The Elex Service 64 bits rule (Trj_Elex_Service64) is a static YARA signature for 64-bit Windows PE executables of the Elex malware family, named for the 64-bit Elex service component it targets. It flags a file that has an MZ header at offset 0, a PE machine type of AMD64, and three hardcoded Elex indicators: an xingcloud.com analytics URL, the mysearch123.com search-redirect domain, and an Elex-specific identifier string. A match therefore points at an Elex binary present on disk or in memory (the deployment or persistence stage) rather than at a service-execution event itself, and it is not evidence of any other adversary activity on its own. SOC teams can run the rule with YARA or a YARA-capable endpoint agent and forward hits to Azure Sentinel (now Microsoft Sentinel) to hunt for Elex components and the service or scheduled-task persistence that installs them.
YARA Rule
import "pe"

rule Trj_Elex_Service64
{
    meta:
        author = "Centro Criptológico Nacional (CCN)"
        description = "Elex Service 64 bits"
        ref = "https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos.html"
    strings:
        $mz = { 4d 5a }                                        // "MZ" DOS header magic
        $str1 = "http://xa.xingcloud.com/v4/sof-everything/"   // xingcloud analytics endpoint
        $str2 = "http://www.mysearch123.com"                   // search-redirect domain
        $str3 = "21e223b3f0c97db3c281da1g7zccaefozzjcktmlma"    // hardcoded Elex identifier
    condition:
        // pe.machine is only defined when the pe module parses a valid PE, so a
        // non-PE file carrying these strings never matches; the import is required
        (pe.machine == pe.MACHINE_AMD64) and ($mz at 0) and $str1 and $str2 and $str3
}
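To make concrete what the four conditions check, and why the AMD64 machine test matters, the following is an added pure-Python reimplementation of the rule's logic run over in-memory samples. It is not the CCN-CERT rule and not a replacement for YARA; the minimal PE-shaped blobs, the helper names (pe_machine, explain, build_fake_pe) and the 32-bit and text-only samples are constructed for this example and do not come from the original page.

```python
"""Pure-Python mirror of the Trj_Elex_Service64 conditions (added example).

Mirrors the rule: MZ at offset 0, COFF Machine == AMD64, and all three Elex
strings present. Sample inputs are constructed PE-shaped blobs, not real files.
"""
import struct

IMAGE_FILE_MACHINE_I386 = 0x014C   # pe.MACHINE_I386
IMAGE_FILE_MACHINE_AMD64 = 0x8664  # pe.MACHINE_AMD64

# The three string indicators from the rule ($str1, $str2, $str3).
ELEX_STRINGS = [
    b"http://xa.xingcloud.com/v4/sof-everything/",
    b"http://www.mysearch123.com",
    b"21e223b3f0c97db3c281da1g7zccaefozzjcktmlma",
]


def pe_machine(data: bytes):
    """Return the COFF Machine field of a PE image, or None if data is not a PE.

    Layout: IMAGE_DOS_HEADER.e_lfanew at 0x3C -> "PE\\0\\0" signature ->
    IMAGE_FILE_HEADER.Machine (2 bytes). This is what YARA's pe.machine reads;
    when parsing fails the value is undefined and the condition is false.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 6 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    return struct.unpack_from("<H", data, e_lfanew + 4)[0]


def explain(data: bytes) -> dict:
    """Per-condition breakdown of the rule, useful when a sample almost matches."""
    return {
        "mz_at_0": data[:2] == b"MZ",                                  # $mz at 0
        "machine_amd64": pe_machine(data) == IMAGE_FILE_MACHINE_AMD64,  # pe.machine check
        "str1": ELEX_STRINGS[0] in data,
        "str2": ELEX_STRINGS[1] in data,
        "str3": ELEX_STRINGS[2] in data,
    }


def matches_trj_elex_service64(data: bytes) -> bool:
    """True only when every condition holds, like the rule's 'and' chain."""
    return all(explain(data).values())


def build_fake_pe(machine: int, payload: bytes) -> bytes:
    """Construct a minimal PE-shaped blob for testing (not a runnable executable):
    64-byte DOS header with e_lfanew, "PE\\0\\0", a 20-byte COFF header carrying
    the requested Machine value, then the payload bytes."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE header right after DOS header
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, 0, 0)
    return bytes(dos) + b"PE\0\0" + coff + payload


# Constructed samples (assumptions for the example, not real Elex binaries).
SAMPLE_64 = build_fake_pe(IMAGE_FILE_MACHINE_AMD64, b"\0" * 16 + b"\0".join(ELEX_STRINGS))
SAMPLE_32 = build_fake_pe(IMAGE_FILE_MACHINE_I386, b"\0" * 16 + b"\0".join(ELEX_STRINGS))
SAMPLE_PARTIAL = build_fake_pe(IMAGE_FILE_MACHINE_AMD64, b"\0".join(ELEX_STRINGS[:2]))
SAMPLE_TEXT = b"\n".join(ELEX_STRINGS)  # indicators in a plain text file, no PE header

if __name__ == "__main__":
    for name, blob in [("x64 Elex-like PE", SAMPLE_64), ("x86 Elex-like PE", SAMPLE_32),
                       ("x64 PE, two strings", SAMPLE_PARTIAL), ("text file", SAMPLE_TEXT)]:
        print(f"{name:22s} match={matches_trj_elex_service64(blob)} {explain(blob)}")
```

The 32-bit sample carries all three indicators yet does not match, because the machine check scopes the rule to the x64 component; a triage analyst who sees the strings in a 32-bit build should not expect this rule to fire on it. The real rule is run with yara -r over a directory, and the explain() breakdown is the kind of per-condition view that yara -s (print matching strings) gives for the string part.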
This YARA rule is a file-content signature, so it can be deployed wherever YARA can read the file bytes: on-demand or scheduled disk scans (for example yara -r with the rule file), a malware triage pipeline that scans submitted samples, or an endpoint agent that evaluates YARA rules against dropped files and process images and forwards matches to a SIEM such as Azure Sentinel. It cannot be run directly on event logs: a process or service event contains nothing for the $str patterns or the pe module to match.
This rule contains 4 string patterns in its detection logic ($mz plus the three Elex indicators $str1, $str2 and $str3). The condition requires all of them together with the AMD64 machine type, so a 32-bit Elex build, or a file that carries only some of the strings, does not match.
The following scenarios and filters were attached to this rule as false-positive tuning. They are parent-process exclusions, which YARA itself cannot evaluate (there is no process.parent_process_name in a YARA condition); they apply only after a YARA hit has been correlated in the SIEM or EDR with the process event that created or loaded the matched file. Apply them with care: a signature keyed on hardcoded Elex URLs and an identifier string is not triggered by ordinary Windows maintenance activity, so each exclusion removes visibility without removing a real false-positive source.
Scenario: Scheduled system maintenance using Task Scheduler to run a 64-bit service cleanup
Filter/Exclusion: process.parent_process_name != "schtasks.exe" (caveat: tasks launched by Task Scheduler run under the Schedule service host, svchost.exe on current Windows and taskeng.exe on older versions, not under schtasks.exe, which is only the management tool; excluding it does not cover the scenario and would hide task-based persistence created from the command line)
Scenario: Windows Update installation triggering a 64-bit service to update system components
Filter/Exclusion: process.parent_process_name != "wuauclt.exe"
Scenario: Group Policy Object (GPO) refresh causing a 64-bit service to restart
Filter/Exclusion: process.parent_process_name != "gpupdate.exe"
Scenario: Windows Event Log service (EventLog) running a 64-bit process during log cleanup
Filter/Exclusion: process.parent_process_name != "eventlog.exe" (caveat: there is no eventlog.exe on Windows; the EventLog service is wevtsvc.dll hosted in svchost.exe, so this exclusion as written never matches anything)
Scenario: System File Checker (SFC) running a 64-bit service to repair system files
Filter/Exclusion: process.parent_process_name != "sfc.exe"