The hypothesis is that this detection rule identifies potential KeyBase (Kibex) adversary activity by matching on strings and indicators associated with this threat. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect early-stage reconnaissance or initial access attempts by KeyBase operators.
YARA Rule
rule MALW_KeyBase
{
    meta:
        description = "Identifies KeyBase aka Kibex."
        author = "@bartblaze"
        date = "2019-02"
        tlp = "White"

    strings:
        $s1 = " End:]" ascii wide
        $s2 = "Keystrokes typed:" ascii wide
        $s3 = "Machine Time:" ascii wide
        $s4 = "Text:" ascii wide
        $s5 = "Time:" ascii wide
        $s6 = "Window title:" ascii wide

        $x1 = "&application=" ascii wide
        $x2 = "&clipboardtext=" ascii wide
        $x3 = "&keystrokestyped=" ascii wide
        $x4 = "&link=" ascii wide
        $x5 = "&username=" ascii wide
        $x6 = "&windowtitle=" ascii wide
        $x7 = "=drowssap&" ascii wide
        $x8 = "=emitenihcam&" ascii wide

    condition:
        uint16(0) == 0x5a4d and (
            5 of ($s*) or 6 of ($x*) or
            ( 4 of ($s*) and 4 of ($x*) )
        )
}
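To make the rule's condition concrete for analysts who do not have a YARA engine at hand, the following Python re-implements its logic: the `uint16(0) == 0x5a4d` check (a little-endian read of the first two bytes, i.e. the `MZ` header of a PE file), the `ascii wide` modifier (each string matched either as raw ASCII or as UTF-16LE), and the three-way count condition. This is an added illustration, not code from the rule's author or from the page; the sample buffers are constructed inline and are not real KeyBase artifacts.

```python
import struct

# String sets copied from the MALW_KeyBase rule: $s* are keylogger log-format
# labels, $x* are HTTP form-parameter names (two of them stored reversed).
S_STRINGS = [" End:]", "Keystrokes typed:", "Machine Time:", "Text:", "Time:",
             "Window title:"]
X_STRINGS = ["&application=", "&clipboardtext=", "&keystrokestyped=", "&link=",
             "&username=", "&windowtitle=", "=drowssap&", "=emitenihcam&"]


def string_present(data: bytes, s: str) -> bool:
    """Emulate YARA's 'ascii wide' modifier: hit on the ASCII bytes or on the
    UTF-16LE encoding of the same string."""
    return s.encode("ascii") in data or s.encode("utf-16-le") in data


def count_hits(data: bytes, patterns) -> int:
    """Number of distinct patterns in the set that occur at least once
    (YARA's 'N of ($set*)' counts distinct strings, not occurrences)."""
    return sum(1 for p in patterns if string_present(data, p))


def evaluate(data: bytes) -> dict:
    """Evaluate the MALW_KeyBase condition and return the intermediate values
    so an analyst can see why a buffer did or did not match."""
    # uint16(0) is read little-endian, so 0x5a4d corresponds to the bytes b"MZ".
    is_mz = len(data) >= 2 and struct.unpack_from("<H", data, 0)[0] == 0x5A4D
    s_hits = count_hits(data, S_STRINGS)
    x_hits = count_hits(data, X_STRINGS)
    matched = is_mz and (s_hits >= 5 or x_hits >= 6 or (s_hits >= 4 and x_hits >= 4))
    return {"mz": is_mz, "s_hits": s_hits, "x_hits": x_hits, "match": matched}


def keybase_rule_matches(data: bytes) -> bool:
    return evaluate(data)["match"]


# Constructed test buffers (not real samples).
# 1) A fake PE carrying four $s strings as UTF-16LE and four $x strings as
#    ASCII: neither group alone reaches its threshold, so only the combined
#    "4 of ($s*) and 4 of ($x*)" clause fires.
FAKE_PE_KEYLOGGER = (
    b"MZ" + b"\x90" * 62
    + "".join([" End:]", "Keystrokes typed:", "Window title:", "Text:"]).encode("utf-16-le")
    + b"&application=&username=&windowtitle==drowssap&"
)

# 2) A PE that merely mentions a couple of timestamp labels: below threshold.
BENIGN_PE = b"MZ" + b"\x00" * 62 + b"Time: Text: &link="

# 3) A plain-text log containing every string but no MZ header: the
#    uint16(0) guard keeps the rule from firing on logs and reports.
TEXT_LOG = "".join(S_STRINGS + X_STRINGS).encode("ascii")


if __name__ == "__main__":
    for name, buf in [("FAKE_PE_KEYLOGGER", FAKE_PE_KEYLOGGER),
                      ("BENIGN_PE", BENIGN_PE), ("TEXT_LOG", TEXT_LOG)]:
        print(name, evaluate(buf))
```

Running the script shows the first buffer matching through the combined clause only, the second falling short on both counts, and the third failing solely on the header check despite containing all fourteen strings, which is the property that keeps this rule from alerting on analyst notes or exported logs that quote the indicators.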
This YARA rule can be deployed in the following contexts. The rule contains 14 string patterns in its detection logic (six $s* strings and eight $x* strings).

Known benign scenarios and the corresponding filters/exclusions:

- Scenario: Scheduled system backup using Veeam Backup & Replication
  Filter/Exclusion: process.parent_process_name != "veeambackup" or process.command_line not contains "backup"
- Scenario: Ansible playbook execution for configuration management
  Filter/Exclusion: process.parent_process_name != "ansible" or process.command_line not contains "playbook"
- Scenario: Windows Task Scheduler running a legitimate maintenance job
  Filter/Exclusion: process.parent_process_name != "schtasks.exe" or process.command_line not contains "run"
- Scenario: Docker container startup or service management
  Filter/Exclusion: process.parent_process_name != "dockerd" or process.command_line not contains "run"
- Scenario: PowerShell script execution for routine system monitoring
  Filter/Exclusion: process.parent_process_name != "powershell.exe" or process.command_line not contains "monitor"