The Naikon rule flags files belonging to the Naikon malware family; a match can point to suspicious file execution or a persistence mechanism and is rated low severity on its own. SOC teams should hunt for matches in Azure Sentinel so that early-stage activity is identified and contained before it escalates into a more serious incident.
YARA Rule

    rule Naikon : Family
    {
        meta:
            description = "Naikon"
            author = "Seth Hardy"
            last_modified = "2014-06-25"
        condition:
            NaikonCode or NaikonStrings
    }
The condition refers to two companion rules, NaikonCode and NaikonStrings, which are not shown here and must be compiled in the same rule set for this rule to load. This YARA rule can be deployed in the following contexts, each with a filter to suppress known-benign matches:
Scenario: Scheduled system maintenance using Windows Task Scheduler
Filter/Exclusion: Exclude events where the Task Scheduler process name or command-line arguments contain schtasks or Task Scheduler, as seen in the event log or process tree.

Scenario: Ansible playbook execution for configuration management
Filter/Exclusion: Exclude events where the process name includes ansible and the command line contains --tags or --playbook referencing known configuration management tasks.

Scenario: PowerShell script running a routine system cleanup
Filter/Exclusion: Exclude powershell.exe processes whose command line includes Cleanup-System or a similarly named script, or where the user is a system admin running scheduled tasks.

Scenario: SQL Server Agent job performing routine database maintenance
Filter/Exclusion: Exclude events where the process name includes sqlagent.exe or the command line contains SQLServerAgent and the job name matches a known maintenance job.

Scenario: Docker container startup or health check
Filter/Exclusion: Exclude events where the process name includes docker or containerd and the command line contains --health or --name with a known container name.

Each exclusion should be anchored to a specific script, job, tag or container name; matching on the process image or a broad keyword alone would also suppress a genuine Naikon hit that abuses the same tooling.
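The following triage helper is an added example, not part of the original rule or its author's tooling: it applies the five exclusion scenarios above to process events that triggered the rule and decides whether to suppress or escalate. The allow-lists, the event layout and the decision to exclude only read-only schtasks /query calls (and to leave out the "user is an admin" clause, since account role alone is not a safe exclusion) are assumptions made for this example.

```python
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class ProcessEvent:
    process_name: str  # image name as logged, e.g. "powershell.exe"
    command_line: str


# Constructed allow-lists for the example; in production they come from inventory.
KNOWN_CONTAINERS = {"web-frontend", "redis-cache"}
KNOWN_SQL_JOBS = {"IndexMaintenance", "NightlyBackup"}
KNOWN_ANSIBLE_TAGS = {"configure", "deploy"}
KNOWN_CLEANUP_SCRIPTS = {"Cleanup-System.ps1"}


def _flag_value(cmd: str, flag: str) -> Optional[str]:
    """Return the token after `flag` (handles '--name foo' and '--name=foo'), or None."""
    m = re.search(rf"{re.escape(flag)}(?:=|\s+)(\S+)", cmd)
    return m.group(1) if m else None


def exclusion_reason(ev: ProcessEvent) -> Optional[str]:
    """Return which benign scenario the event matches, or None if it should escalate.
    Each rule needs the expected image name AND an allow-listed value: a bare
    substring such as 'docker' or '--health' is never sufficient on its own."""
    name = ev.process_name.lower()
    cmd = ev.command_line
    # Only read-only Task Scheduler queries are excluded (assumption): schtasks /create
    # is a persistence action and must not be suppressed by the maintenance scenario.
    if name == "schtasks.exe" and "/query" in cmd.lower():
        return "task_scheduler"
    if "ansible" in name and _flag_value(cmd, "--tags") in KNOWN_ANSIBLE_TAGS:
        return "ansible"
    if name == "powershell.exe" and any(s in cmd for s in KNOWN_CLEANUP_SCRIPTS):
        return "powershell_cleanup"
    if name == "sqlagent.exe" and any(j in cmd for j in KNOWN_SQL_JOBS):
        return "sql_agent"
    if name in {"docker", "docker.exe", "containerd"} and _flag_value(cmd, "--name") in KNOWN_CONTAINERS:
        return "docker"
    return None


def triage_yara_hit(ev: ProcessEvent) -> str:
    """Decision for a process whose image matched the Naikon rule."""
    reason = exclusion_reason(ev)
    return f"suppress:{reason}" if reason else "escalate"
```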