This YARA rule identifies a Winnti rootkit sample by strings embedded in its PE image: a reference to the \Driver\nsiproxy driver object, the device names \Device\StreamPortal and \Device\PNTFILTER, and supporting artifacts (a named synchronization object under \BaseNamedObjects, the file name Winqual.sys, a "Cookie: SN=" HTTP header and the network-adapter class registry key). It is a file and memory signature, not a behavioral detection: it is run by a scanner (endpoint protection, a forensic toolkit, memory triage), not by a SIEM. SOC teams should still hunt for the resulting matches, for the rule's hashes and for its driver and registry artifacts in Microsoft Sentinel (formerly Azure Sentinel) to surface advanced persistent threat activity that evades traditional detection methods.
YARA Rule
rule Winnti_malware_Nsiproxy
{
    meta:
        description = "Detects a Winnti rootkit"
        author = "Florian Roth"
        date = "2015-10-10"
        score = 75
        hash1 = "9001572983d5b1f99787291edaadbb65eb2701722f52470e89db2c59def24672"
        hash2 = "cf1e006694b33f27d7c748bab35d0b0031a22d193622d47409b6725b395bffb0"
        hash3 = "326e2cabddb641777d489a9e7a39d52c0dc2dcb1fde1762554ea162792056b6e"
        hash4 = "aff7c7478fe33c57954b6fec2095efe8f9edf5cdb48a680de9439ba62a77945f"
        hash5 = "ba7ccd027fd2c826bbe8f2145d5131eff906150bd98fe25a10fbee2c984df1b8"
    strings:
        $x1 = "\\Driver\\nsiproxy" fullword wide
        $a1 = "\\Device\\StreamPortal" fullword wide
        $a2 = "\\Device\\PNTFILTER" fullword wide
        $s1 = "Cookie: SN=" fullword ascii
        $s2 = "\\BaseNamedObjects\\_transmition_synchronization_" fullword wide
        $s3 = "Winqual.sys" fullword wide
        $s4 = "\\Registry\\Machine\\SYSTEM\\CurrentControlSet\\Control\\Class\\{4D36E972-E325-11CE-BFC1-08002BE10318}" fullword wide
        $s5 = "http://www.wasabii.com.tw 0" fullword ascii
    condition:
        uint16(0) == 0x5a4d and $x1 and 1 of ($a*) and 2 of ($s*)
}
This YARA rule can be deployed in the following contexts:
This rule contains 8 string patterns in three tiers: the single required string $x1, the device names $a1 and $a2 (at least one must be present), and the supporting strings $s1 to $s5 (at least two must be present). The condition also requires the file to start with the MZ header (uint16(0) == 0x5a4d is the bytes "MZ" read little-endian at offset 0). The layering matters: nsiproxy is also the name of a legitimate Windows network driver, so $x1 on its own would be a weak indicator; the rootkit-specific device names and supporting strings are what make a match specific. All strings are fullword, so a hit inside a longer identifier does not count.
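As an added example (not part of the original page, not Florian Roth's code, and not a substitute for YARA), the following Python re-implements the rule's strings, an approximation of the fullword modifier and the condition, then runs it over four constructed buffers: a file that only references the legitimate nsiproxy driver object, a rootkit-like file carrying the required tiers, the same strings without an MZ header, and a file where the driver name is embedded in a longer identifier. The buffers are constructed for illustration; they are not real samples.

```python
"""Plain-Python evaluation of the Winnti_malware_Nsiproxy condition.

Added example for this page; it is not Florian Roth's code and not YARA.
It re-implements the rule's strings, the `fullword` modifier (approximately)
and the condition so the layered logic can be exercised offline on
constructed buffers. Use YARA itself for real scanning.
"""

# Strings copied from the rule. "wide" means UTF-16LE, "ascii" means single-byte.
STRINGS = {
    "x1": ("\\Driver\\nsiproxy", "wide"),
    "a1": ("\\Device\\StreamPortal", "wide"),
    "a2": ("\\Device\\PNTFILTER", "wide"),
    "s1": ("Cookie: SN=", "ascii"),
    "s2": ("\\BaseNamedObjects\\_transmition_synchronization_", "wide"),
    "s3": ("Winqual.sys", "wide"),
    "s4": ("\\Registry\\Machine\\SYSTEM\\CurrentControlSet\\Control\\Class"
           "\\{4D36E972-E325-11CE-BFC1-08002BE10318}", "wide"),
    "s5": ("http://www.wasabii.com.tw 0", "ascii"),
}


def encode(text, kind):
    """Encode a rule string the way YARA searches for it."""
    return text.encode("utf-16-le" if kind == "wide" else "ascii")


def _alnum_unit(unit, kind):
    """True if a one-byte (ascii) or two-byte (wide) unit is an ASCII letter or digit."""
    if not unit:
        return False  # start or end of buffer counts as a delimiter
    try:
        ch = unit.decode("utf-16-le" if kind == "wide" else "ascii")
    except UnicodeDecodeError:
        return False
    return ch.isascii() and ch.isalnum()


def fullword_match(buf, text, kind):
    """Approximate YARA `fullword`: the string must not be preceded or
    followed by an alphanumeric character of the same width."""
    needle = encode(text, kind)
    width = 2 if kind == "wide" else 1
    start = 0
    while (idx := buf.find(needle, start)) != -1:
        before = buf[max(idx - width, 0):idx]
        after = buf[idx + len(needle):idx + len(needle) + width]
        if not _alnum_unit(before, kind) and not _alnum_unit(after, kind):
            return True
        start = idx + 1
    return False


def evaluate(buf):
    """Return (matched, per-string hits) for the condition
    uint16(0) == 0x5a4d and $x1 and 1 of ($a*) and 2 of ($s*)."""
    hits = {name: fullword_match(buf, t, k) for name, (t, k) in STRINGS.items()}
    is_pe = buf[:2] == b"MZ"  # 0x5a4d little-endian at offset 0 is the bytes "MZ"
    a_hits = sum(hits[n] for n in hits if n.startswith("a"))
    s_hits = sum(hits[n] for n in hits if n.startswith("s"))
    return bool(is_pe and hits["x1"] and a_hits >= 1 and s_hits >= 2), hits


def matches(buf):
    """Convenience wrapper: True if the rule would fire on `buf`."""
    return evaluate(buf)[0]


NUL2 = b"\x00\x00"
PAD = b"\x00" * 62  # stand-in for the rest of a DOS header; its content is irrelevant here

# Constructed samples (not real files):
# 1. A driver that only references the legitimate nsiproxy driver object.
SAMPLE_LEGIT_REFERENCE = b"MZ" + PAD + encode(*STRINGS["x1"]) + NUL2
# 2. $x1 plus one device name plus two supporting strings: the rule fires.
SAMPLE_ROOTKIT_LIKE = (b"MZ" + PAD + encode(*STRINGS["x1"]) + NUL2
                       + encode(*STRINGS["a1"]) + NUL2
                       + encode(*STRINGS["s2"]) + NUL2
                       + encode(*STRINGS["s3"]) + NUL2)
# 3. The same strings without an MZ header (e.g. a text dump of the IOCs): no match.
SAMPLE_NOT_PE = SAMPLE_ROOTKIT_LIKE[2:]
# 4. $x1 embedded in a longer identifier: `fullword` rejects it even though
#    one $a and two $s strings are present.
SAMPLE_PARTIAL_WORD = (b"MZ" + PAD + encode("\\Driver\\nsiproxy2", "wide") + NUL2
                       + encode(*STRINGS["a2"]) + NUL2
                       + encode(*STRINGS["s1"]) + b"\x00"
                       + encode(*STRINGS["s5"]) + b"\x00")

if __name__ == "__main__":
    for label, sample in [("legit reference", SAMPLE_LEGIT_REFERENCE),
                          ("rootkit-like", SAMPLE_ROOTKIT_LIKE),
                          ("not a PE", SAMPLE_NOT_PE),
                          ("partial word", SAMPLE_PARTIAL_WORD)]:
        matched, hits = evaluate(sample)
        print(f"{label:16s} matched={matched} hits={[n for n, h in hits.items() if h]}")
```

Only the rootkit-like buffer fires; the legitimate reference fails on the $a and $s tiers, the text dump fails the MZ check, and the partial word fails fullword. That is the behaviour to expect from the real rule, and the reason $x1 can be a legitimate driver name without the rule becoming noisy.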
The scenarios below are sources of noise for the behavioral hunt that accompanies the rule (new .sys files, driver loads, writes to the network-adapter class key referenced in $s4), not for the YARA match itself: a string signature on a driver image does not fire because Windows Update or an antivirus scan ran. Apply the exclusions to that telemetry, never to a match on the rule or on its hashes.
Scenario: Legitimate system update via Windows Update
Description: Driver updates delivered through Windows Update install new .sys files and write to the network-adapter class key when a NIC driver is updated, which a hunt for those artifacts will pick up. They do not produce a match on the YARA rule, which requires the rootkit-specific device and object names.
Filter/Exclusion: Exclude events initiated by ProcessName = "wuauclt.exe" (the legacy update client) or by the svchost.exe instance hosting the wuauserv service, and confirm that any written driver is Microsoft-signed; a version string is not a reliable discriminator.
Scenario: Scheduled Task for Patch Management
Description: A scheduled task running a patch management tool (for example Microsoft Endpoint Configuration Manager) installs drivers and rewrites device registry entries on a schedule, producing the same file and registry telemetry.
Filter/Exclusion: Exclude events tied to your own task name (TaskName = "PatchManagementTask" is a placeholder) and to ProcessName = "msiexec.exe" only when its parent is the patch agent. msiexec.exe is also a common malware delivery vector and should not be allowlisted globally.
Scenario: Antivirus or Endpoint Protection Scan
Description: Real-time protection and scheduled scans open, read and quarantine driver files and may rewrite the registry entries of drivers they remediate. The AV engine is also often the component that actually runs a YARA rule like this one; its own match is the signal, not noise.
Filter/Exclusion: Exclude file and registry events initiated by ProcessName = "MsMpEng.exe" (Microsoft Defender) or ProcessName = "avgnt.exe", and verify the image path and signature of the excluded process: malware frequently names itself after antivirus processes.
Scenario: System File Checker (SFC) or DISM Scan
Description: sfc /scannow and DISM restore protected system files, including drivers, from the component store, so a repair replaces .sys files and touches driver registry entries.
Filter/Exclusion: Match CommandLine contains "sfc /scannow" or "DISM.exe /Online /Cleanup-Image" rather than an exact equality: DISM is normally run with further switches such as /RestoreHealth, and the logged command line carries the full executable path. The file replacement itself is typically performed by the Windows Modules Installer (TrustedInstaller.exe), so correlate on the parent chain rather than on sfc.exe alone.
Scenario: Admin Task for Registry Cleanup
Description: An administrator may manually remove obsolete device entries under the class key with regedit.exe or reg.exe, which looks like tampering in raw registry telemetry.
Filter/Exclusion: Exclude registry modifications by ProcessName = "regedit.exe" or ProcessName = "reg.exe" only when they correlate with a known admin task (a change ticket, a maintenance window, an administrative account). Do not allowlist these tools unconditionally: attackers use the same binaries, and a write to the network-adapter class key from reg.exe with no corresponding change record should stay in scope.
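To show how the exclusions above combine without ever suppressing a real indicator, here is an added Python triage helper (not from the page author and not a Microsoft Sentinel feature). It treats a SHA-256 hit on the rule's hash1 to hash5 as an alert regardless of process, applies the process, command-line and change-record exclusions only to writes under the network-adapter class key from $s4, and accepts that key in both the kernel form the rule uses (\Registry\Machine\...) and the HKLM form registry telemetry usually reports. The events are constructed dicts standing in for log rows; the field names (event_type, process, command_line, registry_key, sha256, change_ticket) are assumptions, not a real Sentinel schema.

```python
"""Triage of hunt telemetry against the Winnti rule's artifacts.

Added example for this page, not from the page author and not a Sentinel
feature. Models the exclusion scenarios as an allowlist applied only to
registry noise; a hash hit against the rule's hash1..hash5 is never suppressed.
Event field names are assumptions, not a real log schema.
"""

# SHA-256 values from the rule's meta section.
WINNTI_SHA256 = {
    "9001572983d5b1f99787291edaadbb65eb2701722f52470e89db2c59def24672",
    "cf1e006694b33f27d7c748bab35d0b0031a22d193622d47409b6725b395bffb0",
    "326e2cabddb641777d489a9e7a39d52c0dc2dcb1fde1762554ea162792056b6e",
    "aff7c7478fe33c57954b6fec2095efe8f9edf5cdb48a680de9439ba62a77945f",
    "ba7ccd027fd2c826bbe8f2145d5131eff906150bd98fe25a10fbee2c984df1b8",
}

# Kernel-form key from $s4; telemetry usually reports it as HKLM\... instead.
CLASS_KEY_KERNEL_FORM = ("\\Registry\\Machine\\SYSTEM\\CurrentControlSet\\Control\\Class"
                         "\\{4D36E972-E325-11CE-BFC1-08002BE10318}")

# Exclusions taken from the scenarios on the page.
EXCLUDED_PROCESSES = {"wuauclt.exe", "msiexec.exe", "msmpeng.exe", "avgnt.exe"}
# Matched as substrings: real command lines carry the full path and extra switches.
EXCLUDED_COMMAND_MARKERS = ("sfc /scannow", "sfc.exe /scannow", "/cleanup-image")
ADMIN_REGISTRY_TOOLS = {"regedit.exe", "reg.exe"}


def normalize_key(key):
    """Map \\Registry\\Machine\\, HKEY_LOCAL_MACHINE\\ and HKLM\\ onto one lower-case spelling."""
    k = key.lower()
    for prefix in ("\\registry\\machine\\", "hkey_local_machine\\", "hklm\\"):
        if k.startswith(prefix):
            return k[len(prefix):]
    return k


CLASS_KEY = normalize_key(CLASS_KEY_KERNEL_FORM)


def triage(event):
    """Return "alert", "suspicious", "suppressed" or "ignore" for one event."""
    if event.get("sha256", "").lower() in WINNTI_SHA256:
        return "alert"  # a known Winnti hash is never excluded by process name
    if event.get("event_type") != "registry":
        return "ignore"
    if not normalize_key(event.get("registry_key", "")).startswith(CLASS_KEY):
        return "ignore"  # only the class key from $s4 is in scope here
    proc = event.get("process", "").lower()
    cmd = event.get("command_line", "").lower()
    if proc in EXCLUDED_PROCESSES or any(m in cmd for m in EXCLUDED_COMMAND_MARKERS):
        return "suppressed"
    if proc in ADMIN_REGISTRY_TOOLS and event.get("change_ticket"):
        return "suppressed"  # admin tool plus a change record: the "known admin task" case
    return "suspicious"


def run_triage(events):
    """Triage a list of events and return the verdicts in order."""
    return [triage(e) for e in events]


HKLM_CLASS = "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Class\\{4D36E972-E325-11CE-BFC1-08002BE10318}"

# Constructed events (not real telemetry).
SAMPLE_EVENTS = [
    # Defender touched a file with hash1: alert, the AV allowlist does not apply.
    {"event_type": "file", "process": "MsMpEng.exe",
     "sha256": "9001572983d5b1f99787291edaadbb65eb2701722f52470e89db2c59def24672"},
    # Windows Update client writing a NIC entry: suppressed.
    {"event_type": "registry", "process": "wuauclt.exe", "registry_key": HKLM_CLASS + "\\0007"},
    # DISM repair with extra switches: suppressed via the substring marker.
    {"event_type": "registry", "process": "Dism.exe",
     "command_line": "C:\\Windows\\System32\\Dism.exe /Online /Cleanup-Image /RestoreHealth",
     "registry_key": HKLM_CLASS + "\\0007"},
    # reg.exe with a change record: suppressed.
    {"event_type": "registry", "process": "reg.exe", "change_ticket": "CHG-0042",
     "registry_key": HKLM_CLASS + "\\0003"},
    # Same reg.exe write with no change record: stays in scope.
    {"event_type": "registry", "process": "reg.exe", "registry_key": HKLM_CLASS + "\\0003"},
    # Kernel-form key as a driver would spell it: recognised and suspicious.
    {"event_type": "registry", "process": "System", "registry_key": CLASS_KEY_KERNEL_FORM + "\\0001"},
    # regedit.exe on an unrelated key: not in scope.
    {"event_type": "registry", "process": "regedit.exe", "registry_key": "HKLM\\SOFTWARE\\Example"},
]

if __name__ == "__main__":
    for event, verdict in zip(SAMPLE_EVENTS, run_triage(SAMPLE_EVENTS)):
        print(f"{verdict:10s} {event.get('process')}  {event.get('registry_key', event.get('sha256', ''))}")
```

The ordering of the checks is the point: the hash comparison runs before any exclusion, the exclusions only ever touch registry events under the class key, and the administrative tools are suppressed only when a change record exists. Extending this to other artifacts from the rule (a driver load named Winqual.sys, for instance) means adding another in-scope check ahead of the allowlist, not another entry in the allowlist.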