The rule, named for the MD5 hash of the sample it was derived from, detects an obfuscated call pattern found in that potentially malicious code, indicating possible adversary activity involving file execution or persistence. SOC teams should proactively hunt for this pattern in Azure Sentinel to identify and mitigate early-stage threats that may evade traditional detection methods.
YARA Rule

rule md5_825a3b2a6abbe6abcdeda64a73416b3d {
    /*
    // $ooooo00oo0000oo0oo0oo00ooo0ooo0o0o0 = gethostbyname($_SERVER["SERVER_NAME"]);
    // if(!oo00o0OOo0o00O("fsockopen"))
    // strings: $ = "$ooooo00oo0000oo0"
    */
    strings:
        $ = /[o0O]{3}\("fsockopen"\)/
    condition:
        any of them
}
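To see what the rule's single string actually fires on, here is an added Python example (not code from the page) that applies the same regular expression with Python's re module to constructed PHP snippets. The sample file contents are made up for this test; the third one shows that a benign function whose name happens to end in three o/0/O characters also matches, which is a tuning point to keep in mind.

```python
import re
from typing import Dict, List, Tuple

# Python re equivalent of the YARA string: $ = /[o0O]{3}\("fsockopen"\)/
FSOCKOPEN_OBFUSCATED = re.compile(r'[o0O]{3}\("fsockopen"\)')

# Constructed sample files (not real artifacts), keyed by a made-up name.
SAMPLES: Dict[str, str] = {
    "obfuscated_shell.php": (
        '<?php\n'
        '$ooooo00oo0000oo0oo0oo00ooo0ooo0o0o0 = gethostbyname($_SERVER["SERVER_NAME"]);\n'
        'if(!oo00o0OOo0o00O("fsockopen")) { die(); }\n'
    ),
    "legit_client.php": (
        '<?php\n'
        'if (!function_exists("fsockopen")) { die("no sockets"); }\n'
        '$fp = fsockopen("example.com", 80, $errno, $errstr, 30);\n'
    ),
    "wrapper.php": (
        '<?php\n'
        'function zoo0($f) { return function_exists($f); }\n'
        'if (zoo0("fsockopen")) { echo "ok"; }\n'
    ),
}


def match_rule(text: str) -> List[Tuple[int, str]]:
    """Return (1-based line number, matched text) for every hit in `text`."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in FSOCKOPEN_OBFUSCATED.finditer(line):
            hits.append((lineno, m.group(0)))
    return hits


def hunt(samples: Dict[str, str]) -> Dict[str, List[Tuple[int, str]]]:
    """Scan every sample and keep only the files that produced at least one hit."""
    return {name: hits for name, text in samples.items() if (hits := match_rule(text))}


if __name__ == "__main__":
    for name, hits in hunt(SAMPLES).items():
        for lineno, snippet in hits:
            print(f"{name}:{lineno}: {snippet}")
```

The unobfuscated client never matches because `function_exists("fsockopen")` and a direct `fsockopen(` call are not preceded by three o/0/O characters, while the `zoo0` wrapper does, so in a real deployment pair this string with additional indicators before alerting on it.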
The following exclusions can be applied when this YARA rule is deployed in these contexts:
Scenario: Legitimate system update using Microsoft Update
Filter/Exclusion: Exclude files signed by Microsoft with a SHA256 hash matching known update packages
Example: file.hash.sha256 == "a1b2c3d4e5f67890..." or file.signer == "Microsoft Corporation"

Scenario: Scheduled backup job using Veeam Backup & Replication
Filter/Exclusion: Exclude files with process name veeam.exe or vbackup.exe
Example: process.name == "veeam.exe"

Scenario: Admin task using PowerShell for log cleanup
Filter/Exclusion: Exclude PowerShell scripts executed by PowerShell.exe with "log" or "clean" in the command line
Example: process.name == "PowerShell.exe" && (command_line contains "log" || command_line contains "clean")

Scenario: Antivirus signature update using Bitdefender
Filter/Exclusion: Exclude files with process name bdagent.exe or bdupdater.exe
Example: process.name == "bdagent.exe"

Scenario: Database backup using a MySQL scheduled task
Filter/Exclusion: Exclude files with process name mysqldump.exe or mysql.exe
Example: process.name == "mysqldump.exe"