The detection rule identifies potential adversarial activity through unusual HTTP header codes, which may indicate obfuscation or evasion tactics used by attackers to bypass standard security controls. SOC teams should proactively hunt for this behavior in Azure Sentinel to uncover stealthy network communication that could signal early-stage compromise or data exfiltration attempts.
YARA Rule
rule new_keyboy_header_codes
{
    meta:
        author = "Matt Brooks, @cmatthewbrooks"
        desc = "Matches the 2016 sample's header codes"
        date = "2016-08-28"
        md5 = "495adb1b9777002ecfe22aaf52fcee93"
    strings:
        $s1 = "*l*" wide fullword
        $s2 = "*a*" wide fullword
        $s3 = "*s*" wide fullword
        $s4 = "*d*" wide fullword
        $s5 = "*f*" wide fullword
        $s6 = "*g*" wide fullword
        $s7 = "*h*" wide fullword
    condition:
        uint16(0) == 0x5A4D and                  // MZ header
        uint32(uint32(0x3C)) == 0x00004550 and   // PE signature
        filesize < 200KB and all of them
}
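To make the condition concrete, here is an added Python emulation of the rule (this is not part of the original page nor Matt Brooks' or any YARA project code): it follows the MZ header to e_lfanew, checks the PE signature and the size bound, and reproduces YARA's `wide fullword` semantics for the seven strings. The bytes it scans come from a constructed, benign PE-shaped blob, not from the referenced sample.

```python
import re
import struct

# The seven wide strings from the rule, in the same order.
HEADER_CODES = ["*l*", "*a*", "*s*", "*d*", "*f*", "*g*", "*h*"]
MAX_SIZE = 200 * 1024  # YARA's "200KB" (KB = 1024 bytes)


def wide_fullword_present(data: bytes, s: str) -> bool:
    """Emulate YARA's `wide fullword`: the UTF-16LE encoding of s must occur
    without a wide alphanumeric character directly before or after it."""
    needle = re.escape(s.encode("utf-16-le"))
    # A wide alphanumeric char is an ASCII alnum byte followed by 0x00.
    pattern = rb"(?<![0-9A-Za-z]\x00)" + needle + rb"(?![0-9A-Za-z]\x00)"
    return re.search(pattern, data) is not None


def matches_rule(data: bytes) -> bool:
    """Evaluate the rule's condition in the same order YARA evaluates it."""
    if len(data) < 0x40 or struct.unpack_from("<H", data, 0)[0] != 0x5A4D:
        return False  # uint16(0) == 0x5A4D ("MZ")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 4 > len(data):
        return False  # uint32() past EOF is undefined in YARA -> no match
    if struct.unpack_from("<I", data, e_lfanew)[0] != 0x00004550:
        return False  # uint32(uint32(0x3C)) == "PE\0\0"
    if len(data) >= MAX_SIZE:
        return False  # filesize < 200KB
    return all(wide_fullword_present(data, s) for s in HEADER_CODES)


def build_sample(codes=tuple(HEADER_CODES)) -> bytes:
    """Constructed, benign PE-shaped test blob (not the referenced malware):
    an MZ stub whose e_lfanew points at the PE signature, then the codes."""
    e_lfanew = 0x80
    header = bytearray(b"MZ" + b"\x00" * (e_lfanew - 2))
    struct.pack_into("<I", header, 0x3C, e_lfanew)
    body = b"PE\x00\x00" + b"\x00" * 0x100
    # Each code is UTF-16LE and separated by a wide NUL, so fullword holds.
    body += b"".join(c.encode("utf-16-le") + b"\x00\x00" for c in codes)
    return bytes(header) + body


if __name__ == "__main__":
    print("full sample:", matches_rule(build_sample()))                  # True
    print("missing *h*:", matches_rule(build_sample(HEADER_CODES[:-1])))  # False
```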
The rule's detection logic uses 7 string patterns (the seven wide, full-word header codes), gated by an MZ header check, a PE signature check and a file size under 200KB. When deploying it, the following benign scenarios can produce matches; each is paired with a suggested filter or exclusion:
Scenario: A system update or patching tool (e.g., Windows Update, SCCM) generates temporary files with header codes that match the YARA rule.
Filter/Exclusion: Check for file paths containing known update directories (e.g., C:\Windows\Temp, C:\ProgramData\Microsoft\Windows\Update) or use a file path filter to exclude system update directories.
Scenario: A backup or archive tool (e.g., Veeam, Acronis) creates temporary files during the backup process that include header codes matching the rule.
Filter/Exclusion: Exclude files with extensions like .tmp, .bkp, .vbk, or from known backup directories (e.g., C:\Backup, D:\VeeamBackup).
Scenario: A scheduled system cleanup or disk defragmentation task (e.g., cleanmgr.exe, defrag.exe) generates temporary files with header codes that trigger the rule.
Filter/Exclusion: Exclude files created within a specific time window (e.g., during system maintenance hours) or filter by process name (cleanmgr.exe, defrag.exe).
Scenario: A legitimate software installation (e.g., Adobe Acrobat, Microsoft Office) creates temporary files during installation that include header codes matching the rule.
Filter/Exclusion: Exclude files created by known installers or from installation directories (e.g., C:\Users\Public\Downloads, C:\Program Files\Adobe).
Scenario: A security tool (e.g., ESET, Bitdefender) generates temporary files during a scan or quarantine process that include header codes matching the rule.
Filter/Exclusion: Exclude files with known security tool signatures or from quarantine directories (e.g., C:\ProgramData\ESET, C:\ProgramData\Bitdefender).