Elex Service 32 bits

Hunt Hypothesis

The Elex Service 32 bits detection rule identifies potential adversary activity involving the execution of a 32-bit service that may be used for persistence or lateral movement. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and mitigate potential compromise of systems running 32-bit services in a 64-bit environment.

YARA Rule

rule Trj_Elex_Service32 
{

    meta:
        author = "Centro Criptológico Nacional (CCN)"
        description = "Elex Service 32 bits"
        ref = "https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos.html"
        
    strings:
        $mz = { 4d 5a }
        $str1 = "http://xa.xingcloud.com/v4/sof-everything/"
        $str2 = "http://www.mysearch123.com"
        $str3 = "21e223b3f0c97db3c281da1g7zccaefozzjcktmlma"
        
    condition:
        (pe.machine == pe.MACHINE_I386) and ($mz at 0) and ($str1) and ($str2) and ($str3)
}

Deployment Notes

This YARA rule can be deployed in the following contexts:

• Microsoft Defender for Endpoint — Custom indicators / advanced hunting
• Email Gateway — Attachment scanning
• File Share Monitoring — Periodic scanning of shared drives
• YARA CLI — Manual threat hunting on endpoints

This rule contains 4 string patterns in its detection logic.

• Source Rule

False Positive Guidance

• Scenario: Scheduled System Maintenance Task
  Description: A legitimate scheduled task runs the Elex Service 32-bit process as part of routine system maintenance.
  Filter/Exclusion: Check for CommandLine containing schtasks or Task Scheduler in the process command line.

• Scenario: Microsoft System File Checker (SFC) Scan
  Description: The Elex Service 32-bit process is triggered during an SFC scan to repair system files.
  Filter/Exclusion: Filter out processes with CommandLine containing sfc.exe or DISM.

• Scenario: Microsoft Update Installation
  Description: The Elex Service 32-bit process is invoked during a Windows Update installation or patching process.
  Filter/Exclusion: Check for CommandLine containing wusa.exe or WindowsUpdate.

• Scenario: Antivirus or Endpoint Protection Scan
  Description: A legitimate antivirus or endpoint protection tool (e.g., Microsoft Defender, CrowdStrike, or Symantec) uses the Elex Service 32-bit process for scanning.
  Filter/Exclusion: Filter processes with CommandLine containing mpcmdrun.exe, mpengine.exe, or the name of the specific AV tool.

• Scenario: User-Initiated Administrative Task
  Description: An administrator manually starts the Elex Service 32-bit process to troubleshoot or configure a system component.
  Filter/Exclusion: Check for User field indicating a known admin account (e.g., Administrator, Domain Admin) and CommandLine containing net, reg, or msconfig.