The Hacking Team RCS Backdoor rule flags files and memory regions that carry debug, logging and error strings from Hacking Team's Remote Control System (RCS) agent, a commercial implant built for covert, long-term access to compromised hosts. A match means the implant, or a copy of it, is present on the scanned system. Because the agent is designed to hide from conventional endpoint defences, SOC teams should scan endpoints with this rule proactively and forward hits to their SIEM (for example Azure Sentinel) for triage rather than wait for an alert from other controls.
YARA Rule
rule RCS_Backdoor
{
    meta:
        description = "Hacking Team RCS Backdoor"
        author = "botherder https://github.com/botherder"
    strings:
        // Plain strings (ASCII only, case-sensitive) that occur in copies of this
        // rule's own source; they stop the rule matching itself or a rule repository.
        $filter1 = "$debug3"
        $filter2 = "$log2"
        $filter3 = "error2"
        // Debug messages emitted by the agent, searched as ASCII and UTF-16LE (wide).
        $debug1 = /\- (C)hecking components/ wide ascii
        $debug2 = /\- (A)ctivating hiding system/ wide ascii
        $debug3 = /(f)ully operational/ wide ascii
        // Browser-monitoring log lines.
        $log1 = /\- Browser activity \(FF\)/ wide ascii
        $log2 = /\- Browser activity \(IE\)/ wide ascii
        // Disabled by the author: generic enough to cause false positives.
        //$log3 = /\- About to call init routine at %p/ wide ascii
        //$log4 = /\- Calling init routine at %p/ wide ascii
        // Error messages from the installer/deployment stage.
        $error1 = /\[Unable to deploy\]/ wide ascii
        $error2 = /\[The system is already monitored\]/ wide ascii
    condition:
        // At least two debug strings, or both browser-log strings, or both error
        // strings, and none of the self-match filters.
        (2 of ($debug*) or 2 of ($log*) or all of ($error*)) and not any of ($filter*)
}
This YARA rule is evaluated against file and memory content by any YARA-capable scanner (the yara command-line tool, endpoint agents and sandbox pipelines that load YARA rules); hits can then be forwarded to a SIEM for triage.
This rule contains 10 active string patterns (3 filter, 3 debug, 2 log, 2 error). Two further log patterns, $log3 and $log4, are present but commented out because the author found they caused false positives.
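To make the condition concrete, the following is an added example (not code from the rule author or from this page) that re-implements the RCS_Backdoor logic in pure Python and runs it over constructed byte blobs. It assumes two things: that YARA's `ascii` and `wide` modifiers reduce to a substring search for the pattern in ASCII and in UTF-16LE, and that the rule's regexes are equivalent to literal strings once the grouping parentheses and backslash escapes are removed (both hold for this rule). The sample blobs are constructed for the demonstration and are not real RCS artifacts.

```python
"""Pure-Python re-implementation of the RCS_Backdoor condition, run over
constructed samples. Assumption: YARA 'ascii'/'wide' matching of these
patterns is equivalent to a substring search in ASCII and UTF-16LE."""

# Literal forms of the rule's regexes (no metacharacters remain once the
# grouping parentheses and backslash escapes are dropped).
DEBUG = ["- Checking components", "- Activating hiding system", "fully operational"]
LOG = ["- Browser activity (FF)", "- Browser activity (IE)"]
ERROR = ["[Unable to deploy]", "[The system is already monitored]"]
# Plain YARA strings without modifiers are ASCII-only and case-sensitive.
FILTER = ["$debug3", "$log2", "error2"]


def wide(s: str) -> bytes:
    """UTF-16LE form of a pattern, which is what YARA's 'wide' modifier searches."""
    return s.encode("utf-16-le")


def encodings(pattern: str, is_wide: bool) -> list[bytes]:
    """Byte forms YARA would look for: ASCII always, UTF-16LE when 'wide' is set."""
    forms = [pattern.encode("ascii")]
    if is_wide:
        forms.append(wide(pattern))
    return forms


def matched(data: bytes, patterns: list[str], is_wide: bool) -> int:
    """Count how many patterns of a group occur in data in any enabled encoding."""
    return sum(1 for p in patterns if any(f in data for f in encodings(p, is_wide)))


def rcs_backdoor(data: bytes) -> bool:
    """(2 of $debug* or 2 of $log* or all of $error*) and not any of $filter*."""
    if matched(data, FILTER, is_wide=False):
        return False  # looks like a copy of the rule source itself
    return (matched(data, DEBUG, is_wide=True) >= 2
            or matched(data, LOG, is_wide=True) >= 2
            or matched(data, ERROR, is_wide=True) == len(ERROR))


# Constructed samples (not real RCS artifacts); the padding bytes stand in for
# the rest of a binary or document.
SAMPLES = {
    # Two UTF-16LE debug messages, as a Windows binary would store them.
    "wide_debug_pair": b"\x00" * 16 + wide("- Checking components")
                       + b"\x90" * 8 + wide("- Activating hiding system"),
    # Both browser-log strings in ASCII.
    "ascii_log_pair": b"MZ..." + b"- Browser activity (FF)\x00- Browser activity (IE)\x00",
    # One debug string alone: below the "2 of" threshold.
    "single_debug": b"junk " + wide("fully operational") + b" junk",
    # Only one of the two error strings: "all of" is not satisfied.
    "single_error": b"[Unable to deploy]",
    # Both error strings, in mixed encodings.
    "both_errors": b"[Unable to deploy] ... " + wide("[The system is already monitored]"),
    # A copy of the rule source: carries two debug strings but also "$debug3",
    # so the filter suppresses it.
    "rule_source_copy": (b"$debug3 = /(f)ully operational/ wide ascii\n"
                         b"- Checking components\n- Activating hiding system\n"),
    # Case differs: YARA regexes are case-sensitive unless 'nocase' is given.
    "wrong_case": b"- checking components - activating hiding system",
}


def scan_samples() -> dict[str, bool]:
    """Evaluate the rule over every constructed sample."""
    return {name: rcs_backdoor(blob) for name, blob in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in scan_samples().items():
        print(f"{name:18} {'MATCH' if hit else 'no match'}")
```

The `rule_source_copy` and `wrong_case` samples show the two behaviours most often misread in this rule: the $filter strings exist so that scanning a directory of YARA rules (or a report that reproduces the rule) does not fire, and the regexes are case-sensitive, so a lower-cased variant of the strings is not a hit.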
Note on what does and does not trigger this rule: YARA evaluates file and memory content against the literal strings listed above. Base64-encoded command lines (scheduled tasks, PowerShell encoded commands, msiexec arguments), log-parser output and in-house data obfuscation do not resemble any of these patterns and will not fire the rule; exclusions keyed on schtasks.exe, powershell.exe, msiexec.exe or log-management processes are therefore unnecessary here. The realistic false-positive sources are the ones below.
Scenario: Copies of the rule itself or documents quoting its strings
Description: YARA rule repositories, threat-intelligence reports and pages like this one reproduce several of the $debug or $log strings in a single file, which satisfies the "2 of" conditions.
Filter/Exclusion: The $filter strings already suppress anything that also contains "$debug3", "$log2" or "error2", i.e. the rule source. For reports that quote only the indicators, exclude the file by path or hash rather than loosening the condition.
Scenario: Unrelated software containing generic logging text
Description: Messages such as "About to call init routine at %p" appear in software unconnected to RCS, which is why the author commented out $log3 and $log4. The remaining strings are specific enough that a file carrying two of them warrants investigation.
Filter/Exclusion: Keep $log3 and $log4 disabled. Before excluding a hit, confirm the matched file's origin, signer and hash, and submit it for sandbox analysis.
Scenario: Internal tool using base64 for data obfuscation