The detection rule identifies potential malicious activity by matching a known malicious MD5 hash, which may indicate the presence of a threat actor deploying malware. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and respond to early-stage compromises that may evade traditional detection methods.
YARA Rule
rule md5_0b1bfb0bdc7e017baccd05c6af6943ea {
    /*
    eval(hnsqqh($llmkuhieq, $dbnlftqgr));?>
    eval(vW91692($v7U7N9K, $v5N9NGE));?>
    */
    strings:
        $ = /eval\([\w\d]+\(\$[\w\d]+, \$[\w\d]+\)\);/
    condition:
        any of them
}
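To make the rule's behaviour concrete, the following added Python example (not part of the original page or the rule's author's tooling) applies the same regular expression the YARA rule uses to a few constructed file contents: the two strings quoted in the rule's comment, a benign PHP line, and two variants the pattern does not cover (a single-argument eval, and a call with no space after the comma). The file names and contents are constructed for illustration; the only thing taken from the page is the regex itself.

```python
import re

# The same regular expression the YARA rule carries, compiled for Python's re.
# It matches the shape eval(func($a, $b)); with a space after the comma.
EVAL_PATTERN = re.compile(r"eval\([\w\d]+\(\$[\w\d]+, \$[\w\d]+\)\);")

# Constructed sample contents (not real captured files). The first two are the
# strings from the rule's own comment; the rest are benign or near-miss variants.
SAMPLES = {
    "webshell_a.php": "<?php eval(hnsqqh($llmkuhieq, $dbnlftqgr));?>",
    "webshell_b.php": "<?php eval(vW91692($v7U7N9K, $v5N9NGE));?>",
    "index.php": "<?php echo htmlspecialchars($title, ENT_QUOTES); ?>",
    "single_arg.php": "<?php eval(base64_decode($payload)); ?>",  # one argument: no match
    "no_space.php": "<?php eval(foo($a,$b)); ?>",  # no space after comma: no match
}


def scan_text(text):
    """Return every substring of text that the rule's regex matches."""
    return [m.group(0) for m in EVAL_PATTERN.finditer(text)]


def scan_files(files):
    """Return {name: matches} for each file with at least one hit.

    A file is reported when any match exists, mirroring the rule's
    'any of them' condition.
    """
    hits = {}
    for name, content in files.items():
        matches = scan_text(content)
        if matches:
            hits[name] = matches
    return hits


if __name__ == "__main__":
    for name, matches in scan_files(SAMPLES).items():
        print(f"{name}: {matches}")
```

Running the block reports only webshell_a.php and webshell_b.php. The two near-miss samples show the limits of the pattern as written: it requires exactly two `$`-prefixed arguments separated by a comma and one space, so reviewing hits alongside the file's surrounding content, rather than treating the regex as complete coverage of obfuscated eval calls, is the practical way to use it.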
The following scenarios may produce false positives for this YARA rule; each lists a suggested filter or exclusion to apply when deploying it.

Scenario: Windows Update installation
Description: A legitimate Windows Update process may trigger the rule due to the presence of the MD5 hash in a system file or update package.
Filter/Exclusion: Exclude processes related to wuauclt.exe or svchost.exe with command lines containing wuau or Windows Update.

Scenario: Scheduled System File Check (sfc /scannow)
Description: The System File Checker tool may use files with this MD5 hash during a disk scan, leading to a false positive.
Filter/Exclusion: Exclude processes with sfc.exe or msconfig.exe running with the /scannow or /verifyonly command-line arguments.

Scenario: Microsoft Defender Antivirus scan
Description: Microsoft Defender may temporarily use files with this MD5 hash during a full system scan or signature update.
Filter/Exclusion: Exclude processes with MsMpEng.exe or mpsvc.exe associated with Microsoft Defender.

Scenario: PowerShell script execution for log analysis
Description: A legitimate PowerShell script used for log parsing or system monitoring may include a file with this MD5 hash as part of its operation.
Filter/Exclusion: Exclude processes with powershell.exe where the command line includes -File or -Command and the script path is known to be internal or trusted.

Scenario: Backup or synchronization job using a known tool
Description: A backup tool such as Veeam, Acronis, or rsync may include files with this MD5 hash during a data transfer or synchronization task.
Filter/Exclusion: Exclude processes related to backup tools (e.g., veeam.exe, acronis.exe, rsync.exe) or those running under a known backup service account.