The detection rule identifies potential malicious activity involving a specific MD5 hash, which may indicate the presence of unknown or custom malware. SOC teams should proactively hunt for this behavior in Azure Sentinel to uncover stealthy, low-severity threats that could evade traditional detection methods.
YARA Rule
rule md5_fd141197c89d27b30821f3de8627ac38 {
    strings:
        // Literal PHP code fragment matched as a plain (case-sensitive) string
        $ = "if(isset($_GET['do'])){$g0='adminhtml/default/default/images'"
    condition:
        any of them
}
This YARA rule contains a single string pattern in its detection logic.
False-Positive Scenarios and Exclusions

Scenario: A legitimate system update or patch deployment using WSUS (Windows Server Update Services)
Filter/Exclusion: Check for the presence of "wsus" or "update" in the file path, or filter by file hashes known to be associated with WSUS updates.

Scenario: A scheduled PowerShell script running as part of a routine system maintenance task
Filter/Exclusion: Filter events where the process name is powershell.exe and the command line includes known maintenance scripts or paths containing "maintenance" or "script".

Scenario: A backup job using Veeam Backup & Replication that temporarily creates files with the same MD5 hash
Filter/Exclusion: Exclude files created within the backup directory, or filter by file names containing "backup", "vm", or "snapshot".

Scenario: A software installation using Chocolatey or Ninite that generates temporary files with the same hash
Filter/Exclusion: Exclude files located in temporary directories (e.g., C:\Users\*\AppData\Local\Temp), or filter by process names such as choco.exe or ninite.exe.

Scenario: A log file rotation process using Logrotate on a Linux server that creates temporary files with the same MD5 hash
Filter/Exclusion: Filter files in log directories (e.g., /var/log/), or check for the presence of "logrotate" in the process name or command line.
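The following Python script is an added example, not part of this page or of any vendor's tooling. It applies the rule's single string pattern to file contents, records the file's MD5 so an analyst can compare it with the hash in the rule name, and then applies the path, process-name and command-line exclusions listed in the scenarios above. The sample files, process names and command lines are constructed for the demonstration. Matches that fall under an exclusion are reported as suppressed rather than discarded, so the tuning decision stays visible for review.

```python
import hashlib
import re
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# The string from the YARA rule on this page, matched as a literal byte sequence.
RULE_NAME = "md5_fd141197c89d27b30821f3de8627ac38"
PATTERN = b"if(isset($_GET['do'])){$g0='adminhtml/default/default/images'"


def _file_name(path: str) -> str:
    # Works for both Windows and POSIX separators.
    return re.split(r"[\\/]", path)[-1].lower()


# Exclusion predicates derived from the false-positive scenarios on this page.
# Each predicate receives (path, process_name, command_line), all lower-cased.
EXCLUSIONS: List[Tuple[str, Callable[[str, str, str], bool]]] = [
    ("wsus_update",
     lambda p, proc, cmd: "wsus" in p or "update" in p),
    ("maintenance_powershell",
     lambda p, proc, cmd: proc == "powershell.exe"
     and ("maintenance" in cmd or "script" in cmd)),
    ("veeam_backup",
     lambda p, proc, cmd: any(k in _file_name(p) for k in ("backup", "vm", "snapshot"))),
    ("chocolatey_ninite",
     lambda p, proc, cmd: "\\appdata\\local\\temp\\" in p
     or proc in ("choco.exe", "ninite.exe")),
    ("logrotate",
     lambda p, proc, cmd: p.startswith("/var/log/")
     or "logrotate" in proc or "logrotate" in cmd),
]


@dataclass
class Verdict:
    path: str
    md5: str                     # MD5 of the scanned content, for comparison with the rule name
    matched: bool                # True if the rule's string was found
    suppressed_by: Optional[str]  # exclusion label if a match was tuned out, else None


def scan(path: str, data: bytes, process_name: str = "", command_line: str = "") -> Verdict:
    """Apply the rule's string match, then the exclusion list, to one file."""
    matched = PATTERN in data
    digest = hashlib.md5(data).hexdigest()
    suppressed = None
    if matched:
        p, proc, cmd = path.lower(), process_name.lower(), command_line.lower()
        for label, predicate in EXCLUSIONS:
            if predicate(p, proc, cmd):
                suppressed = label
                break
    return Verdict(path, digest, matched, suppressed)


# Constructed sample events (path, content, creating process, command line).
SAMPLES = [
    # Rule string inside a file in a web root: should alert.
    ("/var/www/html/media/x.php", b"<?php " + PATTERN + b"\n", "php-fpm", ""),
    # Same content under /var/log/ written by logrotate: matches, but suppressed.
    ("/var/log/app/rotated.tmp", b"<?php " + PATTERN + b"\n",
     "logrotate", "/usr/sbin/logrotate /etc/logrotate.conf"),
    # Benign file: no match at all.
    ("/var/www/html/index.php", b"<?php echo 'hello';", "php-fpm", ""),
    # Match in a user temp directory created by choco.exe: suppressed.
    (r"C:\Users\alice\AppData\Local\Temp\pkg.ps1", PATTERN,
     "choco.exe", "choco install example-package"),
]


def run() -> List[Verdict]:
    """Scan every constructed sample and return the verdicts in order."""
    return [scan(*sample) for sample in SAMPLES]


if __name__ == "__main__":
    for v in run():
        state = "no match" if not v.matched else (
            f"SUPPRESSED ({v.suppressed_by})" if v.suppressed_by else "ALERT")
        print(f"{RULE_NAME}: {state:28} md5={v.md5} {v.path}")
```

Only the first sample produces an alert; the second and fourth match the rule but are tuned out by the logrotate and Chocolatey exclusions, and the third never matches. Because the exclusions key on path and process names, a file dropped into an excluded directory by a non-excluded process still shows up with its exclusion label, which is what makes the suppressed list worth reviewing periodically.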