The detection identifies potential Stuxnet samples by file content, not by a file hash: the rule looks for the "\objfre_w2k_x86\i386\guava.pdb" debug path and the UTF-16 driver names "MRxCls.sys" and "MRXNET.Sys" (the two SHA-256 values in its meta section are reference samples, not match criteria). A hit means an adversary may be deploying this malware, or a close derivative, against the environment. SOC teams should hunt for matching files and triage any hits in Azure Sentinel, since the original campaign targeted industrial control systems and critical infrastructure.
YARA Rule
rule Stuxnet_Malware_4
{
    meta:
        description = "Stuxnet Sample - file 0d8c2bcb575378f6a88d17b5f6ce70e794a264cdc8556c8e812f0b5f9c709198"
        author = "Florian Roth"
        reference = "Internal Research"
        date = "2016-07-09"
        hash1 = "0d8c2bcb575378f6a88d17b5f6ce70e794a264cdc8556c8e812f0b5f9c709198"
        hash2 = "1635ec04f069ccc8331d01fdf31132a4bc8f6fd3830ac94739df95ee093c555c"
    strings:
        $x1 = "\\objfre_w2k_x86\\i386\\guava.pdb" ascii
        $x2 = "MRxCls.sys" fullword wide
        $x3 = "MRXNET.Sys" fullword wide
    condition:
        ( uint16(0) == 0x5a4d and filesize < 80KB and 1 of them ) or ( all of them )
}
Detection logic: the rule declares three string patterns ($x1, the build PDB path as ASCII; $x2 and $x3, the two driver file names as whole-word UTF-16LE strings) and fires on either of two branches. The first requires a file that starts with the MZ header (uint16(0) == 0x5a4d), is smaller than 80 KB and contains at least one of the three strings. The second fires on any file, of any type or size, that contains all three. Note that the second branch carries no file-type guard, which matters for the false-positive discussion that follows.
False positives: the rule matches file content, not a file hash and not a process, so parent-process filters (schtasks.exe, wuauclt.exe, MsMpEng.exe and the like) do not apply to a YARA hit, and a SHA-256 collision is not a realistic explanation for a match. Triage the matched file itself:
Scenario: A threat-intelligence report, IOC list or incident write-up stored as UTF-16 text quotes the driver names and the PDB path. Because the "all of them" branch has no MZ or filesize guard, such a document fires the rule.
Filter/Exclusion: Check whether the file begins with an MZ header at all; a non-PE file in a documentation or analyst share whose three matched strings are readable text can be excluded after its contents have been reviewed.
Scenario: Security tooling data (antivirus signature sets, YARA or IDS rule bundles checked out from a repository, sandbox or memory-dump output) embeds the same indicators.
Filter/Exclusion: Check the path against the security product's install and data directories and the file type (.yar, .yara, rule or database files rather than .exe or .sys); exclude by path only after confirming the content is the tool's own data.
Scenario: A small, legitimately signed executable (for example a vendor cleanup or removal utility) lists MRxCls.sys or MRXNET.Sys as strings and is under 80 KB, so the first branch fires on a single driver name.
Filter/Exclusion: Check the Authenticode signature and publisher, and whether $x1 also matched: the "\objfre_w2k_x86\i386\guava.pdb" build path belongs to the malware's own binaries and is not expected in a third-party tool.
Any match on an unsigned PE or a kernel driver, and any file on disk actually named MRxCls.sys or MRXNET.Sys (the names Stuxnet used for its drivers), should be handled as a true positive until proven otherwise.