Adversaries may attempt to establish initial command and control by initiating incoming network communication, which could indicate the early stages of a compromise. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential threats before they escalate and exfiltrate data or move laterally within the network.
YARA Rule
rule network_tcp_listen {
    meta:
        author = "x0r"
        description = "Listen for incoming communication"
        version = "0.1"
    strings:
        // Socket libraries and namespaces a listening binary references (case-insensitive)
        $f1 = "Ws2_32.dll" nocase
        $f2 = "Mswsock.dll" nocase
        $f3 = "System.Net" nocase
        $f4 = "wsock32.dll" nocase
        // Server-side socket API names (case-sensitive); note that $c4 is a substring of $c3
        $c1 = "bind"
        $c2 = "accept"
        $c3 = "GetAcceptExSockaddrs"
        $c4 = "AcceptEx"
        $c5 = "WSAStartup"
        $c6 = "WSAAccept"
        $c7 = "WSASocket"
        $c8 = "TcpListener"
        $c9 = "AcceptTcpClient"
        $c10 = "listen"
    condition:
        1 of ($f*) and 2 of ($c*)
}
This YARA rule can be deployed in the following contexts:
This rule contains 14 string patterns in its detection logic.
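To make the condition concrete, the following added Python snippet (not part of the original page, and not a substitute for running YARA) mirrors this rule's string sets and its `1 of ($f*) and 2 of ($c*)` logic over constructed byte samples. It shows that a native server and a benign .NET TcpListener-based server both match while a connect-only client does not, which is exactly why the false-positive scenarios listed on this page need exclusions.

```python
import re

# Constructed mirror of the rule's string sets (illustration only; YARA itself
# is the authoritative evaluator). $f* carry `nocase`, $c* are case-sensitive.
FILE_STRINGS = {
    "f1": b"Ws2_32.dll", "f2": b"Mswsock.dll",
    "f3": b"System.Net", "f4": b"wsock32.dll",
}
CALL_STRINGS = {
    "c1": b"bind", "c2": b"accept", "c3": b"GetAcceptExSockaddrs",
    "c4": b"AcceptEx", "c5": b"WSAStartup", "c6": b"WSAAccept",
    "c7": b"WSASocket", "c8": b"TcpListener", "c9": b"AcceptTcpClient",
    "c10": b"listen",
}

def matched(data: bytes, patterns: dict, nocase: bool) -> list:
    """Identifiers whose literal occurs in data as plain ASCII (YARA's default
    for an unmodified text string; `nocase` relaxes case as in the rule)."""
    flags = re.IGNORECASE if nocase else 0
    return [ident for ident, lit in patterns.items()
            if re.search(re.escape(lit), data, flags)]

def network_tcp_listen(data: bytes):
    """Evaluate `1 of ($f*) and 2 of ($c*)`; returns (matched, f_hits, c_hits)."""
    f_hits = matched(data, FILE_STRINGS, nocase=True)
    c_hits = matched(data, CALL_STRINGS, nocase=False)
    # Caveat visible in the rule: "AcceptEx" ($c4) is a substring of $c3, so any
    # file hitting $c3 also hits $c4 and satisfies "2 of ($c*)" on its own.
    return len(f_hits) >= 1 and len(c_hits) >= 2, f_hits, c_hits

# Constructed samples standing in for import tables / metadata of PE files.
NATIVE_LISTENER = b"WS2_32.dll\x00WSAStartup\x00bind\x00listen\x00"   # native server
DOTNET_SERVER = b"System.Net\x00TcpListener\x00AcceptTcpClient\x00"    # benign .NET server
NATIVE_CLIENT = b"ws2_32.dll\x00WSAStartup\x00connect\x00send\x00"    # connect-only client

def scan_samples() -> dict:
    """Run the rule over the constructed samples; benign servers match too,
    which is why the per-scenario exclusions on this page are needed."""
    return {name: network_tcp_listen(blob)[0] for name, blob in
            [("native_listener", NATIVE_LISTENER),
             ("dotnet_server", DOTNET_SERVER),
             ("native_client", NATIVE_CLIENT)]}

if __name__ == "__main__":
    for name, hit in scan_samples().items():
        print(f"{name}: {'MATCH' if hit else 'no match'}")
```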
Scenario: System update via Windows Server Update Services (WSUS)
Filter/Exclusion: Check the destination IP against known WSUS servers in the organization’s network and filter traffic to/from the WSUS server IP.
Scenario: Scheduled backup job using Veeam Backup & Replication
Filter/Exclusion: Exclude traffic to/from the Veeam backup server IP and any known backup client IPs within the internal network.
Scenario: Remote management via Microsoft Remote Desktop Services (RDS)
Filter/Exclusion: Filter traffic to the RDP port (3389) only for known RDS servers and exclude internal RDP traffic between trusted hosts.
Scenario: Patch management via SCCM (System Center Configuration Manager)
Filter/Exclusion: Exclude traffic to the SCCM distribution point IP and filter based on known SCCM communication ports (e.g., 80, 443, 8080).
Scenario: Database replication between SQL Server instances
Filter/Exclusion: Exclude traffic between SQL Server instances within the same domain and filter based on SQL Server replication ports (e.g., 1433, 1434).