This detection rule flags content tied to the sample whose MD5 hash, 28690a72362e021f65bb74eecc54255e, appears in the rule name: a PHP snippet that POSTs a "data" value and a "utmp" identifier to a remote server via cURL. A hit indicates possible exploitation by a known or not-yet-identified threat. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage activity that traditional, signature-based controls may miss.
YARA Rule
rule md5_28690a72362e021f65bb74eecc54255e {
    strings:
        $ = "curl_setopt($ch, CURLOPT_POSTFIELDS,http_build_query(array('data'=>$data,'utmp'=>$id)));"
    condition:
        any of them
}
This YARA rule can be deployed in the following contexts; each scenario lists the filter or exclusion to apply so that legitimate activity is not escalated:

Scenario: A legitimate system update or patch deployment using WSUS (Windows Server Update Services)
Filter/Exclusion: Check the file path against known WSUS update directories (e.g., C:\Windows\SoftwareDistribution\) and exclude files with "WSUS" or "update" in their name.

Scenario: A scheduled backup job using Veeam Backup & Replication
Filter/Exclusion: Exclude files with the .vib or .vbk extensions, or filter by the process name veeambackup.exe and check for backup-related directories.

Scenario: A system integrity check using Sysinternals Process Explorer
Filter/Exclusion: Exclude processes named ProcessExplorer.exe and check for the presence of a Sysinternals directory in the file path.

Scenario: A legitimate log file generated by Microsoft Event Viewer or Windows Event Log
Filter/Exclusion: Exclude files with the .evtx or .log extensions, or filter by file location such as C:\Windows\System32\winevt\Logs\.

Scenario: A user-initiated file download from a trusted source using Microsoft Edge or Chrome
Filter/Exclusion: Exclude files downloaded from known internal or trusted domains, or filter by the process name msedge.exe or chrome.exe and check the download directory.
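The triage script below is an added example, not part of the original page or any vendor tooling. It applies the rule's single string together with the five Scenario/Filter pairs above, labelling a hit as "alert" or "suppressed:<scenario>" rather than silently dropping it. Assumptions: a plain substring check stands in for the YARA engine (in production, load the rule with yara-python and feed its matches into the same triage function); the trusted-domain set is a placeholder for a site-specific allowlist; the sample files and their contents are constructed for the demonstration.

```python
"""Triage hits for rule md5_28690a72362e021f65bb74eecc54255e against the
scenario exclusions listed on this page (added example; see lead-in).

Assumptions: substring match stands in for YARA; TRUSTED_DOMAINS is a
placeholder; SAMPLES are constructed files, not real artefacts.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Callable, Dict, List, Tuple

# The one string in the page's YARA rule (condition: any of them).
SIGNATURE = (
    "curl_setopt($ch, CURLOPT_POSTFIELDS,"
    "http_build_query(array('data'=>$data,'utmp'=>$id)));"
)

WSUS_DIR = PureWindowsPath(r"C:\Windows\SoftwareDistribution")
EVENTLOG_DIR = PureWindowsPath(r"C:\Windows\System32\winevt\Logs")
TRUSTED_DOMAINS = {"intranet.example.local"}  # placeholder, site-specific allowlist


@dataclass
class Candidate:
    """A file to evaluate plus the context the page's filters depend on."""
    path: str
    content: bytes
    process: str = ""        # process that wrote/downloaded the file, if known
    source_domain: str = ""  # download origin for browser-fetched files, if known


def _under(path: PureWindowsPath, directory: PureWindowsPath) -> bool:
    # PureWindowsPath compares case-insensitively, matching NTFS semantics.
    return directory in path.parents


def _dirs_lower(path: PureWindowsPath) -> List[str]:
    return [part.lower() for part in path.parts[:-1]]


# One predicate per Scenario / Filter pair on the page.
def _wsus(c: Candidate, p: PureWindowsPath) -> bool:
    return _under(p, WSUS_DIR) or any(t in p.name.lower() for t in ("wsus", "update"))


def _veeam(c: Candidate, p: PureWindowsPath) -> bool:
    return p.suffix.lower() in {".vib", ".vbk"} or (
        c.process.lower() == "veeambackup.exe"
        and any("backup" in d for d in _dirs_lower(p))
    )


def _procexp(c: Candidate, p: PureWindowsPath) -> bool:
    return c.process.lower() == "processexplorer.exe" and "sysinternals" in _dirs_lower(p)


def _eventlog(c: Candidate, p: PureWindowsPath) -> bool:
    return p.suffix.lower() in {".evtx", ".log"} or _under(p, EVENTLOG_DIR)


def _browser(c: Candidate, p: PureWindowsPath) -> bool:
    return (c.process.lower() in {"msedge.exe", "chrome.exe"}
            and c.source_domain.lower() in TRUSTED_DOMAINS)


EXCLUSIONS: List[Tuple[str, Callable[[Candidate, PureWindowsPath], bool]]] = [
    ("wsus-update", _wsus),
    ("veeam-backup", _veeam),
    ("sysinternals-procexp", _procexp),
    ("windows-eventlog", _eventlog),
    ("trusted-browser-download", _browser),
]


def signature_matches(content: bytes) -> bool:
    return SIGNATURE.encode() in content


def triage(c: Candidate) -> str:
    """'clean' (no hit), 'alert' (hit, no exclusion), or 'suppressed:<name>'.
    Suppressed hits keep their label so an analyst can still review them."""
    if not signature_matches(c.content):
        return "clean"
    p = PureWindowsPath(c.path)
    for name, pred in EXCLUSIONS:
        if pred(c, p):
            return f"suppressed:{name}"
    return "alert"


# Constructed sample content: one file carrying the signature, one benign file.
HIT = b"<?php\n$ch = curl_init($url);\n" + SIGNATURE.encode() + b"\ncurl_exec($ch);\n"
BENIGN = b"<?php echo 'hello'; ?>\n"

SAMPLES = [
    Candidate(r"C:\inetpub\wwwroot\img.php", HIT),
    Candidate(r"C:\Windows\SoftwareDistribution\Download\pkg.cab", HIT),
    Candidate(r"D:\Backups\job1.vbk", HIT),
    Candidate(r"C:\Windows\System32\winevt\Logs\Application.evtx", HIT),
    Candidate(r"C:\Users\alice\Downloads\tool.php", HIT,
              process="chrome.exe", source_domain="intranet.example.local"),
    Candidate(r"C:\inetpub\wwwroot\index.php", BENIGN),
]


def triage_all() -> Dict[str, str]:
    return {c.path: triage(c) for c in SAMPLES}


if __name__ == "__main__":
    for path, verdict in triage_all().items():
        print(f"{verdict:28} {path}")
```

Two design points follow from the page's own filters. The "update in the name" exclusion is broad (a web-root file called update.php would be suppressed), which is why the script returns a labelled suppression instead of discarding the match: the hit still lands in the hunt results, just with lower priority. The browser and Process Explorer scenarios need process and origin context that a file scan alone does not have, so those fields are carried on the Candidate and should be populated from the EDR or Sentinel file-event that triggered the scan.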