The hypothesis is that the detected MD5 hash corresponds to malicious code or artifacts associated with known threat actors, indicating potential compromise or lateral movement within the environment. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage threats that may evade traditional detection methods.
YARA Rule
rule md5_ab63230ee24a988a4a9245c2456e4874 {
    strings:
        // Outer call of the PHP obfuscation chain eval(gzinflate(base64_decode(str_rot13(strrev(...)))))
        $ = "eval(gzinflate(base64_decode(str_rot13(strrev("
    condition:
        any of them
}
This YARA rule can be deployed in the following contexts; each scenario describes benign activity that may produce a false positive, together with the filter or exclusion to apply:
Scenario: A legitimate system backup process using Veeam Backup & Replication generates temporary files with the MD5 hash ab63230ee24a988a4a9245c2456e4874 during compression.
Filter/Exclusion: Check for file paths containing veeam_backup or backup_temp in the file system.
Scenario: A Windows Task Scheduler job running PowerShell scripts for log rotation or data archiving creates temporary files with the same MD5 hash.
Filter/Exclusion: Filter events where the process name is powershell.exe and the command line includes logrotate or archive.
Scenario: A Docker container running a legitimate application (e.g., Nginx or MySQL) generates temporary files during runtime, which match the MD5 hash.
Filter/Exclusion: Check for container IDs or names associated with known services, or filter by file paths under /var/lib/docker/ or /tmp/.
Scenario: A Windows Update or Microsoft Intune deployment package temporarily stores files with the MD5 hash during installation.
Filter/Exclusion: Filter for file paths containing WindowsUpdate or intune and exclude files created by system update processes.
Scenario: A sysadmin manually runs a script using PowerShell or Batch files to perform system cleanup, which creates temporary files matching the hash.
Filter/Exclusion: Filter for user accounts with administrative privileges and exclude files created by scripts with known names or paths (e.g., cleanup_script.bat).
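As an added example (not part of the original page), a small Python triage helper that applies the same marker test as the YARA rule above, statically unwraps the obfuscation chain for analyst review, and tags hits with the path fragments from the exclusion scenarios rather than suppressing them. The sample file is constructed inline around a benign inner string, and the function names are my own.

```python
import base64
import codecs
import re
import zlib

# Marker string from the YARA rule above: the outer call of the PHP chain
# eval(gzinflate(base64_decode(str_rot13(strrev('...'))))).
MARKER = b"eval(gzinflate(base64_decode(str_rot13(strrev("

# Path fragments taken from the Filter/Exclusion scenarios above (lower-cased).
EXCLUSION_HINTS = ("veeam_backup", "backup_temp", "/var/lib/docker/", "/tmp/",
                   "windowsupdate", "intune", "cleanup_script.bat")


def matches_rule(data: bytes) -> bool:
    """Same test as the YARA rule: any occurrence of the marker string."""
    return MARKER in data


def unwrap_layers(data: bytes):
    """Statically undo the chain for triage. PHP evaluates the innermost call
    first, so the encoder order is deflate -> base64 -> rot13 -> reverse, and
    we undo it as reverse -> rot13 -> base64 decode -> raw inflate (gzinflate)."""
    m = re.search(rb"strrev\('([^']*)'\)", data)
    if not m:
        return None
    blob = m.group(1)[::-1]                                       # strrev
    blob = codecs.encode(blob.decode("ascii"), "rot13").encode()  # str_rot13
    raw = base64.b64decode(blob)                                  # base64_decode
    return zlib.decompress(raw, -zlib.MAX_WBITS)                  # gzinflate = raw DEFLATE


def triage(path: str, data: bytes) -> dict:
    """Flag a file and attach, rather than apply, the page's exclusion hints:
    a marker hit under a backup or container path still deserves a look."""
    hit = matches_rule(data)
    hints = [h for h in EXCLUSION_HINTS if h in path.lower()]
    return {"path": path, "hit": hit, "exclusion_hints": hints,
            "decoded": unwrap_layers(data) if hit else None}


def constructed_sample(inner: bytes) -> bytes:
    """Constructed test fixture: a benign inner string wrapped in the same layering."""
    co = zlib.compressobj(9, zlib.DEFLATED, -zlib.MAX_WBITS)
    raw = co.compress(inner) + co.flush()
    blob = codecs.encode(base64.b64encode(raw).decode("ascii"), "rot13")[::-1]
    return b"<?php " + MARKER + b"'" + blob.encode("ascii") + b"')))));"


INNER = b'echo "constructed benign sample";'   # constructed, not from the page
SAMPLE = constructed_sample(INNER)
```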