This YARA rule is named for the MD5 hash 24f2df1b9d49cfb02d8954b08dba471f of the sample it was derived from. It matches a single PHP fragment, "))unlink('../media/catalog/category/'.basename($", which deletes a file under a web application's media/catalog/category directory using a basename taken from a variable; the rule treats that fragment as an indicator of malicious file manipulation. SOC teams can run the rule against file scans of web roots and hunt for the resulting matches in Microsoft Sentinel (formerly Azure Sentinel). Because the rule is a single literal string, it is narrow and easily evaded by trivial changes to the code, so a hit should be investigated on its own merits rather than dismissed because of a low severity rating.
YARA Rule
rule md5_24f2df1b9d49cfb02d8954b08dba471f {
    strings:
        $ = "))unlink('../media/catalog/category/'.basename($"
    condition:
        any of them
}
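The following is an added example, not code from the original page. It emulates what the rule above does (a case-sensitive literal byte match, which is all a YARA text string without modifiers is) in pure Python rather than through yara-python, and scans a constructed web root to show which of three constructed PHP files the rule catches and, more importantly, which near-identical variant it misses. The file names and contents are constructed for the example.

```python
"""Added example (not from the original page): emulate the literal-string match of
rule md5_24f2df1b9d49cfb02d8954b08dba471f in pure Python and scan a constructed
web root with it, to show what the rule does and does not catch."""
import os
import tempfile

# The single anonymous string from the rule, as raw bytes. A YARA text string
# without modifiers is a case-sensitive byte sequence; this is its equivalent.
RULE_STRING = b"))unlink('../media/catalog/category/'.basename($"


def rule_matches(data: bytes) -> bool:
    """Equivalent of `condition: any of them` for a rule with exactly one string."""
    return RULE_STRING in data


def scan_tree(root: str) -> list[str]:
    """Return the root-relative paths (with '/' separators) of files whose
    contents match the rule."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                if rule_matches(fh.read()):
                    hits.append(os.path.relpath(path, root).replace(os.sep, "/"))
    return sorted(hits)


# Constructed sample files (hypothetical content written for this example).
SAMPLES = {
    # Contains the exact fragment the rule looks for: a user-controlled basename
    # deleted from the catalog directory.
    "pub/get.php": (
        b"<?php if(isset($_GET['f']))unlink('../media/catalog/category/'"
        b".basename($_GET['f']));"
    ),
    # Same behaviour, but one extra space before unlink(: the literal no longer matches.
    "pub/get2.php": (
        b"<?php if(isset($_GET['f'])) unlink('../media/catalog/category/'"
        b".basename($_GET['f']));"
    ),
    # Benign cleanup of a fixed file name in the same directory: does not match.
    "app/Cleanup.php": b"<?php unlink('../media/catalog/category/placeholder.jpg');",
}


def demo() -> list[str]:
    """Write the constructed samples into a temporary web root and scan it."""
    with tempfile.TemporaryDirectory() as root:
        for rel, content in SAMPLES.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(content)
        return scan_tree(root)


if __name__ == "__main__":
    print(demo())  # ['pub/get.php']
```

The second sample is the practical caveat: the rule keys on the exact byte sequence "))unlink(", so any whitespace, a different variable name before the closing parentheses, or a different quoting style defeats it. Treat the rule as a pivot for hunting, and widen it (for example with a regex string and the nocase modifier) once the sample family is understood.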
The YARA rule matches file contents; the exclusion scenarios below are generic process-event tuning examples for the SIEM or EDR side, used to suppress known-good activity around a hit, and they do not change what the YARA string itself matches:
Scenario: Legitimate software update using msiexec.exe
Filter/Exclusion: Check for msiexec.exe with command line arguments containing /i (install) and a known valid MSI file hash.
Example Filter: process.exe == "msiexec.exe" and process.args contains "/i" and file.hash.md5 == "known_valid_hash"
Scenario: Scheduled system backup using wbadmin.exe
Filter/Exclusion: Filter events where wbadmin.exe is run with the start backup subcommand and -backupTarget: points at the approved backup volume or share (for example E: or a dedicated backup share); wbadmin has no /backup flag, and C:\Windows\Temp is not a plausible backup destination.
Example Filter: process.exe == "wbadmin.exe" and process.args contains "start backup" and process.args contains "-backupTarget:E:"
Scenario: Microsoft Defender signature update using MpCmdRun.exe
Filter/Exclusion: Exclude MpCmdRun.exe executions that perform a signature update and run from the Windows Defender installation or platform directory. MsMpEng.exe is the antimalware service process itself (a service started by services.exe); it does not run as a child of svchost.exe, and the update command is carried out by MpCmdRun.exe.
Example Filter: process.exe contains "\\Windows Defender\\" and process.exe contains "MpCmdRun.exe" and process.args contains "SignatureUpdate"
Scenario: Log file parsing using logparser.exe
Filter/Exclusion: Exclude instances where logparser.exe is used to parse system or application logs (e.g., C:\Windows\System32\logfiles).
Example Filter: process.exe == "logparser.exe" and process.args contains "C:\\Windows\\System32\\logfiles"
Scenario: Disk imaging using dd.exe or robocopy.exe
Filter/Exclusion: Exclude processes where dd.exe is used for sanctioned disk imaging or robocopy.exe for sanctioned file-level data migration, keyed on the approved source and destination paths rather than on the image name alone.
Example Filter: `process.exe in (”
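As an added example (not from the original page), the following applies exclusions of the kind listed above to constructed process events and returns what is left for an analyst. The field names mirror the page's pseudo-filters (process.exe, process.args, file.hash.md5); the event records, the allowlisted MSI hash and the backup target are constructed for the example. It also handles one failure mode the one-line filters gloss over: Windows paths and image names are case-insensitive, so a case-sensitive "contains" on C:\Windows\System32\logfiles silently fails to exclude c:\windows\system32\LogFiles and floods the queue with known-good events.

```python
"""Added example (not from the original page): evaluate false-positive exclusion
filters over constructed process events. Field names follow the page's
pseudo-filters; all events and allowlist values are constructed."""
from dataclasses import dataclass
from typing import Callable


@dataclass
class ProcessEvent:
    exe: str            # full image path (process.exe)
    args: str           # command line (process.args)
    parent_exe: str = ""
    md5: str = ""       # hash of the file acted on (file.hash.md5)


def _ci_contains(haystack: str, needle: str) -> bool:
    """Case-insensitive substring test: Windows paths, image names and most
    tool switches are case-insensitive, so exclusions must be too."""
    return needle.lower() in haystack.lower()


# Hypothetical allowlist of approved installer package hashes (constructed value).
KNOWN_VALID_MSI_MD5 = {"0123456789abcdef0123456789abcdef"}

# Each exclusion is conjunctive: image name plus an attribute an attacker does
# not control just by renaming a binary (hash, approved path, fixed switch).
EXCLUSIONS: dict[str, Callable[[ProcessEvent], bool]] = {
    "msiexec install of allowlisted MSI": lambda e: (
        _ci_contains(e.exe, "\\msiexec.exe")
        and "/i" in e.args.lower().split()
        and e.md5.lower() in KNOWN_VALID_MSI_MD5
    ),
    "wbadmin scheduled backup to approved target": lambda e: (
        _ci_contains(e.exe, "\\wbadmin.exe")
        and _ci_contains(e.args, "start backup")
        and _ci_contains(e.args, "-backupTarget:E:")
    ),
    "Defender signature update": lambda e: (
        _ci_contains(e.exe, "\\Windows Defender\\")
        and _ci_contains(e.exe, "\\MpCmdRun.exe")
        and _ci_contains(e.args, "SignatureUpdate")
    ),
    "logparser over system log directory": lambda e: (
        _ci_contains(e.exe, "\\logparser.exe")
        and _ci_contains(e.args, r"C:\Windows\System32\logfiles")
    ),
}


def triage(events: list[ProcessEvent]) -> tuple[list[str], list[ProcessEvent]]:
    """Return (names of exclusions that fired, in event order; events that no
    exclusion covered and that therefore stay in the analyst queue)."""
    fired: list[str] = []
    remaining: list[ProcessEvent] = []
    for ev in events:
        matched = [name for name, pred in EXCLUSIONS.items() if pred(ev)]
        if matched:
            fired.extend(matched)
        else:
            remaining.append(ev)
    return fired, remaining


# Constructed telemetry, not real events.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\msiexec.exe", r"/i C:\pkg\app.msi /qn",
                 parent_exe="explorer.exe", md5="0123456789abcdef0123456789abcdef"),
    # Same switch, unknown package hash: must NOT be excluded.
    ProcessEvent(r"C:\Windows\System32\msiexec.exe", r"/i \\fileshare\drop\x.msi /qn",
                 parent_exe="powershell.exe", md5="ffffffffffffffffffffffffffffffff"),
    ProcessEvent(r"C:\Windows\System32\wbadmin.exe",
                 "start backup -backupTarget:E: -include:C: -quiet"),
    ProcessEvent(r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.0\MpCmdRun.exe",
                 "SignatureUpdate -ScheduleJob"),
    # Mixed-case path: only excluded because the comparison is case-insensitive.
    ProcessEvent(r"C:\Program Files\Log Parser 2.2\LogParser.exe",
                 r'"SELECT * FROM c:\windows\system32\LogFiles\W3SVC1\*.log"'),
    # Renamed or relocated tool reading something unrelated: stays in the queue.
    ProcessEvent(r"C:\Users\Public\logparser.exe",
                 r'"SELECT * FROM C:\Users\Public\creds.txt"'),
]


if __name__ == "__main__":
    fired, remaining = triage(SAMPLE_EVENTS)
    print("excluded:", fired)
    print("for review:", [(e.exe, e.args) for e in remaining])
```

The image name is attacker-controlled (any binary can be named msiexec.exe), so each exclusion here pairs it with something harder to forge: the package hash, the approved backup target, the vendor directory, or the specific log path. An exclusion that only tests process.exe would suppress the last event as well.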