC teams should proactively hunt for this behavior to identify early-stage compromise and prevent escalation in their Azure Sentinel environment.
YARA Rule
rule LURK0 : Family LURK0
{
    meta:
        description = "rule for lurk0"
        author = "Katie Kleemola"
        last_updated = "07-22-2014"
    condition:
        // Depends on the rules LURK0Header and SharedStrings, which must be
        // defined earlier in the same ruleset; their bodies are not shown on this page.
        LURK0Header and SharedStrings
}
The following benign scenarios may trigger this rule; each lists a suggested filter or exclusion for tuning:
Scenario: Scheduled System Maintenance Job
Description: A legitimate scheduled task runs a script that performs system updates or maintenance, which may trigger the rule due to similar process or file activity.
Filter/Exclusion: process.parent_process == "Task Scheduler" or process.name == "schtasks.exe"
Scenario: Admin Performing Log File Analysis
Description: An administrator is using a tool like LogParser or PowerShell to analyze log files, which may involve reading or writing to system directories.
Filter/Exclusion: process.name == "logparser.exe" or (process.name == "powershell.exe" and process.args contains "Get-EventLog")
Scenario: Database Backup Job
Description: A database backup tool like SQL Server Backup Utility or mysqldump is running a backup, which may involve file system activity that matches the rule.
Filter/Exclusion: process.name == "sqlbackup.exe" or process.name == "mysqldump.exe"
Scenario: Antivirus Scan or Endpoint Protection Update
Description: Antivirus software like Kaspersky, Bitdefender, or Microsoft Defender performs a full system scan or updates its virus definitions, which can trigger suspicious file or process activity.
Filter/Exclusion: process.name == "kavsvc.exe" or process.name == "mpsvc.exe" or process.name == "mfev.exe"
Scenario: User Running a Legitimate Script for Data Migration
Description: A user is running a script (e.g., using PowerShell or Python) to migrate data between systems, which may involve copying files or interacting with system directories.
Filter/Exclusion: process.name == "powershell.exe" and process.args contains "
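The exclusions above can be applied as predicates over process-creation events before a rule hit is escalated. The following is an added example, not code from the page; the event field names (name, parent_process, args) mirror the page's filter syntax and the sample events are constructed. It also makes the grouping of the log-analysis filter explicit, so the PowerShell branch only suppresses hits whose arguments contain Get-EventLog.

```python
# Added example: apply the page's benign-activity exclusions to constructed
# process events and report which rule hits survive as alerts.
# Event fields mirror the page's filter syntax; the events are constructed.

def _args_contain(event, needle):
    return needle.lower() in event.get("args", "").lower()

def _name_in(event, *names):
    return event.get("name", "").lower() in {n.lower() for n in names}

# (label, predicate). The log-analysis case is parenthesised on purpose:
# 'and' binds tighter than 'or', so the PowerShell branch must be grouped.
EXCLUSIONS = [
    ("scheduled maintenance",
     lambda e: e.get("parent_process", "").lower() == "task scheduler"
               or _name_in(e, "schtasks.exe")),
    ("admin log analysis",
     lambda e: _name_in(e, "logparser.exe")
               or (_name_in(e, "powershell.exe") and _args_contain(e, "Get-EventLog"))),
    ("database backup", lambda e: _name_in(e, "sqlbackup.exe", "mysqldump.exe")),
    ("antivirus scan/update", lambda e: _name_in(e, "kavsvc.exe", "mpsvc.exe", "mfev.exe")),
]

def matched_exclusion(event):
    """Return the label of the first matching exclusion, or None if none match."""
    for label, pred in EXCLUSIONS:
        if pred(event):
            return label
    return None

def triage(events):
    """Split rule hits into (suppressed, alerts); each entry is (id, label)."""
    suppressed, alerts = [], []
    for e in events:
        label = matched_exclusion(e)
        (suppressed if label else alerts).append((e["id"], label))
    return suppressed, alerts

SAMPLE_EVENTS = [  # constructed sample telemetry
    {"id": 1, "name": "schtasks.exe", "parent_process": "services.exe", "args": "/create /tn Maint"},
    {"id": 2, "name": "powershell.exe", "parent_process": "explorer.exe", "args": "Get-EventLog -LogName System"},
    {"id": 3, "name": "powershell.exe", "parent_process": "cmd.exe", "args": "-File deploy.ps1"},
    {"id": 4, "name": "mysqldump.exe", "parent_process": "cmd.exe", "args": "--all-databases"},
    {"id": 5, "name": "unknown.exe", "parent_process": "Task Scheduler", "args": ""},
    {"id": 6, "name": "svchost.exe", "parent_process": "cmd.exe", "args": ""},
]

if __name__ == "__main__":
    kept, fired = triage(SAMPLE_EVENTS)
    print("suppressed:", kept)
    print("alerts:", fired)
```

Event 3 shows why the grouping matters: a PowerShell process without Get-EventLog in its arguments is not suppressed by the log-analysis exclusion.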