The rootkit detection rule identifies potential adversary behavior involving hidden or stealthy malware execution that evades standard detection mechanisms. SOC teams should proactively hunt for this behavior in Azure Sentinel to uncover sophisticated threats that may persist undetected in the environment.
YARA Rule

rule rootkit
{
    meta:
        author = "xorseed"
        reference = "https://stuff.rop.io/"
    strings:
        // Names of syscall handlers and kernel helpers that a kernel-mode rootkit
        // typically references when hooking file listing, process and signal APIs.
        $sys1 = "sys_write" nocase ascii wide
        $sys2 = "sys_getdents" nocase ascii wide
        $sys3 = "sys_getdents64" nocase ascii wide
        $sys4 = "sys_getpgid" nocase ascii wide
        $sys5 = "sys_getsid" nocase ascii wide
        $sys6 = "sys_setpgid" nocase ascii wide
        $sys7 = "sys_kill" nocase ascii wide
        $sys8 = "sys_tgkill" nocase ascii wide
        $sys9 = "sys_tkill" nocase ascii wide
        $sys10 = "sys_sched_setscheduler" nocase ascii wide
        $sys11 = "sys_sched_setparam" nocase ascii wide
        $sys12 = "sys_sched_getscheduler" nocase ascii wide
        $sys13 = "sys_sched_getparam" nocase ascii wide
        $sys14 = "sys_sched_setaffinity" nocase ascii wide
        $sys15 = "sys_sched_getaffinity" nocase ascii wide
        $sys16 = "sys_sched_rr_get_interval" nocase ascii wide
        $sys17 = "sys_wait4" nocase ascii wide
        $sys18 = "sys_waitid" nocase ascii wide
        $sys19 = "sys_rt_tgsigqueueinfo" nocase ascii wide
        $sys20 = "sys_rt_sigqueueinfo" nocase ascii wide
        $sys21 = "sys_prlimit64" nocase ascii wide
        $sys22 = "sys_ptrace" nocase ascii wide
        $sys23 = "sys_migrate_pages" nocase ascii wide
        $sys24 = "sys_move_pages" nocase ascii wide
        $sys25 = "sys_get_robust_list" nocase ascii wide
        $sys26 = "sys_perf_event_open" nocase ascii wide
        $sys27 = "sys_uname" nocase ascii wide
        $sys28 = "sys_unlink" nocase ascii wide
        $sys29 = "sys_unlinkat" nocase ascii wide   // unlinkat(2) handler
        $sys30 = "sys_rename" nocase ascii wide
        $sys31 = "sys_read" nocase ascii wide
        $sys32 = "kobject_del" nocase ascii wide
        $sys33 = "list_del_init" nocase ascii wide
        $sys34 = "inet_ioctl" nocase ascii wide
    condition:
        // Any 9 of the 34 strings present (in ASCII or UTF-16LE, any case) is enough to fire.
        9 of them
}
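To make concrete what the rule's nocase ascii wide modifiers and its 9 of them condition actually test, the following is an added Python re-implementation of that matching logic, written for this page rather than taken from the rule's author. The two byte blobs are constructed samples, not real binaries, and no yara-python dependency is assumed.

```python
import re

# The 34 string patterns from the rule above.
ROOTKIT_STRINGS = [
    "sys_write", "sys_getdents", "sys_getdents64", "sys_getpgid", "sys_getsid",
    "sys_setpgid", "sys_kill", "sys_tgkill", "sys_tkill", "sys_sched_setscheduler",
    "sys_sched_setparam", "sys_sched_getscheduler", "sys_sched_getparam",
    "sys_sched_setaffinity", "sys_sched_getaffinity", "sys_sched_rr_get_interval",
    "sys_wait4", "sys_waitid", "sys_rt_tgsigqueueinfo", "sys_rt_sigqueueinfo",
    "sys_prlimit64", "sys_ptrace", "sys_migrate_pages", "sys_move_pages",
    "sys_get_robust_list", "sys_perf_event_open", "sys_uname", "sys_unlink",
    "sys_unlinkat", "sys_rename", "sys_read", "kobject_del", "list_del_init",
    "inet_ioctl",
]
THRESHOLD = 9  # the rule's "9 of them" condition


def _encodings(s: str):
    # 'ascii' and 'wide' modifiers: the literal bytes and their UTF-16LE form.
    # 'nocase' is applied below with re.IGNORECASE (ASCII case folding, as YARA does).
    yield re.escape(s.encode("ascii"))
    yield re.escape(s.encode("utf-16-le"))


def matched_strings(data: bytes) -> list:
    """Return the pattern names that occur in data under any encoding/case."""
    hits = []
    for s in ROOTKIT_STRINGS:
        if any(re.search(p, data, re.IGNORECASE) for p in _encodings(s)):
            hits.append(s)
    return hits


def rule_fires(data: bytes) -> bool:
    """True when at least THRESHOLD distinct patterns are present, like '9 of them'."""
    return len(matched_strings(data)) >= THRESHOLD


# Constructed samples: a blob resembling a benign module's symbol table, and one
# resembling a module that references many of the hooked syscalls. The second
# mixes upper case and UTF-16LE to exercise the nocase and wide modifiers.
BENIGN_SAMPLE = b"\x7fELF\x00kobject_del\x00list_del_init\x00printk\x00module_layout\x00"
SUSPICIOUS_SAMPLE = (
    b"SYS_GETDENTS64\x00sys_getdents\x00sys_kill\x00sys_read\x00sys_write\x00"
    b"sys_unlinkat\x00sys_rename\x00" + "sys_ptrace".encode("utf-16-le") + b"\x00"
    + "Kobject_Del".encode("utf-16-le") + b"\x00inet_ioctl\x00"
)

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_SAMPLE), ("suspicious", SUSPICIOUS_SAMPLE)):
        hits = matched_strings(blob)
        print(f"{name}: {len(hits)} of {len(ROOTKIT_STRINGS)} -> fires={rule_fires(blob)}")
```

Note that sys_unlink also matches inside sys_unlinkat and sys_getdents inside sys_getdents64, exactly as YARA counts them, so a single symbol can contribute two hits toward the threshold.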
This rule contains 34 string patterns in its detection logic and fires when at least 9 of them are present. When deploying it, the following scenarios describe legitimate activity that may produce matches, together with the filter or exclusion to apply in each case:
Scenario: System update or patch installation using WSUS (Windows Server Update Services)
Filter/Exclusion: Check for presence of wsus or update in the process name or command line, or filter by process parent (e.g., svchost.exe or wuauserv.exe).
Scenario: Scheduled job running PowerShell scripts for system maintenance or configuration management (e.g., Ansible, Chef, or Puppet)
Filter/Exclusion: Filter by process name powershell.exe with command line arguments containing ansible, chef, or puppet, or check for known legitimate scripts in a configured script directory.
Scenario: Logon session or remote desktop session initiated by an administrator using RDP (Remote Desktop Protocol)
Filter/Exclusion: Filter by process name mstsc.exe or rdpclip.exe, or check for presence of rdp in the command line, or correlate with known admin user logins.
Scenario: Disk imaging or forensic tool such as FTK Imager or EnCase being used by the SOC team for incident response
Filter/Exclusion: Filter by process name ftkimager.exe, encase.exe, or check for presence of forensic or incident response in the command line.
Scenario: Antivirus or endpoint protection tool such as Kaspersky, Bitdefender, or Malwarebytes performing a full system scan
Filter/Exclusion: Filter by process name kav.exe, bdagent.exe, or mbam.exe, or check for presence of scan, virus, or malware in the command line.