The MiSType_Backdoor_Packed rule, written by the Cylance SPEAR Team, flags small (under 100 KB) Win32 executables that carry three artefacts at once: the version string and magic left behind by the UPX 3.03 packer ("3.03\0UPX!"), the API name strings HttpQueryInfoA (WinINet) and send (Winsock) in the binary's import data, and a PE signature for a three-section i386 image whose TimeDateStamp is 0x2A425E19, the fixed link time of 19 June 1992 that the Delphi compiler stamps into its executables. Together these describe a UPX-packed, Delphi-built backdoor that speaks HTTP and raw sockets; the packing is the adversary's attempt to hide strings from basic detection, and the rule keys on what the packer and compiler leave behind rather than on the payload itself. Because it matches on file content, the rule belongs in a YARA-capable file scanner (endpoint, mail gateway or sandbox), with hits forwarded to the SIEM, Azure Sentinel included, for hunting and triage. The author's own meta note warns that it is probably prone to false positives, so treat a match as a lead for analyst review rather than as an alert that drives automatic response.
YARA Rule
rule MiSType_Backdoor_Packed
{
    meta:
        author = "Cylance SPEAR Team"
        note = "Probably Prone to False Positive"
    strings:
        // "3.03\0UPX!": version string and magic left by the UPX 3.03 packer
        $upx = {33 2E 30 33 00 55 50 58 21}
        // "\0\0\0HttpQueryInfoA\0\0send\0\0": NUL-delimited API name strings for
        // WinINet's HttpQueryInfoA and Winsock's send, adjacent in the import data
        $send_httpquery = {00 00 00 48 74 74 70 51 75 65 72 79 49 6E 66 6F 41 00 00 73 65 6E 64 00 00}
        // "PE\0\0", Machine 0x014C (i386), NumberOfSections 3, TimeDateStamp 0x2A425E19
        // (19 Jun 1992 22:22:17 UTC, the fixed link time written by the Delphi compiler)
        $delphi_sec_pe = {50 45 00 00 4C 01 03 00 19 5E 42 2A}
    condition:
        // all three strings must be present; YARA's 100KB means 100 * 1024 bytes
        filesize < 100KB and $upx and $send_httpquery and $delphi_sec_pe
}
This rule contains three string patterns, and all three must be present together with filesize < 100KB for it to fire. Because it inspects file content, it is deployed wherever files are scanned by a YARA engine: on demand with the yara command-line tool, in an EDR or antivirus product that accepts custom rules, on a mail or web gateway, or as a post-processing step in a sandbox.
The exclusions below should be read against the rule's actual conditions. A match needs a PE signature carrying the Delphi time stamp, the UPX 3.03 marker and the two import strings, so file types that cannot contain those bytes never match, and an exclusion by extension alone is both unnecessary and easy for an attacker to abuse by renaming a file. Prefer allowlisting by hash, signer or narrowly scoped path.
Scenario: A system administrator uses PowerShell to run a scheduled job that deploys a legitimate configuration update.
Filter/Exclusion: The .ps1 script and the configuration files are text and cannot match, so they need no exclusion. The rule only comes into play if the job also drops a small UPX-packed executable built in Delphi; allowlist that specific binary by hash or Authenticode signer rather than excluding everything launched through schtasks.
Scenario: A developer uses Visual Studio to debug a .NET application, whose build produces intermediate DLLs under obj and bin.
Filter/Exclusion: A .NET build does not pack its output with UPX, and managed assemblies do not carry the Delphi time stamp, so these DLLs do not match. The realistic exposure is a Delphi/RAD Studio project with a post-build UPX step; scope any exclusion to that project's output directories, not to every .dll on the host.
Scenario: A security agent such as OSSEC runs custom rules to monitor for suspicious activity and writes log and temporary files in its working directory.
Filter/Exclusion: Log files, whether plain or compressed, are not PE images and cannot match, so they need no exclusion. Exclude the agent's installation directory only after confirming by hash which of its binaries, if any, is actually triggering the rule.
Scenario: A system update via WSUS (Windows Server Update Services) stages .msu and .cab files under C:\Windows\SoftwareDistribution that are unpacked during installation.
Filter/Exclusion: .msu and .cab files are Microsoft cabinet containers, not UPX-packed Delphi executables, and do not match on their own; the rule could fire only on an extracted member that happens to be one. Excluding the whole SoftwareDistribution directory creates a blind spot, so instead allowlist Microsoft-signed files and keep scanning anything unsigned in that location.
Scenario: A DevOps pipeline uses Ansible to deploy a configuration file that is archived as .tar.gz or .zip for transfer.
Filter/Exclusion: Compressed archives do not expose the rule's byte patterns unless a member is stored uncompressed, and a scanner that extracts archives evaluates the rule on the members, where a text configuration file cannot match. An exclusion is warranted only if the playbook intentionally ships a packed Delphi binary, and then it should be tied to that artifact's path or hash.
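To see what the three hex strings decode to and how the rule's conditions combine, here is an added example that is not Cylance's code or tooling and not part of the original page: a pure-Python mirror of the rule's condition (no yara-python needed) run over constructed byte blobs. The blobs are fabricated for the test and are not real binaries: one carries all three markers, one is the same blob padded past the 100 KB limit, one has the Delphi header and imports but no UPX marker, and one is a PowerShell script of the kind the scenarios above mention. The function and sample names are my own.

```python
import datetime
import struct

# The three byte patterns from the rule, written out so their meaning is visible.
UPX_303 = b"3.03\x00UPX!"                                            # {33 2E 30 33 00 55 50 58 21}
SEND_HTTPQUERY = b"\x00\x00\x00HttpQueryInfoA\x00\x00send\x00\x00"   # WinINet + Winsock API names
DELPHI_SEC_PE = b"PE\x00\x00" + struct.pack("<HHI", 0x014C, 3, 0x2A425E19)  # i386, 3 sections, Delphi stamp

MAX_SIZE = 100 * 1024  # YARA's "100KB" multiplies by 1024


def mistype_backdoor_packed(data: bytes) -> bool:
    """Mirror of the rule's condition: filesize < 100KB and all three strings present.
    Like YARA, this is a plain substring search; the PE signature does not have to
    sit at e_lfanew for the rule to match."""
    return (len(data) < MAX_SIZE
            and UPX_303 in data
            and SEND_HTTPQUERY in data
            and DELPHI_SEC_PE in data)


def delphi_link_time(pe_sig: bytes = DELPHI_SEC_PE) -> str:
    """Decode the COFF header fields packed into $delphi_sec_pe: Machine,
    NumberOfSections and TimeDateStamp follow the 4-byte "PE\\0\\0" signature."""
    machine, n_sections, stamp = struct.unpack_from("<HHI", pe_sig, 4)
    if machine != 0x014C or n_sections != 3:
        raise ValueError("not the i386/3-section header the rule encodes")
    link_time = datetime.datetime.fromtimestamp(stamp, tz=datetime.timezone.utc)
    return link_time.strftime("%Y-%m-%d %H:%M:%S UTC")


def build_samples() -> dict:
    """Constructed inputs (hypothetical, not real files). The 'packed' blob is only
    the rule's markers with padding between them; it is not a loadable executable."""
    pad = bytes(256)
    mz = b"MZ" + bytes(62)  # DOS header stub, just a plausible prefix
    packed = mz + DELPHI_SEC_PE + pad + UPX_303 + pad + SEND_HTTPQUERY + pad
    return {
        "packed_delphi": packed,                                      # all markers, small -> match
        "oversized": packed + bytes(MAX_SIZE),                        # same markers, too large -> no match
        "unpacked_delphi": mz + DELPHI_SEC_PE + pad + SEND_HTTPQUERY,  # no UPX marker -> no match
        "ps1_script": b"Invoke-Command -ComputerName srv01 -FilePath .\\deploy-config.ps1\r\n",
    }


def verdicts() -> dict:
    """Rule verdict for each constructed sample, keyed by sample name."""
    return {name: mistype_backdoor_packed(blob) for name, blob in build_samples().items()}


if __name__ == "__main__":
    for name, hit in verdicts().items():
        print(f"{name:16s} {'MATCH' if hit else 'no match'}")
    print("Delphi TimeDateStamp decodes to", delphi_link_time())
```

The oversized and unpacked samples show why the condition is an AND of all four terms: dropping the size bound or any one string would widen the rule to every small UPX-packed Delphi program, which is exactly the false-positive population the meta note warns about. The text script never gets close, which is the reason extension-based exclusions for .ps1 or .log files add nothing.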