Adversaries may be exfiltrating sensitive data using the new_keyboy tool, whose 2016 sample carries a distinctive PE export (cfsUpdate), indicating potential data theft or reconnaissance. SOC teams should proactively hunt for this artifact in Azure Sentinel to identify and mitigate early-stage data exfiltration attempts by unknown threats.
YARA Rule
import "pe"

rule new_keyboy_export
{
    meta:
        author = "Matt Brooks, @cmatthewbrooks"
        desc = "Matches the new 2016 sample's export"
        date = "2016-08-28"
        md5 = "495adb1b9777002ecfe22aaf52fcee93"
    condition:
        // MZ header
        uint16(0) == 0x5A4D and
        // PE signature
        uint32(uint32(0x3C)) == 0x00004550 and
        filesize < 200KB and
        // The malware family seems to share many exports,
        // but this is the new kid on the block.
        pe.exports("cfsUpdate")
}
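To see exactly what the rule matches (and to reproduce the check in a pipeline that has no YARA), the following Python is an added example, not the rule author's code: it re-implements the four conditions by walking the PE export table, and exercises them on a constructed minimal PE32 built by `build_sample`. The DLL name `sample.dll`, the section layout and the export values in that sample are constructed test data, not taken from the real file.

```python
import struct

def _rva_to_offset(rva, sections):
    """Map an RVA to a file offset via the section table (None if unmapped)."""
    for va, vsize, raw, rawsize in sections:
        if va <= rva < va + max(vsize, rawsize):
            return rva - va + raw
    return None

def exported_names(data: bytes):
    """Names in the PE export table; [] if none, None if not a PE (same MZ/PE checks as the rule)."""
    if len(data) < 0x40 or struct.unpack_from("<H", data, 0)[0] != 0x5A4D:      # uint16(0) == "MZ"
        return None
    pe = struct.unpack_from("<I", data, 0x3C)[0]                                 # e_lfanew
    if pe + 24 > len(data) or struct.unpack_from("<I", data, pe)[0] != 0x4550:   # "PE\0\0"
        return None
    nsec, _, _, _, opt_size = struct.unpack_from("<HIIIH", data, pe + 6)         # COFF header fields
    opt = pe + 24
    dd = opt + (96 if struct.unpack_from("<H", data, opt)[0] == 0x10B else 112)  # data dirs: PE32 / PE32+
    exp_rva = struct.unpack_from("<I", data, dd)[0]                              # entry 0 = export table
    sections = [struct.unpack_from("<IIII", data, opt + opt_size + 40 * i + 8)   # vsize, va, rawsize, raw
                for i in range(nsec)]
    sections = [(va, vs, raw, rs) for vs, va, rs, raw in sections]
    exp = _rva_to_offset(exp_rva, sections) if exp_rva else None
    if exp is None:
        return []
    n_names, names_rva = struct.unpack_from("<IxxxxI", data, exp + 24)           # NumberOfNames, AddressOfNames
    names = _rva_to_offset(names_rva, sections)
    out = []
    for i in range(n_names):
        off = _rva_to_offset(struct.unpack_from("<I", data, names + 4 * i)[0], sections)
        out.append(data[off:data.index(b"\0", off)].decode("ascii", "replace"))
    return out

def matches_new_keyboy_export(data: bytes) -> bool:
    """The rule's condition: MZ, PE signature, filesize < 200KB (YARA KB = 1024), export cfsUpdate."""
    names = exported_names(data)
    return names is not None and len(data) < 200 * 1024 and "cfsUpdate" in names

def build_sample(export_name: str, size: int = 0x400) -> bytes:
    """Constructed minimal PE32 (not real malware): one section holding only an export table."""
    sec_va, sec_raw, dll = 0x1000, 0x200, b"sample.dll\0"
    sec = struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, sec_va + 52, 1, 1, 1,           # IMAGE_EXPORT_DIRECTORY
                      sec_va + 40, sec_va + 44, sec_va + 48)
    sec += struct.pack("<IIHxx", sec_va + 0x100, sec_va + 52 + len(dll), 0)      # func RVA, name RVA, ordinal
    sec += dll + export_name.encode() + b"\0"
    opt = struct.pack("<H", 0x10B).ljust(96, b"\0") + struct.pack("<II", sec_va, len(sec))
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x2102)               # i386, 1 section, DLL
    sec_hdr = (b".edata\0\0" + struct.pack("<IIII", len(sec), sec_va, 0x200, sec_raw)).ljust(40, b"\0")
    hdr = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40) + b"PE\0\0" + coff + opt.ljust(224, b"\0") + sec_hdr
    return (hdr.ljust(sec_raw, b"\0") + sec).ljust(size, b"\0")
```

The size check is deliberately part of the match: a sample padded to 200KB or more is not caught, which is the trade-off the `filesize < 200KB` clause makes.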
The following benign scenarios can resemble this activity when the rule is deployed; each lists a filter or exclusion to reduce false positives:
Scenario: A system administrator is exporting user data for a compliance audit using the Microsoft Export User Data tool.
Filter/Exclusion: Check for the presence of Export-User or Export-ADUser PowerShell cmdlets in the process command line.
Scenario: A scheduled job runs a PowerShell script that exports user credentials for backup purposes using the Export-Clixml or Export-Csv cmdlets.
Filter/Exclusion: Filter out processes initiated by the Task Scheduler with a known job name or GUID.
Scenario: A third-party application (e.g., Microsoft Intune or Azure AD Connect) performs a routine export of user attributes during synchronization.
Filter/Exclusion: Exclude processes associated with known service accounts or specific application names like AzureADConnect.exe.
Scenario: A developer is using PowerShell to export configuration data from a Windows Server for documentation purposes.
Filter/Exclusion: Filter by process names like powershell.exe and check for the presence of known developer tools or environment variables.
Scenario: A backup tool such as Veeam or Commvault exports user data as part of its backup process.
Filter/Exclusion: Exclude processes with known backup tool names or check for the presence of backup-related command-line arguments.