The hypothesis is that the detected behavior indicates an adversary using a network tool built for Windows 7 x64 (AMD64) to establish covert communication or exfiltrate data. A SOC team should proactively hunt for this behavior in Azure Sentinel (now Microsoft Sentinel) to identify potential lateral movement or command-and-control activity targeting older Windows environments, which are no longer receiving security updates and are therefore attractive footholds.
YARA Rule
import "hash"

rule Network_Win7AMD64 {
    meta:
        author = "Jaume Martin"
    condition:
        // Whole-file MD5: this is an exact-match indicator for one sample,
        // so any byte-level change to the file produces a different digest.
        hash.md5(0, filesize) == "eb92031a38f17d0e63285b5142b31966"
}
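Added example (mine, not the rule author's code): a Python model of what the condition hash.md5(0, filesize) evaluates, so the rule's matching behavior can be checked without a YARA toolchain. The sample "files" are constructed stand-in bytes, not real samples; the rule's digest is reused as the default, and a second digest is derived from the constructed sample to show both a hit and how a single appended byte (a trivial repack) defeats an exact-match rule.

```python
import hashlib
from typing import Dict, List

# Digest copied from the YARA rule above.
RULE_MD5 = "eb92031a38f17d0e63285b5142b31966"


def md5_hex(data: bytes) -> str:
    """Whole-file MD5, the same quantity YARA's hash.md5(0, filesize) computes."""
    return hashlib.md5(data).hexdigest()


def matches_rule(data: bytes, expected_md5: str = RULE_MD5) -> bool:
    """True only if the file bytes hash to the expected digest (case-insensitive)."""
    return md5_hex(data) == expected_md5.lower()


def scan(files: Dict[str, bytes], expected_md5: str = RULE_MD5) -> List[str]:
    """Names of files that would trigger the rule for the given digest."""
    return [name for name, data in files.items() if matches_rule(data, expected_md5)]


def perturb(data: bytes) -> bytes:
    """Append one NUL byte: the smallest change that invalidates a whole-file hash."""
    return data + b"\x00"


# Constructed sample files (stand-in bytes, not real binaries).
SAMPLE_FILES: Dict[str, bytes] = {
    "tool.exe": b"MZ" + b"constructed sample payload",
    "notes.txt": b"just a text file",
}


def demo() -> dict:
    """Derive a digest from the constructed sample, then show a one-byte change evades it."""
    target = md5_hex(SAMPLE_FILES["tool.exe"])
    hits = scan(SAMPLE_FILES, target)
    repacked = {name: perturb(data) for name, data in SAMPLE_FILES.items()}
    hits_after = scan(repacked, target)
    return {"rule_md5": target, "hits": hits, "hits_after_perturb": hits_after}


if __name__ == "__main__":
    # The real rule digest will not match constructed bytes.
    print("hits for the page's digest:", scan(SAMPLE_FILES))
    print(demo())
```

The takeaway for the hunt: a hash-only rule confirms a known sample and nothing else, so it should be paired with the behavioral telemetry (process lineage, command lines, network connections) that the Sentinel hunt below is built on.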
When hunting for this behavior in Sentinel, the following known-benign scenarios are candidates for exclusion filters so that they do not surface as hits. Each filter is written in a generic field/operator pseudo-syntax (process.name, process.parent_process, process.command_line), not in KQL; translate it to the schema of your log source and validate every exclusion against your own telemetry before applying it, since an exclusion that is too broad can suppress the very activity being hunted.
Scenario: Scheduled system maintenance task using schtasks.exe
Filter/Exclusion: process.parent_process == "svchost.exe" && process.name == "schtasks.exe" && process.command_line contains "schtasks /run"
Scenario: Legitimate network discovery using nmap on a Windows 7 machine
Filter/Exclusion: process.name == "nmap.exe" && process.command_line contains "-sV" && process.parent_process == "explorer.exe" (nmap's service-version detection switch is -sV, not /sV)
Scenario: Windows Update installation via wuauclt.exe
Filter/Exclusion: process.name == "wuauclt.exe" && process.command_line contains "detectnow" && process.parent_process == "services.exe"
Scenario: Administrative task using taskmgr.exe to monitor network activity
Filter/Exclusion: process.name == "taskmgr.exe" && process.parent_process == "explorer.exe" && process.command_line contains "/m"
Scenario: Antivirus scan using msseces.exe (Microsoft Security Essentials)
Filter/Exclusion: process.name == "msseces.exe" && process.parent_process == "services.exe" && process.command_line contains "Scan"
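Added example (mine, not part of the page's tooling): the five exclusion filters above expressed as predicates and applied to constructed process-creation events, so the effect of the exclusions can be checked before they go into a Sentinel query. The event fields mirror the pseudo-syntax used above (process.name, process.parent_process, process.command_line) plus an assumed file_md5 field for the image hash; matching is case-insensitive by my own choice, and the nmap filter uses -sV, nmap's actual switch. The events are constructed telemetry, not real logs.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Digest copied from the YARA rule on this page.
RULE_MD5 = "eb92031a38f17d0e63285b5142b31966"


@dataclass
class ProcessEvent:
    name: str              # process.name (image name of the new process)
    parent_process: str    # process.parent_process
    command_line: str      # process.command_line
    file_md5: str = ""     # image hash if the sensor records one (assumed field)


def _is(e: ProcessEvent, name: str, parent: str, needle: str) -> bool:
    """Case-insensitive form of: name == X && parent_process == Y && command_line contains Z."""
    return (e.name.lower() == name and e.parent_process.lower() == parent
            and needle in e.command_line.lower())


# One predicate per Scenario / Filter pair listed above.
EXCLUSIONS: Dict[str, Callable[[ProcessEvent], bool]] = {
    "scheduled maintenance via schtasks": lambda e: _is(e, "schtasks.exe", "svchost.exe", "schtasks /run"),
    "nmap service discovery from the desktop": lambda e: _is(e, "nmap.exe", "explorer.exe", "-sv"),
    "windows update detection": lambda e: _is(e, "wuauclt.exe", "services.exe", "detectnow"),
    "task manager network monitoring": lambda e: _is(e, "taskmgr.exe", "explorer.exe", "/m"),
    "security essentials scan": lambda e: _is(e, "msseces.exe", "services.exe", "scan"),
}


def matched_exclusion(e: ProcessEvent) -> Optional[str]:
    """Label of the first exclusion the event satisfies, or None."""
    for label, pred in EXCLUSIONS.items():
        if pred(e):
            return label
    return None


def hunt(events: List[ProcessEvent]) -> List[ProcessEvent]:
    """Events left for an analyst after the exclusions are applied.

    Design choice: an event whose image hash equals the rule's digest is always
    kept. The exclusions tune the broader behavioral hunt and must never be
    allowed to suppress the indicator itself.
    """
    return [e for e in events
            if e.file_md5.lower() == RULE_MD5 or matched_exclusion(e) is None]


def report(events: List[ProcessEvent]) -> Dict[str, int]:
    """Simple counts for tuning: how much the exclusions actually remove."""
    kept = hunt(events)
    return {"total": len(events), "kept": len(kept), "excluded": len(events) - len(kept)}


# Constructed telemetry (not real logs).
SAMPLE_EVENTS: List[ProcessEvent] = [
    ProcessEvent("schtasks.exe", "svchost.exe", 'schtasks /run /tn "Maintenance"'),
    ProcessEvent("nmap.exe", "explorer.exe", "nmap -sV 10.0.0.0/24"),
    ProcessEvent("wuauclt.exe", "services.exe", "wuauclt /detectnow"),
    ProcessEvent("taskmgr.exe", "explorer.exe", "taskmgr /m"),
    ProcessEvent("msseces.exe", "services.exe", "msseces.exe -Scan"),
    # Same tools, different lineage or verb: no exclusion applies, so they stay.
    ProcessEvent("nmap.exe", "cmd.exe", "nmap -sV 10.0.0.0/24"),
    ProcessEvent("schtasks.exe", "svchost.exe", 'schtasks /create /tn "Updater" /tr C:\\Users\\Public\\tool.exe'),
    # Satisfies the maintenance exclusion, but the image hash is the rule's
    # digest, so the hash check keeps it in the result set.
    ProcessEvent("schtasks.exe", "svchost.exe", "schtasks /run /tn Maintenance", file_md5=RULE_MD5),
]


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(f"{e.parent_process:>12} -> {e.name:<13} {matched_exclusion(e) or '-'}")
    print(report(SAMPLE_EVENTS))
```

If the log source is the Microsoft Defender DeviceProcessEvents table in Sentinel, the three pseudo-fields map to FileName, InitiatingProcessFileName and ProcessCommandLine, and the hash keep-rule to the table's MD5 column; the predicate order in the example (hash first, exclusions second) should be preserved in the KQL.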