The detection rule identifies potential malicious activity associated with a specific MD5 hash, which may indicate the presence of unknown or evolving threats. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and respond to advanced threats that may not be captured by traditional detection methods.
YARA Rule
rule md5_0105d05660329704bdb0ecd3fd3a473b {
/*
)){eval (${ $njap58}['q9e5e25' ])
) ) { eval ( ${$yed7 }['
*/
strings: $ = /\)\s*\)\s*\{\s*eval\s*\(\s*\$\{/
condition: any of them
}This YARA rule can be deployed in the following contexts:
Scenario: Legitimate system update using Microsoft Windows Update
Filter/Exclusion: process.name != "wuauclt.exe" or process.parent.name != "services.exe"
Scenario: Scheduled backup job using Veeam Backup & Replication
Filter/Exclusion: process.name != "vmbackup.exe" or process.parent.name != "vmrun.exe"
Scenario: Admin task using PowerShell for log cleanup
Filter/Exclusion: process.name != "powershell.exe" or process.parent.name != "services.exe"
Scenario: Antivirus scan using Kaspersky Endpoint Security
Filter/Exclusion: process.name != "kavsvc.exe" or process.parent.name != "services.exe"
Scenario: Log aggregation using Splunk Forwarder
Filter/Exclusion: process.name != "splunkforwarder.exe" or process.parent.name != "splunkforwarder.exe"