The Mongal rule detects potential adversary behavior involving unusual command and control communication patterns that may indicate a compromised host or exfiltration activity. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage threats that could escalate into more severe breaches.
YARA Rule
rule Mongal
{
    meta:
        description = "Mongal"
        author = "Seth Hardy"
        last_modified = "2014-07-15"
    condition:
        // MongalCode and MongalStrings are separate rules that must be defined in the
        // same ruleset for this rule to compile; they are not reproduced on this page.
        MongalCode or MongalStrings
}
When this YARA rule is deployed, the following benign scenarios can produce hits; each one lists a suggested filter or exclusion:

Scenario: Scheduled System Maintenance Task
Description: A legitimate system maintenance task, such as a Windows Task Scheduler job that runs mongod for database backups or configuration updates.
Filter/Exclusion: Exclude processes initiated by the Task Scheduler or with a command line containing --backup or --config.

Scenario: MongoDB Replica Set Configuration
Description: A MongoDB replica set is being configured or reconfigured, and the resulting configuration changes may trigger the detection logic.
Filter/Exclusion: Exclude processes with command lines containing --replSet or --replicaSet.

Scenario: Admin User Performing MongoDB Management
Description: An admin user is using the MongoDB shell (mongo) to perform administrative tasks such as user management, role assignments, or database migrations.
Filter/Exclusion: Exclude processes initiated by admin users (e.g., user = admin) or with command lines containing use admin or db.createUser().

Scenario: MongoDB Monitoring Tool Integration
Description: A third-party monitoring tool (e.g., Datadog, New Relic, or Prometheus) is connecting to MongoDB to collect metrics, which may trigger the detection logic.
Filter/Exclusion: Exclude connections from known monitoring IPs or processes with command lines containing --monitor or --metrics.

Scenario: MongoDB Sharding Operation
Description: A MongoDB sharding operation is being performed, which involves moving chunks or rebalancing shards, and may trigger the detection logic.
Filter/Exclusion: Exclude processes with command lines containing --sharding or reshard.
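The following Python script is an added example, not code from the original page or from the rule's author. It applies the five filter/exclusion scenarios above to a set of constructed process events and reports, for each hit, which scenario suppressed it or that it should still alert. The event field names (process, parent, user, cmdline, remote_ip), the monitoring IP allow-list, the parent image names used to recognise Task Scheduler launches, and all sample events are assumptions made for the example. Because every exclusion here is a plain substring or equality match, the script returns the name of the matching scenario instead of silently dropping the event, so that suppressions can be reviewed when the tuning is audited.

```python
"""Added example: evaluate the page's filter/exclusion scenarios over constructed
process events. Field names, parent images, IPs and events are assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed allow-list for the monitoring scenario (placeholder addresses).
KNOWN_MONITORING_IPS = {"10.0.0.50", "10.0.0.51"}

# Assumption: on Windows, Task Scheduler launches tasks through these images
# (taskeng.exe on older releases, the Schedule service host on newer ones).
TASK_SCHEDULER_PARENTS = {"taskeng.exe", "svchost.exe"}


@dataclass(frozen=True)
class ProcessEvent:
    event_id: str
    process: str            # image name, e.g. mongod or mongo
    parent: str             # parent image name
    user: str               # account the process runs as
    cmdline: str            # full command line as logged
    remote_ip: Optional[str] = None   # peer address when the hit came from a connection


def exclusion_reason(ev: ProcessEvent) -> Optional[str]:
    """Return the scenario that suppresses this hit, or None if it should alert.

    Scenarios are checked in the order the page lists them; the first match wins.
    """
    cmd = ev.cmdline.lower()
    parent = ev.parent.lower()
    user = ev.user.lower()

    # Scenario 1: scheduled maintenance (Task Scheduler parent, --backup, --config).
    if parent in TASK_SCHEDULER_PARENTS or "--backup" in cmd or "--config" in cmd:
        return "scheduled-maintenance"
    # Scenario 2: replica set configuration.
    if "--replset" in cmd or "--replicaset" in cmd:
        return "replica-set"
    # Scenario 3: admin user performing management tasks.
    if user == "admin" or "use admin" in cmd or "db.createuser(" in cmd:
        return "admin-management"
    # Scenario 4: known monitoring collector or metrics flags.
    if ev.remote_ip in KNOWN_MONITORING_IPS or "--monitor" in cmd or "--metrics" in cmd:
        return "monitoring"
    # Scenario 5: sharding operation.
    if "--sharding" in cmd or "reshard" in cmd:
        return "sharding"
    return None


def triage(events: List[ProcessEvent]) -> Dict[str, Optional[str]]:
    """Map each event id to the suppressing scenario (or None when it alerts)."""
    return {ev.event_id: exclusion_reason(ev) for ev in events}


def alerting_ids(events: List[ProcessEvent]) -> List[str]:
    """Ids of events that survive every exclusion and should be raised."""
    return [eid for eid, reason in triage(events).items() if reason is None]


# Constructed sample events, one per scenario plus one that should still alert.
SAMPLE_EVENTS = [
    ProcessEvent("e1", "mongod", "svchost.exe", "SYSTEM",
                 r"mongod --config C:\mongo\mongod.cfg"),
    ProcessEvent("e2", "mongod", "services.exe", "mongodb",
                 "mongod --replSet rs0 --port 27017"),
    ProcessEvent("e3", "mongo", "cmd.exe", "admin",
                 "mongo --eval \"use admin; db.createUser({user:'ops',roles:[]})\""),
    ProcessEvent("e4", "mongostat", "datadog-agent", "datadog",
                 "mongostat --metrics", remote_ip="10.0.0.50"),
    ProcessEvent("e5", "mongo", "bash", "dba",
                 "mongo --eval \"sh.reshardCollection('app.orders', {region: 1})\""),
    # Unusual parent, non-admin user, temp-directory data path: no exclusion applies.
    ProcessEvent("e6", "mongod", "powershell.exe", "jdoe",
                 r"mongod --dbpath C:\Users\jdoe\AppData\Local\Temp\x"),
]

if __name__ == "__main__":
    for eid, reason in triage(SAMPLE_EVENTS).items():
        print(f"{eid}: {'ALERT' if reason is None else 'suppressed by ' + reason}")
```

Running the script prints one line per sample event; only e6 is reported as ALERT, the other five are attributed to the scenario that excluded them.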