The RabbitStew64 rule detects potential adversary behavior involving the use of a custom or obfuscated executable, which may be part of a multi-stage attack or persistence mechanism. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage threats that may evade traditional detection methods.
YARA Rule

// The hash module must be imported before hash.md5() can be used in a condition.
import "hash"

rule RabbitStew64 {
    meta:
        author = "Jaume Martin"
    condition:
        // Match only when the MD5 of the whole file (offset 0, length filesize)
        // equals the known hash; no strings are needed for an exact-hash match.
        hash.md5(0, filesize) == "fa415b6280104e813770df520b303897"
}
When this YARA rule is deployed, the following benign scenarios may surface alongside a hit; each is paired with the filter or exclusion to apply before escalating:

Scenario: A legitimate system update or patching process using Windows Update or WSUS
Filter/Exclusion: Check for process.name containing wuauclt.exe, or wsus in the command-line arguments.

Scenario: A scheduled backup job using Veeam Backup & Replication or Commvault
Filter/Exclusion: Filter by process.name containing veeam or commvault and check for known backup-related command-line arguments.

Scenario: A system administrator running a PowerShell script for routine maintenance or configuration
Filter/Exclusion: Filter by process.name containing powershell.exe and check for known admin scripts or paths such as C:\Windows\System32\WindowsPowerShell\v1.0\.

Scenario: A legitimate malware analysis tool such as Cuckoo Sandbox or Joe Sandbox
Filter/Exclusion: Filter by process.name containing cuckoo or joe and check for sandbox-specific directories or environment variables.

Scenario: A third-party application such as Docker or Kubernetes running containerized workloads
Filter/Exclusion: Filter by process.name containing docker or kube and check for container-related command-line arguments or parent-process context.
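The following Python script is an added example, not part of the original page or the rule author's code. It reproduces the RabbitStew64 condition (MD5 over the entire file) with hashlib so the matching logic can be exercised without a YARA engine, and then applies the scenario list above as a triage step: a hit is suppressed only when both the process-name test and a supporting context marker from the same scenario are present, otherwise it is escalated. The alert record fields, the sample bytes and the secondary context markers for the backup, sandbox and container scenarios are constructed for the demo; the process-name substrings and the PowerShell path are the ones on the page.

```python
"""Hash-match plus scenario-based triage for RabbitStew64 hits (added example)."""
import hashlib
from dataclasses import dataclass

# MD5 from the RabbitStew64 rule on the page.
RABBITSTEW64_MD5 = "fa415b6280104e813770df520b303897"


def md5_of_whole_file(data: bytes) -> str:
    """Equivalent of YARA's hash.md5(0, filesize): MD5 over every byte of the file."""
    return hashlib.md5(data).hexdigest()


def matches_rabbitstew64(data: bytes, target_md5: str = RABBITSTEW64_MD5) -> bool:
    """The rule's whole condition: the file's MD5 equals the known hash."""
    return md5_of_whole_file(data) == target_md5.lower()


@dataclass
class FileAlert:
    """One hit as a SOC pipeline might record it (constructed field names)."""
    path: str
    process_name: str
    command_line: str
    parent_process: str = ""


@dataclass
class Exclusion:
    """A scenario from the page: a process.name test plus a supporting context test."""
    scenario: str
    process_substrings: tuple
    context_substrings: tuple  # at least one must appear in process, command line, path or parent

    def applies(self, alert: FileAlert) -> bool:
        proc = alert.process_name.lower()
        if not any(s in proc for s in self.process_substrings):
            return False
        context = " ".join(
            (alert.process_name, alert.command_line, alert.path, alert.parent_process)
        ).lower()
        return any(s in context for s in self.context_substrings)


# Process-name substrings come from the page; context markers marked "constructed"
# are placeholders a SOC would replace with its own known-good arguments and paths.
EXCLUSIONS = (
    Exclusion("Windows Update / WSUS", ("wuauclt.exe", "wsus"), ("wuauclt.exe", "wsus")),
    Exclusion("Scheduled backup job", ("veeam", "commvault"), ("backup", "restore")),  # constructed
    Exclusion("Admin PowerShell maintenance", ("powershell.exe",),
              ("c:\\windows\\system32\\windowspowershell\\v1.0\\",)),  # path from the page
    Exclusion("Malware analysis sandbox", ("cuckoo", "joe"), ("sandbox", "analysis")),  # constructed
    Exclusion("Container runtime", ("docker", "kube"), ("containerd", "--container", "pod")),  # constructed
)


def triage(alert: FileAlert, data: bytes, target_md5: str = RABBITSTEW64_MD5) -> str:
    """Return 'no-match', 'suppressed: <scenario>' or 'escalate' for one alert."""
    if not matches_rabbitstew64(data, target_md5):
        return "no-match"
    for exclusion in EXCLUSIONS:
        if exclusion.applies(alert):
            return f"suppressed: {exclusion.scenario}"
    return "escalate"


if __name__ == "__main__":
    # Constructed sample bytes; they are not the real file, so the page's hash
    # does not match. Passing the sample's own MD5 as the target exercises the hit path.
    sample = b"constructed sample bytes, not the RabbitStew64 file"
    alert = FileAlert(path="C:\\Users\\demo\\Downloads\\update.exe",
                      process_name="update.exe", command_line="update.exe /silent")
    print(triage(alert, sample))                                    # no-match
    print(triage(alert, sample, md5_of_whole_file(sample)))         # escalate
    admin = FileAlert(path="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\maint.ps1",
                      process_name="powershell.exe",
                      command_line="powershell.exe -File maint.ps1")
    print(triage(admin, sample, md5_of_whole_file(sample)))         # suppressed: Admin PowerShell maintenance
```

Note that a process-name substring alone never suppresses a hit: a powershell.exe launch from an unexpected path still escalates, which keeps the exclusions as narrow as the page's "and check for" wording intends.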