Adversaries may use specific strings to identify or communicate with command-and-control servers, which could indicate initial compromise or persistent presence. SOC teams should proactively hunt for these strings in Azure Sentinel to detect potential C2 activity early and prevent further lateral movement.
YARA Rule
rule MongalStrings
{
    meta:
        description = "Mongal Identifying Strings"
        author = "Seth Hardy"
        last_modified = "2014-07-15"
    strings:
        // Anonymous strings ($) are valid in YARA when the condition refers to them collectively
        $ = "NSCortr.dll"
        $ = "NSCortr1.dll"
        $ = "Sina.exe"
    condition:
        any of them
}
This YARA rule can be deployed in the following contexts; each scenario lists an exclusion that suppresses expected benign activity so that matches are only raised for unexpected processes:
Scenario: Scheduled backup job using Veeam Backup & Replication
Filter/Exclusion: Exclude processes associated with veeam or VeeamBackup
Example Filter: process.name != "veeam" and process.name != "VeeamBackup" (both comparisons must hold; joining them with "or" would be true for every process and exclude nothing)
Scenario: System update via Windows Update
Filter/Exclusion: Exclude processes related to wuauclt.exe or WindowsUpdate
Example Filter: process.name != "wuauclt.exe"
Scenario: Log file parsing using ELK Stack (Logstash)
Filter/Exclusion: Exclude processes related to logstash or logstash-agent
Example Filter: process.name != "logstash"
Scenario: Admin task using PowerShell to manage user accounts
Filter/Exclusion: Exclude PowerShell scripts or commands related to user management
Example Filter: process.name != "powershell.exe", or, to keep PowerShell itself in scope, a narrower command-line filter that excludes only invocations whose arguments contain user-management terms such as "user" and "add"
Scenario: Database maintenance task using SQL Server Agent Job
Filter/Exclusion: Exclude processes related to sqlservr.exe or sqlagent
Example Filter: process.name != "sqlservr.exe" and process.name != "sqlagent" (again joined with "and", since "or" between two inequalities is always true)
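An added example, not part of the original page, that re-implements the rule's "any of them" string check and the process-name exclusion logic in Python so both can be tested offline. The sample buffers and process names are constructed; the function names are assumptions.

```python
# Added example (not from the original page): minimal model of the MongalStrings
# rule's condition and of a process-name exclusion filter, to show why the
# filter must join its inequalities with "and" rather than "or".

# The three identifying strings from the YARA rule. YARA's default string
# modifiers are plain ASCII and case-sensitive, so a bytes substring test
# reproduces the same semantics.
MONGAL_STRINGS = (b"NSCortr.dll", b"NSCortr1.dll", b"Sina.exe")

# Constructed exclusion lists mirroring two of the scenarios above.
VEEAM_EXCLUSIONS = ("veeam", "VeeamBackup")
SQL_EXCLUSIONS = ("sqlservr.exe", "sqlagent")


def mongal_matches(data: bytes) -> list:
    """Return the rule strings found in data; a non-empty list is 'any of them'."""
    return [s.decode("ascii") for s in MONGAL_STRINGS if s in data]


def keep_with_or(process_name: str, exclusions: tuple) -> bool:
    """Filter shaped as  name != A or name != B.
    For two or more distinct names this is true for every process,
    so the 'exclusion' suppresses nothing."""
    return any(process_name != e for e in exclusions)


def keep_with_and(process_name: str, exclusions: tuple) -> bool:
    """Filter shaped as  name != A and name != B.
    False only when the process is one of the allowlisted names.
    Comparison is case-insensitive because Windows process names are."""
    return all(process_name.lower() != e.lower() for e in exclusions)


def should_alert(data: bytes, process_name: str, exclusions: tuple) -> bool:
    """Alert when the rule fires and the originating process is not excluded."""
    return bool(mongal_matches(data)) and keep_with_and(process_name, exclusions)


if __name__ == "__main__":
    sample = b"\x00\x00Sina.exe\x00NSCortr1.dll\x00"  # constructed buffer
    print(mongal_matches(sample))
    print(keep_with_or("veeam", VEEAM_EXCLUSIONS), keep_with_and("veeam", VEEAM_EXCLUSIONS))
```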