The hypothesis is that the detected MD5 hash corresponds to malicious code or a known exploit artifact, indicating potential adversary activity within the environment. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage threats that may evade traditional detection methods.
YARA Rule
rule md5_d201d61510f7889f1a47257d52b15fa2 {
    strings:
        // Literal PHP pattern that evaluates a request parameter; the rule name
        // records the sample's MD5, but matching is done on this string
        $ = "@eval(stripslashes($_REQUEST[q]));"
    condition:
        any of them
}
When this rule is deployed, the following benign scenarios may also produce matches; each lists the filter or exclusion to apply so that only unexplained hits remain:
Scenario: Legitimate software update using msiexec
Description: A scheduled task runs msiexec to install a legitimate software update, which may contain a file with the matching MD5 hash.
Filter/Exclusion: Exclude files executed via msiexec or files with ProcessName containing msiexec.exe.
Scenario: System backup using Veeam Backup & Replication
Description: A backup job creates temporary files with the same MD5 hash during the backup process.
Filter/Exclusion: Exclude files created by Veeam Backup & Replication or with ProcessName containing veeam.exe.
Scenario: Scheduled PowerShell script execution
Description: A PowerShell script (e.g., PSConfigurator.ps1) is run by a scheduled task and generates a file with the matching MD5 hash.
Filter/Exclusion: Exclude files created by PowerShell scripts or with ProcessName containing powershell.exe.
Scenario: Log file generation by Windows Event Log
Description: A system log file is generated by the Windows Event Log service, which may have a file with the same MD5 hash.
Filter/Exclusion: Exclude files with ProcessName containing eventlog.exe or files in the C:\Windows\System32\LogFiles directory.
Scenario: Temporary file created by Windows Update
Description: A temporary file is created during a Windows Update process, which may match the MD5 hash due to similar file structures.
Filter/Exclusion: Exclude files with ProcessName containing wuauclt.exe or files in the C:\Windows\SoftwareDistribution directory.
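As an added example, not part of the original rule set, the Python below reproduces the rule's string match and applies the five exclusions listed above to constructed file-event records. The field names (FileName, FolderPath, ProcessName, MD5) follow the page's wording and are assumed; the sample events are constructed here, not real telemetry.

```python
from typing import Dict, List

# MD5 taken from the rule name on the page; the rule itself keys on the string below.
SUSPECT_MD5 = "d201d61510f7889f1a47257d52b15fa2"
EVAL_PATTERN = b"@eval(stripslashes($_REQUEST[q]));"

# Exclusions from the five benign scenarios (matched case-insensitively).
EXCLUDED_PROCESSES = ("msiexec.exe", "veeam.exe", "powershell.exe",
                      "eventlog.exe", "wuauclt.exe")
EXCLUDED_FOLDERS = (r"C:\Windows\System32\LogFiles",
                    r"C:\Windows\SoftwareDistribution")


def content_matches(data: bytes) -> bool:
    """Equivalent of the YARA rule: true if the literal eval string occurs anywhere."""
    return EVAL_PATTERN in data


def is_excluded(event: Dict[str, str]) -> bool:
    """True when the event falls under one of the page's filter/exclusion scenarios.
    Note that excluding powershell.exe wholesale also suppresses true positives;
    in production, narrow it to the specific scheduled script path."""
    proc = event.get("ProcessName", "").lower()
    folder = event.get("FolderPath", "").lower()
    if any(p in proc for p in EXCLUDED_PROCESSES):
        return True
    return any(folder.startswith(f.lower()) for f in EXCLUDED_FOLDERS)


def hunt(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return events whose MD5 matches the suspect hash and that no exclusion explains."""
    return [e for e in events
            if e.get("MD5", "").lower() == SUSPECT_MD5 and not is_excluded(e)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"FileName": "q.php", "FolderPath": r"C:\inetpub\wwwroot",
     "ProcessName": "w3wp.exe", "MD5": SUSPECT_MD5},
    {"FileName": "update.cab", "FolderPath": r"C:\Temp",
     "ProcessName": "MsiExec.exe", "MD5": SUSPECT_MD5},
    {"FileName": "x.tmp", "FolderPath": r"C:\Windows\SoftwareDistribution\Download",
     "ProcessName": "svchost.exe", "MD5": SUSPECT_MD5},
    {"FileName": "notes.txt", "FolderPath": r"C:\Users\a",
     "ProcessName": "notepad.exe", "MD5": "0" * 32},
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print("unexplained hit:", hit["FolderPath"], hit["FileName"], hit["ProcessName"])
```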