The SLServer command and control rule detects potential adversary use of a custom C2 protocol to establish persistent communication with compromised systems. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage malware activity that may evade traditional detection methods.
YARA Rule
```yara
rule SLServer_command_and_control
{
    meta:
        author = "Matt Brooks, @cmatthewbrooks"
        desc = "Searches for the C2 server."
        ref = "https://citizenlab.org/2016/04/between-hong-kong-and-burma/"
    strings:
        $c2 = "safetyssl.security-centers.com"
    condition:
        // MZ header, then the PE signature at the offset stored in e_lfanew (0x3C), then the C2 domain
        uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and $c2
}
```
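To make the condition above concrete, here is an added Python re-implementation of the same three checks (not part of the original rule or of Citizen Lab's tooling). YARA's `uint16()`/`uint32()` read little-endian integers, so `0x5A4D` is the bytes `MZ` and `0x00004550` is `PE\0\0` at the offset stored at `0x3C` (the `e_lfanew` field). The sample inputs are constructed stubs, not real executables; the helper names are assumptions for this example.

```python
import struct

# The single string pattern from the rule ($c2).
C2_DOMAIN = b"safetyssl.security-centers.com"


def matches_slserver_rule(data: bytes) -> bool:
    """Mirror the YARA condition: MZ header AND PE signature at e_lfanew AND $c2 present."""
    # uint16(0) == 0x5A4D  ->  the first two bytes are "MZ" (little-endian read)
    if len(data) < 0x40 or struct.unpack_from("<H", data, 0)[0] != 0x5A4D:
        return False
    # uint32(0x3C) is e_lfanew, the file offset of the PE header
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # uint32(uint32(0x3C)) == 0x00004550  ->  "PE\0\0" must sit at that offset
    if e_lfanew + 4 > len(data) or struct.unpack_from("<I", data, e_lfanew)[0] != 0x00004550:
        return False
    # $c2: plain substring search, as YARA does for an unmodified ascii string
    return C2_DOMAIN in data


def build_sample(include_c2: bool, pe_header_offset: int = 0x80) -> bytes:
    """Constructed minimal stub (hypothetical, NOT a real PE) that satisfies the header checks."""
    buf = bytearray(pe_header_offset + 4)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, pe_header_offset)  # e_lfanew
    buf[pe_header_offset:pe_header_offset + 4] = b"PE\0\0"
    if include_c2:
        buf += b"\x00" * 16 + C2_DOMAIN + b"\x00"
    return bytes(buf)


if __name__ == "__main__":
    # A PE-shaped blob containing the domain matches; a log line containing the
    # same domain does not, because the header checks gate the string match.
    print("pe with c2     :", matches_slserver_rule(build_sample(True)))        # True
    print("pe without c2  :", matches_slserver_rule(build_sample(False)))       # False
    print("log line w/ c2 :", matches_slserver_rule(b"dns query: " + C2_DOMAIN))  # False
```

The header checks are what keep this rule from firing on log exports, proxy caches or configuration files that merely mention the domain: only a file that starts with an MZ/PE header and contains the string is flagged, which is worth remembering when tuning the exclusions discussed below.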
This YARA rule can be deployed in the following contexts:
This rule contains 1 string pattern in its detection logic.
Scenario: Legitimate scheduled job execution
Description: A system administrator schedules a legitimate maintenance task using schtasks.exe that includes the string “SLServer” in the script or command line.
Filter/Exclusion: Exclude processes initiated by schtasks.exe with a known legitimate command line or script path, e.g., C:\Windows\System32\schtasks.exe /create /tn "MaintenanceJob" /tr "C:\scripts\maintenance.bat".
Scenario: Admin task using PowerShell with SLServer in script
Description: An administrator runs a PowerShell script that includes the term “SLServer” as part of a variable or log file name, such as Get-EventLog -LogName SLServerLogs.
Filter/Exclusion: Exclude PowerShell scripts executed by administrators with a known legitimate script path, e.g., C:\scripts\admin_tasks.ps1 run by powershell.exe with -Command or -File parameters.
Scenario: Log file parsing or monitoring tool
Description: A log management tool like Splunk or ELK is parsing logs and includes the term “SLServer” in a log message or configuration file.
Filter/Exclusion: Exclude processes related to log parsing tools (e.g., splunkforwarder.exe, logstash.exe) or files containing log-related keywords like “log”, “syslog”, or “eventlog”.
Scenario: Internal tool for server communication
Description: A company-developed internal tool named “SLServer” is used for internal communication between servers, such as a custom API or messaging system.
Filter/Exclusion: Exclude processes with a known internal tool name and path, e.g., C:\InternalTools\SLServer.exe or processes initiated by a trusted internal service account.
**Scenario: False positive from