A threat actor may be using a configuration text file to establish a data exfiltration mechanism in a RUAG-related attack, leveraging file-based communication for command and control. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential data exfiltration channels early in the attack lifecycle.
YARA Rule
rule RUAG_Exfil_Config_File
{
    meta:
        description = "Detects a config text file used in data exfiltration in RUAG case"
        author = "Florian Roth"
        reference = "https://goo.gl/N5MEj0"
        score = 60
    strings:
        $h1 = "[TRANSPORT]" ascii
        $s1 = "system_pipe" ascii
        $s2 = "spstatus" ascii
        $s3 = "adaptable" ascii
        $s4 = "post_frag" ascii
        $s5 = "pfsgrowperiod" ascii
    condition:
        $h1 at 0 and all of ($s*) and filesize < 1KB
}
This YARA rule contains six string patterns in its detection logic: the section header $h1 ("[TRANSPORT]"), which must sit at offset 0, and the five keywords $s1 to $s5, all of which must be present in a file smaller than 1 KB. The scenarios below describe benign contexts in which the rule may still fire and the exclusions to apply when deploying it.
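The following is an added example, not part of the original page or of the rule author's tooling: a pure-Python re-implementation of the rule's condition that can be used to unit-test its logic against constructed samples without a YARA engine. The sample files, their key values and the helper names are assumptions made for the example.

```python
# Added example: re-implements the RUAG_Exfil_Config_File condition in Python
# so the three sub-conditions ($h1 at 0, all of ($s*), filesize < 1KB) can be
# checked and explained individually. Not the rule author's code.
from typing import Dict

HEADER = b"[TRANSPORT]"  # $h1, must sit at offset 0
KEYWORDS = {             # $s1 .. $s5, all must occur somewhere in the file
    "$s1": b"system_pipe",
    "$s2": b"spstatus",
    "$s3": b"adaptable",
    "$s4": b"post_frag",
    "$s5": b"pfsgrowperiod",
}
MAX_SIZE = 1024          # filesize < 1KB (YARA's KB is 1024 bytes)


def evaluate(data: bytes) -> Dict[str, bool]:
    """Return the truth value of each sub-condition of the rule."""
    result = {"h1_at_0": data.startswith(HEADER)}   # '$h1 at 0'
    for name, pattern in KEYWORDS.items():
        result[name] = pattern in data              # part of 'all of ($s*)'
    result["size_ok"] = len(data) < MAX_SIZE        # 'filesize < 1KB'
    return result


def matches(data: bytes) -> bool:
    """Equivalent of: $h1 at 0 and all of ($s*) and filesize < 1KB."""
    return all(evaluate(data).values())


# Constructed samples (hypothetical, not real RUAG artefacts): a hit, the same
# content with the header displaced, and a padded copy over the size limit.
SAMPLE_HIT = (
    b"[TRANSPORT]\r\n"
    b"system_pipe=example_pipe\r\n"
    b"spstatus=1\r\nadaptable=1\r\npost_frag=1\r\npfsgrowperiod=60\r\n"
)
SAMPLE_HEADER_OFFSET = b"; leading comment\r\n" + SAMPLE_HIT
SAMPLE_TOO_BIG = SAMPLE_HIT + b"x" * MAX_SIZE

if __name__ == "__main__":
    for label, blob in [("hit", SAMPLE_HIT),
                        ("header not at 0", SAMPLE_HEADER_OFFSET),
                        ("too large", SAMPLE_TOO_BIG)]:
        print(f"{label:16} -> {matches(blob)}  {evaluate(blob)}")
```

The second and third samples show why a tuned copy of the rule should keep the offset anchor and size bound: dropping either widens the match set to arbitrary text that merely mentions the keywords.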
Scenario: Scheduled backup job exporting configuration files
Description: A legitimate scheduled backup job exports configuration files to a remote server as part of a routine data retention policy.
Filter/Exclusion: process.name != "backup_tool.exe" OR file.path NOT LIKE "%backup%"
Scenario: Admin manually configuring data export settings
Description: An administrator manually edits a configuration file to adjust data export settings for a reporting tool (e.g., Splunk or Elasticsearch).
Filter/Exclusion: user.name != "admin" OR process.name != "notepad.exe" OR file.path NOT LIKE "%config%"
Scenario: Log file rotation or archiving process
Description: A log rotation tool (e.g., logrotate) generates or moves configuration files as part of its archival process.
Filter/Exclusion: process.name != "logrotate" OR file.path NOT LIKE "%logs%"
Scenario: CI/CD pipeline configuration file generation
Description: A CI/CD pipeline (e.g., Jenkins, GitLab CI) generates or updates configuration files during deployment as part of the build process.
Filter/Exclusion: process.name NOT LIKE "%jenkins%" OR file.path NOT LIKE "%ci_cd%"
Scenario: User-generated config file for application setup
Description: A user creates or modifies a configuration file for a legitimate application (e.g., PostgreSQL, Nginx) during setup or customization.
Filter/Exclusion: user.name NOT LIKE "%admin%" OR process.name NOT LIKE "%setup.exe%"