The hypothesis is that an adversary is attempting to execute a malicious payload by embedding an executable with a deliberately malformed PE header inside an otherwise legitimate-looking file, a technique used by the Tavdig malware to slip past tools that expect a well-formed PE structure. SOC teams should hunt for this behavior proactively: the YARA rule below runs on endpoints or in a file-scanning pipeline, and its matches are ingested into Azure Sentinel (now Microsoft Sentinel), where they can be correlated with process and file telemetry to identify and contain stealthy execution attempts that bypass traditional signature-based detection.
YARA Rule
rule RUAG_Tavdig_Malformed_Executable
{
    meta:
        description = "Detects an embedded executable with a malformed header - known from Tavdig malware"
        author = "Florian Roth"
        reference = "https://goo.gl/N5MEj0"
        score = 60
    condition:
        /* MZ Header and malformed PE header > 0x0bad */
        uint16(0) == 0x5a4d and uint32(uint32(0x3C)) == 0x0000AD0B
}
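The following is an added example, not code from the rule author or from the RUAG report: a Python re-implementation of the rule's condition, so the same check can be run over a directory of files (or over samples pulled for triage) without a YARA engine, and so the edge cases YARA handles silently are visible. uint16()/uint32() in YARA are little-endian reads that become undefined when the offset runs past the end of the file, and an undefined value makes the whole condition false; the helpers below return None in that case. The sample files are constructed in memory (no real malware) and the 0x80 e_lfanew value is an arbitrary choice for the examples.

```python
"""
Pure-Python equivalent of the YARA condition

    uint16(0) == 0x5a4d and uint32(uint32(0x3C)) == 0x0000AD0B

Added example for hunting/triage scripts; not part of the original rule.
"""
import struct
import sys
from pathlib import Path
from typing import Iterable, List, Optional

MZ_SIGNATURE = 0x5A4D        # "MZ" read as a little-endian uint16 at offset 0
E_LFANEW_OFFSET = 0x3C       # DOS header field holding the offset of the PE header
PE_SIGNATURE = 0x00004550    # "PE\0\0" as a little-endian uint32 (well-formed image)
TAVDIG_MARKER = 0x0000AD0B   # bytes 0B AD 00 00 in place of "PE\0\0" (the rule's value)


def read_u16(data: bytes, offset: int) -> Optional[int]:
    """Mirror YARA uint16(): little-endian; None (undefined) if out of range."""
    if offset < 0 or offset + 2 > len(data):
        return None
    return struct.unpack_from("<H", data, offset)[0]


def read_u32(data: bytes, offset: int) -> Optional[int]:
    """Mirror YARA uint32(): little-endian; None (undefined) if out of range."""
    if offset < 0 or offset + 4 > len(data):
        return None
    return struct.unpack_from("<I", data, offset)[0]


def has_malformed_pe_header(data: bytes) -> bool:
    """True exactly when RUAG_Tavdig_Malformed_Executable would match.

    Short-circuits on the MZ check, so a file that does not start with "MZ"
    (a .log, .cab, .pml, ...) can never match, whatever its extension says.
    An e_lfanew that points past the end of the file yields an undefined
    read, which YARA evaluates as false; we do the same.
    """
    if read_u16(data, 0) != MZ_SIGNATURE:
        return False
    e_lfanew = read_u32(data, E_LFANEW_OFFSET)
    if e_lfanew is None:
        return False
    return read_u32(data, e_lfanew) == TAVDIG_MARKER


def build_dos_stub(e_lfanew: int) -> bytes:
    """Construct a minimal 64-byte DOS header with the given e_lfanew."""
    header = bytearray(b"MZ" + b"\x00" * 62)
    struct.pack_into("<I", header, E_LFANEW_OFFSET, e_lfanew)
    return bytes(header)


# Constructed samples (e_lfanew = 0x80 is an arbitrary choice for illustration).
_PAD = b"\x00" * (0x80 - 64)
SAMPLE_NORMAL_PE = build_dos_stub(0x80) + _PAD + struct.pack("<I", PE_SIGNATURE) + b"\x00" * 20
SAMPLE_TAVDIG_STYLE = build_dos_stub(0x80) + _PAD + struct.pack("<I", TAVDIG_MARKER) + b"\x00" * 20
SAMPLE_TRUNCATED = build_dos_stub(0x80)                 # e_lfanew points past end of file
SAMPLE_LOG_FILE = b"12:00:00 trace started (constructed)\n"  # no MZ at offset 0


def scan_paths(paths: Iterable[Path]) -> List[Path]:
    """Return the paths whose contents satisfy the rule; unreadable files are skipped."""
    hits: List[Path] = []
    for path in paths:
        try:
            data = path.read_bytes()
        except OSError:
            continue
        if has_malformed_pe_header(data):
            hits.append(path)
    return hits


if __name__ == "__main__":
    # Usage: python tavdig_check.py <dir> [...]  (tavdig_check.py is a hypothetical name)
    roots = [Path(p) for p in sys.argv[1:]] or [Path(".")]
    for hit in scan_paths(p for root in roots for p in root.rglob("*") if p.is_file()):
        print(f"MATCH RUAG_Tavdig_Malformed_Executable: {hit}")
```

Because the check reads only the DOS header and four bytes at e_lfanew, it is cheap enough to run across an entire volume; the interesting output is the hit list, which is what gets shipped to Sentinel for correlation with the creating process.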
Reading the condition: uint16(0) == 0x5a4d requires the DOS "MZ" signature at offset 0; uint32(0x3C) reads e_lfanew, the offset of the PE header; a well-formed image carries "PE\0\0" (0x00004550) at that offset, while the Tavdig samples carry the bytes 0B AD 00 00 instead (0x0000AD0B when read little-endian, hence the "0x0bad" in the comment). Because the MZ check comes first, only files that begin with "MZ" can match, so a file that merely has an executable-like name or an unusual extension cannot trigger the rule. The scenarios below are generic false-positive hypotheses for files created by legitimate tooling, each with a suggested filter or exclusion. Two caveats apply to all of them: extension-based exclusions are weak, since an attacker chooses the file name, so prefer exclusions keyed to a specific signed process and path; and verify each scenario against your own telemetry before adding an exclusion, because the byte sequence this rule looks for is not something those tools are documented to write.
Scenario: A system administrator runs a scheduled PowerShell job that writes a temporary file with a malformed header as part of a script debugging process.
Filter/Exclusion: Exclude files written by that specific script (.ps1 extension, known path and account) or files generated by that scheduled task. Scope the exclusion narrowly rather than excluding everything PowerShell or schtasks.exe creates, since both are also common attacker tooling.
Scenario: A Windows Update process temporarily creates a file with a malformed header while installing a driver or system update.
Filter/Exclusion: Exclude files with the .cab, .msu, or .inf extensions, or files created by the wuauclt.exe process. Note that .cab, .msu and .inf files do not begin with an MZ signature and so cannot match the rule as written; if an exclusion is kept, the process-based one is the useful part.
Scenario: A build tool such as MSBuild or Visual Studio generates a temporary executable with a malformed header during compilation of a project.
Filter/Exclusion: Exclude files with the .tmp, .obj, or .pdb extensions, or files created by MSBuild or Visual Studio processes (MSBuild.exe, devenv.exe, link.exe) under the build output directories. Only files that start with "MZ" (typically .exe, .dll and .tmp intermediates of the linker) can match; .obj and .pdb files have their own headers and will not.
Scenario: A backup tool such as Veeam or Commvault writes a file with a malformed header during a backup or restore operation.
Filter/Exclusion: Exclude files with the .bkp, .vbk, or .vbm extensions, or files created by Veeam or Commvault processes. Backup containers are not PE images, so the realistic source of a hit here is a restored executable; in that case review the restored file rather than excluding the backup process wholesale.
Scenario: A system diagnostic tool such as Procmon or Process Explorer writes a file with a malformed header while capturing system activity.
Filter/Exclusion: Exclude files with the .log, .pml, or .etl extensions, or files created by Procmon or Process Explorer processes. Procmon writes its capture to a .pml file (Process Explorer does not write capture files); none of these formats begin with an MZ signature, so this exclusion is largely inert and should not be widened beyond those specific paths.