The Prikormka YARA rule detects files belonging to the Prikormka malware family used in Operation Groundbait, as documented by ESET; a match may indicate the presence of a known or emerging threat. SOC teams should proactively hunt for matches in Azure Sentinel to identify and mitigate early-stage intrusions that may evade traditional detection methods.
YARA Rule
// Aggregate rule: fires when any of the three Prikormka component rules
// (PrikormkaDropper, PrikormkaModule, PrikormkaEarlyVersion, defined in the
// same ESET malware-ioc rule file) matches. It does not compile on its own
// without those rule definitions being loaded alongside it.
rule Prikormka
{
    meta:
        Author      = "Anton Cherepanov"
        Date        = "2016/05/10"
        Description = "Operation Groundbait"
        Source      = "https://github.com/eset/malware-ioc/"
        Contact     = "[email protected]"
        License     = "BSD 2-Clause"

    condition:
        PrikormkaDropper or PrikormkaModule or PrikormkaEarlyVersion
}
When this rule is deployed, the following benign scenarios may produce matches that need tuning; a suggested filter or exclusion is listed for each:
Scenario: Scheduled system backup using Veeam Backup & Replication
Filter/Exclusion: Check for presence of veeam or backup in the process name or command line arguments.
Scenario: Regular Windows Update or Group Policy synchronization task
Filter/Exclusion: Filter out processes related to wuauclt.exe or gupdate.exe or check for Microsoft in the process name.
Scenario: PowerShell script running as part of a routine system maintenance task (e.g., log cleanup)
Filter/Exclusion: Exclude processes with powershell.exe where the command line includes Cleanup-Log or similar maintenance commands.
Scenario: Ansible or Chef automation job executing configuration management tasks
Filter/Exclusion: Check for presence of ansible or chef-client in the process name or command line.
Scenario: SQL Server Agent Job performing routine database maintenance
Filter/Exclusion: Filter out processes associated with sqlservr.exe or sqlagent.exe and check for known SQL maintenance tasks.
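As an added example (not part of the original page or ESET's rule set), the exclusion logic listed above implemented in Python and run over constructed sample alerts, where each alert is a Prikormka YARA hit enriched with the process that wrote the matched file. The alert field names, the exclusion labels and the sample records are assumptions, not a Sentinel schema.

```python
import os
import re
from dataclasses import dataclass

# Constructed sample alerts (not real telemetry): id, process image path and
# command line of the process associated with a Prikormka YARA match.
SAMPLE_ALERTS = [
    {"id": 1, "process": r"C:\Program Files\Veeam\Backup\VeeamAgent.exe", "cmdline": "VeeamAgent.exe --job nightly"},
    {"id": 2, "process": r"C:\Windows\System32\wuauclt.exe", "cmdline": "wuauclt.exe /detectnow"},
    {"id": 3, "process": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -File C:\maint\Cleanup-Log.ps1"},
    {"id": 4, "process": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -File C:\Users\victim\Downloads\update.ps1"},
    {"id": 5, "process": r"C:\Users\victim\AppData\Local\Temp\svchost.exe", "cmdline": "svchost.exe"},
    {"id": 6, "process": "/usr/bin/python3", "cmdline": "ansible-playbook site.yml"},
    {"id": 7, "process": r"C:\Program Files\Microsoft SQL Server\MSSQL15\MSSQL\Binn\sqlservr.exe",
     "cmdline": "sqlservr.exe -sMSSQLSERVER"},
]

@dataclass(frozen=True)
class Exclusion:
    name: str
    process_pattern: str       # regex tested against "<process basename> <cmdline>"
    cmdline_pattern: str = ""  # optional regex that must ALSO match the command line

# One entry per scenario on the page; names are hypothetical labels.
EXCLUSIONS = [
    Exclusion("veeam-backup", r"veeam|backup"),
    Exclusion("windows-update", r"wuauclt\.exe|gupdate\.exe|microsoft"),
    Exclusion("ps-maintenance", r"powershell\.exe", r"Cleanup-Log"),
    Exclusion("config-mgmt", r"ansible|chef-client"),
    Exclusion("sql-maintenance", r"sqlservr\.exe|sqlagent\.exe"),
]

def matched_exclusion(alert):
    """Return the name of the first exclusion the alert satisfies, else None."""
    # Use the image basename so a path like "...\Microsoft SQL Server\..." does
    # not trip the broad "microsoft" process-name check by itself.
    name = os.path.basename(alert["process"].replace("\\", "/"))
    haystack = f"{name} {alert['cmdline']}"
    for ex in EXCLUSIONS:
        if not re.search(ex.process_pattern, haystack, re.IGNORECASE):
            continue
        if ex.cmdline_pattern and not re.search(ex.cmdline_pattern, alert["cmdline"], re.IGNORECASE):
            continue  # e.g. powershell.exe without a maintenance command line is NOT excluded
        return ex.name
    return None

def triage(alerts):
    """Split alerts into ([ids to escalate], {id: exclusion name} suppressed)."""
    escalate, suppressed = [], {}
    for alert in alerts:
        ex = matched_exclusion(alert)
        if ex is None:
            escalate.append(alert["id"])
        else:
            suppressed[alert["id"]] = ex
    return escalate, suppressed
```

Exclusions are evaluated in order and the first match wins; a PowerShell hit whose command line lacks the maintenance marker, or a binary in a user-writable Temp directory, falls through to escalation.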