Detects Windows discovery commands - known from OilRig Campaign

Hunt Hypothesis

The detection of Windows discovery commands aligns with OilRig campaign tactics, indicating potential adversary reconnaissance within the network. SOC teams should proactively hunt for this behavior to identify early-stage compromise and prevent lateral movement in Azure Sentinel.

YARA Rule

rule OilRig_Campaign_Reconnaissance 
{

   meta:
      description = "Detects Windows discovery commands - known from OilRig Campaign"
      author = "Florian Roth"
      reference = "https://goo.gl/QMRZ8K"
      date = "2016-10-12"
      hash1 = "5893eae26df8e15c1e0fa763bf88a1ae79484cdb488ba2fc382700ff2cfab80c"

   strings:
      $s1 = "whoami & hostname & ipconfig /all" ascii
      $s2 = "net user /domain 2>&1 & net group /domain 2>&1" ascii
      $s3 = "net group \"domain admins\" /domain 2>&1 & " ascii

   condition:
      ( filesize < 1KB and 1 of them )
}

Deployment Notes

This YARA rule can be deployed in the following contexts:

• Microsoft Defender for Endpoint — Custom indicators / advanced hunting
• Email Gateway — Attachment scanning
• File Share Monitoring — Periodic scanning of shared drives
• YARA CLI — Manual threat hunting on endpoints

This rule contains 3 string patterns in its detection logic.

References

• https://goo.gl/QMRZ8K
• Source Rule

False Positive Guidance

• Scenario: System File Checker (SFC) scan initiated by an admin
  Description: An administrator runs sfc /scannow as part of routine system maintenance.
  Filter/Exclusion: Check for sfc in the command line, or filter by process name svchost.exe with sfc in the command line.

• Scenario: Scheduled Task for Windows Update
  Description: A legitimate scheduled task runs wuauclt.exe to check for Windows updates.
  Filter/Exclusion: Filter by process name wuauclt.exe or check for wuauclt in the command line.

• Scenario: PowerShell script for system diagnostics
  Description: A system administrator runs a PowerShell script using Get-WmiObject or Get-Service to check system status.
  Filter/Exclusion: Filter by powershell.exe with Get-WmiObject or Get-Service in the command line.

• Scenario: Admin Task for Service Management
  Description: An admin uses services.msc or runs sc commands to manage services.
  Filter/Exclusion: Filter by services.exe or sc.exe in the command line, or check for known admin tasks in the command history.

• Scenario: Network Discovery via ipconfig or arp -a
  Description: A network administrator uses ipconfig or arp -a to troubleshoot network connectivity.
  Filter/Exclusion: Filter by ipconfig.exe or arp.exe in the command line, or check for network diagnostic tools in the command history.