Scieron | SOC Hunt Feed

Hunt Hypothesis

The Scieron rule detects potential adversary behavior involving suspicious file artifacts that may indicate low-privilege persistence or initial access. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage threats before they escalate.

YARA Rule

rule Scieron
{
    meta:
        author = "Symantec Security Response"
        ref = "http://www.symantec.com/connect/tr/blogs/scarab-attackers-took-aim-select-russian-targets-2012"
        date = "22.01.15"

    strings:
        // .text:10002069 66 83 F8 2C                       cmp     ax, ','
        // .text:1000206D 74 0C                             jz      short loc_1000207B
        // .text:1000206F 66 83 F8 3B                       cmp     ax, ';'
        // .text:10002073 74 06                             jz      short loc_1000207B
        // .text:10002075 66 83 F8 7C                       cmp     ax, '|'
        // .text:10002079 75 05                             jnz     short loc_10002080
        $code1 = {66 83 F? 2C 74 0C 66 83 F? 3B 74 06 66 83 F? 7C 75 05}
        
        // .text:10001D83 83 F8 09                          cmp     eax, 9          ; switch 10 cases
        // .text:10001D86 0F 87 DB 00 00 00                 ja      loc_10001E67    ; jumptable 10001D8C default case
        // .text:10001D8C FF 24 85 55 1F 00+                jmp     ds:off_10001F55[eax*4] ; switch jump
        $code2 = {83 F? 09 0F 87 ?? 0? 00 00 FF 24}
        
        $str1  = "IP_PADDING_DATA" wide ascii
        $str2  = "PORT_NUM" wide ascii
        
    condition:
        all of them
}

Deployment Notes

This YARA rule can be deployed in the following contexts:

Microsoft Defender for Endpoint — Custom indicators / advanced hunting
Email Gateway — Attachment scanning
File Share Monitoring — Periodic scanning of shared drives
YARA CLI — Manual threat hunting on endpoints

This rule contains 4 string patterns in its detection logic.

Source Rule

False Positive Guidance

Scenario: Scheduled System Backup Using Veeam
Description: A legitimate scheduled backup job using Veeam may trigger the rule due to similar file patterns or behavior.
Filter/Exclusion: Exclude processes related to veeam or Veeam Backup & Replication using the process name or command line arguments.
Scenario: Windows Update Task via Task Scheduler
Description: A Windows Update task initiated by the Task Scheduler may generate network traffic or file system activity that matches the rule.
Filter/Exclusion: Exclude processes with schtasks.exe or taskhost.exe and filter by known Windows Update endpoints (e.g., wsus or update.microsoft.com).
Scenario: Log File Rotation by Logstash
Description: Logstash may rotate log files, which can create temporary files or directory changes that trigger the rule.
Filter/Exclusion: Exclude processes related to logstash or filter by paths under /var/log or similar log directories.
Scenario: Database Backup Using MySQL
Description: A MySQL database backup operation may involve file system activity that resembles malicious behavior.
Filter/Exclusion: Exclude processes with mysqldump or mysql and filter by paths in the MySQL data directory (e.g., /var/lib/mysql).
Scenario: Antivirus Scan Using Windows Defender
Description: Windows Defender may scan files and generate network traffic or file system changes that match the rule.
Filter/Exclusion: Exclude processes with MsMpEng.exe or filter by known Windows Defender endpoints (e.g., Microsoft Defender ATP).