Internal names found in LURK0/CCTV0 samples

Hunt Hypothesis

Adversaries may use internal network names within malicious samples to evade detection or establish persistence. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential lateral movement or command and control activities.

YARA Rule

rule SharedStrings : Family {
	meta:
		description = "Internal names found in LURK0/CCTV0 samples"
		author = "Katie Kleemola"
		last_updated = "07-22-2014"
	
	strings:
		// internal names
		$i1 = "Butterfly.dll"
		$i2 = /\\BT[0-9.]+\\ButterFlyDLL\\/
		$i3 = "ETClientDLL"

		// dbx
		$d1 = "\\DbxUpdateET\\" wide
		$d2 = "\\DbxUpdateBT\\" wide
		$d3 = "\\DbxUpdate\\" wide
		
		// other folders
		$mc1 = "\\Micet\\"

		// embedded file names
		$n1 = "IconCacheEt.dat" wide
		$n2 = "IconConfigEt.dat" wide

		$m1 = "\x00\x00ERXXXXXXX\x00\x00" wide
		$m2 = "\x00\x00111\x00\x00" wide
		$m3 = "\x00\x00ETUN\x00\x00" wide
		$m4 = "\x00\x00ER\x00\x00" wide

	condition:
		any of them //todo: finetune this

}

Deployment Notes

This YARA rule can be deployed in the following contexts:

• Microsoft Defender for Endpoint — Custom indicators / advanced hunting
• Email Gateway — Attachment scanning
• File Share Monitoring — Periodic scanning of shared drives
• YARA CLI — Manual threat hunting on endpoints

This rule contains 13 string patterns in its detection logic.

• Source Rule

False Positive Guidance

• Scenario: A system administrator is using PowerShell to generate a report using the command Get-EventLog -LogName System, which includes the word “System” in the log name.
  Filter/Exclusion: Exclude entries where the name appears in known system log names like System, Application, or Security.

• Scenario: A scheduled job runs nightly to clean up temporary files using a script that contains the string “CCTV0” in its log message for debugging purposes.
  Filter/Exclusion: Exclude entries where the name appears in scheduled job names or log messages that are part of standard maintenance scripts.

• Scenario: An IT admin is using Windows Task Scheduler to run a script named LURK0_cleanup.ps1 as part of a routine maintenance task.
  Filter/Exclusion: Exclude entries where the name appears in task scheduler job names or scripts that are known to be part of legitimate administrative workflows.

• Scenario: A database backup job uses a script that includes the string “CCTV0” in its configuration file for version control purposes.
  Filter/Exclusion: Exclude entries where the name appears in backup script configuration files or version control tags.

• Scenario: A network monitoring tool like Wireshark is configured to log packets with a filter named “LURK0” for internal reference.
  Filter/Exclusion: Exclude entries where the name appears in logging filters or internal reference tags used by network monitoring tools.