The Hacking Team RCS Scout detection rule identifies potential adversary behavior in which a compromised or malicious device is used to gather information about a network, an indicator of reconnaissance activity. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect early-stage threats and prevent further exploitation of network resources.
YARA Rule
rule RCS_Scout
{
    meta:
        description = "Hacking Team RCS Scout"
        author = "botherder https://github.com/botherder"
    strings:
        $filter1 = "$engine5"
        $filter2 = "$start4"
        $filter3 = "$upd2"
        $filter4 = "$lookma6"
        $engine1 = /(E)ngine started/ wide ascii
        $engine2 = /(R)unning in background/ wide ascii
        $engine3 = /(L)ocking doors/ wide ascii
        $engine4 = /(R)otors engaged/ wide ascii
        $engine5 = /(I)\'m going to start it/ wide ascii
        $start1 = /Starting upgrade\!/ wide ascii
        $start2 = /(I)\'m going to start the program/ wide ascii
        $start3 = /(i)s it ok\?/ wide ascii
        $start4 = /(C)lick to start the program/ wide ascii
        $upd1 = /(U)pdJob/ wide ascii
        $upd2 = /(U)pdTimer/ wide ascii
        $lookma1 = /(O)wning PCI bus/ wide
        $lookma2 = /(F)ormatting bios/ wide
        $lookma3 = /(P)lease insert a disk in drive A:/ wide
        $lookma4 = /(U)pdating CPU microcode/ wide
        $lookma5 = /(N)ot sure what's happening/ wide
        $lookma6 = /(L)ook ma, no thread id\! \\\\o\// wide
    condition:
        (all of ($engine*) or all of ($start*) or all of ($upd*) or 4 of ($lookma*)) and not any of ($filter*)
}
This YARA rule can be deployed in the following contexts:
This rule contains 21 string patterns in its detection logic.
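To see how the condition above combines its string groups, the wide/ascii modifiers and the $filter exclusion, here is an added Python emulation of the rule's logic. It is not the rule author's code and not a substitute for running YARA; the pattern groups are transcribed from the rule, and the sample buffers are constructed for illustration.

```python
import re

# Pattern groups and modifiers transcribed from the RCS_Scout rule above. The
# parenthesised first letters stop the rule source from matching its own
# patterns, and the $filter literals (the rule's own identifiers) exclude any
# file that quotes the rule, such as a signature bundle or a scan report.
GROUPS = {
    "engine": [r"(E)ngine started", r"(R)unning in background", r"(L)ocking doors",
               r"(R)otors engaged", r"(I)'m going to start it"],
    "start": [r"Starting upgrade!", r"(I)'m going to start the program",
              r"(i)s it ok\?", r"(C)lick to start the program"],
    "upd": [r"(U)pdJob", r"(U)pdTimer"],
    "lookma": [r"(O)wning PCI bus", r"(F)ormatting bios",
               r"(P)lease insert a disk in drive A:", r"(U)pdating CPU microcode",
               r"(N)ot sure what's happening", r"(L)ook ma, no thread id! \\\\o/"],
}
MODIFIERS = {"engine": ("wide", "ascii"), "start": ("wide", "ascii"),
             "upd": ("wide", "ascii"), "lookma": ("wide",)}
FILTERS = [b"$engine5", b"$start4", b"$upd2", b"$lookma6"]  # plain strings: ascii only

def _views(data: bytes, modifiers):
    """Text views of the buffer in which YARA's ascii / wide modifiers would match."""
    if "ascii" in modifiers:
        yield data.decode("latin-1")
    if "wide" in modifiers:  # UTF-16LE text may sit at either byte alignment
        for off in (0, 1):
            yield data[off:].decode("utf-16-le", errors="ignore")

def count_hits(group: str, data: bytes) -> int:
    """Number of strings in a group that match at least once."""
    views = list(_views(data, MODIFIERS[group]))
    return sum(1 for p in GROUPS[group] if any(re.search(p, v) for v in views))

def rcs_scout_matches(data: bytes) -> bool:
    """Evaluate the rule's condition clause exactly as written."""
    hits = {g: count_hits(g, data) for g in GROUPS}
    positive = (hits["engine"] == 5 or hits["start"] == 4
                or hits["upd"] == 2 or hits["lookma"] >= 4)
    excluded = any(f in data for f in FILTERS)  # "not any of ($filter*)"
    return positive and not excluded

# Constructed sample buffers (not real RCS Scout artefacts).
SAMPLE_UPD = b"\x00" * 8 + b"UpdJob" + b"\x00" * 4 + b"UpdTimer" + b"\xff" * 4
SAMPLE_LOOKMA_WIDE = ("Owning PCI bus\0Formatting bios\0Updating CPU microcode"
                      "\0Not sure what's happening").encode("utf-16-le")
SAMPLE_LOOKMA_ASCII = SAMPLE_LOOKMA_WIDE.decode("utf-16-le").encode()  # lookma is wide-only
SAMPLE_SCAN_REPORT = b"strings seen: UpdJob, UpdTimer (rule ids $upd1, $upd2)"
SAMPLE_RULE_SOURCE = b"$upd1 = /(U)pdJob/ wide ascii\n$upd2 = /(U)pdTimer/ wide ascii"
```

rcs_scout_matches(SAMPLE_SCAN_REPORT) returns False even though both $upd strings are present, which is the $filter exclusion at work; SAMPLE_LOOKMA_ASCII fails because the $lookma group is wide-only.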
Scenario: Scheduled System Maintenance Job
Description: A legitimate system maintenance job (e.g., schtasks.exe or task scheduler) runs a script that temporarily elevates privileges or interacts with system services.
Filter/Exclusion: Check for process.parent.name == "schtasks.exe" or process.name == "taskhost.exe" and exclude based on known maintenance scripts or job names.
Scenario: Admin Task - User Account Creation
Description: An administrator creates a new user account using net user or PowerShell, which may trigger privilege escalation detection due to administrative actions.
Filter/Exclusion: Filter by process.name == "cmd.exe" or process.name == "powershell.exe" and check for command-line arguments like /c net user or New-LocalUser.
Scenario: Logon Session Creation via Remote Desktop
Description: A legitimate remote desktop session (e.g., mstsc.exe) creates a new logon session, which may be flagged because its behavior resembles that of lateral movement tools.
Filter/Exclusion: Filter by process.name == "mstsc.exe" or process.name == "tsclient.exe" and check for logon.session.type == "remote".
Scenario: Software Update Deployment via Group Policy
Description: A Group Policy update (e.g., gpupdate.exe) may trigger administrative actions that resemble malicious behavior.
Filter/Exclusion: Filter by process.name == "gpupdate.exe" or process.name == "gupdate.exe" and check for process.parent.name == "services.exe".
Scenario: Database Backup Job Execution
Description: A database backup job (e.g., SQL Server Agent job or sqlbackup.exe) may interact with system services or elevate privileges temporarily.
*Filter