The hypothesis is that the detected MD5 hash corresponds to malicious code or artifacts associated with a known threat actor or campaign. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential compromise and mitigate lateral movement or data exfiltration risks.
YARA Rule

    rule md5_d30b23d1224438518d18e90c218d7c8b {
        strings:
            $ = "attribute_code=0x70617373776f72645f68617368"
        condition:
            any of them
    }
The following benign scenarios can also trigger this rule; each is paired with a filter or exclusion that keeps the legitimate activity out of the hunt results:
Scenario: A system update or patch installation using Windows Update or WSUS that includes a file with the matching MD5 hash.
Filter/Exclusion: Check the file path against known update directories (e.g., C:\Windows\SoftwareDistribution, C:\Windows\Temp). Use a filter like:

    file.path != "C:\Windows\*" and file.path != "C:\Program Files\*"
Scenario: A legitimate backup job using Veeam, Commvault, or Veritas NetBackup that temporarily stores or processes files with the matching MD5 hash during the backup process.
Filter/Exclusion: Exclude files associated with backup processes by checking the process name or file path:

    process.name != "VeeamBackup.exe" and file.path != "C:\Program Files\Veritas\*"
Scenario: A scheduled task using Task Scheduler that runs a legitimate script or executable with the matching MD5 hash, such as a daily log cleanup or report generation.
Filter/Exclusion: Exclude tasks that are known to be scheduled by administrators, such as those in the Microsoft or System task folders (parentheses make the intended precedence explicit, since "and" binds tighter than "or" in most query languages):

    process.name != "schtasks.exe" or (task.folder != "Microsoft" and task.folder != "System")
Scenario: A third-party application like Docker, Kubernetes, or Ansible that includes a file with the matching MD5 hash as part of its runtime or configuration.
Filter/Exclusion: Exclude files associated with containerized applications or orchestration tools:

    file.path != "C:\Program Files\Docker\*" and file.path != "C:\Program Files\Kubernetes\*"