The detection rule identifies potential lateral movement or unauthorized access attempts through unusual network traffic patterns and suspicious process creation activities. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage adversary activity that may evade traditional detection methods.
YARA Rule
rule rtf_Kaba_jDoe
{
    meta:
        author = "@patrickrolsen"
        maltype = "APT.Kaba"
        filetype = "RTF"
        version = "0.1"
        description = "fe439af268cd3de3a99c21ea40cf493f, d0e0e68a88dce443b24453cc951cf55f, b563af92f144dea7327c9597d9de574e, and def0c9a4c732c3a1e8910db3f9451620"
        date = "2013-12-10"
    strings:
        // RTF header variants
        $magic1 = { 7b 5c 72 74 30 31 }          // {\rt01
        $magic2 = { 7b 5c 72 74 66 31 }          // {\rtf1
        $magic3 = { 7b 5c 72 74 78 61 33 }       // {\rtxa3
        // Author metadata left in the documents
        $author1 = { 4A 6F 68 6E 20 44 6F 65 }   // "John Doe"
        $author2 = { 61 75 74 68 6f 72 20 53 74 6f 6e 65 } // "author Stone"
        // "D0", 16 wildcard bytes, "CF", 23 wildcard bytes, "11E"
        $string1 = { 44 30 [16] 43 46 [23] 31 31 45 }
    condition:
        // Note: in YARA `at` binds tighter than `or`, so as written only
        // $magic3 is anchored to offset 0; $magic1 and $magic2 may match
        // anywhere in the file.
        ($magic1 or $magic2 or $magic3 at 0) and all of ($author*) and $string1
}
This YARA rule can be deployed in the following contexts:
This rule contains 6 string patterns in its detection logic.
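The following is an added example, not part of the page or of the rule author's work: it re-implements the rule's condition in plain Python so the operator-precedence behaviour of `$magic3 at 0` can be checked against constructed (non-malicious) byte samples without a YARA install. The sample bytes and the `strict_magic` switch are assumptions made for the demonstration.

```python
import re

# Byte forms of the rule's hex strings (constructed from the rule, not file samples).
MAGIC = {
    "$magic1": b"{\\rt01",
    "$magic2": b"{\\rtf1",
    "$magic3": b"{\\rtxa3",
}
AUTHORS = [b"John Doe", b"author Stone"]
# $string1 = { 44 30 [16] 43 46 [23] 31 31 45 } as a byte regex:
# "D0", exactly 16 arbitrary bytes, "CF", exactly 23 arbitrary bytes, "11E".
STRING1 = re.compile(rb"D0.{16}CF.{23}11E", re.DOTALL)


def rule_matches(data: bytes, strict_magic: bool = False) -> bool:
    """Evaluate rtf_Kaba_jDoe's condition over `data`.

    strict_magic=False reproduces the condition as written: YARA's `at`
    binds tighter than `or`, so only $magic3 is anchored to offset 0.
    strict_magic=True (an assumed variant) anchors all three headers.
    """
    if strict_magic:
        magic_ok = any(data.startswith(m) for m in MAGIC.values())
    else:
        magic_ok = (MAGIC["$magic1"] in data
                    or MAGIC["$magic2"] in data
                    or data.startswith(MAGIC["$magic3"]))
    authors_ok = all(a in data for a in AUTHORS)   # all of ($author*)
    return magic_ok and authors_ok and STRING1.search(data) is not None


# Constructed benign samples: RTF-like header plus the rule's author and
# D0/CF/11E markers, with filler bytes standing in for the wildcard jumps.
BODY = (b"{\\author John Doe}{\\operator author Stone} D0"
        + b"A" * 16 + b"CF" + b"B" * 23 + b"11E")
SAMPLE_GOOD = b"{\\rtf1" + BODY          # header at offset 0
SAMPLE_SHIFTED = b"junk " + SAMPLE_GOOD  # header pushed off offset 0


def demo() -> dict:
    return {
        "good_as_written": rule_matches(SAMPLE_GOOD),
        "good_strict": rule_matches(SAMPLE_GOOD, strict_magic=True),
        "shifted_as_written": rule_matches(SAMPLE_SHIFTED),
        "shifted_strict": rule_matches(SAMPLE_SHIFTED, strict_magic=True),
    }


if __name__ == "__main__":
    for name, hit in demo().items():
        print(f"{name}: {hit}")
```

The shifted sample still fires under the condition as written, which is the behaviour to keep in mind when tuning this rule's header check.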
Scenario: A system administrator is using PowerShell to perform a scheduled system cleanup task that involves querying and deleting temporary files.
Filter/Exclusion: Exclude events where the process name is powershell.exe and the command line contains Cleanup-Item or Remove-Item with paths like C:\Windows\Temp\*.
Scenario: A database administrator is running a SQL Server Agent Job that periodically backs up and purges old log files.
Filter/Exclusion: Exclude events where the process name is sqlservr.exe and the command line includes sqlagent -d or the file path contains C:\Program Files\Microsoft SQL Server\.
Scenario: A DevOps engineer is using Ansible to automate the cleanup of old Docker containers across multiple hosts.
Filter/Exclusion: Exclude events where the process name is ansible and the command line includes docker ps -a | grep 'Exited' | awk '{print $1}' | xargs docker rm or similar Docker cleanup commands.
Scenario: A security analyst is manually reviewing logs using LogParser to investigate potential security incidents, which may involve querying and deleting log files.
Filter/Exclusion: Exclude events where the process name is logparser.exe and the command line includes SELECT * FROM <log_file> or DELETE FROM <log_file>.
Scenario: A backup job using Veeam Backup & Replication is running and temporarily deletes old backup files to free up disk space.
Filter/Exclusion: Exclude events where the process name is veeam.exe and the command line includes Backup-VM or Delete-Backup with paths in the backup storage directory.