Malware may be spreading laterally within the network by transferring files between hosts. SOC teams should proactively hunt for this behavior to identify and contain potential lateral movement and exfiltration attempts in their Azure Sentinel environment.
YARA Rule
rule spreading_file {
    meta:
        author = "x0r"
        description = "Malware can spread east-west file"
        version = "0.1"
    strings:
        $f1 = "autorun.inf" nocase
        $f2 = "desktop.ini" nocase
        $f3 = "desktop.lnk" nocase
    condition:
        any of them
}
This YARA rule can be deployed in the following contexts:
This rule contains 3 string patterns in its detection logic.
Scenario: Scheduled system backup job using Veeam Backup & Replication transfers large files between servers in the same subnet.
Filter/Exclusion: Exclude file transfers initiated by the veeambackup process or files with the .vib or .vbk extensions.
Scenario: Administrative task to copy configuration files between Windows servers using Robocopy for redundancy.
Filter/Exclusion: Exclude file transfers initiated by the robocopy command or files with known configuration file extensions like .xml, .cfg, or .ini.
Scenario: Log shipping between SQL Server instances using SQL Server Agent Jobs to replicate logs across the same network segment.
Filter/Exclusion: Exclude file transfers initiated by the sqlservr process or files with the .log or .trn extensions.
Scenario: Software update deployment using Microsoft Endpoint Configuration Manager (MECM) that pushes updates to multiple machines in the same domain.
Filter/Exclusion: Exclude file transfers initiated by the ccmexec process or files with the .msu or .cab extensions.
Scenario: Data synchronization between Linux servers using rsync for real-time data replication.
Filter/Exclusion: Exclude file transfers initiated by the rsync process or files with the .sync or .tmp extensions.
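Added example, not part of the original page or the rule author's code: a Python hunt that applies the three nocase strings of spreading_file to constructed file-transfer events and then applies the scenario exclusions listed above. The event schema, host paths and process names are assumptions; the hunt also reports rule hits that the tuning suppresses, which shows that the .ini exclusion from the Robocopy scenario hides the rule's own desktop.ini indicator.

```python
import os
from dataclasses import dataclass

# The three nocase strings from the spreading_file rule; "any of them" means OR.
RULE_STRINGS = (b"autorun.inf", b"desktop.ini", b"desktop.lnk")

# Exclusions collected from the five scenarios above.
EXCLUDED_PROCESSES = {"veeambackup", "robocopy", "sqlservr", "ccmexec", "rsync"}
EXCLUDED_EXTENSIONS = {".vib", ".vbk", ".xml", ".cfg", ".ini", ".log", ".trn",
                       ".msu", ".cab", ".sync", ".tmp"}

@dataclass
class TransferEvent:
    """Constructed file-transfer record; the schema is an assumption."""
    process: str    # image name of the process that wrote the file
    path: str       # destination path of the transferred file
    content: bytes  # leading bytes of the transferred file

def rule_matches(data: bytes) -> set:
    """Case-insensitive 'any of them' substring check, like YARA nocase."""
    low = data.lower()
    return {s.decode() for s in RULE_STRINGS if s in low}

def is_excluded(ev: TransferEvent) -> bool:
    """Scenario tuning: trusted process name or known benign extension."""
    proc = ev.process.lower().removesuffix(".exe")  # "robocopy.exe" -> "robocopy"
    ext = os.path.splitext(ev.path.replace("\\", "/"))[1].lower()
    return proc in EXCLUDED_PROCESSES or ext in EXCLUDED_EXTENSIONS

def hunt(events):
    """Return (alerts, suppressed): hits that survive tuning, and hits the
    exclusions hide. The latter are the tuning's blind spots."""
    alerts, suppressed = [], []
    for ev in events:
        # Match the rule strings against the file name and the file bytes.
        hits = rule_matches(ev.path.encode()) | rule_matches(ev.content)
        if hits:
            (suppressed if is_excluded(ev) else alerts).append((ev, sorted(hits)))
    return alerts, suppressed

# Constructed sample events.
SAMPLE_EVENTS = [
    TransferEvent("explorer.exe", r"\\FS01\share\AutoRun.INF", b"[autorun]\r\nopen=setup.exe"),
    TransferEvent("powershell.exe", r"\\WS02\C$\Users\Public\Desktop.lnk", b"L\x00\x00\x00"),
    TransferEvent("VeeamBackup.exe", r"D:\Backups\job1.vbk", b"\x00\x01\x02"),
    TransferEvent("robocopy", r"\\FS01\share\desktop.ini", b"[.ShellClassInfo]"),
    TransferEvent("rsync", "/mnt/share/loader.tmp", b"# also writes Desktop.lnk"),
]
```

In the sample, the robocopy copy of desktop.ini lands in `suppressed`, so a hunt that applies the .ini exclusion as written never surfaces that indicator; narrowing the exclusion to the configuration paths Robocopy is actually expected to write avoids the blind spot.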