The detection identifies potential adversary activity associated with the Hacktool:Win32/EMVSoft malware, specifically the installation of the MacGyver.cap component, which may indicate initial compromise or persistence. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage threats before they escalate to data exfiltration or lateral movement.
YARA Rule
rule MacGyverCapInstaller : MacGyvercap Installer
{
    meta:
        description = "Generic rule for Hacktool:Win32/EMVSoft who install MacGyver.cap"
        author = "[email protected]"
        date = "2021-05-11"
        reference = "https://github.com/fboldewin/MacGyver-s-return---An-EMV-Chip-cloning-case/blob/master/MacGyver's%20return%20-%20An%20EMV%20Chip%20cloning%20case.pdf"
        // May only the challenge guide you
        hash1 = "bb828eb0bbebabbcb51f490f4a0c08dd798b1f350dddddb6c00abcb6f750069f"
        hash2 = "04f0c9904675c7cf80ff1962bec5ef465ccf8c29e668f3158ec262414a6cc6eb"
        hash3 = "7335cd56a9ac08c200cca7e25b939e9c4ffa4d508207e68bee01904bf20a6528"
        hash4 = "af542ccb415647dbd80df902858a3d150a85f37992a35f29999eed76ac01a12b"
        hash5 = "247484124f4879bfacaae73ea32267e2c1e89773986df70a5f3456b1fb944c58"
        hash6 = "1cc8a2f3ce12f4b8356bda8b4aaf61d510d1078112af1c14cf4583090e062fbe"
        hash7 = "c23411deeec790e2dba37f4c49c7ecac3c867b7012431c9281ed748519eda65c"
        hash8 = "c0d11ed2eed0fef8d2f53920a1e12f667e03eafdb2d2941473d120e9e6f0e657"
        hash9 = "1ecfd3755eba578108363c0705c6ec205972080739ed0fbd17439f8139ba7e08"
        hash10 = "87678c6dcf0065ffc487a284b9f79bd8c0815c5c621fc92f83df24393bfcc660"
    strings:
        $string1 = "delete -AID 315041592e5359532e4444463031" ascii wide
        $string2 = "install -file MacGyver.cap -nvDataLimit 1000 -instParam 00 -priv 4" ascii wide
        $string3 = "-mac_key 404142434445464748494a4b4c4d4e4f" ascii wide
        $string4 = "-enc_key 404142434445464748494a4b4c4d4e4f" ascii wide
    condition:
        all of them
}
This rule contains 4 string patterns in its detection logic.
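To check what the rule's four strings and its "all of them" condition actually match, the following added example (not part of the rule or its source page) reproduces the matching semantics in plain Python; it assumes no yara module is installed, and the test files it scans are constructed fixtures, not real samples.

```python
# Added example: reproduce the matching semantics of the MacGyverCapInstaller
# rule in plain Python so its strings and condition can be checked against
# test fixtures without yara-python (assumption: no yara module installed).
# The four patterns are copied from the rule's strings section; "ascii wide"
# means a pattern matches in ASCII or UTF-16LE ("wide") form, and the
# condition "all of them" requires a hit for every pattern.

RULE_STRINGS = {
    "$string1": "delete -AID 315041592e5359532e4444463031",
    "$string2": "install -file MacGyver.cap -nvDataLimit 1000 -instParam 00 -priv 4",
    "$string3": "-mac_key 404142434445464748494a4b4c4d4e4f",
    "$string4": "-enc_key 404142434445464748494a4b4c4d4e4f",
}

def string_forms(pattern: str) -> dict:
    """Byte encodings an 'ascii wide' YARA string matches."""
    return {"ascii": pattern.encode("ascii"), "wide": pattern.encode("utf-16-le")}

def match_strings(data: bytes) -> dict:
    """Map each rule string to its (offset, form) hits in data."""
    hits = {}
    for name, pattern in RULE_STRINGS.items():
        found = []
        for form, needle in string_forms(pattern).items():
            start = 0
            while (idx := data.find(needle, start)) != -1:
                found.append((idx, form))
                start = idx + 1
        hits[name] = found
    return hits

def rule_matches(data: bytes) -> bool:
    """Condition 'all of them': every string needs at least one hit."""
    return all(match_strings(data).values())

# Constructed fixtures (not real samples): an ASCII installer script, the
# same script saved as UTF-16LE (wide), and a variant that installs a
# different .cap so only three of the four strings are present.
ASCII_SAMPLE = b"\n".join([
    b"delete -AID 315041592e5359532e4444463031",
    b"install -file MacGyver.cap -nvDataLimit 1000 -instParam 00 -priv 4",
    b"-mac_key 404142434445464748494a4b4c4d4e4f -enc_key 404142434445464748494a4b4c4d4e4f",
])
WIDE_SAMPLE = ASCII_SAMPLE.decode("ascii").encode("utf-16-le")
PARTIAL_SAMPLE = ASCII_SAMPLE.replace(b"MacGyver.cap", b"other.cap")

if __name__ == "__main__":
    for label, sample in [("ascii", ASCII_SAMPLE), ("wide", WIDE_SAMPLE), ("partial", PARTIAL_SAMPLE)]:
        print(label, rule_matches(sample), {k: len(v) for k, v in match_strings(sample).items()})
```

The partial fixture shows why "all of them" keeps the rule narrow: a script that installs any other applet with the same keys still misses one string and does not fire.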
Scenario: A system administrator is using Windows Task Scheduler to run a legitimate script that downloads and executes MacGyver.cap as part of a routine system diagnostic tool.
Filter/Exclusion: Exclude processes initiated by Task Scheduler or processes with CommandLine containing schtasks.exe or schtasks /run.
Scenario: A Windows Update or Microsoft Endpoint Manager (MEM) deployment includes a file named MacGyver.cap as part of a legitimate software update or patch.
Filter/Exclusion: Exclude processes with ParentProcess or CommandLine containing wuauclt.exe, setup.exe, or Microsoft Intune related command lines.
Scenario: A Windows PowerShell script is used by a security team to simulate or test the behavior of MacGyver.cap during a red team exercise or security training.
Filter/Exclusion: Exclude processes with CommandLine containing powershell.exe and -ExecutionPolicy Bypass or -Command with known training/test scripts.
Scenario: A Windows Service or Scheduled Task is configured to run a legitimate application that includes a file named MacGyver.cap as part of its installation or configuration.
Filter/Exclusion: Exclude processes with ServiceName or ProcessName matching known services, or CommandLine containing installutil.exe or setup.exe.
Scenario: A Windows Defender or Microsoft Defender ATP scan temporarily creates or uses a file named MacGyver.cap as part of its internal testing or analysis processes.
Filter/Exclusion: Exclude processes with ParentProcess or CommandLine containing MsMpEng.exe, microsoft defender, or Windows Defender.