The Mirage rule detects potential adversary behavior involving the use of legitimate Azure services to mask malicious activity, leveraging cloud infrastructure for persistence and exfiltration. SOC teams should proactively hunt for this behavior to identify and mitigate stealthy, long-term threats that evade traditional detection methods.
YARA Rule
rule Mirage
{
    meta:
        description = "Mirage"
        author = "Seth Hardy"
        last_modified = "2014-06-25"
    condition:
        // Rule-to-rule reference: MirageStrings must be defined earlier in the
        // same ruleset or the compile fails. Its definition is not shown on this page.
        MirageStrings
}
When alerts from this YARA rule are deployed, the following benign scenarios should be tuned out with the listed filters/exclusions:
Scenario: Scheduled System Backup Using Veeam Backup & Replication
Filter/Exclusion: Exclude events where the source is Veeam Backup & Replication and the action is related to a scheduled backup job.
Scenario: Admin Performing Disk Cleanup via Windows Task Scheduler
Filter/Exclusion: Exclude events where the process name is cleanmgr.exe and the user is a domain admin with elevated privileges.
Scenario: Database Maintenance Job Using SQL Server Agent
Filter/Exclusion: Exclude events where the process is sqlservr.exe and the task is associated with a known SQL Server maintenance job.
Scenario: Log File Rotation via Logrotate on Linux
Filter/Exclusion: Exclude events where the process is logrotate and the file path matches a known log rotation target (e.g., /var/log/*.log).
Scenario: User-Initiated File Sync via Dropbox or OneDrive
Filter/Exclusion: Exclude events where the process is dropbox.exe or OneDrive.exe and the operation is related to syncing user files.
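As an added example (not from the original page or its author), the five exclusions above expressed as predicates applied to sample endpoint events, so the tuning can be tested before it ships. All event records, field names (source, action, process, user_is_domain_admin, elevated, task, path, operation) and job names are constructed for illustration and are assumptions, not any product's real schema. Each predicate requires every clause of its scenario to hold, so a trusted binary name alone never suppresses an event.

```python
"""Apply the Mirage tuning exclusions to sample events (constructed data)."""
from fnmatch import fnmatch

# --- One predicate per scenario listed on the page ---------------------------

def veeam_scheduled_backup(ev):
    # Source must be Veeam AND the action a scheduled backup job.
    return (ev.get("source") == "Veeam Backup & Replication"
            and ev.get("action") == "scheduled_backup")

def admin_disk_cleanup(ev):
    # cleanmgr.exe run by a domain admin with elevated privileges.
    return (ev.get("process", "").lower() == "cleanmgr.exe"
            and ev.get("user_is_domain_admin") is True
            and ev.get("elevated") is True)

KNOWN_SQL_JOBS = {"IndexRebuild_Nightly", "BackupDB_Weekly"}  # constructed job names

def sql_maintenance_job(ev):
    # sqlservr.exe tied to a job on the known-maintenance allowlist only.
    return (ev.get("process", "").lower() == "sqlservr.exe"
            and ev.get("task") in KNOWN_SQL_JOBS)

LOG_ROTATION_TARGETS = ("/var/log/*.log",)  # pattern taken from the page

def logrotate_known_target(ev):
    # logrotate touching a path that matches a known rotation target.
    return (ev.get("process") == "logrotate"
            and any(fnmatch(ev.get("path", ""), pat) for pat in LOG_ROTATION_TARGETS))

def user_file_sync(ev):
    # Dropbox/OneDrive client performing a user file sync, nothing else.
    return (ev.get("process", "").lower() in {"dropbox.exe", "onedrive.exe"}
            and ev.get("operation") == "file_sync")

EXCLUSIONS = [
    ("veeam_scheduled_backup", veeam_scheduled_backup),
    ("admin_disk_cleanup", admin_disk_cleanup),
    ("sql_maintenance_job", sql_maintenance_job),
    ("logrotate_known_target", logrotate_known_target),
    ("user_file_sync", user_file_sync),
]

def triage(events):
    """Return (kept, excluded): kept events need analyst review,
    excluded maps event id -> name of the exclusion that suppressed it."""
    kept, excluded = [], {}
    for ev in events:
        for name, pred in EXCLUSIONS:
            if pred(ev):
                excluded[ev["id"]] = name
                break
        else:
            kept.append(ev)
    return kept, excluded

# Constructed sample events: pairs of a benign case and a look-alike that
# reuses the same binary name but fails one clause of the exclusion.
SAMPLE_EVENTS = [
    {"id": 1, "source": "Veeam Backup & Replication", "action": "scheduled_backup"},
    {"id": 2, "process": "cleanmgr.exe", "user": "CORP\\jdoe",
     "user_is_domain_admin": True, "elevated": True},
    {"id": 3, "process": "cleanmgr.exe", "user": "CORP\\intern",
     "user_is_domain_admin": False, "elevated": False},
    {"id": 4, "process": "sqlservr.exe", "task": "IndexRebuild_Nightly"},
    {"id": 5, "process": "logrotate", "path": "/var/log/syslog.log"},
    {"id": 6, "process": "logrotate", "path": "/home/user/.cache/stage.bin"},
    {"id": 7, "process": "OneDrive.exe", "operation": "file_sync"},
    {"id": 8, "process": "OneDrive.exe", "operation": "registry_write"},
]

def kept_ids(events=SAMPLE_EVENTS):
    """Ids of events that survive the exclusions and reach the analyst queue."""
    return [ev["id"] for ev in triage(events)[0]]

if __name__ == "__main__":
    kept, excluded = triage(SAMPLE_EVENTS)
    for ev_id, name in sorted(excluded.items()):
        print(f"event {ev_id}: excluded by {name}")
    print("for review:", [ev["id"] for ev in kept])
```

Running the block leaves events 3, 6 and 8 in the review queue: the non-admin cleanmgr.exe run, the logrotate write outside the rotation targets, and the OneDrive client doing something other than a file sync. Keeping each exclusion conjunctive is what makes those look-alikes visible; a filter on process name alone would have hidden all three.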