The Zc tool may indicate the use of a custom or less-known adversary tool for lateral movement or data exfiltration, which could bypass traditional detection mechanisms. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential advanced threats that evade standard monitoring and response processes.
YARA Rule
rule Trojan_Win32_Plainst2
{
meta:
author = "Microsoft"
description = "Zc tool"
original_sample_sha1 = "3f2ce812c38ff5ac3d813394291a5867e2cddcf2"
unpacked_sample_sha1 = "88ff852b1b8077ad5a19cc438afb2402462fbd1a"
activity_group = "Platinum"
version = "1.0"
last_modified = "2016-04-12"
strings:
$str1 = "Connected [%s:%d]..."
$str2 = "reuse possible: %c"
$str3 = "] => %d%%\x0a"
condition:
$str1 and $str2 and $str3
}This YARA rule can be deployed in the following contexts:
This rule contains 3 string patterns in its detection logic.
Scenario: System backup using Veeam Backup & Replication
Filter/Exclusion: process.name != "vbm" or process.name != "vbackup"
Scenario: Scheduled maintenance task using Windows Task Scheduler to run a clean-up script
Filter/Exclusion: process.name != "schtasks.exe" or process.parent.name != "services.exe"
Scenario: Admin performing a PowerShell script to manage user accounts or group policies
Filter/Exclusion: process.name != "powershell.exe" or process.parent.name != "explorer.exe"
Scenario: Docker container running a legitimate application with elevated privileges
Filter/Exclusion: process.name != "docker" or process.parent.name != "containerd"
Scenario: Ansible playbook execution for configuration management
Filter/Exclusion: process.name != "ansible" or process.parent.name != "sshd"