The hypothesis is that the detected behavior represents execution of a file whose MD5 hash is known to be malicious, which may indicate malware or other adversarial activity. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate threats that may evade traditional detection methods.
YARA Rule

rule md5_fb9e35bf367a106d18eb6aa0fe406437 {
    // Matches the script path string observed in the file with MD5
    // fb9e35bf367a106d18eb6aa0fe406437; note the rule keys on this
    // string, not on the hash itself.
    strings:
        $ = "0B6KVua7D2SLCNDN2RW1ORmhZRWs/sp_tilang.js"
    condition:
        any of them
}
This YARA rule can be deployed in the following contexts; each scenario names a benign activity that may trigger it and the filter or exclusion to apply:
Scenario: A system update or patch installation using Windows Update or WSUS
Filter/Exclusion: Check if the file is signed by Microsoft or part of a known update package. Use a filter like process.parent_process == "svchost.exe" or file.hash.md5 != "fb9e35bf367a106d18eb6aa0fe406437" when the process is associated with update services.
Scenario: A legitimate backup job using Veeam Backup & Replication or Commvault
Filter/Exclusion: Filter based on the process name, e.g., process.name == "veeambackup.exe" or process.name == "cvbackup.exe". Also, check the file path against known backup directories.
Scenario: A scheduled task running a script or executable for system maintenance, such as Task Scheduler executing a PowerShell script
Filter/Exclusion: Use a filter like process.name == "powershell.exe" with a check for the presence of a known legitimate script or command line arguments that match expected maintenance tasks.
Scenario: A software installation using Chocolatey or Ninite
Filter/Exclusion: Filter by process name such as choco.exe or ninite.exe, and verify the file path against known installation directories. Check if the file is part of a known package.
Scenario: A log file rotation or data archiving process using Logrotate or rsync
Filter/Exclusion: Filter based on process names like logrotate or rsync, and check the file path against known log directories or archive locations. Use file.path to exclude files in /var/log/ or /backup/ directories.
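As an added example that is not part of the original hunt entry: the Python below models the two checks described above, the rule's content match on the sp_tilang.js path string and the hunt's MD5 comparison, and then applies the five scenario exclusions as predicates over a file-execution event. The event field names (md5, process_name, parent_process, file_path, command_line, signer), the signer value, the maintenance script name, the Chocolatey directory and all sample events are constructed assumptions for this example; only the hash and the string come from the entry.

```python
"""Triage helper for the hunt above (added example, not the entry's own code).

Event field names, sample events, signer/script/path values are constructed.
"""
from dataclasses import dataclass

HUNT_MD5 = "fb9e35bf367a106d18eb6aa0fe406437"          # hash from the hunt entry
RULE_STRING = b"0B6KVua7D2SLCNDN2RW1ORmhZRWs/sp_tilang.js"  # string from the YARA rule


def rule_matches(content: bytes) -> bool:
    """Equivalent of the YARA rule: fires when the path string appears anywhere
    in the file content. This is what the rule actually tests, not the hash."""
    return RULE_STRING in content


@dataclass
class Event:
    """One file-execution event; field names are an assumption for this example."""
    md5: str
    process_name: str
    parent_process: str = ""
    file_path: str = ""
    command_line: str = ""
    signer: str = ""


# Benign scenarios from the entry, expressed as predicates. Values such as the
# signer name, script name and install directory are constructed placeholders.
EXCLUSIONS = {
    "windows_update": lambda e: e.parent_process.lower() == "svchost.exe"
                                and e.signer == "Microsoft Corporation",
    "backup_job": lambda e: e.process_name.lower() in {"veeambackup.exe", "cvbackup.exe"},
    "scheduled_maintenance": lambda e: e.process_name.lower() == "powershell.exe"
                                       and e.command_line.lower().endswith("maintenance.ps1"),
    "package_install": lambda e: e.process_name.lower() in {"choco.exe", "ninite.exe"}
                                 and e.file_path.lower().startswith("c:\\programdata\\chocolatey\\"),
    "log_rotation": lambda e: e.process_name in {"logrotate", "rsync"}
                              and e.file_path.startswith(("/var/log/", "/backup/")),
}


def triage(event: Event) -> tuple:
    """Return ("ignore", None) when the hash does not match the hunt,
    ("suppressed", scenario) when a benign-scenario exclusion applies,
    otherwise ("alert", None)."""
    if event.md5.lower() != HUNT_MD5:
        return ("ignore", None)
    for scenario, applies in EXCLUSIONS.items():
        if applies(event):
            return ("suppressed", scenario)
    return ("alert", None)


def run_hunt(events):
    """Triage a batch of events; suppressed hits keep their scenario so they
    can still be logged for review rather than silently dropped."""
    return [(e, triage(e)) for e in events]


if __name__ == "__main__":
    # Constructed sample events for a local dry run.
    sample = [
        Event(HUNT_MD5, "sp_tilang.exe", parent_process="explorer.exe"),
        Event(HUNT_MD5, "veeambackup.exe", file_path="D:\\backups\\job1.vbk"),
        Event("0" * 32, "notepad.exe"),
    ]
    for ev, verdict in run_hunt(sample):
        print(ev.process_name, verdict)
    print(rule_matches(b"header " + RULE_STRING + b" trailer"))
```

Because a match on a known-bad MD5 is a high-fidelity indicator, triage returns the scenario name with every suppressed hit instead of discarding it, so the exclusions can be reviewed for over-broad tuning (for example, the backup-job exclusion suppresses on process name alone).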