The detection rule identifies potential malicious activity through the presence of a specific MD5 hash, which may indicate the use of known or emerging malicious artifacts. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential threats early; the low severity rating should not be taken at face value, since it may mask a more sophisticated attack.
YARA Rule
rule md5_4b69af81b89ba444204680d506a8e0a1 {
    strings:
        $ = "** Scam Redirector"
    condition:
        any of them
}
This YARA rule can be deployed in the following contexts; each scenario describes legitimate activity that may trigger the rule, together with the filter or exclusion to apply so that it is not reported as a false positive:
Scenario: A legitimate system update or patch installation using Windows Update or WSUS
Filter/Exclusion: Check for the presence of WindowsUpdate or wsus in the process name or command line, or filter by file paths like C:\Windows\Update\ or C:\Windows\SoftwareDistribution\
Scenario: A scheduled backup job using Veeam Backup & Replication or Commvault
Filter/Exclusion: Filter by process names like VeeamBackup.exe, cvbackup.exe, or check for backup-related directories such as C:\ProgramData\Veeam\ or C:\ProgramData\Commvault\
Scenario: An admin task involving PowerShell scripting for system configuration or compliance checks
Filter/Exclusion: Filter by process name powershell.exe and check for known admin scripts or use a regex to exclude common PowerShell administrative commands
Scenario: A legitimate software installation using Chocolatey or Scoop package managers
Filter/Exclusion: Filter by process names like choco.exe or scoop.exe, or check for installation paths such as C:\ProgramData\chocolatey\ or C:\Users\Public\scoop\
Scenario: A routine log file rotation or cleanup task using LogParser or PowerShell logging utilities
Filter/Exclusion: Filter by process names like logparser.exe or powershell.exe with specific command-line arguments related to log management, or check for known log directories like C:\Windows\System32\LogFiles\