Auto-generated rule - file SHF-000052 and ndisips.sys

Hunt Hypothesis

The detection identifies potential unauthorized modification or execution of the ndisips.sys file, which could indicate tampering with network driver components. SOC teams should proactively hunt for this behavior to detect early signs of malware persistence or privilege escalation attempts in their Azure Sentinel environment.

YARA Rule

rule Regin_Sample_Set_1 
{

    meta:
        description = "Auto-generated rule - file SHF-000052 and ndisips.sys"
        author = "@MalwrSignatures"
        date = "26.11.14"
        hash1 = "8487a961c8244004c9276979bb4b0c14392fc3b8"
        hash2 = "bcf3461d67b39a427c83f9e39b9833cfec977c61"      

    strings:
        $s0 = "HAL.dll" fullword ascii
        $s1 = "IoGetDeviceObjectPointer" fullword ascii
        $s2 = "MaximumPortsServiced" fullword wide
        $s3 = "KeGetCurrentIrql" fullword ascii
        $s4 = "ntkrnlpa.exe" fullword ascii
        $s5 = "\\REGISTRY\\Machine\\System\\CurrentControlSet\\Control\\Session Manager" wide
        $s6 = "ConnectMultiplePorts" fullword wide
        $s7 = "\\SYSTEMROOT" fullword wide
        $s8 = "IoWriteErrorLogEntry" fullword ascii
        $s9 = "KeQueryPerformanceCounter" fullword ascii
        $s10 = "KeServiceDescriptorTable" fullword ascii
        $s11 = "KeRemoveEntryDeviceQueue" fullword ascii
        $s12 = "SeSinglePrivilegeCheck" fullword ascii
        $s13 = "KeInitializeEvent" fullword ascii
        $s14 = "IoBuildDeviceIoControlRequest" fullword ascii
        $s15 = "KeRemoveDeviceQueue" fullword ascii
        $s16 = "IofCompleteRequest" fullword ascii
        $s17 = "KeInitializeSpinLock" fullword ascii
        $s18 = "MmIsNonPagedSystemAddressValid" fullword ascii
        $s19 = "IoCreateDevice" fullword ascii
        $s20 = "KefReleaseSpinLockFromDpcLevel" fullword ascii
   
    condition:
        all of them and filesize < 40KB and filesize > 30KB
}

Deployment Notes

This YARA rule can be deployed in the following contexts:

• Microsoft Defender for Endpoint — Custom indicators / advanced hunting
• Email Gateway — Attachment scanning
• File Share Monitoring — Periodic scanning of shared drives
• YARA CLI — Manual threat hunting on endpoints

This rule contains 21 string patterns in its detection logic.

• Source Rule

False Positive Guidance

• Scenario: Windows Update or Microsoft Defender scheduled scan
  Filter/Exclusion: process.parent_process != "svchost.exe" OR process.parent_process != "WindowsUpdate.exe" OR process.parent_process != "MsMpEng.exe"

• Scenario: System file integrity check using DISM or SFC
  Filter/Exclusion: process.name != "dism.exe" AND process.name != "sfc.exe"

• Scenario: Network driver installation via Windows Device Manager
  Filter/Exclusion: process.name != "devmgmt.msc" AND process.name != "setupapi.exe"

• Scenario: Scheduled backup or system image creation using VSS (Volume Shadow Copy Service)
  Filter/Exclusion: process.name != "vssvc.exe" AND process.name != "wbemcons.exe"

• Scenario: Antivirus or endpoint protection software performing a full system scan
  Filter/Exclusion: process.name != "mpsvc.exe" AND process.name != "mcafee.exe" AND process.name != "avgnt.exe"