This detection identifies potentially malicious activity tied to the MD5 hash 64651cede2467fdeb1b3b7e6ff3f81cb, which is associated with known malicious artifacts. SOC teams should proactively hunt for this indicator in Azure Sentinel to identify and mitigate early-stage threats that may evade traditional detection methods.
YARA Rule
rule md5_64651cede2467fdeb1b3b7e6ff3f81cb {
    meta:
        hash = "64651cede2467fdeb1b3b7e6ff3f81cb"
    strings:
        // single string associated with the artifact
        $s1 = "rUl6QttVEP5eqf9usxfJjgoOvdNWFSGoHDgluk+4ONwXQNbGniQLttfyrgkB8d9"
    condition:
        any of them
}
The following scenarios describe legitimate activity that could trigger this rule, each with a suggested filter or exclusion to reduce false positives:
Scenario: A legitimate system backup process using Veeam Backup & Replication generates temporary files with the MD5 hash 64651cede2467fdeb1b3b7e6ff3f81cb during compression or transfer.
Filter/Exclusion: Exclude files created by Veeam Backup & Replication or filter based on process name veeambackup.exe.
Scenario: A Windows Task Scheduler job runs a PowerShell script that uses a known hash for a legitimate module (e.g., Microsoft.PowerShell.Utility).
Filter/Exclusion: Exclude files executed by schtasks.exe or filter based on the presence of powershell.exe in the process tree.
Scenario: A Docker container running a known application (e.g., Nginx) includes a file with the same MD5 hash due to a shared library or dependency.
Filter/Exclusion: Exclude files within Docker containers or filter based on the presence of docker in the process name or container ID.
Scenario: A Windows Update or Microsoft Endpoint Manager (MEM) deployment includes a file with the MD5 hash as part of a legitimate patch or policy file.
Filter/Exclusion: Exclude files associated with wuauclt.exe, setup.exe, or Microsoft Endpoint Manager processes.
Scenario: A scheduled PowerShell script used for log management (e.g., LogParser) generates a temporary file with the same MD5 hash during processing.
Filter/Exclusion: Exclude files created by powershell.exe with specific command-line arguments or script paths associated with log management tools.
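The following Azure Sentinel hunting query is an added example, not part of the original page or its rule; it looks for the page's MD5 hash in file events and applies the process-based exclusions from the scenarios above. It assumes the Microsoft Defender for Endpoint connector is feeding the DeviceFileEvents table into the workspace; the exclusion list and the 30-day window are placeholders to tune per environment.

```kql
// Added hunting query (not from the original page). Assumes the Microsoft
// Defender for Endpoint connector is ingesting DeviceFileEvents into Sentinel.
let TargetHash = "64651cede2467fdeb1b3b7e6ff3f81cb";
// Initiating processes from the exclusion scenarios above; tune per environment.
let ExcludedProcesses = dynamic(["veeambackup.exe", "schtasks.exe", "wuauclt.exe", "setup.exe"]);
DeviceFileEvents
| where Timestamp > ago(30d)
| where MD5 =~ TargetHash
// Drop events whose initiating process is on the allowlist.
| where not(InitiatingProcessFileName in~ (ExcludedProcesses))
// Log-management scenario: exclude PowerShell only when the command line
// references the log tool ("LogParser" here is the page's example name).
| where not(InitiatingProcessFileName =~ "powershell.exe"
            and InitiatingProcessCommandLine has "LogParser")
| project Timestamp, DeviceName, ActionType, FileName, FolderPath, MD5,
          InitiatingProcessFileName, InitiatingProcessCommandLine
| order by Timestamp desc
```

Review the remaining hits by DeviceName and InitiatingProcessCommandLine before adding further exclusions; broad allowlists such as "anything run by powershell.exe" would also suppress true positives, so prefer narrow filters on script path or command-line content as the scenarios suggest.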