The hypothesis is that the detected activity represents an adversary using a malicious sample associated with the operation Woolen-Goldfish to establish a foothold in the network. A SOC team should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential compromise from advanced persistent threats leveraging this specific malware sample.
YARA Rule
rule WoolenGoldfish_Generic_2
{
    meta:
        description = "Detects an operation Woolen-Goldfish sample - http://goo.gl/NpJpVZ"
        author = "Florian Roth"
        reference = "http://goo.gl/NpJpVZ"
        date = "2015/03/25"
        score = 90
        hash1 = "47b1c9caabe3ae681934a33cd6f3a1b311fd7f9f"
        hash2 = "62172eee1a4591bde2658175dd5b8652d5aead2a"
        hash3 = "7fef48e1303e40110798dfec929ad88f1ad4fbd8"
        hash4 = "c1edf6e3a271cf06030cc46cbd90074488c05564"
    strings:
        $s0 = "modules\\exploits\\littletools\\agent_wrapper\\release" ascii
    condition:
        all of them
}
This YARA rule can be deployed in the following contexts:
This rule contains a single string pattern ($s0) in its detection logic; the SHA-1 values in the meta section are reference hashes of known samples and are not evaluated by the condition.
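To make the matching behaviour concrete, the following is an added Python emulation (it is not part of this page or of the rule author's signature set): it checks a byte buffer against $s0 the way YARA does (each "\\" in the rule source is one backslash in the scanned bytes, and `ascii` without `nocase` is case-sensitive) and separately compares the buffer's SHA-1 against the meta hashes. The sample buffers are constructed for illustration and are not real malware.

```python
import hashlib
import re

# Reference hashes copied from the rule's meta section. YARA never evaluates
# meta values, so these only serve as hunting context (e.g. a hash lookup).
KNOWN_SHA1 = {
    "47b1c9caabe3ae681934a33cd6f3a1b311fd7f9f",
    "62172eee1a4591bde2658175dd5b8652d5aead2a",
    "7fef48e1303e40110798dfec929ad88f1ad4fbd8",
    "c1edf6e3a271cf06030cc46cbd90074488c05564",
}

# $s0 as YARA interprets it: the escaped "\\" in the rule source become single
# backslashes, and "ascii" without "nocase" means a case-sensitive byte match.
S0 = rb"modules\exploits\littletools\agent_wrapper\release"


def rule_matches(data: bytes) -> bool:
    """Emulate `condition: all of them` for the rule's single string $s0."""
    return S0 in data


def sha1_hex(data: bytes) -> str:
    """SHA-1 of the buffer, to compare with the rule's meta hashes."""
    return hashlib.sha1(data).hexdigest()


def triage(data: bytes) -> dict:
    """Combine the string logic with the meta-hash lookup into one verdict."""
    digest = sha1_hex(data)
    return {
        "sha1": digest,
        "known_hash": digest in KNOWN_SHA1,
        "s0_match": rule_matches(data),
        "s0_offsets": [m.start() for m in re.finditer(re.escape(S0), data)],
    }


# Constructed buffers (not real samples): a fake PE header followed by an
# embedded build path, as a compiler leaves behind in PDB/project strings.
SUSPECT = (b"MZ\x90\x00" + b"\x00" * 16
           + b"C:\\modules\\exploits\\littletools\\agent_wrapper\\release\\agent.pdb")
# Same path with one letter in a different case: YARA's case-sensitive
# "ascii" modifier will NOT match this, even though Windows paths are
# case-insensitive.
CASE_VARIANT = (b"MZ\x90\x00" + b"\x00" * 16
                + b"C:\\modules\\Exploits\\littletools\\agent_wrapper\\release\\agent.pdb")

if __name__ == "__main__":
    for name, buf in (("suspect", SUSPECT), ("case_variant", CASE_VARIANT)):
        print(name, triage(buf))
```

The second buffer shows why a hunt based only on this rule should be paired with a hash or path-component search that is not case-sensitive.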
Scenario: Legitimate scheduled system update via Windows Server Update Services (WSUS)
Filter/Exclusion: Check the destination field for known WSUS update servers or filter by process.name to exclude wuauclt.exe or svchost.exe associated with Windows Update.
Scenario: Admin performing a disk cleanup using Disk Cleanup tool (cleanmgr.exe)
Filter/Exclusion: Filter by process.name to exclude cleanmgr.exe or use a process.parent.name check to ensure the process is initiated from a known administrative tool or command line.
Scenario: Automated backup job using Veeam Backup & Replication
Filter/Exclusion: Use a process.name filter to exclude veeam.exe or check the destination field for known backup storage locations managed by Veeam.
Scenario: User accessing a legitimate phishing link during a security awareness training exercise
Filter/Exclusion: Filter by user.email to exclude internal training email addresses or use a destination field check to exclude known training phishing URLs used in the organization’s security program.
Scenario: Legitimate software deployment via Microsoft Intune or Configuration Manager (SCCM)
Filter/Exclusion: Filter by process.name to exclude msiexec.exe or setup.exe associated with known enterprise deployment tools, or check the destination field for known deployment servers.