The detection rule, named for the MD5 hash 6bf4910b01aa4f296e590b75a3d25642, identifies potentially malicious activity through content associated with that hash, which may indicate the use of a known malicious file or payload. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate threats that traditional, signature-only methods may miss.
YARA Rule
rule md5_6bf4910b01aa4f296e590b75a3d25642 {
    strings:
        // literal PHP call; the base64 argument decodes to "onepage|gc_admin"
        $ = "base64_decode('b25lcGFnZXxnY19hZG1pbg==')"
    condition:
        any of them
}
When this YARA rule is deployed, the following benign scenarios can produce false positives; each is paired with a suggested filter or exclusion:
Scenario: A legitimate system update or patching tool (e.g., Windows Update, Chocolatey, or Ansible) generates a file with the MD5 hash 6bf4910b01aa4f296e590b75a3d25642 during a scheduled job.
Filter/Exclusion: Exclude files created by known update or configuration management tools, or filter based on process name (e.g., wuauclt.exe, choco.exe, ansible-playbook).
Scenario: A backup or synchronization tool (e.g., Veeam, rsync, or Syncthing) temporarily stores a file with the same MD5 hash during data transfer.
Filter/Exclusion: Exclude files associated with backup or sync processes, or filter based on directory paths (e.g., /backup/, /sync/, or C:\Backup\).
Scenario: A legitimate software installation or deployment task (e.g., using Puppet, Chef, or SCCM) creates a temporary file with the MD5 hash during setup.
Filter/Exclusion: Exclude files created during installation or deployment processes, or filter based on parent process names (e.g., puppet, chef-client, setup.exe).
Scenario: A legitimate log file or audit trail (e.g., from a SIEM tool like Splunk or ELK) is generated with a file that matches the MD5 hash.
Filter/Exclusion: Exclude files in known log directories (e.g., /var/log/, C:\ProgramData\Logs\) or filter based on file extensions (e.g., .log, .csv).
Scenario: A user or admin manually creates a file (e.g., a test file or a configuration file) with the same MD5 hash for troubleshooting or testing purposes.
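To test the rule logic and the exclusion list above without yara-python, here is an added example (not part of the original rule page) that emulates the rule's single-string match in Python, decodes the base64 argument it looks for, and applies the directory and extension exclusions from the tuning scenarios; the file paths, contents and exclusion prefixes are constructed and should be adjusted per site.

```python
import base64
import re

# The literal the YARA rule looks for, copied from the rule body.
RULE_STRING = b"base64_decode('b25lcGFnZXxnY19hZG1pbg==')"

# Exclusions drawn from the tuning scenarios above (constructed; adjust per site).
EXCLUDED_DIR_PREFIXES = ("/var/log/", "/backup/", "/sync/",
                         "C:\\Backup\\", "C:\\ProgramData\\Logs\\")
EXCLUDED_EXTENSIONS = (".log", ".csv")


def decode_rule_payload() -> str:
    """Decode the base64 argument embedded in the rule string."""
    inner = re.search(rb"base64_decode\('([A-Za-z0-9+/=]+)'\)", RULE_STRING).group(1)
    return base64.b64decode(inner).decode()


def rule_matches(content: bytes) -> bool:
    """'any of them' over a single plain string is just a substring test."""
    return RULE_STRING in content


def is_excluded(path: str) -> bool:
    """Apply the path-prefix and extension exclusions, case-insensitively."""
    norm = path.replace("\\", "/").lower()
    prefixes = tuple(p.replace("\\", "/").lower() for p in EXCLUDED_DIR_PREFIXES)
    return norm.startswith(prefixes) or norm.endswith(EXCLUDED_EXTENSIONS)


def triage(path: str, content: bytes) -> str:
    """Return 'alert', 'suppressed' (matched but excluded) or 'clean' for one file."""
    if not rule_matches(content):
        return "clean"
    return "suppressed" if is_excluded(path) else "alert"


SAMPLES = {  # constructed inputs
    "/var/www/html/uploads/x.php": b"<?php eval(base64_decode('b25lcGFnZXxnY19hZG1pbg==')); ?>",
    "/var/log/apache2/access.log": b"GET /?q=base64_decode('b25lcGFnZXxnY19hZG1pbg==') HTTP/1.1",
    "/home/user/notes.txt": b"nothing to see here",
}

if __name__ == "__main__":
    print("rule string decodes to:", decode_rule_payload())
    for p, c in SAMPLES.items():
        print(f"{triage(p, c):10s} {p}")
```

Note that the log-directory exclusion also suppresses the second sample, where the string appears inside a request line, so weigh that exclusion against the cost of missing web probes recorded in access logs.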