This detection identifies files carrying the code patterns of the SAV malware used in the Symantec Waterbug attack; a match may indicate that an adversary is already operating on a compromised endpoint. SOC teams should proactively hunt for these matches in Azure Sentinel to identify and contain early-stage intrusions before they escalate.
YARA Rule
rule WaterBug_sav
{
    meta:
        description = "Symantec Waterbug Attack - SAV Malware"
        author = "Symantec Security Response"
        date = "22.01.2015"
        reference = "http://t.co/rF35OaAXrl"
    strings:
        $mz = "MZ"
        $code1a = { 8B 75 18 31 34 81 40 3B C2 72 F5 33 F6 39 7D 14 76 1B 8A 04 0E 88 04 0F 6A 0F 33 D2 8B C7 5B F7 F3 85 D2 75 01 }
        $code1b = { 8B 45 F8 40 89 45 F8 8B 45 10 C1 E8 02 39 45 F8 73 17 8B 45 F8 8B 4D F4 8B 04 81 33 45 20 8B 4D F8 8B 55 F4 89 04 8A EB D7 83 65 F8 00 83 65 EC 00 EB 0E 8B 45 F8 40 89 45 F8 8B 45 EC 40 89 45 EC 8B 45 EC 3B 45 10 73 27 8B 45 F4 03 45 F8 8B 4D F4 03 4D EC 8A 09 88 08 8B 45 F8 33 D2 6A 0F 59 F7 F1 85 D2 75 07 }
        $code1c = { 8A 04 0F 88 04 0E 6A 0F 33 D2 8B C6 5B F7 F3 85 D2 75 01 47 8B 45 14 46 47 3B F8 72 E3 EB 04 C6 04 08 00 48 3B C6 73 F7 33 C0 C1 EE 02 74 0B 8B 55 18 31 14 81 40 3B C6 72 F5 }
        $code2 = { 29 5D 0C 8B D1 C1 EA 05 2B CA 8B 55 F4 2B C3 3D 00 00 00 01 89 0F 8B 4D 10 8D 94 91 00 03 00 00 73 17 8B 7D F8 8B 4D 0C 0F B6 3F C1 E1 08 0B CF C1 E0 08 FF 45 F8 89 4D 0C 8B 0A 8B F8 C1 EF 0B }
    condition:
        ($mz at 0) and (($code1a or $code1b or $code1c) and $code2)
}
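The following is an added example, not part of this page and not Symantec's code: a pure-Python evaluation of the rule's condition, ($mz at 0) and (($code1a or $code1b or $code1c) and $code2), so an analyst can see exactly which clause a file satisfies or fails without installing yara-python. The hex sequences are copied from the rule above; the function names and the test buffers (NOP filler with the rule's own byte sequences spliced in, not real samples) are constructed for this example.

```python
"""Added example: evaluate the WaterBug_sav rule condition in pure Python."""
import re

# Literal hex strings copied from the rule's strings section. None of them use
# wildcards (??) or jumps ([n-m]), so each one is a plain byte-sequence search.
RULE_HEX_STRINGS = {
    "$code1a": "8B 75 18 31 34 81 40 3B C2 72 F5 33 F6 39 7D 14 76 1B 8A 04 0E 88 04 0F 6A 0F 33 D2 8B C7 5B F7 F3 85 D2 75 01",
    "$code1b": "8B 45 F8 40 89 45 F8 8B 45 10 C1 E8 02 39 45 F8 73 17 8B 45 F8 8B 4D F4 8B 04 81 33 45 20 8B 4D F8 8B 55 F4 89 04 8A EB D7 83 65 F8 00 83 65 EC 00 EB 0E 8B 45 F8 40 89 45 F8 8B 45 EC 40 89 45 EC 8B 45 EC 3B 45 10 73 27 8B 45 F4 03 45 F8 8B 4D F4 03 4D EC 8A 09 88 08 8B 45 F8 33 D2 6A 0F 59 F7 F1 85 D2 75 07",
    "$code1c": "8A 04 0F 88 04 0E 6A 0F 33 D2 8B C6 5B F7 F3 85 D2 75 01 47 8B 45 14 46 47 3B F8 72 E3 EB 04 C6 04 08 00 48 3B C6 73 F7 33 C0 C1 EE 02 74 0B 8B 55 18 31 14 81 40 3B C6 72 F5",
    "$code2": "29 5D 0C 8B D1 C1 EA 05 2B CA 8B 55 F4 2B C3 3D 00 00 00 01 89 0F 8B 4D 10 8D 94 91 00 03 00 00 73 17 8B 7D F8 8B 4D 0C 0F B6 3F C1 E1 08 0B CF C1 E0 08 FF 45 F8 89 4D 0C 8B 0A 8B F8 C1 EF 0B",
}


def hex_string_to_bytes(pattern: str) -> bytes:
    """Convert a YARA-style hex string (space-separated byte values) to bytes."""
    return bytes.fromhex(re.sub(r"\s+", "", pattern))


def find_offsets(data: bytes, needle: bytes) -> list:
    """Every offset at which needle occurs in data, the way YARA exposes @string[i]."""
    offsets, pos = [], data.find(needle)
    while pos != -1:
        offsets.append(pos)
        pos = data.find(needle, pos + 1)
    return offsets


def evaluate_waterbug_sav(data: bytes) -> dict:
    """Mirror the rule condition and report which clauses were satisfied.

    Returns {"mz_at_zero": bool, "offsets": {name: [offsets]}, "hit": bool}.
    """
    offsets = {name: find_offsets(data, hex_string_to_bytes(h))
               for name, h in RULE_HEX_STRINGS.items()}
    # '$mz at 0' anchors the match to offset 0: an "MZ" elsewhere in the file
    # does not satisfy it, which is what keeps the rule scoped to PE images.
    mz_at_zero = data[:2] == b"MZ"
    code1 = any(offsets[name] for name in ("$code1a", "$code1b", "$code1c"))
    code2 = bool(offsets["$code2"])
    return {"mz_at_zero": mz_at_zero, "offsets": offsets,
            "hit": mz_at_zero and code1 and code2}


# Constructed test buffers (hypothetical, not real samples): NOP filler with
# the rule's own byte sequences spliced in, so each clause can be exercised.
_FILLER = b"\x90" * 16


def build_buffer(prefix: bytes, fragments) -> bytes:
    """prefix, then each fragment separated by 16 bytes of filler."""
    return prefix + _FILLER + _FILLER.join(fragments) + _FILLER


CODE1A = hex_string_to_bytes(RULE_HEX_STRINGS["$code1a"])
CODE1B = hex_string_to_bytes(RULE_HEX_STRINGS["$code1b"])
CODE2 = hex_string_to_bytes(RULE_HEX_STRINGS["$code2"])

SAMPLE_HIT = build_buffer(b"MZ", [CODE1A, CODE2])                    # every clause satisfied
SAMPLE_MZ_NOT_FIRST = build_buffer(b"\x00\x00MZ", [CODE1A, CODE2])  # "MZ" present, but not at offset 0
SAMPLE_CODE1_ONLY = build_buffer(b"MZ", [CODE1B])                    # $code1b present, $code2 missing

if __name__ == "__main__":
    for label, buf in (("hit", SAMPLE_HIT),
                       ("mz_not_first", SAMPLE_MZ_NOT_FIRST),
                       ("code1_only", SAMPLE_CODE1_ONLY)):
        result = evaluate_waterbug_sav(buf)
        found = " ".join(f"{k}@{v}" for k, v in result["offsets"].items() if v)
        print(f"{label:13s} hit={result['hit']!s:5s} mz_at_zero={result['mz_at_zero']!s:5s} {found}")
```

The three buffers isolate the three ways a file can fall short of the condition: the MZ marker is not at offset 0, only one of the two required pattern groups is present, or nothing matches at all. In production the same rule text is handed to the real engine (for instance yara-python's yara.compile(source=...) followed by rules.match(data=...)); this evaluator is only for reasoning about the condition logic and for checking that a tuning change did not silently alter which clauses fire.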
This YARA rule can be deployed in the following contexts:
This rule contains 5 string patterns in its detection logic.
Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task runs a maintenance script that uses symantec or SAV in its name, triggering the rule.
Filter/Exclusion: process.name != "symantec*" OR process.name != "SAV*" OR process.parent.name == "TaskScheduler"
Scenario: Symantec Endpoint Protection (SEP) Agent Update
Description: The SEP agent performs a routine update that includes the symantec or SAV executable, which is flagged by the rule.
Filter/Exclusion: process.name == "SEPagent.exe" OR process.name == "SAV.exe" OR process.parent.name == "svchost.exe"
Scenario: Admin Performing Symantec Configuration Backup
Description: An administrator uses a script or tool like Symantec Configuration Manager to back up configuration files, which includes symantec or SAV in the process name.
Filter/Exclusion: process.name == "SymantecConfigManager.exe" OR process.name == "SAVConfigTool.exe" OR user.name == "admin"
Scenario: PowerShell Script Using Symantec API for Reporting
Description: A PowerShell script runs to generate reports using the Symantec API, which includes symantec or SAV in the command line.
Filter/Exclusion: process.name == "powershell.exe" AND command_line NOT LIKE "%symantec%" AND command_line NOT LIKE "%SAV%"
Scenario: Legacy Tool for Symantec Log Analysis
Description: A legacy log analysis tool like Symantec Log Analyzer is used to process logs, which includes symantec or `SA