The detection identifies potential adversary behavior involving a backdoor executable named Winnti Pharma, which may indicate unauthorized remote access or persistence mechanisms. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage compromise attempts that could lead to deeper network infiltration.
YARA Rule
rule WinntiPharma
{
    meta:
        author = "Jose Ramon Palanco"
        copyright = "Drainware, Inc."
        date = "2015-06-23"
        description = "Backdoor Win64 Winnti Pharma"
        ref = "https://securelist.com/blog/research/70991/games-are-over/"
    strings:
        $s0 = "Cookie: SN="
        $s1 = "{3ec05b4a-ea88-1378-3389-66706ba27600}"
        $s2 = "{4D36E972-E325-11CE-BFC1-08002BE10318}"
        $s3 = "master secret"
        $s4 = "MyEngineNetEvent"
    condition:
        all of ($s*)
}
This YARA rule can be deployed in the following contexts:
This rule contains 5 string patterns in its detection logic.
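To make the rule's matching logic concrete, the following Python is an added example (not part of the original page, the YARA project, or the rule author's work) that re-implements the five string patterns and the `all of ($s*)` condition in pure Python so the behaviour can be tested offline. The two sample buffers are constructed for the demonstration and are not real malware; the function and variable names are this example's own.

```python
# Added example (not from the original rule page): a minimal pure-Python
# re-implementation of the WinntiPharma rule's matching logic, so the
# condition `all of ($s*)` can be exercised against constructed sample data.
# The string set is copied from the YARA rule above; the samples are constructed.

from typing import Dict, List

# Strings exactly as declared in the rule ($s0..$s4). YARA text strings are
# case-sensitive ASCII byte sequences by default, so they are encoded as bytes.
WINNTI_PHARMA_STRINGS: Dict[str, bytes] = {
    "$s0": b"Cookie: SN=",
    "$s1": b"{3ec05b4a-ea88-1378-3389-66706ba27600}",
    "$s2": b"{4D36E972-E325-11CE-BFC1-08002BE10318}",
    "$s3": b"master secret",
    "$s4": b"MyEngineNetEvent",
}


def find_strings(data: bytes) -> Dict[str, List[int]]:
    """Return every offset at which each rule string occurs in `data`.

    Mirrors what YARA reports for matched strings (identifier -> offsets).
    A string that never occurs maps to an empty list.
    """
    hits: Dict[str, List[int]] = {}
    for ident, needle in WINNTI_PHARMA_STRINGS.items():
        offsets: List[int] = []
        start = 0
        while True:
            idx = data.find(needle, start)
            if idx == -1:
                break
            offsets.append(idx)
            start = idx + 1  # overlapping occurrences count, as in YARA
        hits[ident] = offsets
    return hits


def matches_winnti_pharma(data: bytes) -> bool:
    """Evaluate the rule condition `all of ($s*)`: every $s string must occur."""
    return all(len(offs) > 0 for offs in find_strings(data).values())


def missing_strings(data: bytes) -> List[str]:
    """Identifiers of rule strings absent from `data`; handy when triaging near-misses."""
    return [ident for ident, offs in find_strings(data).items() if not offs]


# Constructed sample buffers (not real malware): one carrying all five strings
# between filler bytes, and one with $s3 overwritten so it must not match.
SAMPLE_ALL = (
    b"MZ\x90\x00" + b"\x00" * 32
    + b"Cookie: SN=" + b"\x00" * 8
    + b"{4D36E972-E325-11CE-BFC1-08002BE10318}" + b"\x00" * 8
    + b"master secret" + b"\x00" * 8
    + b"MyEngineNetEvent" + b"\x00" * 8
    + b"{3ec05b4a-ea88-1378-3389-66706ba27600}"
)
SAMPLE_PARTIAL = SAMPLE_ALL.replace(b"master secret", b"xxxxxx xxxxxx")

if __name__ == "__main__":
    for name, buf in (("SAMPLE_ALL", SAMPLE_ALL), ("SAMPLE_PARTIAL", SAMPLE_PARTIAL)):
        print(name, "matches:", matches_winnti_pharma(buf),
              "missing:", missing_strings(buf))
```

Running the script reports that SAMPLE_ALL matches and SAMPLE_PARTIAL does not, with `$s3` listed as the missing string. In production the rule text itself would be compiled with the yara-python bindings (`yara.compile(source=...)` followed by `rules.match(data=...)`); the pure-Python version above exists only to show why a file that carries four of the five strings is not a hit under `all of ($s*)`, which is the property that keeps this rule's false-positive rate low.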
Scenario: A system administrator is using PowerShell to run a legitimate script that downloads and executes a file named winnti.exe as part of a routine system update or patching process.
Filter/Exclusion: Exclude processes initiated by powershell.exe where the command line includes -File and the script path is within a known trusted directory (e.g., C:\Windows\System32\ or C:\Program Files\).
Scenario: A scheduled job is configured to run a legitimate maintenance tool (e.g., Microsoft Baseline Security Analyzer (MBSA)) that uses winnti.exe as part of its execution flow.
Filter/Exclusion: Exclude processes launched by Task Scheduler with a known job name or path, such as C:\Windows\System32\schedsvc.exe or a specific job ID.
Scenario: A third-party software update (e.g., Microsoft Endpoint Protection or Windows Defender) is deploying a legitimate executable named winnti.exe as part of a security patch or configuration change.
Filter/Exclusion: Exclude processes initiated by known security software installers or update services, such as msiexec.exe, setup.exe, or WindowsUpdate.exe.
Scenario: A remote management tool (e.g., Microsoft Intune, Microsoft Endpoint Manager, or System Center Configuration Manager) is using winnti.exe as part of a remote execution or configuration task.
Filter/Exclusion: Exclude processes launched by remote management tools, such as microsoftedge.exe, intunewin.exe, or ccmexec.exe, or those with a known remote management context.
Scenario: A development or testing environment is running a custom script or tool that temporarily uses `winnti.exe