This rule, named after the MD5 hash e03b5df1fa070675da8b6340ff4a67c2, matches PHP source that checks the request URI for "onepage" or "admin" and appends the serialized request and cookie data, base64-encoded, to a file; a hit may indicate a known or emerging threat. SOC teams should hunt for this behavior proactively in Azure Sentinel so that a compromise is identified and mitigated early, especially because the rule's low severity threshold can let a sophisticated or stealthy adversary go unnoticed.
YARA Rule
rule md5_e03b5df1fa070675da8b6340ff4a67c2 {
    strings:
        // PHP request-URI gate ("onepage" or "admin") immediately followed by a file write
        $ = /if\(preg_match\("\/onepage\|admin\/",\s*\$_SERVER\['REQUEST_URI'\]\)\)\{\s*@?file_put_contents/
        // serialized $_REQUEST and $_COOKIE, base64-encoded and appended to a file
        $ = /@?base64_encode\(serialize\(\$_REQUEST\)\."--"\.serialize\(\$_COOKIE\)\)\."\\n",\s*FILE_APPEND\)/
    condition:
        any of them
}
This YARA rule can be deployed in the following contexts:

Scenario: Scheduled system backup using Veeam Backup & Replication
Filter/Exclusion: Exclude files carrying the e03b5df1fa070675da8b6340ff4a67c2 hash that are located in backup directories (e.g., C:\ProgramData\Veeam\Backup).

Scenario: Microsoft Windows Update process
Filter/Exclusion: Exclude files with the specified hash that are found in the C:\Windows\SoftwareDistribution directory or encountered during the execution of wuauclt.exe.

Scenario: Legitimate software installation via SCCM (System Center Configuration Manager)
Filter/Exclusion: Exclude files with the hash that belong to SCCM installation packages, typically found in C:\Windows\Temp or C:\Program Files\Microsoft Configuration Manager.

Scenario: Admin task using PowerShell for log analysis
Filter/Exclusion: Exclude the file if it is one of the PowerShell scripts used by administrators, such as those in C:\Windows\System32\WindowsPowerShell\v1.0 or C:\Users\Administrator\Documents\Scripts.

Scenario: Antivirus signature update process
Filter/Exclusion: Exclude files with the hash that are part of antivirus signature updates, commonly found in directories like C:\Program Files\Windows Defender or C:\Program Files\Bitdefender.