Adversaries may deploy tooling that enumerates files as part of lateral movement or data exfiltration, with its payload stored as an encrypted PE resource so that static inspection does not reveal it. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential covert data access or persistence mechanisms.
YARA Rule
import "pe"
import "math"

rule susp_file_enumerator_with_encrypted_resource_101 {
    meta:
        copyright = "Kaspersky Lab"
        description = "Generic detection for samples that enumerate files with encrypted resource called 101"
        hash = "2cd0a5f1e9bcce6807e57ec8477d222a"
        hash = "c843046e54b755ec63ccb09d0a689674"
        version = "1.4"
    strings:
        // DOS stub text; used below to exclude resources that hold an unencrypted embedded PE
        $mz = "This program cannot be run in DOS mode."
        // file enumeration APIs
        $a1 = "FindFirstFile" ascii wide nocase
        $a2 = "FindNextFile" ascii wide nocase
        // resource loading APIs
        $a3 = "FindResource" ascii wide nocase
        $a4 = "LoadResource" ascii wide nocase
    condition:
        uint16(0) == 0x5A4D and                 // "MZ" header
        all of them and
        filesize < 700000 and
        pe.number_of_sections > 4 and
        pe.number_of_signatures == 0 and        // unsigned binaries only
        pe.number_of_resources > 1 and pe.number_of_resources < 15 and
        // any resource with id 101, language-neutral, larger than 20000 bytes,
        // near-maximal entropy (encrypted/compressed) and no DOS stub inside
        for any i in (0..pe.number_of_resources - 1):
        ( (math.entropy(pe.resources[i].offset, pe.resources[i].length) > 7.8) and
          pe.resources[i].id == 101 and
          pe.resources[i].length > 20000 and
          pe.resources[i].language == 0 and
          not ($mz in (pe.resources[i].offset..pe.resources[i].offset + pe.resources[i].length))
        )
}
This YARA rule can be deployed in the following contexts:
This rule contains 5 string patterns in its detection logic.
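To see how the resource clause of the rule behaves on concrete data, here is an added Python example (not part of the page or of Kaspersky's rule) that reimplements the per-resource conditions with a Shannon entropy function on the same 0 to 8 bits-per-byte scale as YARA's math.entropy(); the sample resources are constructed, not taken from any real file.

```python
import math
import random
from collections import Counter

# Shannon entropy in bits per byte, the scale YARA's math.entropy() reports (0.0 .. 8.0).
def entropy(data: bytes) -> float:
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())

# The $mz string from the rule: an unencrypted embedded PE carries this DOS stub text.
MZ_BANNER = b"This program cannot be run in DOS mode."

def resource_matches(res: dict) -> bool:
    """Per-resource clause of the rule's for-loop: id 101, language-neutral,
    larger than 20000 bytes, entropy above 7.8, and no DOS stub inside."""
    data = res["data"]
    return (res["id"] == 101 and res["language"] == 0 and len(data) > 20000
            and entropy(data) > 7.8 and MZ_BANNER not in data)

def any_resource_matches(resources: list) -> bool:
    """Resource part of the condition: between 2 and 14 resources, any one matching."""
    if not (1 < len(resources) < 15):
        return False
    return any(resource_matches(r) for r in resources)

# Constructed sample resources (hypothetical; a seeded PRNG blob stands in for an encrypted payload).
_rng = random.Random(101)
_random_blob = bytes(_rng.getrandbits(8) for _ in range(30000))
ENCRYPTED_101 = {"id": 101, "language": 0, "data": _random_blob}
# Same size and entropy, but containing the DOS stub text, i.e. a plaintext embedded PE: excluded.
PLAINTEXT_PE_101 = {"id": 101, "language": 0,
                    "data": _random_blob[:64] + MZ_BANNER + _random_blob[64:]}
# A string-table style resource: low entropy, never matches regardless of id.
STRING_TABLE = {"id": 101, "language": 0, "data": b"Windows resource string entry\x00" * 1000}
ICON = {"id": 1, "language": 0, "data": _random_blob[:2048]}  # wrong id and too small

SAMPLE_RESOURCES = [ICON, ENCRYPTED_101]

if __name__ == "__main__":
    for name, res in (("encrypted", ENCRYPTED_101), ("plaintext PE", PLAINTEXT_PE_101),
                      ("string table", STRING_TABLE), ("icon", ICON)):
        print(f"{name:13s} entropy={entropy(res['data']):.3f} matches={resource_matches(res)}")
    print("file-level resource clause:", any_resource_matches(SAMPLE_RESOURCES))
```

Running the block shows why the rule fires only on encrypted payloads: a plaintext embedded PE of identical size is rejected by the $mz exclusion, and a string table never reaches the 7.8 entropy bar.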
Scenario: A system administrator is using PowerShell to enumerate files during a routine system inventory or audit.
Filter/Exclusion: Check for the presence of Get-ChildItem or Get-Content in the command line, or filter by process name powershell.exe with a known administrative task context.
Scenario: A scheduled backup job is running and temporarily enumerates files as part of the backup process, including files with encrypted resources.
Filter/Exclusion: Exclude processes associated with backup tools like Veeam, Commvault, or Veritas NetBackup, or filter by scheduled task names containing “backup” or “snapshot”.
Scenario: A Windows Update or Group Policy deployment is executing and enumerates files as part of the update process.
Filter/Exclusion: Exclude processes like wuauclt.exe, msiexec.exe, or gpupdate.exe, or filter by the presence of known update-related command-line arguments.
Scenario: A software installation or uninstallation process (e.g., via msiexec or InstallShield) enumerates files as part of the installation or cleanup.
Filter/Exclusion: Exclude processes with msiexec.exe or setup.exe, or filter by command-line arguments related to installation or uninstallation.
Scenario: A third-party security tool (e.g., Malwarebytes, Bitdefender, or Kaspersky) performs a scan and enumerates files, including those with encrypted resources.
Filter/Exclusion: Exclude processes associated with known security tools, or filter by the presence of the tool’s executable name in the process list.