The scriptkiddies rule detects potential malicious script activity commonly associated with low-skill adversaries leveraging readily available tools. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage threats that may indicate broader compromise.
YARA Rule
rule scriptkiddies {
    strings:
        $ = "[email protected]" nocase
        $ = "CodersLeet" nocase
        $ = "AgencyCaFc" nocase
        $ = "IndoXploit" nocase
        $ = "Kapaljetz666" nocase
    condition:
        any of them and filesize < 500KB
}
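To make the rule's semantics concrete, the following is an added example (not part of the original page and not from the rule's author) that re-implements what the condition evaluates in plain Python: a case-insensitive "any of" match over the indicator strings combined with YARA's filesize bound, where 500KB means 500 * 1024 bytes. The first string on the page survives only as an obfuscated "[email protected]" placeholder, so it is left out; the sample inputs are constructed, not real files.

```python
# Added example: pure-Python mirror of the scriptkiddies rule condition, so the
# rule can be exercised without yara-python. Not the page's own code.

FILESIZE_LIMIT = 500 * 1024  # YARA's "500KB" is 500 * 1024 bytes

# The four recoverable indicator strings from the rule; all are declared nocase.
# The obfuscated "[email protected]" entry on the page is omitted here.
INDICATORS = [b"CodersLeet", b"AgencyCaFc", b"IndoXploit", b"Kapaljetz666"]


def matched_indicators(data: bytes) -> list:
    """Return the indicator strings that occur in data, compared case-insensitively."""
    haystack = data.lower()
    return [s.decode() for s in INDICATORS if s.lower() in haystack]


def scriptkiddies_matches(data: bytes) -> bool:
    """Mirror the rule condition: any of the strings AND filesize < 500KB."""
    if len(data) >= FILESIZE_LIMIT:
        return False
    return bool(matched_indicators(data))


# Constructed sample inputs (not real files):
SAMPLES = {
    # lower-case tag still hits because the strings are declared nocase
    "php_with_tag": b"<?php /* indoxploit shell */ echo 'x'; ?>",
    # no indicator string at all
    "clean_script": b"#!/bin/sh\necho hello\n",
    # contains a string, but the filesize bound excludes it
    "oversized_hit": b"agencycafc" + b"\x00" * FILESIZE_LIMIT,
}


def scan_samples() -> dict:
    """Evaluate every constructed sample and report whether the rule would fire."""
    return {name: scriptkiddies_matches(data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in scan_samples().items():
        print(f"{name}: {'MATCH' if hit else 'no match'}")
```

The oversized sample is the point worth noticing: a file that contains an indicator string still does not match once it reaches the 500KB bound, so the filesize clause is an exclusion, not just a performance hint.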
When deploying this YARA rule, the following legitimate scenarios can produce hits; each is paired with a suggested filter or exclusion:
Scenario: A system administrator is using PowerShell to automate routine system updates.
Filter/Exclusion: Check for Process.Name containing “powershell.exe” and Process.CommandLine containing “Update-Script” or “Update-Module”.
Scenario: A scheduled job runs Ansible to configure multiple servers, which includes script-based tasks.
Filter/Exclusion: Filter by Process.Name containing “ansible-playbook” and check for known Ansible playbook files in the command line.
Scenario: A developer is using npm to install dependencies, which may include scripts in the package.json file.
Filter/Exclusion: Check for Process.Name containing “npm” and Process.CommandLine containing “install” or “scripts”.
Scenario: A security tool like OSSEC runs a script to monitor system logs and generate alerts.
Filter/Exclusion: Filter by Process.Name containing “ossec” and check for known OSSEC script paths in the command line.
Scenario: A DevOps engineer uses Chef to deploy configurations, which may involve script execution during node provisioning.
Filter/Exclusion: Filter by Process.Name containing “chef-client” and check for known Chef cookbook paths in the command line.
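The five scenario filters above, expressed as one benign-process exclusion check that an analyst could run over a process event before escalating a hit. This is an added example, not code from the original page; the ProcessEvent record, the scenario labels and the "known" playbook, OSSEC script and Chef cookbook paths are assumptions chosen for illustration, and the events are constructed.

```python
# Added example: the page's Scenario / Filter pairs as an exclusion check.
# Known-path lists below are assumed values, not from the original page.
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

KNOWN_ANSIBLE_PLAYBOOKS = ["/etc/ansible/site.yml", "/etc/ansible/webservers.yml"]  # assumed
KNOWN_OSSEC_SCRIPTS = ["/var/ossec/active-response/bin/"]  # assumed
KNOWN_CHEF_COOKBOOKS = ["/var/chef/cache/cookbooks/"]  # assumed


@dataclass
class ProcessEvent:
    """Assumed minimal shape of a process event: Process.Name and Process.CommandLine."""
    name: str
    command_line: str


def _contains_any(text: str, needles: List[str]) -> bool:
    lowered = text.lower()
    return any(n.lower() in lowered for n in needles)


# Each entry: (scenario label, Process.Name substring, Process.CommandLine predicate)
EXCLUSIONS: List[Tuple[str, str, Callable[[str], bool]]] = [
    ("powershell-updates", "powershell.exe",
     lambda cl: _contains_any(cl, ["Update-Script", "Update-Module"])),
    ("ansible-playbook", "ansible-playbook",
     lambda cl: _contains_any(cl, KNOWN_ANSIBLE_PLAYBOOKS)),
    ("npm-install", "npm",
     lambda cl: _contains_any(cl, ["install", "scripts"])),
    ("ossec-monitoring", "ossec",
     lambda cl: _contains_any(cl, KNOWN_OSSEC_SCRIPTS)),
    ("chef-client", "chef-client",
     lambda cl: _contains_any(cl, KNOWN_CHEF_COOKBOOKS)),
]


def exclusion_reason(event: ProcessEvent) -> Optional[str]:
    """Return the label of the first matching exclusion, or None if the hit should
    stay in the queue for analyst review."""
    for label, name_fragment, cmd_ok in EXCLUSIONS:
        if name_fragment in event.name.lower() and cmd_ok(event.command_line):
            return label
    return None


# Constructed events (not from any real host):
EVENTS = [
    ProcessEvent("powershell.exe", r"powershell.exe -File C:\ops\Update-Module.ps1"),
    ProcessEvent("ansible-playbook", "ansible-playbook /etc/ansible/site.yml"),
    ProcessEvent("npm", "npm run scripts"),
    ProcessEvent("ossec-agentd", "/var/ossec/active-response/bin/host-deny.sh"),
    # chef-client without a known cookbook path: kept for review
    ProcessEvent("chef-client", "chef-client -c /etc/chef/client.rb"),
    # powershell running an unknown script: kept for review
    ProcessEvent("powershell.exe", r"powershell.exe -File C:\tmp\unknown.ps1"),
]


def triage(events: List[ProcessEvent]) -> List[Tuple[str, Optional[str]]]:
    """Pair each event's process name with its exclusion label (None = escalate)."""
    return [(e.name, exclusion_reason(e)) for e in events]


if __name__ == "__main__":
    for name, reason in triage(EVENTS):
        print(f"{name}: {'excluded (' + reason + ')' if reason else 'ESCALATE'}")
```

The process-name test is a substring match because that is how the page phrases each filter; in production the "npm" and "ossec" fragments are loose enough that tightening them to an exact image name or full path is worth the effort, and the known-path lists should come from the organisation's own inventory rather than the assumed values here.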