The rule detects potential lateral movement by identifying unusual network traffic patterns that may indicate an adversary moving within the network. SOC teams operating Azure Sentinel should proactively hunt for this behavior to identify and mitigate early-stage threats before they escalate.
YARA Rule
rule rtf_yahoo_ken
{
    meta:
        author = "@patrickrolsen"
        maltype = "Yahoo Ken"
        filetype = "RTF"
        version = "0.1"
        description = "Test rule"
        date = "2013-12-14"
    strings:
        $magic1 = { 7b 5c 72 74 30 31 } // {\rt01
        $magic2 = { 7b 5c 72 74 66 31 } // {\rtf1
        $magic3 = { 7b 5c 72 74 78 61 33 } // {\rtxa3
        $author1 = { 79 61 68 6f 6f 20 6b 65 63 } // "yahoo kec" as encoded (last byte 0x63 = 'c'); the rule name and maltype say "ken", which would end in 0x6e
    condition:
        // Each RTF header signature must sit at offset 0. The original condition,
        // ($magic1 or $magic2 or $magic3 at 0), binds 'at 0' to $magic3 only in
        // YARA's grammar, so $magic1 and $magic2 would match anywhere in the file.
        ($magic1 at 0 or $magic2 at 0 or $magic3 at 0) and $author1
}
This YARA rule can be deployed in the following contexts:
This rule contains 4 string patterns in its detection logic: three RTF header signatures ($magic1, $magic2, $magic3) and one author string ($author1).
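To make the rule's logic checkable without a YARA install, the following is an added Python model of its condition. It is not part of the original page or of @patrickrolsen's rule; the byte patterns are copied from the strings section above, and every sample input is constructed. It evaluates the condition as published, `($magic1 or $magic2 or $magic3 at 0) and $author1`, where YARA binds `at 0` to `$magic3` only, beside a variant with every header signature anchored at offset 0, so the difference on a non-RTF blob that merely contains an RTF fragment is visible.

```python
"""Plain-Python model of the rtf_yahoo_ken condition (added example).

Not part of the original rule or page. Reproduces the rule's byte patterns
and evaluates two readings of its condition over constructed byte strings,
so the effect of YARA's 'at 0' precedence can be checked without yara.
"""

# String patterns copied byte-for-byte from the rule's strings section.
# bytes.fromhex() ignores the spaces, so the hex can be pasted as-is.
MAGIC = {
    "$magic1": bytes.fromhex("7b 5c 72 74 30 31"),     # {\rt01
    "$magic2": bytes.fromhex("7b 5c 72 74 66 31"),     # {\rtf1
    "$magic3": bytes.fromhex("7b 5c 72 74 78 61 33"),  # {\rtxa3
}
# Decodes to b"yahoo kec": the last byte is 0x63 ('c'), not 0x6e ('n').
AUTHOR = bytes.fromhex("79 61 68 6f 6f 20 6b 65 63")


def matches_as_published(data: bytes) -> bool:
    """Condition exactly as the rule states it.

    In YARA, 'at' binds tighter than 'or', so
        $magic1 or $magic2 or $magic3 at 0
    reads as  $magic1 or $magic2 or ($magic3 at 0):
    only $magic3 is anchored to offset 0; the other two match anywhere.
    """
    header_ok = (
        MAGIC["$magic1"] in data
        or MAGIC["$magic2"] in data
        or data.startswith(MAGIC["$magic3"])
    )
    return header_ok and AUTHOR in data


def matches_anchored(data: bytes) -> bool:
    """Condition with every header signature anchored at offset 0."""
    header_ok = any(data.startswith(m) for m in MAGIC.values())
    return header_ok and AUTHOR in data


# --- constructed samples (not real files) -----------------------------------

# A minimal RTF-shaped document whose \author field carries the string.
RTF_SAMPLE = (
    b"{\\rtf1\\ansi\\deff0{\\info{\\author yahoo kec}}"
    b"{\\fonttbl{\\f0 Arial;}}\\pard Hello\\par}"
)

# A non-RTF blob (PE-like 'MZ' prefix) that only contains an RTF fragment
# and the author string somewhere in its body.
EMBEDDED_SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 60
    + b"...{\\rtf1 fragment}..." + b"yahoo kec" + b"\x00" * 16
)

# A well-formed RTF without the author string.
BENIGN_RTF = b"{\\rtf1\\ansi\\deff0{\\info{\\author jane}}\\pard Hi\\par}"


def evaluate(samples: dict) -> dict:
    """Return {name: (as_published, anchored)} for each sample."""
    return {
        name: (matches_as_published(data), matches_anchored(data))
        for name, data in samples.items()
    }


if __name__ == "__main__":
    results = evaluate(
        {"rtf": RTF_SAMPLE, "embedded": EMBEDDED_SAMPLE, "benign": BENIGN_RTF}
    )
    for name, (published, anchored) in results.items():
        print(f"{name:9s} as_published={published!s:5s} anchored={anchored}")
```

The `embedded` sample is the case that matters operationally: as published, the rule fires on any file that contains `{\rtf1` and the author bytes anywhere, while the anchored variant restricts hits to files that actually begin with an RTF header. The `AUTHOR` constant also makes the "ken" versus "kec" discrepancy concrete, since the rule matches only the bytes it encodes, not the name in its metadata.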
Scenario: Scheduled system backup using Veeam Backup & Replication
Filter/Exclusion: Exclude events where the source process is veeam.exe or vmrun.exe and the destination path contains backup or vmbackup.
Scenario: Regular Windows Update installation via Group Policy
Filter/Exclusion: Exclude events where the process is wuauclt.exe and the event description contains “Windows Update” or “Group Policy”.
Scenario: PowerShell scheduled task for log rotation or cleanup
Filter/Exclusion: Exclude events where the process is powershell.exe and the command line includes logrotate.ps1, Cleanup-Logs.ps1, or similar script names.
Scenario: Ansible playbook execution for configuration management
Filter/Exclusion: Exclude events where the process is ansible.exe and the command line includes --playbook with paths like config_mgmt.yml or site.yml.
Scenario: SQL Server Agent Job running maintenance tasks
Filter/Exclusion: Exclude events where the process is sqlagent.exe and the job name contains Maintenance, Index, or Backup.