The hypothesis is that the detection identifies potential SLServer campaign code execution, which may indicate initial compromise or payload delivery by an adversary. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify early-stage malicious activity and prevent further lateral movement or data exfiltration.
YARA Rule
rule SLServer_campaign_code
{
    meta:
        author = "Matt Brooks, @cmatthewbrooks"
        desc = "Searches for the related campaign code."
        ref = "https://citizenlab.org/2016/04/between-hong-kong-and-burma/"
    strings:
        $campaign = "wthkdoc0106"
    condition:
        uint16(0) == 0x5A4D and                    // MZ header
        uint32(uint32(0x3C)) == 0x00004550 and     // PE signature at e_lfanew
        $campaign
}
This YARA rule can be deployed in the following contexts:
This rule contains one string pattern ($campaign) in its detection logic; the condition only fires when that string appears in a file that also carries an MZ header and a PE signature at the offset stored at 0x3C.
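To make the rule's condition concrete, the following added example (not part of the original page or the rule author's work) re-implements the three checks in Python and runs them over constructed byte samples: a fake PE-shaped blob containing the campaign string, the same blob without it, a plain text script containing the string, and a file whose e_lfanew value points back at offset 0. The sample blobs are constructed test data, not real executables, and the function and sample names are my own.

```python
import struct

# The $campaign string from the YARA rule.
CAMPAIGN_STRING = b"wthkdoc0106"


def matches_slserver_rule(data: bytes) -> bool:
    """Mirror the YARA condition:

        uint16(0) == 0x5A4D                  -> bytes 'MZ' at offset 0
        uint32(uint32(0x3C)) == 0x00004550   -> bytes 'PE\\0\\0' at e_lfanew
        and $campaign                        -> string present anywhere

    YARA reads uint16/uint32 as little-endian and treats an out-of-range
    read as undefined (the condition then evaluates false), so the same
    bounds checks are applied here.
    """
    if len(data) < 0x40:
        return False
    if struct.unpack_from("<H", data, 0)[0] != 0x5A4D:
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 4 > len(data):
        return False
    if struct.unpack_from("<I", data, e_lfanew)[0] != 0x00004550:
        return False
    return CAMPAIGN_STRING in data


def build_fake_pe_blob(payload: bytes, e_lfanew: int = 0x80) -> bytes:
    """Construct a byte blob with only the header fields the rule inspects.

    Constructed test data: it has an 'MZ' marker, an e_lfanew field at 0x3C,
    and a 'PE\\0\\0' signature at that offset, followed by the payload. It is
    not a valid or runnable executable.
    """
    header = bytearray(e_lfanew)
    header[0:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, e_lfanew)
    return bytes(header) + b"PE\x00\x00" + payload


# Constructed samples covering the match and the non-match cases.
SAMPLES = {
    "pe_with_campaign_string": build_fake_pe_blob(b"\x00" * 16 + CAMPAIGN_STRING + b"\x00" * 16),
    "pe_without_campaign_string": build_fake_pe_blob(b"\x00" * 16 + b"benign" + b"\x00" * 16),
    # A text script containing the string: no MZ header, so the rule does not fire.
    "text_script_with_string": b"# maintenance script\n$tag = 'wthkdoc0106'\n",
    # 'MZ' present but e_lfanew is 0, so uint32(0) reads 'MZ\x00\x00', not 'PE\x00\x00'.
    "mz_only_with_string": b"MZ" + b"\x00" * 0x60 + CAMPAIGN_STRING,
}


def scan_samples(samples: dict) -> list:
    """Return the names of samples the rule condition matches, in input order."""
    return [name for name, data in samples.items() if matches_slserver_rule(data)]


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name:30s} match={matches_slserver_rule(data)}")
```

Running the block prints one line per sample; only `pe_with_campaign_string` matches. The practical point for tuning is that the MZ and PE checks gate the string match, so hits should be expected on PE files rather than on scripts or configuration text, which narrows where the exclusions below need to apply.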
Scenario: Legitimate scheduled job for system maintenance
Description: A scheduled task runs a script that includes a string matching the YARA rule due to a common keyword used in maintenance scripts.
Filter/Exclusion: process.name != "schtasks.exe" or process.parent.name != "services.exe"
Scenario: Admin using PowerShell to configure SLServer settings
Description: An administrator uses PowerShell to configure SLServer settings, and the script includes a string that matches the YARA rule.
Filter/Exclusion: process.name != "powershell.exe" or process.parent.name != "explorer.exe"
Scenario: Deployment of a legitimate software update with embedded code
Description: A software update package for SLServer includes a temporary script or configuration file that matches the YARA rule.
Filter/Exclusion: file.name != "update_package.exe" or file.path != "C:\\Program Files\\SLServer\\updates\\"
Scenario: Log file parsing or data extraction using a script
Description: A script is used to parse log files or extract data, and the script contains a string that matches the YARA rule.
Filter/Exclusion: process.name != "python.exe" or file.path != "C:\\Logs\\parser_script.py"
Scenario: Internal tool for monitoring SLServer performance
Description: A custom internal monitoring tool uses a script or configuration file that includes a string matching the YARA rule.
Filter/Exclusion: process.name != "monitor_tool.exe" or file.path != "C:\\Tools\\monitor_tool\\config.yaml"