The RabbitStew32 rule matches a file by its MD5 hash and flags it as a potential custom or obfuscated payload, likely associated with a targeted attack vector. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage threats that may evade traditional detection methods.
YARA Rule
import "hash"

rule RabbitStew32 {
    meta:
        author = "Jaume Martin"
        description = "Matches a known sample by MD5; potential custom or obfuscated payload"
    condition:
        // Hash the whole file (offset 0, length filesize) and compare with the known sample hash
        hash.md5(0, filesize) == "a9d2e8ae5ddbf8f2842d96f7de2faef8"
}
This YARA rule can be deployed in the following contexts; each scenario lists the process filter used to exclude its expected benign activity:
Scenario: Scheduled system maintenance using Task Scheduler
Filter/Exclusion: process.parent_process_name == "schtasks.exe" or process.name == "schtasks.exe"
Scenario: Running Windows Update or Group Policy refresh
Filter/Exclusion: process.name == "wuauclt.exe" or process.name == "gupdate.exe"
Scenario: Executing PowerShell scripts for administrative tasks (e.g., user management, system configuration)
Filter/Exclusion: process.name == "powershell.exe" and (process.command_line contains " -Command" or process.command_line contains " -File")
Scenario: Using Windows Defender Antivirus scan or Microsoft Defender for scheduled full system scans
Filter/Exclusion: process.name == "MsMpEng.exe" or process.name == "WindowsDefender.exe"
Scenario: Running Windows Event Log cleanup or log management tools like LogParser or Event Viewer
Filter/Exclusion: process.name == "logparser.exe" or process.name == "eventvwr.exe"
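The PowerShell exclusion mixes and/or; if the grouping is left implicit, most query languages bind and before or, so any process whose command line contains " -File" is excluded regardless of its name. As an added example (not code from the page or its author), the Python below encodes the five exclusions as predicates and evaluates both readings of the PowerShell filter over constructed process events; the event names, parents and command lines are made up for the demonstration.

```python
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    name: str
    parent_process_name: str
    command_line: str


# Exclusions 1, 2, 4 and 5 from the page, as predicates over one event.
def maintenance_exclusion(ev):
    return ev.parent_process_name == "schtasks.exe" or ev.name == "schtasks.exe"

def update_exclusion(ev):
    return ev.name in ("wuauclt.exe", "gupdate.exe")

def defender_exclusion(ev):
    return ev.name in ("MsMpEng.exe", "WindowsDefender.exe")

def log_tool_exclusion(ev):
    return ev.name in ("logparser.exe", "eventvwr.exe")

# Exclusion 3 as most engines bind it without parentheses: (A and B) or C.
def powershell_exclusion_loose(ev):
    return (ev.name == "powershell.exe" and " -Command" in ev.command_line) \
        or " -File" in ev.command_line

# Exclusion 3 with the intended grouping: A and (B or C).
def powershell_exclusion_strict(ev):
    return ev.name == "powershell.exe" and (
        " -Command" in ev.command_line or " -File" in ev.command_line)

def is_excluded(ev, strict=True):
    ps = powershell_exclusion_strict if strict else powershell_exclusion_loose
    return any(p(ev) for p in (maintenance_exclusion, update_exclusion, ps,
                               defender_exclusion, log_tool_exclusion))

def to_scan(events, strict=True):
    """Names of events that survive the exclusions and should go on to the YARA scan."""
    return [ev.name for ev in events if not is_excluded(ev, strict)]

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    ProcessEvent("cmd.exe", "schtasks.exe", "cmd.exe /c cleanup.bat"),
    ProcessEvent("powershell.exe", "explorer.exe", "powershell.exe -Command Get-LocalUser"),
    ProcessEvent("unknown.exe", "explorer.exe", "unknown.exe -File report.bin"),
    ProcessEvent("rundll32.exe", "explorer.exe", "rundll32.exe stage.dll,Run"),
]

if __name__ == "__main__":
    print("loose :", to_scan(SAMPLE_EVENTS, strict=False))   # drops unknown.exe too
    print("strict:", to_scan(SAMPLE_EVENTS, strict=True))    # keeps unknown.exe for the scan
```

The loose reading silently removes the third event from the scan queue, which is exactly the kind of gap a tuning exclusion should not open.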