Adversaries may use UDP-based communications to exfiltrate data or establish covert command-and-control channels, which can evade traditional network monitoring. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential lateral movement or data exfiltration attempts that may not be detected by standard monitoring tools.
YARA Rule
rule network_udp_sock {
    meta:
        author = "x0r"
        description = "Communications over UDP network"
        version = "0.1"
    strings:
        $f1 = "Ws2_32.dll" nocase
        $f2 = "System.Net" nocase
        $f3 = "wsock32.dll" nocase
        $c0 = "WSAStartup"
        $c1 = "sendto"
        $c2 = "recvfrom"
        $c3 = "WSASendTo"
        $c4 = "WSARecvFrom"
        $c5 = "UdpClient"
    condition:
        (($f1 or $f3) and 2 of ($c*)) or ($f2 and $c5)
}
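As an added example (not part of this page or the rule author's material), the Python below re-implements the rule's string matching and condition on constructed byte buffers, so a reader can see what the condition actually requires (case-insensitive DLL names, case-sensitive API names, and the "2 of ($c*)" threshold) without installing yara-python. The sample buffers are constructed to imitate import tables and are not real binaries.

```python
# Added example: stand-alone re-implementation of the network_udp_sock condition.
# This is not YARA itself; it only mirrors the rule's strings and condition.

# $f1, $f2 and $f3 carry the "nocase" modifier in the rule.
F1 = b"Ws2_32.dll"
F2 = b"System.Net"
F3 = b"wsock32.dll"
# $c0..$c5 have no "nocase" modifier, so they are matched case-sensitively.
C_STRINGS = [b"WSAStartup", b"sendto", b"recvfrom",
             b"WSASendTo", b"WSARecvFrom", b"UdpClient"]
C5 = b"UdpClient"


def _has_nocase(data: bytes, needle: bytes) -> bool:
    """Case-insensitive substring test, equivalent to a nocase YARA string."""
    return needle.lower() in data.lower()


def evaluate_network_udp_sock(data: bytes) -> dict:
    """Return which strings hit and whether the rule's condition is satisfied."""
    f1 = _has_nocase(data, F1)
    f2 = _has_nocase(data, F2)
    f3 = _has_nocase(data, F3)
    c_hits = [s.decode() for s in C_STRINGS if s in data]
    c5 = C5 in data
    # condition: (($f1 or $f3) and 2 of ($c*)) or ($f2 and $c5)
    matched = ((f1 or f3) and len(c_hits) >= 2) or (f2 and c5)
    return {"f1": f1, "f2": f2, "f3": f3, "c": c_hits, "match": matched}


def scan_file(path: str) -> dict:
    """Apply the re-implemented condition to a file on disk."""
    with open(path, "rb") as fh:
        return evaluate_network_udp_sock(fh.read())


# Constructed sample buffers (not real binaries) imitating import-table strings.
NATIVE_UDP = b"\x00WS2_32.DLL\x00WSAStartup\x00sendto\x00recvfrom\x00"
DOTNET_UDP = b"\x00System.Net\x00UdpClient\x00"
TCP_ONLY = b"\x00Ws2_32.dll\x00WSAStartup\x00connect\x00send\x00recv\x00"
NO_NET = b"\x00kernel32.dll\x00CreateFileW\x00"

if __name__ == "__main__":
    for name, buf in [("native_udp", NATIVE_UDP), ("dotnet_udp", DOTNET_UDP),
                      ("tcp_only", TCP_ONLY), ("no_net", NO_NET)]:
        r = evaluate_network_udp_sock(buf)
        print(f"{name:10s} match={r['match']} c_hits={r['c']}")
```

The tcp_only buffer shows why a Winsock import plus WSAStartup alone does not fire: the condition needs two of the $c strings alongside a Winsock DLL name, which is what keeps plain TCP clients out of the match set.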
This YARA rule can be deployed in the following contexts:
This rule contains 9 string patterns in its detection logic.
Scenario: Scheduled system updates using wsusoffline
Filter/Exclusion: Exclude traffic from the wsusoffline tool’s known IP ranges or specific ports used during update transfers.
Scenario: Internal DNS queries using nslookup or dig
Filter/Exclusion: Exclude UDP traffic to internal DNS servers (e.g., 10.0.0.1) on port 53.
Scenario: Network discovery via nmap using UDP scan mode
Filter/Exclusion: Exclude traffic from nmap scans targeting internal hosts, identified by known nmap scan signatures or source IP ranges.
Scenario: Printer spooler communication using UDP for broadcast discovery
Filter/Exclusion: Exclude UDP traffic on port 9100 or related to printer discovery services like lpd or ipp.
Scenario: Real-time data synchronization using rsync over UDP (rare but possible in custom setups)
Filter/Exclusion: Exclude traffic from known rsync UDP ports or specific source/destination IP pairs used in internal sync jobs.