Adversaries frequently build or drop tooling that links against the Windows Internet (WinINet) API, WININET.dll, to fetch second-stage payloads, reach command-and-control servers, or exfiltrate data over HTTP or FTP. The rule below matches the library name anywhere in a file, which covers the import directory of any PE that links WinINet, so a hit on a file in an unexpected location can indicate initial compromise or C2 activity. SOC teams can hunt on these matches in Azure Sentinel (now Microsoft Sentinel) to surface malware that blends in with ordinary web traffic; because a large share of legitimate Windows software imports the same library, a match is a triage signal rather than evidence of malware on its own.
YARA Rule
rule Str_Win32_Wininet_Library
{
    meta:
        author = "@adricnet"
        description = "Match Windows Inet API library declaration"
        method = "String match"
        reference = "https://github.com/dfirnotes/rules"
    strings:
        $wininet_lib = "WININET.dll" nocase
    condition:
        (all of ($wininet*))
}
This rule contains a single string pattern, so its condition, all of ($wininet*), reduces to that one string being present; the nocase modifier makes the match case-insensitive, but without the wide modifier a UTF-16 copy of the name is not matched. Because many legitimate programs import WININET.dll, the rule will fire in the following benign contexts, and exclusions need to be planned for each:
Scenario: A system administrator runs a PowerShell script for a network task, for example downloading a configuration file with Invoke-WebRequest or by launching cmd.exe and curl.exe through Start-Process.
Filter/Exclusion: Check the process name or command line for PowerShell, for example ProcessName = "powershell.exe", and confirm the script and its download target are expected for that host.
Scenario: A scheduled job runs a script or updater that uses the Inet API for a legitimate purpose, such as updating software or fetching data from a company server.
Filter/Exclusion: Exclude the task's binary by its path or hash, or exclude executions launched by the Task Scheduler by checking the account the task runs as and its parent process. A filter such as ProcessStartName contains "schtasks" only matches invocations of the schtasks.exe utility itself, not the programs the scheduled tasks run.
Scenario: A Windows Update or Microsoft Endpoint Manager (MEM) task is running in the background and makes network calls through the Inet API.
Filter/Exclusion: Filter by ProcessName = "wuauclt.exe" (Windows Update client) or ProcessName = "MsMpEng.exe" (Microsoft Defender antimalware service), and pair the name with a valid Microsoft Authenticode signature so that a renamed attacker binary does not inherit the exclusion.
Scenario: A developer is using Visual Studio or Postman to test API calls, which may use the Inet API internally.
Filter/Exclusion: Exclude ProcessName = "devenv.exe" or ProcessName = "Postman.exe", ideally scoped to developer workstations rather than applied fleet-wide.
Scenario: A remote desktop session or Terminal Services client is making network requests through the Inet API as part of normal user activity.
Filter/Exclusion: Filter by logon user or ProcessName contains "mstsc.exe" to identify remote desktop sessions.
In every scenario a process name on its own is a weak exclusion key, since an attacker can name a dropper wuauclt.exe or devenv.exe. Key exclusions on the file hash, path or signer, and keep in mind that the rule matches file content: the match belongs to the executable on disk, not to the command line that happened to run it.
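The following Python is an added example, not code from @adricnet's rule set. It reproduces the rule's matching semantics over constructed byte blobs (stand-ins for PE import tables, not real executables) and shows the hash-keyed allowlisting that the exclusions above need: a rule hit on a known-good file is cleared by its SHA-256 rather than by a process name, and the nocase string without a wide modifier is shown missing a UTF-16 copy of the library name. The sample blobs, the "ascii wide" variant and the allowlist are assumptions constructed for the demonstration.

```python
import hashlib
import re

# The page's rule expressed as Python predicates (added example, not the rule
# author's code). YARA's default string modifier is ascii, so
# "WININET.dll" nocase matches the 8-bit name in any letter case but not a
# UTF-16LE ("wide") copy of it.
ASCII_STRINGS = [re.compile(re.escape(b"WININET.dll"), re.IGNORECASE)]
# Assumed hardened variant: the same string declared "ascii wide".
WIDE_STRINGS = [re.compile(re.escape("WININET.dll".encode("utf-16-le")), re.IGNORECASE)]


def matches_rule(data: bytes, strings=ASCII_STRINGS) -> bool:
    """condition: (all of ($wininet*)) -- every listed string must occur in the file."""
    return all(p.search(data) is not None for p in strings)


def matches_rule_wide(data: bytes) -> bool:
    """How the rule would behave with "ascii wide": either encoding satisfies it."""
    return matches_rule(data, ASCII_STRINGS) or matches_rule(data, WIDE_STRINGS)


def triage(data: bytes, allowlist_sha256: set) -> dict:
    """Triage one file: a hit whose hash is allowlisted needs no analyst time.
    Keying the exclusion on the file hash (or signer/path) instead of a process
    name means a renamed attacker binary does not inherit the exclusion."""
    digest = hashlib.sha256(data).hexdigest()
    hit = matches_rule(data)
    return {
        "sha256": digest,
        "rule_hit": hit,
        "needs_review": hit and digest not in allowlist_sha256,
    }


# Constructed stand-ins for PE import directories; none is a real executable.
SAMPLES = {
    "imports_upper": b"MZ\x90\x00" + b"KERNEL32.dll\x00WININET.dll\x00InternetOpenA\x00HttpSendRequestA\x00",
    "imports_lower": b"MZ\x90\x00" + b"kernel32.dll\x00wininet.dll\x00InternetOpenUrlA\x00",
    "imports_wide": b"MZ\x90\x00" + "wininet.dll".encode("utf-16-le") + b"\x00\x00",
    "no_wininet": b"MZ\x90\x00" + b"KERNEL32.dll\x00WS2_32.dll\x00WSAStartup\x00",
}


def run_samples() -> dict:
    """Run triage over the constructed samples with one of them allowlisted."""
    # Assumed: the first sample is a known-good admin tool whose hash was recorded earlier.
    allow = {hashlib.sha256(SAMPLES["imports_upper"]).hexdigest()}
    return {name: triage(blob, allow) for name, blob in SAMPLES.items()}


if __name__ == "__main__":
    for name, result in run_samples().items():
        print(f"{name:14s} hit={result['rule_hit']!s:5s} review={result['needs_review']}")
    print("wide sample: original rule", matches_rule(SAMPLES["imports_wide"]),
          "/ ascii wide", matches_rule_wide(SAMPLES["imports_wide"]))
```

Running it shows the upper- and lower-case import blobs both hit (nocase), the wide blob hits only under the assumed "ascii wide" variant, and the allowlisted sample is flagged as a hit but not queued for review; the same hash set is what a Sentinel exclusion should key on instead of ProcessName alone.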