The hypothesis is that the detection rule identifies potential Madness Pro DDoS malware activity by monitoring for suspicious network traffic patterns indicative of distributed denial-of-service attacks. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and mitigate emerging DDoS threats before they cause significant service disruptions.
YARA Rule
rule Madness : DoS {
    meta:
        author = "Jason Jones <[email protected]>"
        date = "2014-01-15"
        description = "Identify Madness Pro DDoS Malware"
        source = "https://github.com/arbor/yara/blob/master/madness.yara"
    strings:
        $ua1 = "TW96aWxsYS81LjAgKFdpbmRvd3M7IFU7IFdpbmRvd3MgTlQgNS4xOyBlbi1VUzsgcnY6MS44LjAuNSkgR2Vja28vMjAwNjA3MzEgRmlyZWZveC8xLjUuMC41IEZsb2NrLzAuNy40LjE"
        $ua2 = "TW96aWxsYS81LjAgKFgxMTsgVTsgTGludXggMi40LjItMiBpNTg2OyBlbi1VUzsgbTE4KSBHZWNrby8yMDAxMDEzMSBOZXRzY2FwZTYvNi4wMQ=="
        $str1 = "document.cookie=" fullword
        $str2 = "[\"cookie\",\"" fullword
        $str3 = "\"realauth=" fullword
        $str4 = "\"location\"];" fullword
        $str5 = "d3Rm" fullword
        $str6 = "ZXhl" fullword
    condition:
        all of them
}
This YARA rule can be deployed in the following contexts:
This rule contains 8 string patterns in its detection logic.
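As an added illustration (not part of the original rule or of the arbor/yara project), the script below decodes the rule's base64 strings and emulates its "all of them" condition, including YARA's fullword semantics, against a constructed sample, so an analyst can see what the rule actually keys on before deploying it. The RULE_STRINGS table, the SAMPLE_* buffers and the helper names are assumptions made here.

```python
import base64
import re

# Strings copied from the YARA rule above, with their fullword flag. The $ua
# strings and $str5/$str6 are base64; decoding them shows what the rule keys
# on: two browser User-Agent values and two short tokens.
RULE_STRINGS = {
    "$ua1": ("TW96aWxsYS81LjAgKFdpbmRvd3M7IFU7IFdpbmRvd3MgTlQgNS4xOyBlbi1VUzsg"
             "cnY6MS44LjAuNSkgR2Vja28vMjAwNjA3MzEgRmlyZWZveC8xLjUuMC41IEZsb2NrLzAuNy40LjE", False),
    "$ua2": ("TW96aWxsYS81LjAgKFgxMTsgVTsgTGludXggMi40LjItMiBpNTg2OyBlbi1VUzsg"
             "bTE4KSBHZWNrby8yMDAxMDEzMSBOZXRzY2FwZTYvNi4wMQ==", False),
    "$str1": ("document.cookie=", True),
    "$str2": ('["cookie","', True),
    "$str3": ('"realauth=', True),
    "$str4": ('"location"];', True),
    "$str5": ("d3Rm", True),
    "$str6": ("ZXhl", True),
}

def decode_b64(s: str) -> str:
    """Decode base64, restoring the '=' padding that $ua1 omits."""
    return base64.b64decode(s + "=" * (-len(s) % 4)).decode("ascii")

def decoded_strings() -> dict:
    """Plaintext of the four base64-encoded strings in the rule."""
    return {n: decode_b64(v) for n, (v, _) in RULE_STRINGS.items()
            if n in ("$ua1", "$ua2", "$str5", "$str6")}

def fullword_match(pattern: bytes, data: bytes) -> bool:
    """YARA fullword: no alphanumeric byte may touch either end of the match."""
    rx = rb"(?<![0-9A-Za-z])" + re.escape(pattern) + rb"(?![0-9A-Za-z])"
    return re.search(rx, data) is not None

def matches_madness(data: bytes) -> bool:
    """Emulate the rule's 'all of them' condition over a byte buffer."""
    for text, fullword in RULE_STRINGS.values():
        pat = text.encode()
        if not (fullword_match(pat, data) if fullword else pat in data):
            return False
    return True

# Constructed sample (not a real Madness Pro binary): all eight strings,
# newline-separated so the fullword strings are delimited as YARA requires.
SAMPLE_HIT = b"\n".join(t.encode() for t, _ in RULE_STRINGS.values())
# Same bytes with "d3Rm" glued into a longer token: fullword no longer holds.
SAMPLE_MISS = SAMPLE_HIT.replace(b"\nd3Rm\n", b"\nxd3Rmx\n")

if __name__ == "__main__":
    print(decoded_strings())
    print(matches_madness(SAMPLE_HIT), matches_madness(SAMPLE_MISS))
```

Because the condition is "all of them", a sample must carry every one of the eight strings, each fullword one properly delimited, before the rule fires; that is why the glued-token sample is a miss.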
Scenario: Legitimate scheduled system maintenance using task scheduler
Filter/Exclusion: Exclude processes initiated by Task Scheduler with a known maintenance task name (e.g., SystemMaintenanceTask).
Scenario: Admin using PowerShell for network configuration updates
Filter/Exclusion: Exclude PowerShell scripts executed by a known admin user (e.g., Administrator) with a specific script path (e.g., C:\Scripts\NetworkConfig.ps1).
Scenario: Regular backup job using Veeam Backup & Replication
Filter/Exclusion: Exclude processes associated with Veeam Backup (e.g., VeeamBackup.exe) running during scheduled backup windows.
Scenario: System update via Windows Update or WSUS
Filter/Exclusion: Exclude processes initiated by wuauclt.exe or WsusServer.exe during known update windows.
Scenario: Database replication or sync job using SQL Server Agent
Filter/Exclusion: Exclude SQL Server Agent jobs (e.g., sqlagent.exe) with known job names (e.g., DBReplicationJob) running during scheduled sync times.