The success_fail_codes_fallchill rule is the YARA signature published with US-CERT alert TA17-318A for the HIDDEN COBRA FALLCHILL remote administration tool. It does not inspect event logs or the status codes that processes report; it scans PE files (or process memory) for two hard-coded 32-bit constants, 0x12347a (the $s strings, success) and 0x12345c (the $f strings, failure), encoded as the immediate operand of an x86 push (opcode 68) or mov edx (opcode BA) instruction. Because the condition requires both constants in the same encoding, a chance occurrence of either value on its own does not fire. SOC teams can run the rule with the yara command-line scanner, with an EDR that supports YARA memory scans, or in a malware triage pipeline, and forward hits to the SIEM (for example Azure Sentinel) for correlation; it is not a log-analytics query and cannot be expressed as one.
YARA Rule
rule success_fail_codes_fallchill
{
    meta:
        description = "success_fail_codes"
        ref = "https://www.us-cert.gov/ncas/alerts/TA17-318A"
    strings:
        // success code 0x12347a as push imm32 (68) and as mov edx, imm32 (BA)
        $s0 = { 68 7a 34 12 00 }
        $s1 = { ba 7a 34 12 00 }
        // failure code 0x12345c in the same two encodings
        $f0 = { 68 5c 34 12 00 }
        $f1 = { ba 5c 34 12 00 }
    condition:
        // MZ header, "PE" signature at e_lfanew, and both codes in the same encoding
        (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and (($s0 and $f0) or ($s1 and $f1))
}
The rule declares four hex string patterns, two per status code: $s0 and $f0 are push imm32 (opcode 68) encodings, $s1 and $f1 are mov edx, imm32 (opcode BA) encodings, each followed by the little-endian immediate. The condition first checks that the file starts with an MZ header and that the 32-bit e_lfanew value at offset 0x3c points at a "PE" signature, then requires a success/failure pair in the same encoding ($s0 with $f0, or $s1 with $f1). The rule can be deployed anywhere YARA runs: the yara command-line scanner over files, an EDR that supports YARA memory scanning, or a sandbox or malware-triage pipeline.
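The following Python is an added example, not code from the page or from the US-CERT alert. It rebuilds the four hex strings from the two constants (showing where the 68 and BA opcodes and the little-endian immediates come from), reimplements the rule's condition with explicit bounds checks, and runs it over constructed buffers: a minimal PE-like image containing a matching push pair, one containing the codes in mixed encodings (which the rule deliberately ignores), and the same bytes without a PE header. The PE buffers are synthetic and only satisfy the header checks the rule makes.

```python
import struct

# Status codes named by the rule's $s (success) and $f (failure) strings.
SUCCESS_CODE = 0x12347A
FAIL_CODE = 0x12345C


def imm32_patterns(value):
    """Return the push imm32 (68) and mov edx, imm32 (BA) encodings of a 32-bit value."""
    imm = struct.pack("<I", value)          # little-endian, e.g. 7a 34 12 00
    return {"push": b"\x68" + imm, "mov_edx": b"\xba" + imm}


S = imm32_patterns(SUCCESS_CODE)   # $s0 = 68 7a 34 12 00, $s1 = ba 7a 34 12 00
F = imm32_patterns(FAIL_CODE)      # $f0 = 68 5c 34 12 00, $f1 = ba 5c 34 12 00


def is_pe(data):
    """Equivalent of uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550.

    YARA evaluates an out-of-range uintN() as undefined (false); mirror that
    with explicit length checks instead of raising.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 2 > len(data):
        return False
    return data[e_lfanew:e_lfanew + 2] == b"PE"


def matches_success_fail_codes(data):
    """Python equivalent of the rule's condition: PE header plus a same-encoding pair."""
    if not is_pe(data):
        return False
    push_pair = S["push"] in data and F["push"] in data        # $s0 and $f0
    mov_pair = S["mov_edx"] in data and F["mov_edx"] in data   # $s1 and $f1
    return push_pair or mov_pair


def fake_pe(payload):
    """Constructed minimal PE-like buffer: MZ stub, e_lfanew -> 'PE\\0\\0', then payload."""
    header = bytearray(0x40)
    header[:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x40)   # e_lfanew points just past the stub
    return bytes(header) + b"PE\0\0" + payload


# Constructed samples (not real malware).
SAMPLE_HIT = fake_pe(b"\x90" * 8 + S["push"] + b"\xc3" + F["push"])   # $s0 and $f0
SAMPLE_MIXED = fake_pe(S["push"] + F["mov_edx"])   # $s0 and $f1: no same-encoding pair
SAMPLE_NOT_PE = S["push"] + F["push"]              # right bytes, no PE header

if __name__ == "__main__":
    for name, buf in [("hit", SAMPLE_HIT), ("mixed", SAMPLE_MIXED), ("not_pe", SAMPLE_NOT_PE)]:
        print(name, matches_success_fail_codes(buf))
```

The mixed sample is the instructive one: both constants are present, yet the rule stays silent because the condition pairs $s0 with $f0 and $s1 with $f1 rather than accepting any two of the four strings. That pairing is what keeps a single coincidental immediate in an unrelated binary from producing a hit.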
Tuning note: the rule operates on the bytes of a PE file or memory image, not on event logs. Fields such as process.name, event_id or a tool's exit status are not inputs to it, so exclusions must be expressed in terms a YARA scanner can apply (file hash, code signer, scan path). Note also that a filter written as process.name != "a.exe" OR process.name != "b.exe" is always true and excludes nothing; independent exclusions must be joined with AND.
Scenario: System update via Windows Update
Description: wuauclt.exe and msiexec.exe report success/failure result codes to the event log, but logged result codes are never compared by this rule. Only a binary that embeds the push or mov edx immediates 0x12347a and 0x12345c in the same encoding can match, so a hit on a Microsoft-signed update component would be a byte collision, not update activity.
Filter/Exclusion: Verify the Authenticode signature of the matching file and exclude that specific file by SHA-256 hash; do not exclude by process name.
Scenario: Scheduled backup job execution
Description: Backup agents such as Veeam or Acronis emit job success/failure codes at run time, which are invisible to a byte-pattern rule. A scan of the agent's installation directory matches only if an agent binary contains both constants.
Filter/Exclusion: Exclude the vendor's installation directory from the scan only after confirming the signer and hash of the matching file; do not exclude on process name.
Scenario: Admin task using PowerShell for system maintenance
Description: A PowerShell script's exit codes are runtime values, not bytes in a PE image, and powershell.exe itself does not match unless it embeds both constants. A memory scan of a PowerShell process can still hit if a payload containing the constants has been loaded into it.
Filter/Exclusion: None on process name or event ID; treat a memory-scan hit inside powershell.exe as a finding to triage rather than as noise.
Scenario: Logon/logout events with success/failure status
Description: Events 4624 and 4625 carry logon status codes but are not PE files; the rule never sees them. A SIEM query keyed on these event IDs is not a translation of this rule and will neither detect FALLCHILL nor need tuning for it.
Filter/Exclusion: Not applicable.
Scenario: Application health check via monitoring tool
Description: Nagios or Datadog agents send check status codes over the network, and the rule does not inspect network data. Agent binaries on disk match only if they contain both constants in the same encoding.
Filter/Exclusion: Exclude by file hash or code signer after verification, not by process name.