This YARA rule is named after the MD5 hash 4adef02197f50b9cc6918aa06132b2f6 of the sample it was derived from, but it does not match on that hash. Its single string is a regular expression for the obfuscated PHP construct quoted in the rule's comment: an eval() whose argument is produced by calling a variable function on an element of a variable-variable array. Because the variable and key names are wildcarded, the same construct with different names still matches, which makes the rule useful for hunting unknown or evolving variants rather than one fixed file. The rule carries no MITRE ATT&CK technique mapping, so every hit needs analyst investigation; SOC teams should run it against web content and memory and forward hits to Azure Sentinel for triage.
YARA Rule
rule md5_4adef02197f50b9cc6918aa06132b2f6 {
/* { eval($cco37(${ $kasd1}[ 'n46b398' ] ) );} */
strings: $ = /\{\s*eval\s*\(\s*\$.{1,5}\s*\(\$\{\s*\$.{1,5}\s*\}\[\s*'.{1,10}'\s*\]\s*\)\s*\);\}/
condition: any of them
}
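To see what the rule actually keys on, the following runs the rule's regular expression with Python's re module over a handful of constructed inputs. This is an added example, not code from the original page or the rule's author; it assumes only that the pattern uses the regex syntax YARA and Python have in common (\s, ., {m,n} and escaped braces), which holds for this string. The file names and contents in SAMPLES are made up for the demonstration.

```python
import re

# The YARA rule's only string, reproduced as a Python bytes regex. The pattern
# uses just \s, ., {m,n} and escaped braces, which mean the same thing in YARA
# and in Python's re module, so both engines agree on these inputs.
EVAL_CONSTRUCT = re.compile(
    rb"\{\s*eval\s*\(\s*\$.{1,5}\s*\(\$\{\s*\$.{1,5}\s*\}\[\s*'.{1,10}'\s*\]\s*\)\s*\);\}"
)


def matches_rule(data: bytes) -> bool:
    """Equivalent of the rule's 'any of them' condition for its single string."""
    return EVAL_CONSTRUCT.search(data) is not None


def scan(objects: dict) -> list:
    """Return the names of the scanned objects that trigger the rule."""
    return [name for name, data in objects.items() if matches_rule(data)]


# Constructed test objects (assumed content, not samples from the original page).
SAMPLES = {
    # The exact construct quoted in the rule's comment, inside a PHP file.
    "webshell.php": b"<?php { eval($cco37(${ $kasd1}[ 'n46b398' ] ) );} ?>",
    # Same construct with different names and no whitespace: \s* and the
    # .{1,5} / .{1,10} ranges let the rule catch this variant too.
    "variant.php": b"<?php {eval($a(${$b}['k']));} ?>",
    # The variant embedded in a backup archive still hits, which is why
    # excluding on the backup process name would hide a real webshell.
    "backup.tar": b"webshell.php\x00" * 4 + b"{eval($a(${$b}['k']));}" + b"\x00" * 16,
    # Variable names longer than 5 bytes fall outside .{1,5}: no match.
    "long_names.php": b"<?php { eval($longname(${ $other }[ 'x' ] ) );} ?>",
    # An ordinary eval of a literal does not have the ${$var}[...] shape.
    "plain.php": b"<?php eval('echo 1;'); ?>",
}


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name}: {'HIT' if matches_rule(data) else 'clean'}")
```

The backup.tar case is the important one for the deployment notes that follow: the hit belongs to the content, so it fires no matter which process copied or ran the file. If yara-python is installed, loading the rule text with yara.compile(source=...) and calling .match(data=...) on the same samples gives a second opinion from the real engine.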
This YARA rule matches on content (a file on disk, a web-server document root, a backup or image layer, or scanned memory), not on the hash in its name, so a hit in any of the contexts below means the obfuscated eval construct is actually present in the scanned object. The process that touched the file explains how it got there; on its own it is not grounds to suppress the hit.
Scenario: A backup job such as Veeam Backup & Replication copies a web root or archive that contains the pattern.
Filter/Exclusion: Do not exclude on veeam or backup in the parent process or command line; the backup only mirrors the source file. Resolve the original path from the job log and triage that file.
Scenario: A Windows Task Scheduler job runs a script that the scan reports as a hit.
Filter/Exclusion: A schtasks.exe parent or Task Scheduler in the process tree shows who ran the script, not that its content is benign. Exclude only after the file's hash has been checked against the known-good inventory.
Scenario: An Ansible playbook deploys a file that triggers the rule.
Filter/Exclusion: Treat ansible or ansible-playbook in the command line as provenance only, and check the playbook's source repository for the file; configuration management will faithfully redeploy a webshell that has been committed to it.
Scenario: A Docker image pull or container run includes a layer that contains the pattern.
Filter/Exclusion: Do not exclude on docker, docker pull or docker run in the command line; identify the image and layer, review the matching file, and exclude by image digest only once the content is confirmed benign.
Scenario: A Windows Update or Group Policy deployment delivers a file that triggers the rule.
Filter/Exclusion: Exclude on a valid code signature and a known-good hash rather than on wuauclt.exe, gupdate.exe or Windows Update in the command line; a process name can be reused by an attacker and says nothing about the file's content.